New survey reveals how security researchers and journalists experience legal and criminal threats
Security researchers and journalists are no strangers to legal threats, and increasingly, threats from criminals. Some may see threats as an occupational hazard of working in cybersecurity, oftentimes in response to revealing or disclosing a vulnerability, data lapse, or cyberattack, much to the chagrin of someone else.
But while there are periodic reports of threats made against security researchers and journalists, there are also countless cases where threats have caused a chilling effect that we may never hear about.
As a reporter for almost two decades, I know all too well the threats that security researchers and journalists encounter. I've also experienced threats and intimidation of my own, such as the FBI turning up to my house for reporting a story, and being subject to hostility from an overseas government for disclosing multiple security lapses, all the way to countless spurious (and rejected) legal threats and demands.
But these still pale in comparison to the threats others have had to endure, including cases where researchers and journalists have been threatened with hefty sanctions if they publish, and instances where some have been actively sued. In other noteworthy reports from further afield, good-faith researchers and journalists have had to fight criminal charges or otherwise been prevented from doing their jobs.
Still, there hasn't been a wider exploration of both legal and criminal threats faced by both security researchers and journalists, many of whom do similar work, nor has it been clear what effect threats have on publishing and reporting.
I teamed up with Dissent Doe, the pseudonymous journalist at DataBreaches.net, one of the finest journalists in the data breach reporting space and someone I've known for years. Dissent Doe, too, has received numerous threats for their research and reporting.
We both wanted to explore more about what effect threats have on security researchers and journalists at large, so we got to work.
We surveyed over a hundred security researchers and journalists who cover a mix of cybercrime investigations, malware research, and data breaches about the legal and criminal threats they've experienced and how those threats affected their work. To our knowledge, this is the first survey that aims to understand how often security researchers and journalists are legally threatened or threatened by criminals, and to understand how that affects the publication or withdrawal of research or journalism.
While the survey size was relatively small, and we note that we heard from more researchers than journalists, the responses were pretty interesting.
Here are some of the takeaways:
Most security researchers and journalists have received a threat for their work
Three-quarters of security researchers and journalists who responded said they have faced a threat for doing their work, leaving a quarter of respondents saying they have never received one. We know anecdotally that researchers and journalists experience threats, but to see it quantified to this degree shows threats are an inherent risk of this field.
We also asked how concerned respondents were about the threats they received, and asked folks to mark on a scale their perceived severity. These scores are subjective, of course, but we wanted to understand how concerned they felt and how this affected their decision to retract or change their findings, if at all.
We found that concern scores in the lower half (ranked 1-5) were mostly associated with the decision not to retract or remove, while higher scores (ranked 6-10) led to a mix of people retracting and others not. Of the people who were most concerned, most said that they found the threats to be credible.
Legal threats are common for all, but journalists get more criminal threats
Half of all respondents have received at least one legal threat, ranging from indirect threats such as messages, to formal letters from law firms, all the way to federal or police investigations.
While researchers and journalists are both equally likely to receive a legal threat, we found that journalists were more likely to be threatened by criminals, including threats that have occurred in the real world.
This could be in part because we had a smaller sample of journalists, but we also found journalists were far more likely to have their name attached to their work, which may increase their odds of having a threat directed at them.
In the face of threats, most researchers and journalists stood their ground
In spite of receiving threats, the majority of researchers and journalists did not retract or change their research or reporting, even in some cases after receiving death threats.
We heard examples of specific threats, including violence and intimidation, but we decided not to publish them so as not to encourage further threats. But despite facing threats from criminals, the significant majority of journalists and researchers who are threatened — even with violence — continued with their research or reporting.
This was an interesting and, overall, positive response. While some threats were not considered credible, plenty were, and based on some of the comments we read, many researchers and journalists were simply determined not to capitulate.
But we also note that some researchers and journalists were put in an impossible situation. For example, one respondent reported that their news outlet decided to retract so they would not have to reveal the identity of a source in court.
We hope to keep exploring the threats that face security researchers and journalists, and hope others will also consider future research to help refine our understanding as to why and under what circumstances research or journalism is retracted or removed. Legal and criminal threats can have chilling effects, and more research is needed to determine what support researchers and journalists need to prevent, assess, and respond to them.
You can check out DataBreaches.net for the full findings, as well as a downloadable PDF.