I am extremely sympathetic, this shouldn’t be illegal, but as Gob in Arrested Development says, “Come on!”. There is a difference between legality and being appropriate.
In the US you can pass that line (and should be able to) without criminal threat, which is great. But it doesn’t make you a good person.
Gob: “Come on!” Compilation - Arrested Developmen…: http://youtu.be/SP_9zH9Q44o
Dear FSM, give me the patience.
I am not and never will be an authoritarian sympathizer. But that doesn’t mean I will agree with (insert politically charged word here, which aren’t constructive) types of governance.
If you have a problem with enforcement then local PD and local district attorneys are the first step. Second are your house reps, third is senate, and fiftieth is the FBI.
Henry Kissinger’s recent book is called “World Order.”
The linked Barrett Brown review is of Henry Kissinger’s “White House Years”.
This was published first in 1979. It’s not recent.
Yup. We’re stepping right into line with other regimes cracking down on journalism. The government’s endgame is for us to wind up like China.
That said, he did do things that I think they should have punished him for, likely including throwing him in jail. The fact that the things they actually threw him in jail for are not those things represents incredible abuse of prosecutorial power, and I would far rather have him escape punishment than have the government be able to abuse its power like that.
I think threatening people with violence, including on the internet, should be punished much more severely than it is. I would totally support them throwing him in jail for threatening that FBI agent, if they were similarly diligent about tracking down all the folks who have been sending death threats to eg Anita Sarkeezian, and throwing all of them in jail for a similar amount of time. Unfortunately, that’s not what they threw him in jail for. They threw him in jail for putting up a link to data that other people took, and yet other people hosted. That precedent could easily lead to similar punishments for people linking to the Snowden documents, or anything on Wikileaks.
You’ve got the facts backwards.
He didn’t “(re)publish” PII.
He copied a link from an anon irc room.
The link led to a large, heterogenous collection of information which anonymous had just dumped as part of their hack.
Some of that information was affirmatively newsworthy (it was subsequently reported on at length).
Some of it also included PII.
He then pasted this link into a private irc channel used by ProjectPM. ProjectPM was the outfit he created to do investigative research into the state security // private security nexus.
Sharing a link to information which contains (among lots of newsworthy information) PII is not the same as sharing PII. It is not “trafficking” in PII.
Sharing a link to information with a small community of journalists and researchers for the purposes of distinguishing salient from sensitive information is not the same as sharing that link with the general public.
These are the facts on which you would have him censured. They genuinely do create worrying precedents for the practice of security journalism. What he did is analogous to Greenwald sharing a reference to information with Poitras for the purposes of working on a story. If what Brown did is to be criminalized, journalists are severely restricted in their ability to “share data discreetly till they understand the story.”
It’s worth pointing out again, as the article above did, that he was not convicted for posting the link. The attempt to portray sharing a link on a private irc as “trafficking in stolen information” was so outlandish that the government dropped the charge. The government’s wild version of events was re-introduced at sentencing, even though he had not been convicted of it, in order to give him an extra year in prison.
He didn’t share it on pastebin, he shared it on a private irc channel for his crowdsourced investigative journalism group, ProjectPM.
People do things they might not otherwise do when it becomes clear that the government it out to get them. You shouldn’t make bad decisions, but people do. Authorities know they can make most people make bad decisions by harassing them enough since those people essentially have no recourse to stop the harassment. It’s hard to make good decisions if you know the people who are supposedly protecting you (and the only people who are empowered to do so) are actually ignoring your rights and coming after you.
I don’t know much about this case, and I’m sure there are things about it no one will ever know. What I do know is that if an FBI agent wanted to they could pretty much follow a person around all day shoving them every 10 seconds to see if they eventually snapped. The facts of this case are that they went after someone for expressing themselves legally, found out they couldn’t sneak that through, and ended up charging the person with other things that were the fallout of their investigation. When people get charged with the fallout of the investigation when the investigation itself didn’t work out, that smells badly of abuse.
While I agree with you, it’s still a bad decision to not wait until you’re off your opiates before recording 45 minutes of yourself saying that any government agents approaching you will be assumed to be working as a Mexican drug cartel assassination squad that you will kill to defend yourself from.
There’s a fairly good distance between feeling distraught and out of control from government harassment over trumped-up charges, and going so completely on the offensive in response that you are committing actual crimes and doing their job for them.
It’s probably not unreasonable to suppose that, but it’s also still illegal for someone to threaten you or your family with injury or death; regardless of it’s in response to you performing your job, regardless of their perceived illegitimacy of your state-empowered actions.
I know I am in the minority here. But it is trivial to mask PII, and publishing data–regardless of the platform–that contains PII is extremely unethical. The two issues I am vigorously disputing is 1) that Mr. Brown should be considered a journalist, and 2) that his behavior was in any way okay.
We cannot condone dropping caches of material like this. I will repeat–he should not be serving a criminal sentence. But he should not be lauded.
Seriously, at BB we respect and promote privacy, but not when it comes to stolen documents?
It is trivial to mask PII once you know that it is there. But knowing what is and what isn’t PII can be a tricky task that requires vetting the documents first, and if there are a large number of documents you might want to split that up between members of your team. The problem is that the US government here are arguing that you can’t.
It’s Stratfor, the target we talk about. The poster child of the intelligence-industrial complex, one of the surveillance-pushers. They are getting the taste of their own medicine, how it feels when some uninvited third party can read their sensitive data.
