Security Researchers Sued For Exposing Internet Filtering Company's Sale Of Censorship Software To Blacklisted Country

from the 'you're-making-us-look-bad'-said-company-caught-looking-bad dept

Nothing says "Please stop talking about the bad stuff we do" quite like a bogus defamation lawsuit. Citizen Lab, which has reported on a great number of tech companies that are less than discriminating in their selection of customers (think Hacking Team), has been served with a lawsuit by a purveyor of internet censorship software.

On January 20, 2016, Netsweeper Inc., a Canadian Internet filtering technology service provider, filed a defamation suit with the Ontario Superior Court of Justice. The University of Toronto and myself were named as the defendants. The lawsuit in question pertained to an October 2015 report of the Citizen Lab, “Information Controls during Military Operations: The case of Yemen during the 2015 political and armed conflict,” and related comments to the media. Netsweeper sought $3,000,000.00 in general damages; $500,000.00 in aggravated damages; and an “unascertained” amount for “special damages.”

Netsweeper apparently was less than amused by Citizen Lab's insistence on reporting facts, including the nasty one about it supplying internet filtering software to a country whose government has been blacklisted by the United Nations. You know, things like this:

The research confirms that Internet filtering products sold by the Canadian company Netsweeper have been installed on and are presently in operation in the state-owned and operated ISP YemenNet, the most utilized ISP in the country.

Netsweeper products are being used to filter critical political content, independent media websites, and all URLs belonging to the Israeli (.il) top-level domain.

These new categories of censorship are being implemented by YemenNet, which is presently under the control of the Houthis (an armed rebel group, certain leaders and allies of which are targeted by United Nations Security Council sanctions).

Netsweeper was given a chance to defend itself against Citizen Lab's allegations before the report was made public.

We sent a letter by email directly to Netsweeper on October 9, 2015. In that letter we informed Netsweeper of our findings, and presented a list of questions. We noted: “We plan to publish a report reflecting our research on October 20, 2015. We would appreciate a response to this letter from your company as soon as possible, which we commit to publish in full alongside our research report.”

Netsweeper never replied.

Rather than meet the situation head on, Netsweeper chose to hang back and lob a lawsuit at Citizen Lab after it published its report. Fortunately for the security researchers, Netsweeper has chosen to drop its lawsuit entirely, possibly because pursuing the questionable defamation claims would have put it up against Ontario's version of anti-SLAPP laws: the Protection of Public Participation Act.

The world of security research is still a dangerous place. When researchers aren't being arrested for reporting on their findings, they're being sued for exposing security flaws and highly-questionable behavior. It's a shame there aren't more built-in protections for researchers, who tend to receive a lot of legal heat just for doing their job.


Filed Under: canada, censorship, citizen lab, filtering, software, yemen
Companies: citizen lab, netsweeper


Reader Comments

  • That Anonymous Coward, 29 Jul 2016 @ 3:57am

    It's a pity that doing business with a blacklisted country doesn't have any punishment attached to it.

    Perhaps they hired a better lawyer who told them how badly their first lawyer had screwed them by drawing much more attention to their income from selling to rebels and repressive regimes that most Canadians would balk at.

  • Anonymous Coward, 29 Jul 2016 @ 4:09am

    Do they deny the allegations?

  • Anonymous Coward, 29 Jul 2016 @ 4:40am

    Typical behavior by Netsweeper

    Keep in mind that there's no money too dirty for the sociopaths at Netsweeper. They've been peddling their censorware to dictators and thugs for years:

    The Booming Business of Internet Censorship
    and
    Sweeping Rights Aside: Ottawa, Pakistan and Netsweeper
    and
    When a Canadian company decides what citizens in the Middle East can access online
    among others

  • Anonymous Coward, 29 Jul 2016 @ 5:04am

    "It's a shame there aren't more built-in protections for researchers, who tend to receive a lot of legal heat just for doing their job."


    An as-yet unsolved problem is everyone, including black-hat hackers, can say they are "security researchers" entitled to exceed reasonable and authorized levels of access to Internet-connected systems.

    The law does not distinguish between researchers who have incorporated as businesses and are ostensibly working for the public good, those independent "researchers" who offer zero-days for ransom, hostile nations, pranksters, and others up to no good. Regardless of what moral high ground the white-hats and some grey-hats may be on, no one has the legal right to harm businesses by poking around and disclosing vulnerabilities. From the point of view of the hacked companies, these people are all uninvited burglars who keep trying all the windows and doors, moving in shadows and seeing what items of value might be left lying about and seeing what trouble they can stir up.

    I don't sympathize with those who sue or prosecute instead of rewarding the white-hats who really are just doing security research, but I also don't see the "security research" industry doing anything to legitimize and distinguish itself in a way that protects it from CFAA abuse, SLAPP, and so on. If you want to make progress on this issue, come up with a code of ethics, a list of things you can and can't do in the course of "research", and discuss how the law can be changed to protect those researchers who work for the public good, without giving a free pass to the malicious ones.

    • Cynosura, 29 Jul 2016 @ 5:21am

      Re:

      I don't sympathize with those who sue or prosecute instead of rewarding the white-hats who really are just doing security research,

      You sure could have fooled me.

      I also don't see the "security research" industry doing anything to legitimize and distinguish itself in a way that protects it from CFAA abuse, SLAPP, and so on.

      Maybe they need to be "regulated" in some way to ensure that they don't step on the wrong toes, huh?

    • Anonymous Coward, 29 Jul 2016 @ 5:22am

      Re:

      "no one has the legal right to harm businesses by poking around and disclosing vulnerabilities" - you're right. It's much better when criminals or governments do it.

