
Over at Security.StackExchange, a discussion broke out over the use of the term "extortion" in a situation where an anonymous security professional sent an email to a business to say that they found a vulnerability in the business' website, but the security professional asked for money upfront before they would discuss any details.

The rest of the context of the email suggests that it is likely a scam (they likely have nothing of value to offer), but I want to put that aside. The actor could or could not have an actual vulnerability to discuss.

Does the situation satisfy the general legal understandings of "extortion"? I see that New York State law and this discussion about extortion in the Doha Declaration suggest that it could be, but it might not fit perfectly.

There is an implied threat of future harm to the site or business, not by the actor themselves necessarily, that a specific, potentially existential problem exists that anyone could take advantage of. And because all security vulnerabilities are exploited by people, whether by malicious intent, accident, or mistake, then extortion laws that say that the loss/damage could be caused by another, appear to be relevant here. Protection racket discussions seem to also be relevant.

We could reframe the situation to something non-technical:

PersonA calls PersonB, who is on vacation, and says, "I know you are away from home. There is something wrong with your house. Pay me money and I will tell you what is wrong."

Ethics and morality aside, does the situation cross over into a general legal understanding of extortion?

This has an impact on how security professionals contact people with whom they have no pre-existing relationship, to discuss the vulnerabilities they find, while hoping to offer commercial services.

schroeder

  • Since it's causing confusion in the answers and comments, please clarify in your question: are you interested in an answer which applies in NSW, New York State, both, or somewhere else? – user8675309 Apr 16 '20 at 21:42
  • @Z4-tier As stated in the question, I'm looking for general legal theory, in accordance with the site's guidance for asking questions "Legal terms and language, doctrines and theory". Since extortion is an ancient concept, with legal examples going back in English law back to the 13th century, I thought there would be general discussions to point to. I'm not looking to argue a specific case or mount a specific defence. – schroeder Apr 17 '20 at 08:13
  • In fact, I have since discovered several discussions and legal opinions on extortion as it pertains to "coercion" and "inducement", which suggests that extortion can be very difficult to define in strict legal wording. Mostly because people expect extortion to necessitate coercion, but case law points to multiple instances where it does not when people corruptly try to avoid coercion while engaging in extortionary acts. – schroeder Apr 17 '20 at 08:20
  • As someone that has worked in the industry and found holes, I've left them because of exactly this. Why waste my time helping someone else when I could take a hike. – user31025 Apr 17 '20 at 04:52
  • I really don't think that your house analogy is comparable. I think this scenario would be more apt: Someone rings the doorbell of the house that you've built yourself. He introduces himself as an architect and claims to have noticed a major structural problem that could cause the house to fall down. He offers his services to fix it. The thing is that you're not away, you're right there. And you caused the initial problem, it's not an external "accident". – pipe Apr 18 '20 at 04:32
  • I see you're ailing. We're an EMT crew and our ambulance is right outside. Would you like an ambulance ride? It's not free. Sorry, I'm not a masher, but you have a bit in your eye. Do you have fuzzy vision sometimes? Yes, it's probably retinitis. Very treatable. Here is my card, come make an office visit. They aren't free. – Harper - Reinstate Monica Apr 18 '20 at 15:40

3 Answers


Ethics and morality aside, does the situation cross over into a general legal understanding of extortion?

No.

Extortion necessarily includes coercion.

An offer to tell what is wrong (and from the point of view of the target — only allegedly wrong) is neither threat nor force, therefore no coercion.

It would have been coercion (and therefore extortion) if the guy said along the lines "If you don't pay I will exploit the vulnerability, and/or tell a bunch of bad guys about it — they will be sooo thankful to me".

Provided that the guy does not say/imply he will do something if not paid, there are no legal issues here.

