DHS Subpoenas Twitter For New Zealand Security Researcher's Info

from the instead-of-addressing-the-problem,-we'll-go-after-the-people-talking-about-i dept

Over the weekend, Zack Whittaker of ZDNet reported a New Zealand security researcher has somehow earned the unwanted attention of DHS and ICE.

Homeland Security has served Twitter with a subpoena, demanding the account information of a data breach finder, credited with finding several large caches of exposed and leaking data.

The New Zealand national, whose name isn’t known but goes by the handle Flash Gordon, revealed the subpoena in a tweet last month.

Flash Gordon secured the assistance of the EFF to challenge the subpoena, but apparently that effort failed. This leaves everyone with the unanswered question as to why DHS/ICE are seeking the researcher’s identifying info.

As Whittaker notes, the researcher has discovered and reported several data breaches. One in particular might have drawn the attention of the feds: the exposure of a law enforcement training database.

The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law Enforcement Rapid Response Training — known as ALERRT — at Texas State University.

The database dates back to April 2017 and was uploaded a year later to a web server, believed to be owned by the organization, with no password protection.

This would be the sort of thing the US government notices, even if it’s only interested in prosecuting the messenger. PII belonging to law enforcement officers is considered to be the most sacrosanct of data, and anyone exposing a government contractor’s careless handling of it is likely to find themselves targeted by federal agents.

But this is all conjecture at this point. Flash Gordon only knows the government has demanded his info and is likely to receive it soon, if it hasn’t already. The involvement of DHS and ICE is still strange, as a breach involving US law enforcement personnel would normally be handled by the FBI.

As Dissent Doe points out in her coverage at Databreaches.net, it could have something to do with the expansive definition of “export,” which covers information as well as physical goods. That’s actual ICE territory — its less-controversial export control function. It’s illegal to export “controlled” info and tech, so the researcher’s New Zealand locale could provide a nexus for criminal charges, but only if you’re willing to suspend reality during the charging process. Doe asks:

But how would that apply to this situation? There is no U.S. individual here who is exporting information to a non-U.S. person, is there?

If this has anything to do with the multiple US-based breaches Flash Gordon has reported, the information has traveled from US companies to US journalists via a New Zealand intermediary. If Gordon has downloaded a copy of the breach’s contents, the same thing applies: the info shared with US journalists was “exported” from New Zealand to the US. The only possibility left is this: the government wants to treat a New Zealand researcher’s acquisition of breach data from US companies as an illegal “export” of controlled info.

Unfortunately for the researcher, the DOJ has engaged in some highly-questionable prosecutions based on highly-questionable interpretations of US law. It seems when tech/data is involved, common sense is the first victim. It hasn’t always been successful in its novel interpretations of these laws, but every federal prosecution has the potential to completely destroy the target’s life — even if it ends in a dismissal or verdict in the defendant’s favor.

The last possibility is this: it’s just a fishing operation meant to deter Gordon and others like him from searching for breaches and turning this data over to journalists. If the US government obtains identifying info, it can simply retain the info indefinitely as an implicit threat, pushing Gordon to pursue “safer” careers and hobbies. This won’t make anyone else any safer, but it will at least spare the government and its contractors further embarrassment.

Companies: twitter


Comments on “DHS Subpoenas Twitter For New Zealand Security Researcher's Info”

Anonymous Coward says:

going underground

Someone (“Flash”) is doing the feds a public service by pointing out sensitive data is there for anyone to steal.
They are lucky “Flash” got there first and not a terrorist group or someone who just wanted to sell the data on the dark web … though of course who knows if “Flash” was the first finder, someone of more evil intent may have grabbed the data – finding unsecured data on the web is not that difficult.
If ICE try to indict “Flash” all it will do is make whistleblowers not reveal what they have found – so the data has more chance of being found by “bad guys” – or in worst case a security researcher realising they will be prosecuted for finding the data (and so no chance to monetize via increasing their security reputation (& thus chargeable rates) / getting bug bounties) will themselves be tempted to sell the data on the dark web to help pay their bills.

There is a good reason “don’t shoot the messenger” is an old but important cliche.

Anonymous Coward says:

Considering that the biggest baddest generator of internet malfeasance is the US NSA, it is very likely that what is happening is that these so-called security issues are really NSA exploits; the person who exposes such faults is really exposing methods and procedures the NSA uses to subvert computers.