      • That One Guy, 29 Jul 2016 @ 5:36am

        Re: Re:

        If the white hats don't find it the black hats will, and if the white hats are scared off from reporting by threats of what happens to anyone who exposes system/security vulnerabilities then the first a company is likely to learn about a vulnerability is when someone exploits it maliciously, rather than just for research/investigation purposes.

        • PaulT, 29 Jul 2016 @ 5:55am

          Re: Re: Re:

          Exactly, which is why this is so problematic. White hat finds a vulnerability = company is notified and given a chance to fix it before the public is notified. Black hat finds it = zero day exploit sold to highest bidder, everyone has an incentive never to advise the company or the public.

          This is why it's important to allow genuine researchers to continue without fear of prosecution. The bad guys are going to be doing it with or without the help of a handy excuse, and you make everyone less safe by attacking the messengers who inform you of your problem.

          • Anonymous Coward, 29 Jul 2016 @ 6:49am

            Re: Re: Re: Re:

            "it's important to allow genuine researchers" - I do not really care for any certificates of authenticity they have on them so long as they report properly.

          • orbitalinsertion, 29 Jul 2016 @ 8:54am

            Re: Re: Re: Re:

            But somehow we can't tell the difference between disclosing a vulnerability to a company, and selling exploits! It's too confusing!

        • Anonymous Coward, 29 Jul 2016 @ 6:46am

          Re: Re: Re:

          That should be obvious, but alas - is not.
          The criminals - being, well, criminals - do not care for laws anyway, and the governments will get away with any poking with a straw man or a scapegoat.

          Only the poor end user will have hard time sitting from screwing.

          Oh, well...

    • Anonymous Coward, 29 Jul 2016 @ 5:30am

      Re:

      no one has the legal right to harm businesses by poking around and disclosing vulnerabilities.

      Similarly, businesses do not have a right to make money without regard to the costs they impose on society, which includes exposing customers to data exposures just to make a larger profit by not following best security practices. In any case, this was not revealing a vulnerability, unless you consider doing business with authoritarian dictators and would-be authoritarian dictators a vulnerability.

    • Anonymous Coward, 29 Jul 2016 @ 5:32am

      Re:

      no one has the legal right to harm businesses by poking around and disclosing vulnerabilities

      On the other hand, businesses are free to harm hundreds of millions of people by concealing vulnerabilities and lying about them.

    • PaulT, 29 Jul 2016 @ 5:35am

      Re:

      "no one has the legal right to harm businesses by poking around and disclosing vulnerabilities"

      ...which is why the industry generally has a very good track record of not publicly disclosing any potentially harmful data until after the company in question has had a reasonable amount of time to either a) fix their security issue or b) issue their own response to the issue, depending on whether there has been a breach or not. Normally, the only time disclosure is made before the company has been able to fix their end is if they either ignore the request to do so (or follow the request for a fix up with legal action), or if the breach is so severe that it's in the public interest for immediate disclosure.

      Bear in mind that it's often not the law that's the problem here, it's companies who prefer to try and silence researchers rather than publicly admit they have an issue and/or fix the revealed security flaws. I agree that the law has a problem distinguishing between black and white hats, but it's as much a problem with the way the law is attempted to be applied as the letter of the law itself.

      • orbitalinsertion, 29 Jul 2016 @ 9:01am

        Re: Re:

        It's funny how it follows the same pattern as physical items with design, materials, or construction flaws. Companies don't like those investigated either. Only in the digital space, they have all these extra ways to stifle research or the researchers.

    • Anonymous Coward, 29 Jul 2016 @ 6:27am

      Re:

      "no one has the legal right to harm businesses by poking around and disclosing vulnerabilities"

      You're shooting the messenger and blaming them for the news.

      The vulnerabilities that the businesses allow is what harms them. The exposure of the vulnerabilities is just inevitable and necessary.

      In the same manner, Edward Snowden isn't responsible for harming the US intelligence structure by exposing their illegal actions. Their illegal actions did that.

      Guccifer 2.0 or the Russians or whoever hacked the DNC emails isn't responsible for harming the DNC's reputation. The DNC did that by sending those emails in the first place.

      If you don't have vulnerabilities or take sufficient actions to find and nullify what vulnerabilities you have, then you're fine. If you expect everyone to politely ignore the fact that you're not wearing any clothes, then you must think you're royalty or something and even that won't save you.

      • Mimosa, 29 Jul 2016 @ 10:53am

        Re: Re:

        You're shooting the messenger and blaming them for the news.

        Shooting the messenger is a common method used to attempt to suppress news.

    • Anonymous Coward, 29 Jul 2016 @ 7:07am

      Re:

      no one has the legal right to harm businesses by poking around and disclosing vulnerabilities

      Why not, has that right been specifically prohibited? Remember that thing about "all rights not delegated"? Or is that just an old scrap of paper to you?

  • DannyB, 29 Jul 2016 @ 5:45am

    Market outlook for censorware

    The future opportunities to sell censorware might improve depending on the outcome of the US election.

  • Norahc, 29 Jul 2016 @ 5:57am

    Streisand effect

    At what point will lawyers start advising their clients of the Streisand Effect before they're introduced to it the hard way? Do law schools need to add this to their core curriculum?

  • Berenerd, 29 Jul 2016 @ 6:46am

    When I am elected president, I will abolish things so idiots can be all placed on an island on Mars where they will be free to censor each other freely without us peons getting in their way.

    • Oblate, 29 Jul 2016 @ 7:18am

      Re:

      Get ready for "Feel the Berenerd!", at .38 g's. But I think there are no islands on Mars, maybe the top of Olympus Mons would be better.

      Either way, you'd be a much better candidate than that "Make Uranus Great Again!" guy. Definitely not voting for him...

  • Anonymous Coward, 29 Jul 2016 @ 3:27pm

    Gah.