Greendrake

  • This answer does not appear to be consistent with the NSW or New York State wordings for what coercion applies. There need not be a specific threat of action by the actor, and fear or undue malice is sufficient. Protection racket laws also state that protecting against the actions of a 3rd party, if done with fear and malice, suffice. – schroeder Apr 16 '20 at 12:28
  • @schroeder Your linked NY definition of extortion requires the intention to "cause", "engage", "accuse", "expose", "testify", "use" or "perform". Mere fear the target may subjectively feel is not by itself sufficient to call it extortion. This is pretty consistent with the general definitions I cited. Also, where is NSW in your question? – Greendrake Apr 16 '20 at 12:31
  • That's not what the NY text says at all. The NY text says that the intent is to get property by instilling fear that "cause", "engage", "accuse", "expose", "testify", "use" or "perform" will happen. Not that those are the actor's overt acts. And I did not cite NSW in my question but we talked about it in the other comment thread. I hoped the context would transfer here. – schroeder Apr 16 '20 at 17:15
  • @schroeder It does not matter if the target feels that the actor will do any of those actions: the "instilling" has to be obvious to an independent reasonable observer. If the actor merely offers (vs. demands) there is no objective instilling of fear. – Greendrake Apr 16 '20 at 23:00
  • @schroeder Re jurisdictions — on this site answerers pick up jurisdictions from questions, not from other answers. If you seek an answer for a specific jurisdiction, you should tag your question with it. – Greendrake Apr 16 '20 at 23:03
  • I can understand that the site has standards for the questions, but I'm talking about coherence in argument. Your answer is not coherent with legal texts, including legal texts mentioned in another answer. You are quoting Wikipedia, not legal texts. And Wiki is wrong on this, I have learned. To quote UPenn Law Review: "Nonlawyers tend to think of extortion as necessarily coercive." Your answer, and comments, would be more helpful if you included legal text. Not Wiki. – schroeder Apr 17 '20 at 06:41
  • @schroeder The whole reason courts of law exist is that law does not break down to simple formal logic and math-like proofs. The point of my answer is to provide a sound legal point which, should it not sound convincing enough, one could nevertheless probably successfully argue in court. Also do not underestimate Wiki legal texts — they provide a reasonable overview of what the law is. Of course there will always be random lawyers that disagree. – Greendrake Apr 17 '20 at 06:59
  • What exactly you say matters, even if there is no explicit threat. The law could very well interpret something like "You are vulnerable to hacking; if you pay me I will tell you how to stop it" as "I will hack you if you don't pay me". Kind of like the gangsters who ask a shopkeeper to pay them for "protection". It would be a legal loophole way too easy for criminals to exploit. – NotThatGuy Apr 17 '20 at 10:30
  • @NotThatGuy That's exactly why I wrote "say/imply" and not just "say". – Greendrake Apr 17 '20 at 14:07
  • @schroeder In law there is a difference between subjective and objective tests. If I come up to you in the street and say "Hi, isn't the weather nice today?" and you go away with the fear that I have compelled or induced you to deliver property to me, then whilst subjectively I have "instilled" the fear in you, objectively (by the reasonable person test that Greendrake linked to) I have not. The important thing is not whether or not the fear was instilled in you specifically, but whether a reasonable person would have had that fear instilled by my actions. – JBentley Apr 17 '20 at 15:29
  • @JBentley yes, I understand that. What is this comment in reference to? – schroeder Apr 17 '20 at 19:42
  • I cannot accept this answer because it is based on a fundamentally faulty premise that "Extortion necessarily includes coercion". It does not. It is based on a common, yet faulty misunderstanding of the theory of extortion and the answerer is ignoring all evidence that is antithesis to his claim. Despite the votes, I cannot accept it. – schroeder Apr 17 '20 at 19:47
  • @schroeder I think you are now informed enough to answer the question yourself, aren't you? – Greendrake Apr 17 '20 at 21:38
  • @schroeder I don't understand the purpose of your question. You seem only willing to accept an answer that conforms to the conclusion that you've already formed. In that case this should be a Q&A style question and you should post your own answer. What exactly is it that you are hoping for? – JBentley Apr 17 '20 at 22:35
  • @NotThatGuy 'The law could very well interpret something like "You are vulnerable to hacking; if you pay me I will tell you how to stop it" as "I will hack you if you don't pay me". ' Really? Because that sounds like pretty standard advertising to me. – NPSF3000 Apr 18 '20 at 04:08

In my opinion the specific case we are discussing is a borderline one. The other answers might be right in general, but they aren't considering the real "threatening" email that we have seen in the security community here on Stack Exchange. The OP didn't include the original email in his question, but I already knew what he was talking about because I had seen the original thread.

