Legal Demands vs. Press Freedom

An Unexpected Visit from the FBI

In August of 2020, I received an unannounced visit from two FBI agents at my home. They wished to discuss a TechCrunch article published the previous year.

The Story Behind the Inquiry

The article detailed how a hacker had obtained thousands of documents, encompassing visas and diplomatic passports, from a server belonging to Mexico’s Embassy in Guatemala. The hacker asserted they had previously alerted Mexican officials regarding the server’s vulnerability but received no response. Consequently, the hacker publicly shared a link to the embassy’s files. “Public disclosure follows a lack of reply,” the hacker communicated to me.

Following standard journalistic procedure, I reached out to Mexico’s consulate in New York for a statement. A representative indicated that the Mexican government considered the incident with “great seriousness.” We subsequently published the story, and it appeared to be resolved.

Escalation and Official Requests

The subsequent visit from the FBI, occurring a year later, indicated otherwise. I chose not to engage with the agents and ended the conversation.

It became clear that the Mexican government, following our publication, had requested assistance from the U.S. Department of Justice via diplomatic channels. This request aimed to investigate the hack and, presumably, identify the responsible hacker. My contact with the hacker likely positioned me as a person of interest to the Mexican authorities, explaining the delayed inquiry.

One month after the agents’ visit, the Mexican government submitted a list of written questions to the FBI, intending for us to answer them. Many of these questions had already been addressed within the original article. Our response to the DOJ reaffirmed our commitment to providing only information already in the public domain.

Legal Challenges Faced by Journalists

A Common Occurrence

Requests for information from legal authorities are not unusual for reporters; some consider it an inherent risk of the profession. These demands frequently manifest as threats, often aimed at compelling a journalist or news organization to retract a story, or even to halt its publication.

Journalists specializing in cybersecurity – a field not typically associated with positive news – are particularly susceptible to legal intimidation from entities seeking to avoid negative publicity regarding their security shortcomings.

The Missouri Governor and the St. Louis Post-Dispatch

Consider the recent dispute between Missouri Governor Mike Parson and the St. Louis Post-Dispatch. The governor accused the newspaper of illegal hacking after a journalist discovered thousands of Social Security numbers exposed on the state education department’s website. The journalist confirmed the exposure with affected individuals, promptly alerted the state, and delayed publication until the data was secured.

Governor Parson claimed the reporting violated state hacking laws and initiated investigations. He characterized the reporting as “an attempt to embarrass the state.” However, legal experts, legislators, and even members of his own party criticized the governor’s response, deeming the newspaper’s actions ethical. The governor subsequently released a video, funded by his political action committee, containing inaccuracies and labeling the newspaper “fake news.” The department later apologized for the data breach, which impacted over 620,000 educators.

Impact on Security Researchers

Allegations of illegality or impropriety are also frequently directed at security researchers who identify and disclose vulnerabilities and exposed data before malicious actors can exploit them. Similar to independent journalists, these researchers often operate independently and may be forced to comply with legal threats due to the potential costs of litigation, even when their work is lawful and preventative.

Not all researchers have access to experienced legal counsel to support their defense.

The Chilling Effect of Legal Pressure

While we have successfully resisted questionable legal demands in the past, the appearance of federal agents at one’s home solely for performing journalistic duties is a novel experience. Although no wrongdoing has been suggested, the uncertainty regarding potential repercussions should I travel to Mexico is concerning.

However, it is the unpublicized legal threats and demands that pose the greatest risk. These demands inherently discourage reporting. Sometimes, they are successful. Journalism carries inherent risks, and news organizations do not always prevail. Unchecked, such threats can create a chilling effect, hindering both security research and journalism by making these endeavors legally precarious. Ultimately, this results in a less informed and potentially less secure world.