Why does US Law Enforcement so dramatically escalate every contact with a citizen? Everytime they do this, they risk accidental injury to the people, kids, pets.
What in this particular situation necessitated a SWAT-level treatment?
Maybe the law should be fixed such that warrants have to specifically include firearm authorizations.
US LEOs are indoctrinated with the belief that they are 'at war'. Convincing the public of this is imperative to retaining authority, securing more funding, and receiving immunity from any consequences of their actions. One way they accomplish the above is by never passing up an opportunity to dress up like an army man and publicly display force
In theory, they combine those things to decide whether to just knock on the door and walk in or bring SWAT along.
This happens different between agencies and what parts of the country.
But, codifying these guidelines / rules into a law probably wouldn't hurt. Sometimes it is hard to capture the nuances of the situation into a formal law though.
Also, remember that like 10-100's of these things are probably executed daily, peacefully, without any conflict or issues. You only hear about it when they go wrong (or some asshole fed is in a bad mood or something I guess).
This is always true. By that logic, we should SWAT every warrant, every traffic stop, every parade. There should always be a threat assessment.
This would imply it's all #2 ("publicity"). Which means police forces and public defenders are using the threat of extreme violence as... a PR move? Against American citizens who are innocent until proven guilty in a court of law?
The irony is cops do this to protect themselves, and statistically speaking it has the exact opposite effect.
Well, you could do some basic investigation before an arrest, which would both give you in most cases a good idea of the threat profile and often give you a better idea if the information you've been fed actually accurately represents the facts.
Its not "investigation" is, you know, right there in the name of the agency, or anything.
"people in charge" only stay in charge when they don't look like fools. so anyone pointing out the king isn't wearing any clothes must be tied to a stake and burned for all to see.
also, your dog must die.
When I found it, I told one of the teachers that I trusted and she insisted that I must tell the principal. So I went down to the principal's office and told her. My primary goal was to get this removed or made private because even at that young age I knew this was very sensitive data and I wouldn't want just anyone having access to my information like that.
When I got home from school, I found my mother upset because we'd been called to return to school for an emergency meeting. I was questioned, and when I told them I only wanted this sensitive information properly secured I was told by the county IT administrator "Did you ever stop to think if maybe this information was public for a reason?" I took a second, and literally wanted to say "There is no reason this information should ever be public" but I ended up keeping my mouth shut in hopes to not get into further trouble.
I was nearly expelled for "hacking". They placed me on "academic probation" and threatened that if I did so much as forget my school ID at home one day, I would be immediately expelled without question. I was removed from my elective classes that involved computers and was disallowed from touching any computers at school.
Fun fact: Someone on the yearbook staff accidentally deleted the only copy of the yearbook files and our yearbook was in danger of basically not being made. I was called to the principal's office and asked to help. I was able to recover the deleted files and save the day. At some point they realized I never had malicious intent, but I still hold a small grudge for the way I was treated as a criminal for uncovering such a big security hole.
Thought long and hard about what to do but decided to not do anything, dont feel like risking my entire life just to help someone. This is me assuming they did not intend to have it publicly open.
With that story out there, it would be nice to have a legit legal way to inform the police or a similar trustworthy government agency that could handle issues like this.
Perhaps the FCC has something similar?
I'm looking at 'Have I been pwned' [0], but they seem to care about only breaches that have been publicly acknowledged. Sounds like they don't want to be in the business of breaking this kind of news themselves.
Maybe there needs to be a new Web site for this kind of thing -- located outside the US, of course. (Probably there already is one and I don't know about it.)
Best case among the likely outcomes of that is: "Can you re-send that e-mail? It's all garbled or something."
"I accidentally discovered this when I miss typed an IP."
So, the chance of them going "out of business" is pretty slim. It's entirely possible that dentists unfortunate enough to have chosen Eaglesoft will get to pay some HIPAA fines, however.
Foremost among the many reasons, because investigation of HIPAA Privacy and Security violations is almost entirely (if not entirely) complaint-based rather than proactive, and probably no one filed a complaint to the HHS Office of Civil Rights.
Which I think should be the immediate and first act on discovering something like this with PHI, if for no other reason that doing so makes clearly applicable the whistleblower protections of 45 CFR 160.316.
