Security Researcher At The Center Of Emoji-Gate Heading Home After Feds Drop Five Felony Charges

The security researcher who was at the center of an audacious and disturbing government demand to unmask several Twitter accounts on the basis of an apparently menacing smiley emoji contained in one of them is now facing zero prison time for his supposed harassment of an FBI agent. Justin Shafer, who was originally facing five felony charges, has agreed to plead guilty to a single misdemeanor charge. Shafer, who spent eight months in jail for blogging about the FBI raiding his residence repeatedly, is finally going home.

Here are the details of plea agreement [PDF] Shafer has agreed to. (h/t DissentDoe]

Mr. Shafer is pleading to a single misdemeanor of simple assault, based on his sending a Facebook direct message to an FBI Agent's immediate relative's public Facebook account. There is no allegation of any physical contact.

The government agrees to recommend a sentence of time served. Mr. Shafer already served 8 months in jail before trial for criticizing the government's prosecution in a blog post. He was released after the defense filed a motion arguing his pre-trial detention violated First Amendment free speech rights and the statute governing pre-trial detention.

The government is not seeking for any restitution.

The United States Attorney's Office has agreed not to prosecute Mr. Shafer for the events leading to the initial armed FBI raid of his family's home.

Mr. Shafer has agreed to a no contact order with the FBI agent, the agent's family, and the company involved in the initial investigation.

What started out as normal security research soon became a nightmare for Shafer. His uncovering of poor security practices in the dental industry -- particularly the lack of attention paid to keeping HIPAA information secured -- led to his house being raided by FBI agents. The FBI raided his house again after he blogged about the first raid. The FBI justified its harassment of Shafer with vague theories about his connection to infamous black hat hacker TheDarkOverlord. To do this, the FBI had to gloss over -- if not outright omit -- the warnings Shafer had sent to victims of TheDarkOverlord, as well as the information on the hacker Shafer had sent to law enforcement agencies including the FBI.

Blogging about his interactions with the FBI led to the judge presiding over his criminal trial to revoke his release and jail him for exercising his First Amendment rights. This was ultimately reversed by a federal judge who agreed Shafer was allowed to call FBI agents "stupid" and blog about his treatment by the federal agency. (He was not to reveal personal info about FBI agents, however.)

This trial has come to a swift end because the presiding judge sees zero merit in the government's case.

[T]he case probably would have gone to trial had it not been for Judge Janis Graham Jack letting the prosecution know that she saw no evidence of any threat to support the felony charges and that she might rule on the defense's motion to dismiss if the prosecution didn't come up with some reasonable plea deal.

This case comes to an end, but it does not absolve the government of its abusive behavior. Here's what Shafer's defense team (Tor Ekeland, Fred Jennings, and Jay Cohen) had to say about their client's treatment by federal law enforcement.

Mr. Shafer first contacted us after he [was] raided by armed federal law enforcement for alleged computer crimes the government has never charged him for. When he complained to the government about it, he was arrested and thrown in jail for his criticism. He was freed after the defense filed a motion arguing his pre-trial detention violated the First Amendment. Fortunately, when presented with the facts of this case, the Court understood the magnitude of the issues here and helped us resolve this case without the hassle, expense, and stress of a jury trial. We are grateful to the Northern District of Texas for recognizing this case for what it was: an attack on internet free speech and a citizen's right to criticize the government.

And what can we learn from this debacle? Here's what Shafer has learned: never help anybody.

I think the next time someone finds social security numbers that is considered protected health information under HIPAA they should just turn a blind eye. Nobody is going to call you a hero (except the enlightened), and you run the risk of being harassed by the FBI. Doctors responsible for alerting patients will now have yet another reason not to. Already, only about 10% of doctors notified patients that their patient information was publicly available. Law enforcement or the Office of Civil Rights won't care, and will most likely ignore it. Punishing health information researchers for reporting these issues only puts patients at greater risk. I think it would benefit society greatly if people who find publicly accessible data were not threatened by the people who put it there.

Thank god the FBI was there to help ensure public safety no one publicly badmouthed one of its agents. Shooting the messenger is the expected response when security breaches are discovered. If it's not those leaving personal info exposed threatening researchers with lawsuits or criminal charges, it's the government itself stepping in to "protect" entities that can't even protect the data of paying customers.