New survey reveals how security researchers and journalists experience legal and criminal threats

Security researchers and journalists are no strangers to legal threats and, increasingly, threats from criminals. Some may see threats as an occupational hazard of working in cybersecurity, oftentimes in response to revealing or disclosing a vulnerability, data lapse or cyberattack, much to the chagrin of someone else.

But while there are periodic reports of threats made against security researchers and journalists, there are also countless cases where threats have caused a chilling effect that we may never hear about.

As a reporter for almost two decades, I know all too well the threats that security researchers and journalists encounter. I've also experienced threats and intimidation of my own, such as the FBI turning up to my house for reporting a story and being subject to hostility from an overseas government for disclosing multiple security lapses, all the way to countless spurious and rejected legal threats and demands.

But these still pale in comparison to the threats others have had to endure, including cases where researchers and journalists have been threatened with hefty sanctions if they publish, and instances where some have been actively sued. In other noteworthy reports from further afield, good-faith researchers and journalists have had to fight criminal charges or otherwise been prevented from doing their jobs.

Still, there hasn't been a wider exploration of both legal and criminal threats faced by both security researchers and journalists, many of whom do similar work, nor has it been clear what effect threats have on publishing and reporting.

I teamed up with Dissent Doe, the pseudonymous journalist at DataBreaches.net, one of the finest journalists in the data breach reporting space and someone I've known for years. Dissent Doe, too, has received numerous threats for their research and reporting.

We both wanted to explore more about what effect threats have on security researchers and journalists at large, so we got to work.

We surveyed over a hundred security researchers and journalists who cover a mix of cybercrime investigations, malware research and data breaches about the legal and criminal threats they've experienced and how it affected their work. To our knowledge, this is the first survey that aims to understand how often security researchers and journalists are legally threatened or threatened by criminals, and to understand how that affects the publication or withdrawal of research or journalism.

While the survey size was relatively small, and we note that we heard from more researchers than journalists, the responses were pretty interesting.

Here are some of the takeaways.

Three-quarters of security researchers and journalists who responded said they have faced a threat for doing their work, leaving a quarter of respondents saying they have never received one. We know anecdotally that researchers and journalists experience threats, but to see it quantified to this degree shows threats are an inherent risk of this field.

We also asked how concerned respondents were about the threats they received, and asked folks to mark on a scale their perceived severity. These scores are subjective, of course, but we wanted to understand how concerned they felt and how this affected their decision to retract or change their findings, if at all.

We found that concern scores in the lower half (ranked 1-5) were mostly associated with the decision not to retract or remove, while higher scores (ranked 6-10) led to a mix of people retracting and others not. Of the people who were most concerned, most said that they found the threats to be credible.

Half of all respondents have received at least one legal threat, ranging from indirect threats, like messages, to formal letters from law firms, all the way to federal or police investigations.

While researchers and journalists are both equally likely to receive a legal threat, we found that journalists were more likely to be threatened by criminals, including threats that have occurred in the real world.

This could be in part because we had a smaller sample of journalists, but we also found journalists were far more likely to have their name attached to their work, which may increase their odds of having a threat directed at them.

In spite of receiving threats, the majority of researchers and journalists did not retract or change their research or reporting, even in some cases after receiving death threats.

We heard examples of specific threats, including violence and intimidation, but we decided not to publish them so as not to encourage further threats. But despite facing threats from criminals, the significant majority of journalists and researchers who are threatened, even with violence, continued with their research or reporting.

This was an interesting and positive overall response. While some threats were not considered credible, plenty were, and based on some of the comments we read, many researchers and journalists were simply determined not to capitulate.

But we also note that some researchers and journalists were put in an impossible situation. For example, one respondent reported that their news outlet decided to retract so they would not have to reveal the identity of a source in court.

We hope to keep exploring the threats that face security researchers and journalists, and hope others will also consider future research to help refine our understanding as to why and under what circumstances research or journalism is retracted or removed. Legal and criminal threats can have chilling effects, and more research is needed to determine what support researchers and journalists need to prevent, assess and respond to them.

You can check out DataBreaches.net for the full findings, as well as a downloadable PDF.

this week in security is a weekly cybersecurity newsletter by Zack Whittaker, featuring all the news you need to know, good news in the happy corner, a cybercat, and much more.