Security Researchers Sued For Exposing Internet Filtering Company's Sale Of Censorship Software To Blacklisted Country
from the 'you're-making-us-look-bad'-said-company-caught-looking-bad dept
Nothing says “Please stop keep talking about the bad stuff we do” quite like a bogus defamation lawsuit. Citizen Lab, which has reported on a great number of tech companies that are less than discriminating in their selection of customers (think Hacking Team), has been served with a lawsuit by a purveyor of internet censorship software.
On January 20, 2016, Netsweeper Inc., a Canadian Internet filtering technology service provider, filed a defamation suit with the Ontario Superior Court of Justice. The University of Toronto and myself were named as the defendants. The lawsuit in question pertained to an October 2015 report of the Citizen Lab, “Information Controls during Military Operations: The case of Yemen during the 2015 political and armed conflict,” and related comments to the media. Netsweeper sought $3,000,000.00 in general damages; $500,000.00 in aggravated damages; and an “unascertained” amount for “special damages.”
Netsweeper apparently was less than amused by Citizen Lab’s insistence on reporting facts, including the nasty one about it supplying internet filtering software to a country whose government has been blacklisted by the United Nations. You know, things like this:
The research confirms that Internet filtering products sold by the Canadian company Netsweeper have been installed on and are presently in operation in the state-owned and operated ISP YemenNet, the most utilized ISP in the country.
Netsweeper products are being used to filter critical political content, independent media websites, and all URLs belonging to the Israeli (.il) top-level domain.
These new categories of censorship are being implemented by YemenNet, which is presently under the control of the Houthis (an armed rebel group, certain leaders and allies of which are targeted by United Nations Security Council sanctions).
Netsweeper was given a chance to defend itself against Citizen Lab’s allegations before the report was made public.
We sent a letter by email directly to Netsweeper on October 9, 2015. In that letter we informed Netsweeper of our findings, and presented a list of questions. We noted: “We plan to publish a report reflecting our research on October 20, 2015. We would appreciate a response to this letter from your company as soon as possible, which we commit to publish in full alongside our research report.”
Netsweeper never replied.
Rather than meet the situation head on, Netsweeper chose to hang back and lob a lawsuit at Citizen Lab after it published its report. Fortunately for the security researchers, Netsweeper has chosen to drop its lawsuit entirely, possibly because pursuing the questionable defamation claims would have put it up against Ontarios’s version of anti-SLAPP laws: the Protection of Public Participation Act.
The world of security research is still a dangerous place. When researchers aren’t being arrested for reporting on their findings, they’re being sued for exposing security flaws and highly-questionable behavior. It’s a shame there aren’t more built-in protections for researchers, who tend to receive a lot of legal heat just for doing their job.
Filed Under: canada, censorship, citizen lab, filtering, software, yemen
Companies: citizen lab, netsweeper
Comments on “Security Researchers Sued For Exposing Internet Filtering Company's Sale Of Censorship Software To Blacklisted Country”
Its a pity that doing business with a blacklisted country doesn’t have any punishment attached to it.
Perhaps they hired a better lawyer who told them how badly their first lawyer had screwed them by drawing much more attention to their income from selling to rebels and repressive regimes that most Canadians would balk at.
Do they deny the allegations?
Typical behavior by Netsweeper
Keep in mind that there’s no money too dirty for the sociopaths at Netsweeper. They’ve been peddling their censorware to dictators and thugs for years:
The Booming Business of Internet Censorship
and
Sweeping Rights Aside: Ottawa, Pakistan and Netsweeper
and
When a Canadian company decides what citizens in the Middle East can access online
among others
An as-yet unsolved problem is everyone, including black-hat hackers, can say they are “security researchers” entitled to exceed reasonable and authorized levels of access to Internet-connected systems.
The law does not distinguish between researchers who have incorporated as businesses and are ostensibly working for the public good, those independent “researchers” who offer zero-days for ransom, hostile nations, pranksters, and others up to no good. Regardless of what moral high ground the white-hats and some grey-hats may be on, no one has the legal right to harm businesses by poking around and disclosing vulnerabilities. From the point of view of the hacked companies, these people are all uninvited burglars who keep trying all the windows and doors, moving in shadows and seeing what items of value might be left lying about and seeing what trouble they can stir up.
I don’t sympathize with those who sue or prosecute instead of rewarding the white-hats who really are just doing security research, but I also don’t see the “security research” industry doing anything to legitimize and distinguish itself in a way that protects it from CFAA abuse, SLAPP, and so on. If you want to make progress on this issue, come up with a code of ethics, a list of things you can and can’t do in the course of “research”, and discuss how the law can be changed to protect those researchers who work for the public good, without giving a free pass to the malicious ones.
Re: Re:
I don’t sympathize with those who sue or prosecute instead of rewarding the white-hats who really are just doing security research,
You sure could have fooled me.
I also don’t see the “security research” industry doing anything to legitimize and distinguish itself in a way that protects it from CFAA abuse, SLAPP, and so on.