The context is necessary if we want to understand the potential threats. Whether something is extortion or not depends on how the threat is perceived by a potential victim (not really a specific victim, but on average, a reasonable person). Every tiny detail of the context might play an important role. If I told you "Buy these shoes or you will look like an idiot", that sentence will not be perceived as a threat by most people, because of several factors: context, culture, virtually nonexistent gain or loss, etc. Even if you read an advertisement saying "Buy these shoes or I'll kill you", that won't be perceived as a threat (after all, it's just an advertisement, it'd be perceived as a joke). But if you were walking alone in the dark and a masked stranger approached you saying "Buy these shoes or I'll kill you", that would feel much different. On the other hand, if a doctor says "I need more ventilators or lots of people will die from Covid-19", it's not extortion, because the threat is real and they aren't asking for a personal gain.

That said, here are the points I think we need to consider, to analyze the whole context:

  • Is the threat justified? Is the threat real or not? Has it been exaggerated to make it sound worse? Etc.
  • Freedom or coercion? Does the potential victim feel free to make any decisions? Is the potential victim free to choose between several options, or get the service from another competitor? Etc.
  • Is any personal gain justifiable? For example, if someone provides a professional service, it makes sense to pay for it. If someone wants money to give you back your data after they have stolen it, that's not a professional service.

You didn't post the original email with the potential extortion, so I'll quote it here:

I'm a Security Researcher running a vulnerability identification service for a small group of private clients, and I accidentally found some vulnerabilities in your infrastructure.

For a small fee, I will share the vulnerability details with you (includes POC, screenshots, and suggested solutions).

Paypal instructions:

Recipient: REDACTED GMAIL ADDRESS
Paying for an item or service (covered under PayPal Purchase Protection for Buyers)
Amount: $100
Add a note: [redacted, my domain name]

After I receive your payment, within 48 hours, I will send you an email with all the vulnerability information.

It is borderline because on one hand there are no direct threats, but on the other hand the email lacks important information that would have helped a lot in reassuring the client and sounding more professional. For example, the introduction is fine, except the researcher's name (or his company's name) is missing. Also, the last sentence is ambiguous because "within 48 hours" might mean you have to pay within 48 hours or it might mean that they will provide the service within 48 hours after the payment. Maybe they even phrased it like that on purpose, to make it sound ambiguous.

Here's why it is borderline, considering the points I listed above:

  • Is the threat justified? It's hard to identify the threat. If you only consider the words in the email, there is no direct or indirect threat. They don't tell you "you will be hacked", or "you might be risking something", they don't even give any advice, whether you should or shouldn't do something about it. They only state some facts. But when you consider the context, the word "vulnerability" in itself implies there is a potential danger in the information security field. However no information is provided even on the type or severity of the vulnerability. In the INFOSEC field, a vulnerability might destroy your business within hours, or might never have any effects whatsoever, depending on its severity and who/what is affected.
  • Freedom or coercion? Hard to say. The lack of details in the email won't make the recipient feel completely free to contact the researcher, ask for more information, negotiate the price, seek advice from a competitor, etc. They immediately talk about money, which they want upfront. Even that ambiguous "within 48 hours" might be misinterpreted and put unnecessary pressure on the recipient. However nothing stops the recipient from actually trying to contact the researcher in some way (either via the address they received it from, or via the address used for PayPal), and ask for more information.
  • Is any professional gain justifiable? They are asking for a small fee and in exchange you will get a service (a report). It's ok to be paid if you provide a service. However nobody knows how professional that report will be, since we have no information about the researcher. Plus the initial approach is very unprofessional and non-standard anyway.

So I wouldn't be able to decide whether this specific case is extortion or not. I would say it depends on whether it is actually possible to contact the researcher by replying to the email they sent, and then how they go on interacting with the client. If they don't answer in a reasonable time, it might well be extortion because the client might feel in danger and might not be able to decide what to do. If they do answer though (and collaborate without threatening anybody), I'd say the original email in itself should not be considered a form of extortion.

