Find a security flaw, go to jail. That’s the general attitude of government entities around the world. Over in Australia, an Anonymous member and fundraising manager for a cancer support group is facing an ever-shifting number of charges for finding and testing security holes.
Adam John Bennett is a rather un-anonymous member of Anonymous. He also acts as an unofficial mouthpiece for Anonymous via his LoraxLive online radio show. His supposed participation in a large-scale hack saw him raided by Australian Federal Police in May of 2014. Since then, he’s been awaiting prosecution for a variety of charges — charges government prosecutors seem unable to pin down.
The data breach leading to Bennett’s arrest involved a target of Australia’s controversial data retention law, which requires ISPs to hold onto subscribers’ internet activity (including social network use and emails) for two years and grant extensive access to a variety of government agencies.
AAPT confirmed it was breached in July 2012, following claims by an Australian sect of Anonymous that it snatched 40GB of data from the major Australian internet service provider (ISP).
After stripping out personally identifiable information from the data (which included members of the Australian government), Anonymous released the data to raise awareness around expectations of data security: To demonstrate that if an ISP as large and trusted as AAPT can’t keep its own data secure, it will be unable to keep Australians’ data safe under the proposed laws.
Rather than consider this a point well taken, the government went after Bennett. As for the prosecution itself, it’s been a complete shambles.
On March 11, Adam Bennett — known by most as the radio voice of Anonymous, LoraxLive, who was arrested last year for alleged computer crimes — will finally learn what he’s being charged with.
This had been expected to happen this week. Instead, at the last minute, Australian Commonwealth prosecutors — for the third time since the case began 10 months ago — requested another delay to change its lineup of accusations against him.
Maddeningly, the prosecution also indicated it will be dropping its initial charges against Bennett, and adding a slew of new ones.
Not only can’t the government decide what to charge Bennett with, but it’s also been instrumental in hamstringing his defense counsel. It’s hard enough to structure a defense when charges remain largely unknown. It’s even harder when the prosecution shows up late on the Friday before the next court date and dumps 20 GB of “evidence” into the defense’s lap.
Even more irritating is the fact that the prosecution apparently hopes to add Bennett’s vulnerability testing of his own employer to the list of charges.
One of the charges Bennett’s counsel expect to be in the final lineup is “Heartbleed Vulnerability Testing for Cancer Support W.A. 2014.” This is in regard to a Heartbleed vulnerability test created by Bennett to test his employer’s servers (Cancer Support W.A.) for Heartbleed vulns, which would have put the CRM that Bennett was involved in building for the organization at significant risk.
This addition of complete BS suggests the prosecution can’t find much about the Anonymous ISP hack it can wrap charges around. Instead, it seems to be operating purely on bluster. Constant delays followed by last-minute data dumps aren’t the sort of actions that indicate prosecutorial confidence. Instead, it gives the impression that the government hopes to obfuscate its way into a guilty verdict.
Meanwhile, Bennett is still living under restrictive bail conditions that prevent him from using the internet for anything other than banking, employment (he lost his job at the cancer support group after his arrest) or legal advice.
While the government may be right to complain about the unauthorized use of an ISP’s data, it seems to be more concerned with making an example out of someone who may have had something to do with providing a practical demonstration of the stupidity of data retention laws. The fact that it’s going after him for testing his own employer’s defense against vulnerabilities suggests there will be some prosecutorial “piling on” when it finally gets around to enumerating its criminal charges — presumably in hopes of deterring future exposures of flaws in its lawmaking logic.
This is what happens when governments try to “protect” citizens with little more than expansions of surveillance and law enforcement powers. Retained data is just as apt to be misused by cybercriminals as it is by law enforcement/security agencies. Any time you ask a third party to hold onto data it normally doesn’t, it increases the risk of serious breaches involving plenty of normally private information. There are no exceptions. Anonymous exposed the short-sightedness of data retention laws. In response, the government has decided to shoot as many messengers as it can get its hands on.