The government isn't done jerking around security researcher Justin Shafer quite yet. Shafer came across a bunch of dental patient information in an improperly secured database. This discovery led to the FTC levying a $250,000 fine against the software provider, Schein, for falsely portraying its faux encryption as actual encryption. After notifying affected parties, Shafer was thanked for his help with a raid by FBI agents.
This happened days after the FTC announced its settlement with Schein. FBI agents dragged Shafer outside of his house in his boxers at 6:30 in the morning and took every electronic device in the house except for his wife's phone. His children were awakened by shouting men pointing guns at their parents.
This wasn't the only time Shafer was raided. He was raided once more, again for suspicions he was engaged in illegal hacking, this time allegedly in conjunction with TheDarkOverlord. Neither of these two raids resulted in anything more than a bunch of seized electronics and Shafer's family being taught to fear, if not hate, federal agents. No charges were brought as the result of these two raids.
This second raid led to Shafer directing his anger at the agent who had secured the search warrant, Special Agent Nathan Hopp. Following this raid, Shafer tracked down Hopp and Hopp's wife via social media, engaging in a series of unwise (but not actually threatening) confrontations with the agent's wife. In one message to her, he implored SA Hopp's wife to return video recordings of his children, which had been seized along with everything else.
This led to a third raid by FBI agents -- this time in response to Shafer's alleged "threats." Shafer was released on bail, but quickly sent back to jail after he vented about his treatment by the FBI in an ill-advised blog post. Shafer spent eight months in jail before finally being released. The DOJ pursued a superseding indictment, most likely because its original indictment failed to impress the judge presiding over Shafer's case.
The situation got even more petty and bizarre when the DOJ demanded Twitter hand over info of all accounts engaged in a conversation about Special Agent Hopp -- one that culminated in Justin Shafer delivering an apparently threatening smiley face emoji. Most of the convo participants were easily identified, making this weird flex by the DOJ a vulgar display of stupidity and vindictiveness.
Last March, the cavalcade of petty stupidity finally came to a close. Well, almost. Shafer signed a plea agreement with the DOJ, pleading guilty to a single count of retaliating against a federal official. (The FBI's multiple acts of retaliation against Shafer are apparently within the bounds of the law…) Shafer has finished his probation and done everything he's supposed to, but the government isn't holding up its end of the bargain.
According to his plea agreement [PDF], the government could choose to seize one specific set of data. Under "Financial Obligations," the plea agreement specifies:
The Court may order the forfeiture of the Defendant's interest in the following property: All electronically/digitally stored means of identification (other than the Defendant's own) stored on electronic storages [sic] devices and/or media seized from the Defendant pursuant to the execution of federal search warrants.
The FBI has so far refused to return anything to Justin Shafer. The hard drives containing leaked patient data also contained more than 250 family videos. The FBI has made no move to forfeit anything else it seized. It has also said it will meet with Shafer to delete the patient information he downloaded during his security research. But ten months after broaching the subject, the FBI hasn't set a date for returning Shafer's personal files that were swept up along with the data the FBI sought.
On top of that, the court never ordered the forfeiture of the leaked patient data, so the FBI technically can't even keep that. Understandably, the feds may move for forfeiture of this specific data if Shafer tries to get it back, but for now, it doesn't really have any legal basis to hold onto anything it seized during the May 2016 raid that started the ball rolling on this debacle.
The FBI should have returned everything it wasn't authorized to keep once it had a signed plea deal in hand. It has no use for anything found on any of the seized devices, especially since it undoubtedly knows where to find and remove the patient data the court says Shafer shouldn't have back. But ten months later, it has made no move to return the files it seized, which include 250 family videos of no possible interest to the FBI.
There's no reason the FBI can't just hand over everything but the patient data without making Shafer and his legal rep jump through a bunch of hoops. But it seems the FBI isn't through with Shafer. Given the history on display here, the lack of forward motion by the agency that raided Shafer's home three times but only managed to walk away with a single (bullshit) count of retaliation via threatening a family member (read the law and the indictment to see why this charge is bullshit) can only be seen as vindictive.
The entire picture is ugly: reported data breaches were treated as criminal acts by an agent with too much free time and a vivid imagination. When his (repeated) target lashed out, the DOJ expanded past its fantasies of a Shafer-DarkOverlord partnership to punish Shafer for stupid, but not truly threatening, internet activities. Now it's sitting on his personal belongings because it can, not because it needs to.