Homeland Security Subpoenas Twitter For Data Breach Finder's Account

An anonymous reader shares a report: Homeland Security has served Twitter with a subpoena, demanding the account information of a data breach finder, credited with finding several large caches of exposed and leaking data. The New Zealand national, whose name isn't known but goes by the handle Flash Gordon, revealed the subpoena in a tweet last month. The pseudonymous data breach finder regularly tweets about leaked data, found on exposed and unprotected servers. Last year, he found a trove of almost a million patients' data leaking from a medical telemarketing firm. A recent find included an exposed cache of law enforcement data by ALERRT, a Texas State University-based organization, which trains police and civilians against active shooters. The database, secured in March but reported last week, revealed that several police departments were under-resourced and unable to respond to active shooter situations.

Homeland Security's export control agency, Immigration and Customs Enforcement (ICE), served the subpoena to Twitter on April 24, demanding information about the data breach finder's account. ICE demanded Twitter turn over his screen name, address, phone number -- and any other identifying information about the account, including credit cards on the account. The subpoena also demanded the account's IP address history, member lists, and any complaints filed against the Twitter account.

Finder. Not breach creator. Finder.

How dare you say the king is wearing no clothes!

No fan of an HSA TLAs

[TimMD909]

The Homeland Security crowd seems as focused on security as the Ministry of Truth was about truth.

Re:No fan of an HSA TLAs

[93+Escort+Wagon]

Well, it is run by Ming the Merciless - and he’s show. a special interest in this particular case.

Re:No fan of an HSA TLAs

[gweihir]

Indeed. You know a society is in decline when keeping up appearances becomes far more important than solving problems.

Re: No fan of an HSA TLAs

[Reverend+Green]

Tacitus said it best:

"The more corrupt the state, the more numerous the laws."

Re:We'd all be better off

Government secrets used to be leaked in newspapers; burn all newspapers!

Incompetence?

[Maelwryth]

Someone should tell them what the wheel on the mouse does. It might save them having to use a lawyer every time they want some freely available info in a twitter feed....or they could just talk to him.

Is the subject correct?

[houghi]

I thought it was a judge who did the subpoena and not HLS? If so do not get angry at HLS for asking it but at the judge for goving it, if you think they should not have done that.

I have been in situations where the police asked for data and I (and my cow orkers) refused to give it untill there was an order from a judge. The police is allowed to ask for it, yet we are not allowed to give it.

The thing is atht these where cases we had no real issue giving the information, but if the defence found out how they got their proof, the case could easily be trown out.
And I am talking about cases like fraud, blackmail, childporn, theft. Not about grandma downloading a Metallica song. (That reference tells you how old I already am) because those where never in court., In fact I remeber reading a letter where the courts said not to bother them with such cases as it would be hogging to much time and would be seen as a contempt of the court if they continued. (Unfortunately I have not kept the letter). Yes, they would still help if there was some sort of financial gain. i.e. a copy of a CD? No problem. Selling that copy? You are going to court.

If the courts or a jury gave an OK to the sobpoena (and not rubberstamped it) I have no real issues. I must see what it is based on before any outrage.

Re:Is the subject correct?

I thought it was a judge who did the subpoena and not HLS? If so do not get angry at HLS for asking it but at the judge for goving it, if you think they should not have done that.

A subpoena is supposed to be for producing testimony and other evidence in a case. Who would be the defendant in this case? Are they planning to bring some kind of charge against Flash Gordon? WTF? No wrongdoing on his part has been alleged. Surely they're not planning to prosecute the people who left the data accessible.

If the finder

[Grand+Facade]

is a US citizen will IRS also be putting his last 10 years under scrutiny?

Isn't this akin to shooting the messenger?

Or is the finder in the game and looking to get the feds to take down his competition?

Re:If the finder

[HiThere]

This seems clear evidence that if you find an official has made a mistake, you ensure that your notice of that is really anonymous. Possibly by selling it on the black market.

The horse is already out

[Nidi62]

In a sane world, they would be finding them to give them a medal. If he could find those leaks, there's a good chance somebody else already had. And these days it seems the only way to get companies to acknowledge and fix leaks is to make them public, otherwise they get swept under the rug.

On a side note, having a hard time seeing how this falls under the purview of ICE. And I'm sure the government will be going after the medical telemarketing firm for a breach of HIPAA

Re:The horse is already out

TFA says: Although ICE's public image is often viewed through a lens of detentions and deportations, a large part of the agency's work includes fighting national security threats and fighting transnational crime, including prosecuting those who violate export laws.

Remember, this is publicly accessible data

They're going after someone who walks down the virtual street pointing out things that are publicly accessible without a single functional access control mechanism. This isn't a "hacker," it's a person that points at something on the digital street that anyone could find and access anyway. This person has committed no crimes whatsoever in doing this.

Re:Remember, this is publicly accessible data

[BlueStrat]

They're going after someone who walks down the virtual street pointing out things that are publicly accessible without a single functional access control mechanism. This isn't a "hacker," it's a person that points at something on the digital street that anyone could find and access anyway. This person has committed no crimes whatsoever in doing this.

He committed the worst crime imaginable in the eyes of the US Government.

He revealed the incompetence and ineffectiveness of a US Government security agency. To those in government, there are few crimes as onerous as revealing their incompetence and lawbreaking for all to see.

It appears that the NSA and other US TLAs have been too busy with US domestic mass surveillance, data-farming, and domestic political shenanigans to bother with piddly things like securing national infrastructure and other mundane tasks they were created to perform. Very sad.