reed

  • The idea of implied threat is in parallel with the notions of "fear" and "malice", as defined by various jurisdictions. I agree that it's the lack of details, including lacking an identity, which would create the fear and the sense of malice in the average recipient. As evidenced by the fact that someone came to StackExchange to make sense of it. – schroeder Apr 16 '20 at 15:25
  • I would also add that the existence of a PoC (and the fact that the actor created/has one) heightens the danger/potential for harm. – schroeder Apr 16 '20 at 15:31
  • "Is any professional gain justifiable?" No. If the actor has a valid vulnerability, then the way the actor tested and is disclosing it is not in line with professional standards. The actor didn't just find something through normal interactions, they pentested it without an existing relationship or permission. That's not ok. – schroeder Apr 16 '20 at 15:36
  • @schroeder, I meant to say that it makes sense to pay for an actual service or good (compare it to "pay if you don't want me to hurt you"). I was only considering the problems related to an extortion. Of course in this case the approach is totally unprofessional, so I edited the answer to include that. – reed Apr 16 '20 at 16:31
  • Here's a fun rabbit hole. After reading that, I'm both very glad and very sad I did not pursue a law career. So much fun, but I'd spend more time reading legal texts than I do reading security and risk texts. – schroeder Apr 16 '20 at 19:13
  • "Whether something is extortion or not depends on how the threat is perceived by the potential victim" — this is plainly wrong. The potential victim could be emotionally unstable etc. What matters is what a reasonable observer perceives. – Greendrake Apr 16 '20 at 23:14
  • @schroeder I am not talking about 3rd parties. Person/observer — semantics. The point is that the person is imaginary: it is placed in the place of the target in a thought experiment. That's how judges apply the concept. – Greendrake Apr 17 '20 at 07:03
  • "There is no direct threat, and not even any implied threats." Then it is not even borderline -- no threat, no coercion, period. It's like "I see that your roof is leaking, I can fix it for 100 dollars." If that's coercion we'd have to reinvent our economy ;-). – Peter - Reinstate Monica Apr 17 '20 at 09:45
  • I think the difference to the NY definition of extortion linked to by the OP is: The law implies that the (property or physical) injury by 3rd parties is tied to the payment. There is a difference between pointing out a general possibility (as in this case) and offering a fix, which is perfectly fine; and "instilling a [specific] fear" which can be averted only by paying this specific person or organization. As an example, advertising your protection service business, or offering to install better locks in an unsafe neighborhood is obviously fine, even when pointing out the lack of safety. – Peter - Reinstate Monica Apr 17 '20 at 09:59
  • @Peter-ReinstateMonica, Greendrake, you are right, in fact my wording was not correct even though I didn't mean to say that the threat depends on the specific potential victim, I meant a victim in general, on average, that is, as you say, the reasonable person. As for the implicit threat, I was only focusing on the words used in the email, not on the context. The context actually might imply a threat. I have edited my answer to make some points clearer. – reed Apr 17 '20 at 11:25
  • Anyway, we can't discuss this issue by making comparisons and analogies in other contexts, because that would be misleading. As I say in my answer, the context is key. You can't compare a leaking roof with a vulnerability in the INFOSEC field, for example. It's hard to find a good analogy in this specific case. – reed Apr 17 '20 at 11:27
  • @Peter-ReinstateMonica your comparison is not apt. To say there is a leaky roof is to identify the problem. My post includes the more apt comparison of a completely undisclosed problem. The lack of info heightens the threat. To sell a protection services business is to provide a defined value: general unknown threats in the future. In this case, it's more like saying "I saw some specific shady people coming down your street. Buy my protection services and I will protect you." And that's straight up "protection racket". – schroeder Apr 17 '20 at 13:00
  • @schroeder "There is a leak in your roof [but I'm not telling you where]" = "There is a leak in your site [but I'm not telling you where]": Almost perfect analogy. – Peter - Reinstate Monica Apr 17 '20 at 13:56
  • @Peter-ReinstateMonica, no way, a leaking roof is nothing like a vulnerability on a website. It's hard to find good analogies, and I haven't been able to think of a good one involving roofs, cars, or anything like that. So far, the only interesting one I've thought of involves a person's health. Analogy: an anonymous doctor contacts you and says "they accidentally found a problem somewhere in your body, they'll tell you everything for $100 via PayPal within 48 hours blah blah blah". – reed Apr 17 '20 at 14:09
  • @Peter-ReinstateMonica it's more like "I'm driving down your street. With my experienced eye, I see that your roof won't make it through another rainy season. The color is faded to black in a subtle way, but that won't make sense to those without experience. Would you like a new roof now, or would you like to be back of the queue when the rains come?" – Harper - Reinstate Monica Apr 18 '20 at 15:57
  • @reed in another comment I used the Doc Martin example. Doc is creeping on a woman on the plane. Sees her again "Your eye, you have retinitis. It's fixable. I am now your local GP, come see me." (It's not free). – Harper - Reinstate Monica Apr 18 '20 at 16:01

Yes, it's extortion - specifically blackmail.

