Papua New Guinea Streisands Sketchy ‘Involuntary Resettlement’ Efforts By Threatening DDoSecrets

by Mike Masnick, from Techdirt (#6XJSC)

Hamilton Vagi, head of Papua New Guinea's National Cyber Security Centre, apparently never learned the first rule of trying to bury embarrassing information: threatening journalists just makes them dig in harder. And quite often leads to Streisanding the very information you were hoping would go away.

Back in February, DDoSecrets published around a million emails from Papua New Guinea's Mineral Resources Authority. The response was... crickets. Turns out not many people have burning curiosity about the daily correspondence of Papua New Guinea's mining bureaucrats, nor the willingness to dig through a million such emails.

But Vagi couldn't let sleeping dogs lie. Three months later, he sent them a pretty threatening letter about the existence of this collection of emails.

He claims that this data is massively damaging:

The data was unlawfully obtained and poses significant risks to individuals and organizations within Papua New Guinea. It is protected under local laws, including the Digital Government Act 2022 and the National Cyber Security Policy 2021, as well as international cybersecurity regulations such as the Budapest Convention on Cybercrime, to which Papua New Guinea is a signatory. Exposure to this sensitive information could lead to identity theft, financial fraud, and reputational damage.

And, as that paragraph suggests by mentioning the "Budapest Convention on Cybercrime," Mr. Vagi turned the threat dial up to 11 regarding how he was very much going to call the manager INTERPOL on DDoSecrets.

Given the legal protections governing this data, I urge you to remove it from your platform under both local and international laws. If the data is not removed, we may be forced to escalate this matter through the relevant legal and international channels, including cooperation with INTERPOL

Perhaps it won't surprise you to learn that DDoSecrets doesn't take kindly to vexatious, censorial threats. Oh, and they have a lawyer, Stanley Cohen, willing to call out the nonsense. You know that we at Techdirt love a good lawyer smackdown response letter to vexatious threats, and this sure is a good one. It starts out with a quick primer in how journalism works.

Although my clients respect your request, in keeping with age-old tradition and practice as journalists and publishers of information even, at times, sensitive embarrassing information, for use and republication by other journalists, DDoSecrets understands well its place and obligation to assist in the growth and protection of a robust and widespread marketplace of ideas.... even one in which controversial, if not painful, political concepts and practices are exposed, examined and debated among the body politic as a whole.

In that light, I can assure you that my clients are not "hackers" and play no role, direct or otherwise, in identifying, seeking or obtaining information from repositories be they state or private entities concerning information and/or internal communications regarding their activities. That is to say at no time does DDoSecrets identify targets or systems to be breached or the manner and means by which to do so in order to access material from any state or private entity. So, too, as journalists living up to the highest of that profession's age-old standards, DDoSecrets takes all necessary steps to protect/redact any and all collateral personal data it might receive that if published could pose a direct threat to individuals and or their families be it personal or economic in nature. Quite frankly, that a person, entity or a state may prove to be embarrassed by virtue of a 21st century political expose of their intent and activity is of no dispositive or controlling moment to DDoSecrets or, for that matter, any other journalist or publication ... it comes, after all not just with the turf, but the profession.

Then, it challenges the threat to go all legal on the site:

My client is a bit shocked, but not intimidated, by your undisguised threats to retaliate against DDoSecrets for what proved to be the publication by it and others of embarrassing political data retrieved from the Mineral Resources Authority (MRA) of Papua New Guinea (PNG). I can assure you DDoSecrets played no role whatsoever in the manner and means by which the MRA material was obtained and neither requested nor directed others to do so when it was apparently "hacked" more than two years ago. Moreover, that the MRA publication contains political information that falls very clearly within the reach, responsibility and safeguard of DDoSecrets as journalists is beyond dispute.

Then Cohen drops the hammer, pointing out exactly why Vagi might be so eager to make these emails disappear. Buried in those million boring bureaucratic messages are details about the Mineral Resources Authority's cozy relationship with government-owned mining companies on something called an "involuntary resettlement policy" - a euphemism that would make Orwell proud.

So Cohen calls attention to this in his reply letter, noting that perhaps that's what's driving their sudden interest in this?

As uncomfortable to state actors in PNG as it may be, one would be hard-pressed to argue that the mere publication of data that raise questions concerning the good faith and motivation of entities involved with it constitute a violation of the intended reach of any law. For example, among the PNG related data release was an exchange of 2013-05-06 between "Mineral Government PG" and several dozen others affiliated with MRA. Entitled "Consultation Meeting- Involuntary Resettlement Policy"

Seems newsworthy!