It seems that the 21st century responsible disclosure procedure goes like that:
0. use tor for the research itself
1. report problems anonymously
2. if they don't care - report them to law enforcement for breach of confidentiality
3. if these don't care either or don't accept anonymous tips - make noise in the media
Of course, this is for dealing with idiots who keep their data on public FTP. If the attack takes some clever hacking, go check if they don't offer bug bounties. Funny times we are living in.
There is no step 2.
Based on his website it appears that "Tor" is actually his given name. What an odd coincidence.
Unless there's a lot left out of this article, I wouldn't think most "unauthorized computer access" suspects tend to be heavily armed. (Particularly if the company actually reported the context of the "crime", including the fact that he had voluntarily notified them of the problem.)
The rationalization is that serving warrants can sometimes be risky, so why take the chance? It's in law enforcement's best interest to err on the side of caution: better to scare the crap out of people than get shot without warning. Which is why the government and the courts are supposed to balance LE's concerns with the rights of the people.
The best policy may be, simply not to be home at 6 AM. They're psychologically incapable of raiding when normal people are awake, or of making arrests in safer ways such as via a phone call to an attorney or simply waiting by their target's car until he leaves for work in the morning.
Particularly for protected patient information (but maybe for other classes of sensitive data as well), it would be interesting to somehow classify having this information breached as a crime by the holder of the information (I realize this might be hard to do given the reality of security these days, so there would need to be some nuance of course). The crux of my idea would be to automatically count any access that results in prosecution as a breach of said data, thus meaning that prosecuting a security researcher would automatically put the information holder under separate prosecution. I wonder if something like this could be feasible.
The source of the problem in this case is that the CFAA is too loose/broad and the penalties are absurd. The solution is to fix that. Make it so that the only penalties available are proportional and innocuous actions like reporting vulnerabilities are bright-line not illegal whatsoever.
You're essentially suggesting cold war style MAD as a solution to the government foolishly supplying toxic waste to children who are then found using it to poison people they don't like, under the theory that if everyone can poison everyone then everyone will have to behave. Better to clean up the toxic waste than ensure equal access to it.
In my industry, the EPA produces technology forcing regulation, we will have to invest a few hundred million to meet the upcoming standards and continue selling our product in the US after 2020. To sell our product in 2027, we need technology that hasn't been commercialized yet.
Maybe computer security could use a technology forcing regulation to get real investment in secure software to happen.
Many financial institutions use the last 4 of your SSN as identity verification.
If you're a business, it's the last 4 of your FEI/EIN.
I know at least in FL, this is publicily available at sunbiz.org
So with the account number printed at the bottom of your paycheck/stub and the FEI/EIN, you can often authenticate to a financial institution and obtain privileged information.
I know this not because I was on the "hacker" side, but because I was involved on the financial institution side of it and caught this as part of my engagement. The institution was issuing new logins for its internet banking site and the password would have been based on the users name, zip code, and SSN/FEI/EIN, all 3 of which are available (in FL) on that sunbiz.org site.
In my experience, credit unions are usually worse than Banks on the security side. There are exceptions, but they are not the norm.
One credit union I dealt with always opened and closed with a single employee. Very dangerous for the employee. This same union kept the A and B part codes to their vault in a locked desk drawer(one of those cheap desk drawer locks that anyone can pick with a paper clip) in the lobby, and full internet access was available on all computers. Tellers all shared a single cash drawer and the teller PCs were routinely used by the tellers for general web surfing, Facebook, Pandora, etc...
That's how law enforcement in the US works. A crack in the door, in the form of a ridiculous accusation, is all it takes for one's life to be destroyed.
Why go after Patterson? Because that would give them opportunities for more raids and prosecutions, which look great on an annual review. And raids and prosecutions for acts which are probably more politically useful to politically-minded US Attorneys than whatever kind of case they could make against Shafer.
And, of course, sign it with a new PGP key you've just created, so that if you ever need to release a follow-up with proof that it's you, or come forward as the author of the disclosure, you can.
This is my plan too. Responsibly disclose anonymously. That should prevent our corporate lords from sending SWAT teams into our homes.
There was a similar issue with S3 credentials and Facebook a few months ago. The security researcher went too far. There was a large outcry by everyone about Facebooks response. I'm not addressing the response. I'm saying as a security researcher you need to protect yourself by trying very hard to limit the impact of what you're doing to remove risk of legal liability. Only go as far as the first problem and no further.