Also considering that the US government claims world wide legal jurisdiction (so does Spain and the complete EU) under the psychology of universal justice that makes any exposure of these procedures a US crime regardless of the citizenship or location of the individual performing the action.

The only conclusion is that anybody dumb enough to expose such information in a form that can be in any way traced back to them (and on the internet that is any way at all) is a DAMN FOOL.

Anonymous Coward says:

Import/export of info

It’s illegal to export "controlled" info

In other words, it’s illegal to speak certain things across an international border. Cryptographers had some success claiming this as a 1st-amendment violation in Crypto Wars 1.0, when they printed their "controlled info" in a book and mailed the book; the government didn’t and still doesn’t fully recognize digital info as speech.

We should expect this view to be harmful in the future, especially once ICE realizes they can control the import of info and decides to set up a Great Firewall of America (perhaps Mexico will pay for it). You’ve gotta stop illegal transmission of copyrighted stuff, right?

Matthew Cline (profile) says:

But how would that apply to this situation? There is no U.S. individual here who is exporting information to a non-U.S. person, is there?

Maybe someone in the U.S. govt thinks that Flash didn’t discover the data breach on his own, but that rather a whistleblower tipped him off? A U.S. whistleblower telling someone outside the U.S. could be considered to be "exporting" the information.

Anonymous Coward says:

no good deed goes unpunished, as they say! obviously, DHS and ICE have been caught not securing their data and now don’t like the fact being exposed. in retaliation, in true USA security forces and companies fashion, the person who discovered this fact will be thrown into a USA prison after being found guilty of breaching the defenses himself. we all know that the USA hates to be found guilty of anything, always laying the blame for everything it fucks up on to anyone and everyone possible. as for NZ, it’s so shit scared of the USA, it just bends over and grabs ankles at the slightest excuse needed, including trumping up methods of getting Dotcom extradited!! fucking disgraceful!!

6 Jul 2018 says:

Re: power

… the core “legal issue” here is government “subpoena Power” — the Executive Branch & Congressional branch of US Federal Government have NO subpoena authority at all under the Constitution. DHS/ICE have no subpoena power.

Subpoena is a judicial authority only… and all judicial powers reside only in the Federal Judicial Branch.

DHS/ICE “Administrative Subpoenas” are absolutely non-constitutional, but nobody cares.

Recipients of administrative subpoenas can file a motion in federal court to throw out the subpoena, but the “accepted” standard for court review is highly biased to the government side. Basically, a Federal executive agency only has to show that the information sought is necessary for the performance of the agency’s official duties. This court standard is so lax that one US Supreme Court decision said administrative subpoenas can be issued based merely on “official curiosity”. Of course this vaporizes the 4th Amendment.

Ninja (profile) says:

So the message is: if you are a security researcher, hide behind several layers of anonymity and protection (TOR, VPN, Proxies etc) and just dump everything in the wild to cause as much mayhem as possible so 1- those responsible for the problem will be forced to fix it and 2- you’ll be protected.

Doesn’t sound like a good outcome for anybody. We should instead be protecting these guys.

Ken Martin (profile) says:

“Flash Gordon”

Once DHS and ICE know “Flash’s” identity, he may end up shackled in front of a judge in the US, and sentenced to a lengthy period at the expense of American taxpayers. He has been a tad unwise. Barbaric. Decades later, he may see his homeland. Then again, he may die in prison. Still, it was much the same under Obama. It amazes me people want to immigrate to the US. Right now, I would not even visit. Since 9/11, the US has been an angry and paranoid nation who treat aliens badly.

SGOR says:

the CGIS database under the radar

These databases-all of them- are overseen by partisan morons.

The FBI’s CGIS database, now controlled by a French company, and formerly in the hands of 3M, was compromised by a racist sectarian Obama cultist who utilized DHS connections to attempt to subvert the presidential election.

Oooops….inside information alert: Pasadena, CA police were quick to frame it as anything but insider trading, and DHS quickly ran a behind the scenes narrative, framing the whistle blower in classic ADL terms: racist, liar, undependable~despite a service record of total company loyalty and diligence.

The good news? It took a year, but those responsible are all now fired.

Sadly, no federal charges, because FBI/DHS snitch culture protects its own……rats.
