from the instead-of-addressing-the-problem,-we'll-go-after-the-people-talking-about-i dept
Over the weekend, Zack Whittaker of ZDNet reported that a New Zealand security researcher has somehow earned the unwanted attention of DHS and ICE.
Homeland Security has served Twitter with a subpoena, demanding the account information of a data breach finder, credited with finding several large caches of exposed and leaking data.
Flash Gordon secured the assistance of the EFF to challenge the subpoena, but apparently that effort failed. This leaves everyone with the unanswered question as to why DHS/ICE are seeking the researcher’s identifying info.
As Whittaker notes, the researcher has discovered and reported several data breaches. One in particular might have drawn the attention of the feds: the exposure of a law enforcement training database.
The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law Enforcement Rapid Response Training — known as ALERRT — at Texas State University.
The database dates back to April 2017 and was uploaded a year later to a web server, believed to be owned by the organization, with no password protection.
This would be the sort of thing the US government notices, even if it’s only interested in prosecuting the messenger. PII belonging to law enforcement officers is considered to be the most sacrosanct of data, and anyone exposing a government contractor’s careless handling of it is likely to find themselves targeted by federal agents.
But this is all conjecture at this point. Flash Gordon only knows the government has demanded his info and is likely to receive it soon, if it hasn’t already. The involvement of DHS and ICE is still strange, as a breach involving US law enforcement personnel would normally be handled by the FBI.
As Dissent Doe points out in her coverage at Databreaches.net, it could have something to do with the expansive definition of “export,” which covers information as well as physical goods. That’s actual ICE territory — its less-controversial export control function. It’s illegal to export “controlled” info and tech, so the researcher’s New Zealand locale could provide a nexus for criminal charges, but only if you’re willing to suspend reality during the charging process. Doe asks:
But how would that apply to this situation? There is no U.S. individual here who is exporting information to a non-U.S. person, is there?
If this has anything to do with the multiple US-based breaches Flash Gordon has reported, the information has traveled from US companies to US journalists via a New Zealand intermediary. If Gordon has downloaded a copy of the breach’s contents, the same thing applies: the info shared with US journalists was “exported” from New Zealand to the US. The only possibility left is this: the government wants to treat a New Zealand researcher’s acquisition of breach data from US companies as an illegal “export” of controlled info.
Unfortunately for the researcher, the DOJ has engaged in some highly questionable prosecutions based on highly questionable interpretations of US law. It seems when tech/data is involved, common sense is the first victim. The DOJ hasn’t always been successful in its novel interpretations of these laws, but every federal prosecution has the potential to completely destroy the target’s life — even if it ends in a dismissal or verdict in the defendant’s favor.
The last possibility is this: it’s just a fishing operation meant to deter Gordon and others like him from searching for breaches and turning this data over to journalists. If the US government obtains identifying info, it can simply retain the info indefinitely as an implicit threat, pushing Gordon to pursue “safer” careers and hobbies. This won’t make anyone else any safer, but it will at least spare the government and its contractors further embarrassment.