Strat

Re:That's no boating accident

[onepoint]

While you might have thought you were Trolling, I went and looked and discovered something that I never knew existed and it's rather interesting ( at least to me who like's to learn about customs, shipping and laws

what ICE issued was a
Export Enforcement Supeana: WTF is what I said, then I learned, interesting tool they have https://www.law.cornell.edu/cf... that's the link to the Cornell legal explanation of it and where it sits in the law books.

Now how it applies to Twitter, well that's up to a lawyer to explain to the readers of slashdot
I understand how it applies to exports but this is confusing how it's being applied to Twitter.

Re:We'd all be better off

[PopeRatzo]

if Twitter just went away one day. It's a part of the culture at this point and collectively making everyone dumber.

I feel the same way about the Department of Homeland Security.

interesting prioritization

[jm007]

there's enough resources to track down someone pointing out DHS fuckups but not enough to set up a firewall or two to prevent the fuckups in the first place

the fuckups allowing all that private data to leak out won't be held accountable as wrongdoers, just the person pointing it all out

there's always more to the story than we're being told

Blame both. Don't allow yourself to do bad things

[raymorris]

Your post was interesting, thanks.

> do not get angry at HLS for asking it but at the judge for giving it, if you think they should not have done that.

We don't know why they're asking, or what basis (evidence) they have to support the subpoena, but let's assume for a moment that there is a bad subpoena, that the subpoena shouldn't have been done. If so, I would definitely blame the people who decided to get a bad subpoena that they shouldn't have gotten. "The judge let us get away it" isn't an excuse for doing bad things.

If a subpoena is not only bad but also illegal, the judge would ALSO be at fault for allowing an illegal subpoena. (Remember judges rule on what's legal, not on what they think is good).

In fact I would go so far as to say a free country *requires* we hold ourselves to a higher standard than "it's fine to do anything, so long as a judge doesn't rule it illegal". If we as a society decide we'll all do whatever nasty things as long as the law lets us get away with it, then we'd need laws against everything that might be a problem. If the only limits we put on our behavior is the law, pretty soon we need laws to stop all kinds of things, totalitarianism is required. If instead we live based on trying to do the right thing, to be considerate of others and avoid causing problems for other people (law or not), then we don't need so many laws. We can have a functioning society that is much more free of we each use our freedom in ways that are respectful and considerate of others, we don't need laws telling us exactly what we can and can't do.

> I thought it was a judge who did the subpoena and not HLS?

In this instance the agency can issue a subpoena. If someone doesn't comply with the subpoena, they can ask a court to enforce it.

target might be someone else

You may be jumping to the conclusion that this guy is under investigation -- possible, but not necessarily. The person under investigation could be the person who possibly exposed this data to the internet intentionally. If you are selling an ICE agent database, your client is a probably a drug exporter in Mexico, and the Internet facilitates transfer. Flash Gordon could be subpoena'ed as a material witness. Surely it happens, every once in a while, that the US justice system is seeking a legitimate bad guys.

Re:target might be someone else

[HiThere]

No, I'm jumping to the conclusion that the guy is being persecuted. They probably haven't yet decided what they're going to charge him with, but they'll come up with something. This isn't the way you contact someone to ask for their help, this is an attempt to bludgeon him with the law. Judging by what has thus far been said, the applicability of the law they're using is quite dubious, but if they can threaten Twitter enough, they can get the guy id'd. This is much more like coercion than asking for help.

Export Enforcement Subpoena???

The Twitter user is in New Zealand, correct? What exactly got exported that requires enforcement? Also, none of the information ICE is asking for is covered by ITAR, so the subpoena is unenforceable on its face.

Twitter should just respond by ceasing to operate in the United States, which would have the added bonus effect of shutting up the Cheeto-in-Chief.

Re:That's no boating accident

it seems to me that they tried requiring provision of records without a subpoena and Twitter told them to go fly a kite -- so they went and got a subpoena (just applying the information in the link).

In other words, it "applies to Twitter" because they "say so". Not being an export lawyer, my guess is that their argument goes that since Twitter operates internationally it is inherently doing export and import so it comes under their jurisdiction. And if you are exporting/importing then you have to maintain records as to what, by whom, for what purpose.

So, more generally, just an attempt to end run around the legal system that Twitter rejected. Since their bluff was called, instead of folding, they are doubling down by following up with a subpoena. The relevance of export regulations seems tenuous at best, but that is their argument and they are sticking with it.

Shoot the messenger

[gweihir]

And you will not get any bad news anymore. Short-term this may be nice, long-term it is a disaster. Is this agency staffed by complete and utter morons?

Take the pat down!

walking in those big machines will give you cancer

*sigh*

There is probably a 30% chance this is legitimate (we want to talk to this person in case this was part of a planned leak) a 50% chance it is a scare tactic to prevent people from using free speech (if someone finds this information about LEOs they should tell us, not put it online), and a 20% chance it was reactionary chest thumping (how dare they make Law Enforcement Look bad!)

I hate living in a world where it's impossible to tell the difference without being incredibly biased one way or the other.

Re:*sigh*

[HiThere]

You are an anonymous poster on the internet presuming to speak for a government that lies more often than it tells the truth. Why should we believe you?

Whose security is the DHS defending?

[Bruce66423]

The security of the American state, or of the incompetents who make these mistakes? Does ANYONE vote for the first?

Re:That's no boating accident

[grep+-v+'.*'+*]

but this is confusing how it's being applied to Twitter.

It's being applied to Twitter by a very nice smiling man in a black hat, holding a large piece of legal-sized paper on Twitter behind which is a large gun, and saying, "Nice piece of internet real-estate you've got there, ..."

It's the government. Once you finally manage to attract their attention and actually get them pissed, you've got Trouble with a Capital T.

Good info, thanks for sharing it!