In August 2020, two FBI agents were standing on my doorstep, unannounced, wanting to ask me questions about a TechCrunch story we had published the year before.
The story was about how a hacker took thousands of documents, including visas and diplomatic passports, from a server at Mexico's Embassy in Guatemala. The hacker said they had contacted Mexican officials about the vulnerable server but were ignored, and so the hacker tweeted out a link to the embassy's files. "When I don’t get a reply, then it’s going public," the hacker told me.
I contacted Mexico's consulate in New York for comment, as is standard practice when reporting a story. A spokesperson said the Mexican government took the matter "very seriously." We published our story, and that seemed to be the end of it.
The FBI knock at my door a year later suggested it wasn't. I declined to speak with the agents and closed the door.
After we published our story the Mexican government requested the help of the U.S. Department of Justice through diplomatic channels to investigate the hack and presumably try to identify the hacker. Because I had contact with the hacker, that must have made me a subject of interest to the Mexican authorities, hence the visit a year on.
A month after the house call, the Mexican government provided the FBI with a list of written questions it wanted us to answer, many of which were already answered in the story. Our response to the DOJ declined to provide anything more than what we had already published.
Legal demands against reporters are not uncommon; some even see it as an occupational hazard of working in the media. Demands often come in the form of a threat, almost always compelling the journalist or news outlet to retract a story, or sometimes even to stop a story before it's published. Journalists covering cybersecurity — a beat rarely known for its chipper and upbeat headlines — are especially prone to legal threats by companies or governments wanting to avoid embarrassing headlines about their poor security practices.
Take the recent public standoff between Missouri Governor Mike Parson and the St. Louis Post-Dispatch newspaper, which the governor accused of illegal hacking after one of its journalists found thousands of Social Security numbers on the state education department's website. The journalist verified this with three people whose Social Security numbers were exposed, promptly informed the state of the security lapse and held the story until the data could be taken down.
Parson said the reporting violated the state's hacking laws and ordered law enforcement and a county prosecutor to investigate the paper, claiming the reporting was "an attempt to embarrass the state." Legal experts, lawmakers and even members of Parson's own party derided the governor for his rebuke of the newspaper, which was found to have acted entirely ethically. Parson doubled down in a video paid for by his political action committee, which contained several false claims and called the newspaper "fake news." Earlier this month, the department apologized for the lapse that ultimately affected more than 620,000 state educators.
Claiming illegality or impropriety is a tactic used more broadly against security researchers, who find and disclose exposed personal information and security flaws before malicious hackers can exploit them. Security researchers, much like independent journalists, often work alone and have no choice but to acquiesce to legal threats, fearing high legal costs of taking a case to court, even if their work is entirely legal and helped to prevent a potentially worse security incident down the line. Not all of them have an experienced and willing media legal team to back their play.
We've rebuffed spurious legal demands before, but having federal agents on your doorstep simply for doing your job is certainly a new one for me. There has been no suggestion of wrongdoing, though it's unsettling not knowing what view Mexico would take if I ever stepped foot on its soil.
But it's the legal threats and demands that don't make it to print that can have the most damage. Legal demands inherently have a silencing effect. Sometimes they succeed. Journalism can be risky and the newsrooms don't always win. Left unchecked, legal threats can have a chilling effect that stifles both security research and journalism by making it legally toxic to work. That means the world is less informed and sometimes less secure.