In August 2020, two FBI agents stood at my door, out of the blue, wanting to ask me questions about a TechCrunch story we published the year before.
The story tells how a hacker took thousands of documents, including visas and diplomatic passports, from a server at the Mexican Embassy in Guatemala. The hacker said they contacted Mexican officials about the vulnerable server, but were ignored. The hacker therefore tweeted a link to the embassy files. “When I don’t get a response, it becomes public,” the hacker told me.
I contacted the Mexican Consulate in New York for comment, as is common practice when reporting a story. A spokesperson said the Mexican government was taking the matter “very seriously”. We posted our story, and that seemed like the end.
The FBI knocked on my door a year later, suggested it wasn’t. I refused to speak to the officers and closed the door.
After we published our story, the Mexican government sought the assistance of the US Department of Justice through diplomatic channels to investigate the hack and possibly try to identify the hacker. Since I had contact with the hacker, this must have made me a subject of interest to the Mexican authorities, hence the visit a year later.
A month after the home visit, the Mexican government provided the FBI with a list of written questions they wanted us to answer, many of which have already been answered in history. Our response to the DOJ declined to provide anything more than what we had already posted.
Legal demands against journalists are not uncommon; some even see it as a professional risk linked to working in the media. Requests often take the form of a threat, almost always forcing the reporter or media outlet to retract a story, or sometimes even stop a story before it is published. Journalists covering cybersecurity – a pace rarely known for its jagged, upbeat headlines – are particularly prone to legal threats from businesses or governments that want to avoid embarrassing headlines about their bad security practices.
Take the recent public standoff between Missouri Governor Mike Parson and the St. Louis Post-Dispatch newspaper, which the governor accused of illegal hacking after one of its reporters found thousands of social security numbers on the website of the state education department. The reporter verified this with three people whose social security numbers were exposed, quickly briefed on the status of the security breach, and kept the story until the data could be deleted.
Parson said the report violated state hacking laws and ordered law enforcement and a county prosecutor to investigate the newspaper, saying the report was “an attempt to embarrass the newspaper. ‘State”. Legal experts, legislators and even members of Parson’s own party mocked the governor for his rebuke of the newspaper, which turned out to have acted in an entirely ethical manner. Parson doubled his stake in a video paid for by his Political Action Committee, which contained several false claims and called the newspaper “fake news.” Earlier this month, the department apologized for the failure that ultimately affected more than 620,000 educators in the state.
Claiming illegality or impropriety is a tactic used more widely against security researchers, who find and disclose exposed personal information and security breaches before malicious hackers can exploit them. Security researchers, like freelance journalists, often work alone and have no choice but to accept legal threats, fearing high legal fees to bring a case to court, even if their work is entirely legal. and helped prevent a potentially worse security incident. line. Not all of them have an experienced media legal team willing to support their game.
We’ve fended off bogus legal claims before, but having federal agents on your doorstep just to do your job is certainly new to me. There has been no suggestion of wrongdoing, although it is troubling not to know what point of view Mexico would take if I ever set foot on its soil.
But it’s the threats and legal requirements that fail to print that can do the most damage. Legal requirements inherently have a silent effect. Sometimes they are successful. Journalism can be risky, and newsrooms don’t always win. If left unchecked, legal threats can have a chilling effect that stifles both security research and journalism by making work legally toxic. This means the world is less informed and sometimes less secure.