What kind of thinking is this? He was doing them a favor. Every time, it seems to me that they are embarrassed by the incident and lash out. WHY!?? We should be treating these researchers like heroes, not kicking in their doors and having the FBI charge them with criminal CFAA violations. Once the chilling effect comes down in full force, we'll have a much less secure Internet.
The arrest may have nothing to do with accessing the Public FTP, and entirely to do with the research he was doing on the FTP service itself. If he was attempting to exploit the FTP service hosted by someone else (something or other aboubt database credentials was mentioned), he would absolutely be in violation of CFAA. You do that sort of research on your OWN system.
First rule of security testing: make sure you have permission.
This is getting ridiculous. I can't predict the general public's opinions on things like this but it seems so clearly "wrong".
I have hope for a peaceful fix but I am skeptical that we aren't well on our way to a much more traditional violent revolution.
Everything I've read on the subject suggests that the early signs of revolution are a sufficiently large disparity between the rich and the poor such that the poor can no longer provide for themselves. It seems like this is well on its way and likely speeding up.
I'd love to see some statistics on situations like the 2014 Ferguson Missouri situation. I'm curious if there's a rise in situations where the government sufficiently crosses the line that the public backlash manifests violently. I expect that we're still in a stage where these situations are still largely centered around poor minorities [1] but situations like this suggest that incidents are starting to expand into demographics that might get the "middle class" [2] to finally pay attention.
I hope we can find a way to unite as a single voice to change things. I hope it doesn't end up being violent. The following things encourage me.
* Decreased relevance of the "mass media". This is a double edged sword. On one hand it allows for news that might be ignored by a major network to still be disseminated widely. On the other hand, the "public" has a really poor track record of consuming news that isn't also entertainment and many of these issues seem to fall entirely outside of people's interests.
* The ability to aggregate these sort of events to establish a clear pattern of behavior. It's getting harder to hide things.
Also these disclaimers:
1. I say poor minorities because based on my knowledge of the law enforcement overstepping it's typically in situations involving people who are poor and black.
2. The "middle class" is used here to reference a predominantly "white" demographic that most mass media caters to. I've struggled to find the appropriate language here, fearing I'll be labeled racists somehow. Hoping that my message reads as intended.
However, loads great in lynx!
Absolutely jaw-dropping.
People's reactions to this kind of thing just blow my mind. If you are about to walk away from your car, having parked it in a high-crime area, and a passerby points out to you that you haven't locked it, do you call the police and have them arrested for looking into your car? If they were going to steal your car, would they have told you about it???
My wife ran into this back in 2001 or so. She had visited some Web site and noticed that the URLs followed a familiar pattern -- I think related to the Microsoft Access database. She wondered if some internal files were accessible via paths analogous to those she'd seen on the intranet where she worked. Sure enough, they were. She told the company about it, and of course they yelled at her.
Unfathomable.
If it was meant to be public, then you shouldn't have gotten in trouble for pointing out its existence. I don't understand the twisted logic there.
I figured out that the teachers had the same schema for their accounts. They also published a directory with all the names and phone numbers of the students and teachers. So basically I tried accounts until I got a teacher who didn't change their password. Then I used their ability to place files in shared folders on the network to distribute Quake2 across the different servers. I told a friend and they told people and inevitably the school blamed me for it and kicked me out of all my electives that had computers in them. I was the first student to ever fail touch typing because I couldn't complete the class.
Standardized learning and I have never been friends. I'm glad they tought me the system doesn't work and to work/learn outside of it.
There was some problem with the alias. I couldn't receive the FB confirmation email. So I gave up and went to sleep. The next morning I received a call from the campus police - they wanted to talk to me. I don't remember all the details, but I just remember a long process of being interrogated by campus police and later school administrators who were certain that I had hacked the president's email account. I mistakenly thought simply telling them "I wanted to add the school president as a friend on TheFacebook" was innocent and harmless enough. Some time later I received a letter with a list of 20 or so charges including things like Identity Theft and the possibility that I may be expelled.
I only found out at the end of this whole process that due to a bug in the mail system it allowed me to register a duplicate email alias and all of the school president's emails were being bounced and they assumed I was receiving them. I was able to knock it down writing an apology and community service.
Wow. Whatever happened to the cops coming and saying "That was dumb. Let this be a lesson. Don't do it again."?