That, and the broken creditcard security model that is like the man behind the curtain we are supposed to ignore and not ask questions about.
Again, he did not “publish data” that contains PII.
He shared a link with other investigative journalists on a private irc chatroom for his own private association of investigative journalists.
The link did not “contain” PII - it was a mere hyperlink - it led to a large tranche of data published by someone else, within which was 1) a large amount of newsworthy information and 2) some PII.
There is little to no likelihood he knew the full tally of what was in the tranche. He will have been posting the link so that he and his associates at ProjectPM could go and look at the data. Presumably, he and his associates will have to go and look at the data before they are able to tell which parts of the data are salient and newsworthy, and which parts of it are private information the publication of which which serves no public interest.
How do you propose it is “trivial to mask” PII if investigative journalists are barred under threat of criminal prosecution from looking at, and coordinating in their investigation of, the source material?
This isn’t a case of you being in a minority of opinion. Your account of the alleged conduct is factually inconsistent even with the conduct alleged by the government.
Which is why an excellent example of security reporting is poitras and greenwald. Krebs doesn’t mess this up, goodin doesn’t, nytimes doesn’t, and BB doesn’t.
I will make this simple.
Never, ever share source material unless it is encrypted with a password communicated on a separate channel.
Never share source material without running say regex::common first.
I am gobsmacked by this ignorance.
Share it ethically and not over irc! Pgp, 7zip, and gpg are easy to use. As is the phone to transfer your key.
Above all, read it.
"He will have been posting the link so that he and his associates at ProjectPM could go and look at the data. "
This is precisely what not to do. There should not be legal issues posting a link to sensitive data, but it is against all rules of operational security. It is the ‘wash your hands’ of operational security.
He didn’t share data. He shared a link to data with journalists on a private irc where there were only journalists.
But we also don’t punish because of hate, and we don’t support mob rule. Posting links should not be illegel, but it also doesn’t mean it is okay. And seriously, seven proxies and aes.
This is the disconnect.
Never, ever do that. Ever.
I have to take a hard line on this since I get to deal with developers that write SSN s to unencrypted log files, CCs that are transmitted in http, and passwords that are sent via gmail. There is no excuse for this kind of information leakage.
And a ‘security journalist’ that doesn’t perform average opsec is as bad as a food critic that can’t recognize a potatoe.
Exactly what difference do you think using end to end crypto would have made to the facts on the ground here?
We are talking about a database that has just been dumped in the wild by a celebrity hacker group. The thing is public.
Meanwhile, off to the side, a tiny investigative journalist association, wishing to investigate the material to see if it contains newsworthy information, shares a link to the (already massively public) material on a private IRC chatroom.
You now say you feel this was unethical because Brown didn’t use end to end crypto.
Your threat model here is what exactly? Let’s presume SSL was not in use on this IRC server, which is not a foregone conclusion. So your threat model is… that identity thefts subvening on the hacked data might eventuate from an adversary performing a MITM attack on Barrett Brown’s connection to the IRC server in order to intercept… an already publicly available link to a database that has been posted somewhere else in the clear? Really?
At a more general level, I agree with the principle that journalists should use best security practice in their online communications. All of their communications, whether “sensitive” or not.
But information security involves relative judgments of risk where you evaluate the cost of security measures against the risk and severity of threats. Journalists with limited time and resources should probably allocate those resources to high risk situations, where failure to employ information security potentiates serious consequences. Actual situations where they are handling actually sensitive information. Leaving aside that there is no actual harm alleged arising from BB sharing this link, what is the potential harm arising from Brown’s alleged neglect here; what is its scope, it’s severity and its likelihood?
There is a miniscule risk of harm, because he was sharing a link in a private IRC populated only by investigative journalists with whom he was familiar, for the purposes of researching the new information. The data was already public, the link was already public. Anyone who wanted to obtain the link or the data could do it without the exorbitant cost in time and effort involved in intercepting packets between Barrett Brown’s irc client and the ProjectPM server. And lest we forget, we are not talking about BB sending people’s CC information, he was sending a link to a file hosted on someone else’s server, published by someone else, of which some tiny proportion was sensitive information. So our hypothetical attacker would, upon intercepting the link, have to go and dig through the data like everyone else in order to sate his malice. The risks here are exceedingly negligible. Employing a form of end to end crypto, whether it’s otr, pgp or some hyperobscure doodad using the btc blockchain and working over geological epochs, makes a negligible difference to those already infinitesimal likelihoods.
As I say, journalists in general should ideally use crypto for everything. But failing that, infosec is about dealing with what is probable and mitigating risks, not about creating work environments hermetically sealed against the most outlandish risks our imaginations can come up with, and I see more of an ethical problem with journalists failing to use crypto when there is a reason to use it, than with journalists failing to use crypto when there is no real reason at all to use it short of pedantry.
Would you maybe share some links which demonstrate what the ethical fuss is about?
Of course “do not harm” makes sense. But why my or others PII would be obviously harmful is not obvious, You stress “operational security”, which I understand as protecting your organization against adversaries. So who’s organization as a journalist are you protecting? Most people do not have organizations or adversaries. So locking down PII on general principle sounds like trying to do everybodys security for them, despite (in general) not knowing the particulars of their affiliations.
It sounds like if I put my contact information out in the world because I want to be involved with things, that others are legally liable if the record my info. This could seem protecting (if I accepted the protection of others), but it could also be isolating, keeping me from freely associating.
edit: I mean links to explanatory reports, articles, etc! Not links to example PII - just to be clear!