Maybe they need to be “regulated” in some way to ensure that they don’t step on the wrong toes, huh?
Re: Re:
“no one has the legal right to harm businesses by poking around and disclosing vulnerabilities” – you right. It’s much better when criminals or governments do it.
Re: Re: Re:
If the white hats don’t find it the black hats will, and if the white hats are scared off from reporting by threats of what happens to anyone who exposes system/security vulnerabilities then the first a company is likely to learn about a vulnerability is when someone exploits it maliciously, rather than just for research/investigation purposes.
Re: Re: Re: Re:
Exactly, which is why this is so problematic. White hat finds a vulnerability = company is notified and given a chance to fix it before the public is notified. Black hat finds it = zero day exploit sold to highest bidder, everyone has an incentive never to advise the company or the public.
This is why it’s important to allow genuine researchers to continue without fear of prosecution. The bad guys are going to be doing it with or without the help of a handy excuse, and you make everyone less safe by attacking the messengers who inform you of your problem.
Re: Re: Re:2 Re:
“it’s important to allow genuine researchers” – I do not really care for any certificates of authenticity they have on them so long they report properly.
Re: Re: Re:2 Re:
But somehow we can’t tell the difference between disclosing a vulnerability to a company, and selling exploits! It’s too confusing!
Re: Re: Re:3 Re:
That’s why we need a white-hat certification agency.
Spectroscope producers would be happy.
Re: Re: Re: Re:
That should be obvious, but alas – is not.
The criminals – being, well, criminals – do not care for laws anyway, and the governments will get away with any poking with a straw man or a scapegoat.
Only the poor end user will have hard time sitting from screwing.
Oh, well…
Re: Re:
Similarly business do not have a right to make money without regard to the costs they impose on society, which includes exposing customers to data exposures just to make a larger profit by not following best security practices. In any case, this was not revealing a vulnerability, unless you consider doing business with authoritarian dictators and would be authoritarian dictators a vulnerability.
Re: Re:
no one has the legal right to harm businesses by poking around and disclosing vulnerabilities
On the other hand, businesses are free to harm hundreds of millions of people by concealing vulnerabilities and lying about them.
Re: Re:
“no one has the legal right to harm businesses by poking around and disclosing vulnerabilities”
…which is why the industry generally has a very good track record of not publicly disclosing any potentially harmful data until after the company in question has had a reasonable amount of time to either a) fix their security issue or b) issue their own response to the issue, depending on whether there has been a breach or not. Normally, the only time disclosure is made before the company has been able to fix their end is if they either ignore the request to do so (or follow the request for a fix up with legal action), or if the breach is so severe that it’s in the public interest for immediate disclosure.
Bear in mind that it’s often not the law that’s the problem here, it’s companies who prefer to try and silence researchers rather than publicly admit they have an issue and/or fix the revealed security flaws. I agree that the law has a problem distinguishing between black and white hats, but it’s as much a problem with the way the law is attempted to be applied as the letter of the law itself.
Re: Re: Re:
It’s funny how it follows the same pattern as physical items with design, materials, or construction flaws. Companies don’t like those investigated either. Only in the digital space, they have all these extra ways to stifle research or the researchers.
Re: Re:
“no one has the legal right to harm businesses by poking around and disclosing vulnerabilities”
You’re shooting the messenger and blaming them for the news.
The vulnerabilities that the businesses allow is what harms them. The exposure of the vulnerabilities is just inevitable and necessary.
In the same manner, Edward Snowden isn’t responsible for harming the US intelligence structure by exposing their illegal actions. Their illegal actions did that.
Guccifer 2.0 or the Russians or whoever hacked the DNC emails isn’t responsible for harming the DNC’s reputation. The DNC did that by sending those emails in the first place.
If you don’t have vulnerabilities or take sufficient actions to find and nullify what vulnerabilities you have, then you’re fine. If you expect everyone to politely ignore the fact that you’re not wearing any clothes, then you must think you’re royalty or something and even that won’t save you.
Re: Re: Re:
You’re shooting the messenger and blaming them for the news.
Shooting the messenger is a common method used to attempt to suppress news.
Re: Re:
Why not, has that right been specifically prohibited? Remember that thing about “all rights not delegated“? Or is that just an old scrap of paper to you?
Market outloook for censorware
The future opportunities to sell censorware might improve depending on the outcome of the US election.
Streisand effect
At what point will lawyers start advising their clients of the Streisand Effect before they’re introduced to it the hard way? Do law schools need to add this to their core curriculum?
Re: Streisand effect
Only while they are crossing the River Styx!
When I am elected president, I will abolish things so idiots can be all placed on an island on Mars where they will be free to censor each other freely without us peons getting in their way.
Re: Re:
Get ready for “Feel the Berenerd!”, at .38 g’s. But I think there are no islands on Mars, maybe the top of Olympus Mons would be better.
Either way, you’d be a much better candidate than that “Make Uranus Great Again!” guy. Definitely not voting for him…
Gah.