Homeland Security subpoenas Twitter for data breach finder's account

The subpoena demanded Twitter turn over information that would identify the data breach finder.

Homeland Security has served Twitter with a subpoena demanding the account information of a data breach finder credited with finding several large caches of exposed and leaking data.

The New Zealand national, whose name isn't known but who goes by the handle Flash Gordon, revealed the subpoena in a tweet last month.

The pseudonymous data breach finder regularly tweets about leaked data found on exposed and unprotected servers. Last year, he found a trove of almost a million patients' data leaking from a medical telemarketing firm. A recent find included an exposed cache of law enforcement data by ALERRT, a Texas State University-based organization, which trains police and civilians against active shooters. The database, secured in March but reported last week, revealed that several police departments were under-resourced and unable to respond to active shooter situations.

Homeland Security's export control agency, Immigration and Customs Enforcement (ICE), served the subpoena to Twitter on April 24, demanding information about the data breach finder's account.

Twitter informed him of the subpoena, per its policy on disclosing legal processes to its users. A legal effort to challenge the subpoena by a June 20 deadline was unsuccessful.

Attorneys from the Electronic Frontier Foundation provided Flash Gordon legal assistance.

ICE demanded Twitter turn over his screen name, address, phone number -- and any other identifying information about the account, including credit cards on the account. The subpoena also demanded the account's IP address history, member lists, and any complaints filed against the Twitter account.

The subpoena did not demand the account's private messages or any other content, which typically requires a court order or a search warrant.

It's not known why the subpoena was issued. Twitter spokesperson Emily Horne said the company does not comment on individual accounts for privacy and security reasons.

ICE export enforcement subpoena. (Image: supplied)

ICE has faced calls for it to shut down amid bipartisan pressure -- and complaints from within the agency -- over the recent incarcerations of child migrants and lawful asylum seekers. Although ICE's public image is often viewed through a lens of detentions and deportations, a large part of the agency's work includes fighting national security threats and transnational crime, including prosecuting those who violate export laws.

In a message, Flash Gordon said he believed that the subpoena may have related to the recent find of law enforcement data, but couldn't be sure.

"I don't know what else [Homeland Security] would want from me," he said.

But serving an export enforcement subpoena -- used in cases to investigate US export law violations -- is almost unheard of in the case of a data breach involving private and personal information, according to one export controls attorney.

"As a general matter, the subpoena is likely to relate to the development or production of a controlled item, and not names, addresses, and contact information," said the attorney, who asked not to be named to avoid any conflicts with his work, in a phone call.

The attorney said that if the subpoena related to the ALERRT breach, this would be "a misuse" of the subpoena power, as the exposed personal data wouldn't be an export control matter. He said that an export enforcement subpoena may relate to the posting of materials subject to export controls, such as military items, or technical information and schematics.

A search of Flash Gordon's several hundred tweets revealed nothing obvious that would justify the kind of subpoena served.

The attorney said it's "not clear how a Twitter account could even be relevant in an export control investigation," calling the case a "head scratcher."

The data breach finder said he's been left without answers, and doesn't know which offending tweets -- if any -- led to the legal process. As we covered last year, several prominent security researchers and data breach hunters spoke of a "chilling effect" on their work.

"Which sucks," he said in a message, "because now I don't know what I am allowed to post or talk about on Twitter."

When reached, ICE spokesperson Matthew Bourke would not comment.