From the New South Wales Crimes Act 1900 s249K:

(1) A person who makes any unwarranted demand with menaces--

(a) with the intention of obtaining a gain or of causing a loss, or

(b) with the intention of influencing the exercise of a public duty, is guilty of an offence.

Maximum penalty--Imprisonment for 10 years.

Relevantly, s249M(4) states:

(4) It is immaterial whether the menaces relate to action to be taken by the person making the demand.

Dale M

  • What makes that a demand vs offer? The guy simply offers to discuss vulnerability for money. – Greendrake Apr 16 '20 at 11:31
  • @Greendrake "Buy my beauty cream and stop looking ugly". This is the stance taken by one side of the discussion. From a marketing point of view, an offer includes a defined benefit. In the situation described, there is no defined benefit, just the undefined claim of some future loss, which becomes a form of malice (and this stance is backed up by the NSW definition of malice). – schroeder Apr 16 '20 at 11:35
  • @schroeder loss or potential loss? If something is wrong, it does not necessarily mean imminent loss. – Greendrake Apr 16 '20 at 11:38
  • @Greendrake for the purposes of a security vulnerability, if one exists, there is an imminent threat of loss, but the realisation of that loss is undefined. Like leaving your shop door unlocked in the middle of Times Square. – schroeder Apr 16 '20 at 11:39
  • @schroeder What is "imminent" threat? How is that different from non-imminent threat? – Greendrake Apr 16 '20 at 11:41
  • @schroeder the imminence of the threat is immaterial – Dale M Apr 16 '20 at 11:44
  • @Greendrake I might be using a risk-context definition of "threat" (i.e. a noun, not a verb). "Danger" might be the better term. – schroeder Apr 16 '20 at 11:45
  • It's entirely possible you are right, but you fail to make any argument why it is so. The definition of menaces you link to seems to require the threat of an action, but this situation is if anything a threat of inaction. – Nobody Apr 16 '20 at 19:44
  • @DaleM That's not a threat, that already happened. An action that already happened can't be the action that an extortion is about. – Nobody Apr 16 '20 at 19:49
  • @Nobody the action is the potential attack by an unknown hacker using the exploit. Remember the action doesn't have to be threatened to be taken by the blackmailer. The menaces here is that "someone" will hack you if you don't do what I ask. The blackmailer doesn't have to know or be in cahoots with this unknown actor. – Dale M Apr 16 '20 at 19:52
  • @DaleM But that's not mentioned in the "demand" anywhere. You would need to argue why it's implied. If someone walks by while you start your car, stops, and offers to tell you about a problem with your car for 50 bucks (that they deduced from the noise or something), that would be extortion by the same argument. Why? – Nobody Apr 16 '20 at 19:55
  • @Nobody it may be. It depends if there is the "particular vulnerability" as described in 249M. That vulnerability definitely exists for a company with a cyber security weakness. It may or may not exist for the car driver. – Dale M Apr 16 '20 at 20:03
  • demand with menaces is the key - if the mail states "I give it to you for X, otherwise I hold onto it" it lacks menaces and is an unsolicited offer – Trish Apr 17 '20 at 16:40
  • This is not a threat with menaces both because 249M(1)(a) does not apply and also because neither part of 249M(2) applies. There is no express or implied threat of any detrimental action. The only action predicated on the payment is disclosing or not disclosing the vulnerability. Not disclosing the vulnerability is not a threatened action, it's an inaction. And the disclosing causes no harm. Neither part of 249M(2) applies because (as has been extensively discussed elsewhere) the rational response to this is not to act unwillingly but to do your own vulnerability scan. – David Schwartz Apr 17 '20 at 23:20
  • Where is the duty to act or the duty to mitigate? As for the menaces, there is no causality between the offerer and the ultimate harm. That is, the asker doesn't cause the harm, and doesn't have any duty to help the site improve their security. – Harper - Reinstate Monica Apr 18 '20 at 15:49