This reaction makes me very, very angry.
I would love to push it back on them: it's unclear under what laws/regulations this would fall, but if you (as the student who found it) can get in trouble for finding this info, they can most certainly get in trouble for posting it in a location it can be found in.
Further, because you were actually punished for it, it means one of two things: they were in fact in the wrong for publishing it (and thus should be punished -- whether it's a criminal offence or merely a professional reprimand); or if they can't be punished, neither can you -- which means the principal should be in trouble for a giving out a groundless punishment.
In my mind, it ceases being an "honest mistake" when they attempt to punish the person who points it out.
I realize that the real world is much more complex than this: you were a kid, your parents don't necesarily want to put you through the doubtless retaliation the administration would put you through anyway (even if not official), and the people with the authority may not see it the same way (in the same way police officers rarely charge other officers with crimes).
The school did not, and the district superintendent agreed with them. Who knew that an FM Radio made out of a La Gloria Cubana cigar box-with labelling removed so as not to run afoul of any "tobacco paraphernalia" questions constituted a "bomb".
Parents sued to have me reinstated, but the social stigma lasted well throughout high school. Kids nicknamed me "bomberman" and there was this whole narrative that I had to be removed from the school, handcuffed by the FBI and put into the back of a box truck and hauled away. When in reality, my dad picked me up in his Honda (which would later become my Honda) and we drove home.
You are hearing one side of a story (that doesn't mean there is another side that would change your mind or my mind of course) but keep in mind that the parent also said "I admit I was snooping".
Let's say for arguments sake someone enters a room that they are not supposed to be in and finds something in a desk drawer that shouldn't be there. Should the person snooping be commended for doing that? As if a reward saying "go anywhere anytime and as long as the end justifies you are off the hook". Are you allowed to enter your neighbors house in search of contraband or access his computer? I realize this was allegedly "public" but the devil is in the details of what that means exactly.
Makes me glad that my school was reasonable when I got dragged into some "hacking" accusations. We were just made to work with the IT staff for a week (instead of going to classes), and that was the end of it.
The IT staff were surprising fine with it all (I think they realised A) that we weren't malicious, just bored and curious, and B) that it was their mistakes that gave people access (VNC server installed on all PCs with the password "vnc"; domain admin. account having the password of "school" etc.)
I believe I had to stay up late writing a 4-page apology paper to forestall disciplinary proceedings since my family was planning to go on vacation the next day.
I'm also very much glad to see the incredible foresight and knowledge that the FBI is displaying here. What better way to show us why we should not responsibly disclose data vulnerabilities than to arrest and raid someone's home for doing so?
Stories like this really influence me to put my faith in the capabilities of law enforcement. What that means for our individual rights and freedoms, and for the future of the US economy is sure to be nothing but excellent! I would never think about moving away from such a country!
And should you by some miraculous series of events manage to get your case heard in a court (have $$$ to burn), they'll just appeal the verdict (and win).
There is no escaping this shitfest.
This is so true and so many people don't realize it.
It's easy to be idealistic about these things until it actually happens to you.
Being "in the right" doesn't mean you'll win ("right" according to your morals/ethics and "right" legally are often two completely different things) and it doesn't mean that the costs of fighting - financial, personal, etc. won't ruin you, especially when the plaintiff is stubborn, vindictive and has deeper pockets than you do.
More often than not, you'll end up settling civil cases, and the tangible and intangible costs that you accrued while fighting your case are usually victory enough for the plaintiff.
Why? Andrew "Weev" Auernheimer was prosecuted AND CONVICTED for accessing a public HTTP server with no password protection. They apparently didn't have any trouble pursuing that with a straight face. The conviction was overturned because they had prosecuted him in the wrong state.
“It’s weev all over again.”
Edit: ProAm above reminded me of the Andrew Auernheimer case that was nearly identical to this and was resolved as I describe.
When you analogize to a separate situation like keyed locks or zeppelin airspace access rules you're attempting to say something about similarities between the reasoning in resolving the rule on both sides, which requires you to actually make a contention about what aspects of the situation are compatible, and which of those aspects are salient to the definition in question.
Computer behavior patterns are different enough that if you want to analogize, for the love of god explain the aspect you are analogizing. Even the notion of a "protocol" doesn't really exist in meat space.