But here's where it gets weird. Cohen reveals this wasn't the first time Papua New Guinea officials reached out about the emails. Earlier, someone claiming to be an "ISMS consultant" for the Mineral Resources Authority took a completely different tack - asking DDoSecrets to help them figure out "if it was an insider attack."

That you now seek to bully DDoSecrets into removing, nay, censoring explosive embarrassing information essential to an informed body politic of the People of Papua New Guinea, regarding the pernicious relationship between the mining industry and, at times, PNG is not just an affront to the role of journalism, but a dramatic about face from an earlier outreach by others holding themselves out to be representative of MRA. Thus, in a series of earlier text messages, one self-identifying as an "ISMS consultant" working for the Mineral Resources Authority of Papua New Guinea focused not on content but carrier. One such exchange is telling:

ISMS: "Either take the data being publicised, down and/or letting us know if it was an insider attack."

DDoSecrets: "I mean what would happen to him? Or her?"

ISMS: "Nothing. This is all about ensuring that future risks can be mitigated. We are just interested in making the MRA more secure so this doesn't happen again"

DDoSecrets: "Ok"

ISMS: "Can you at least confirm whether it was an insider?"

DDoSecrets: "I don't know what to say"

ISMS: "if you can confirm it was an insider, then we can strengthen our insider security and our awareness training"

DDoSecrets: "What if don't?"

ISMS: "IF it wasn't an inside, then we will spend our efforts securing the perimeter."

As for Vagi's threats of criminal referrals and INTERPOL involvement? Cohen basically laughs him out of the room. He methodically demolishes each legal theory Vagi throws around:

Finally, I would like in brief to comment on your red herring of potential state and international criminal exposure by my client for nothing more than publication of politically sensitive material. Preliminarily, to the extent you rely upon the Budapest Convention as the basis to demand that DDoSecrets remove its expose on various protocols and activities of the Mineral Resources Authority (MRA) of Papua New Guinea, as constructed and applied your interpretation is little more than a palpable wishful shout .. an argument here lacking any relevant application as to DDoSecrets. Without analyzing in full the intended reach of the Convention, in relevant part its clear intent is not to silence publication of materials received by journalists and publications who played no role whatsoever in the activity that led to its acquisition, but rather to address "cybercrimes" such as hacking or conspiracy to hack by those who engaged in that very activity. Indeed, on this point, unless I am in need of a stronger reading glasses, I found no part of the Convention which specifically sets forth a lawful basis to prosecute not those who hacked otherwise "secure" data bases of information, but rather those who subsequently published it... here some two years later and only after taking reasonable steps to redact the information in such a way as to safeguard sensitive personal information contained therein.

Likewise, while I have reviewed the Papua New Guinea Digital Government Act 2022 and the National Cyber Security Policy 2021 and found them to reflect a powerful commitment by the state to enter the increasingly interconnected world of the 21st century, at day's end neither is on point as to your demand of DDoSecrets. Thus, while these Acts clearly express a strong commitment to the establishment of a proactive and far-reaching strategy to ensure state cybersecurity by, inter alia, safeguarding digital infrastructure each fails to address let alone criminalize, as here, third party publication of embarrassing state information.

So, too, I would note that your threat to seek criminal law intervention and enforcement through various international entities including INTERPOL is likewise a bark without bite. Having litigated and prevailed at INTERPOL on the basis of the "political" exception, I am well aware of what is necessary to obtain a Red Notice against a given identified and criminally charged individual by INTERPOL, as well as its political exemption rule. In this case, your ignored demand of DDoSecrets would, in any event, fail to satisfy the requisite charging predicate for triggering a Red Notice, and most certainly presents activity well within the clear reach and intent of INTERPOL's political immunity clause.

So what did Vagi's legal threats accomplish? Well, they guaranteed that a lot more people are now aware of the MRA email dump and its revelations about "involuntary resettlement" policies. Before his letter, these were just boring bureaucratic emails gathering digital dust. Now they're the subject of international attention and legal drama.

It's a textbook case of the Streisand Effect, but with a bonus lesson: when your job involves covering up potentially sketchy mining policies, maybe don't pick a fight with people whose entire business model depends on exposing government wrongdoing. They tend to be pretty good at it.