Something like "transit through third-party routers is a form of access easement"? OK, I could maybe roll with that as a premise if we get into the weeds about what that would imply.
"It's like an unlocked door!" Jesus christ, stop. No, it's not. Even particular unlocked doors aren't what you're thinking of as an archetypical unlocked door, because "unlocked door" isn't a legal concept.
From the article:
I actually remember them having a passworded FTP site
back in 2006. To get the password you would call tech support
at Eaglesoft\Patterson Dental and they would just give you the
password to the FTP site if you wanted to download anything.
It never changed. At some point they made the FTP site anonymous.
For 'unauthorized access' to a computer system you (should) need to knowingly access a protected system in a way not permitted by the rights granted to you by the computer system, or by deliberate deception of either the computer systems or people.
So for 'knowing' we have to actually know (via banners, etc.) that we're somewhere we shouldn't be. For 'protected' it has to be actually protected (none of this "I found unprotected files lying around with no password" nonsense). The last two clauses cover privilege escalation attacks and social engineering. So it should matter if you're operating the system normally or if you accidentally just click/type something wrong and found your way in vs. you were deliberately hacking / social engineering your way in.
I'd also add a safe harbor for anyone who in good faith reported the issue to the site operators, police, or government regulatory bodies to prevent reprisal like this ugly case.
Sadly, I don't get to write these laws.
It is more like having a store with lights on and an open sign then arresting someone for breaking an entering when they go inside.
Sometimes that's just the time, expense, job and reputation loss, etc. of the arrest, but sometimes (e.g. Freddie Gray) the ride is a'rough ride' and you can't beat that either.
They probably rarely have cause to perform this sort of raid, so they do so at any opportunity.
Knock.
Depending on the response from the inhabitant, either take them into custody or call for backup.
Bringing a gun escalates things immediately. If I was in that home and I was carrying a gun, and if a handful of people abruptly came in with assault rifles, I'm liable to react very differently because it's such an affront to what feels reasonable. I think it's more reasonable to think that this is a terrorist attack and to react accordingly, rather than the reality of people acting as an agent of the government bringing deadly force in droves because someone grabbed a file from a public FTP server.
If I had seen 5 men in suits and shades peacefully walk in without any kind of weapon, I'm not going to think anything of it. They're putting themselves at risk. It makes no sense.
And the honest answer as to, "why?" is that the people who kick in doors are complete meatheads who think that morality and legality strictly align. They think if someone has broken the law, they deserve anything that is coming. They don't care about anyone's safety, they care about taking baddies.
Now I'm not sure where their training draws the line on infant collateral damage: Don't shoot in rooms with babies? Shoot around the babies?
But imagine if the rule was: Don't upset the children. (silly I realize, but thats how what-ifs are played). It seems like decisions would be made resulting in fewer grenades landing in bassinets.
"He is an upstanding family man, with 4 children. He accessed a publicly available server on the Internet, the kind of server you could access at any time by clicking a hyperlink on Facebook, and now he is a felon and rotting in jail." Or something like that.
I suppose that registered guns suggest that someone is not criminal, because the alternative assumption should be unregistered guns.
I don't see why a registered gun would be a point in their favor. They probably registered their car, paid their taxes, and stopped at red lights too.
That's less clear than it might seem; the information Patterson gave them may have been sufficient basis for probable cause against Shafer, but it was probably shaded (at least by omission) in a way that it did not do so against Patterson.
Now, obviously, one would hope that the FBI would do some meaningful additional investigation before conducting a raid, but there were very few people beside the person they'd been handed as a subject who would have been able to provide information which would have flipped this to something where Patterson would be the offending party (and even there, its for something which the FBI is neither the usual first investigating agency nor an agency that is particularly expert.)
Will they? Since Eaglesoft claimed to provide encryption, and the practices relied on that claim, it seems unlikely that the practices are at fault; if they are subject to civil liability at all for inadvertent violations -- or even if they just have costs to cure the violations without money liability, which seems more likely given the history of HIPAA enforcement -- they would seem to have a claim for at least the total resulting costs in damages against Patterson.
As far as criminal violations of HIPAA goes, it doesn't seem particularly likely that any occurred, and if any did its pretty clear that the practices are (barring any evidence of knowledge that hasn't come to light) unlikely to have had the requisite knowledge or intent to be culpable, though the violations may have been willfully caused by Patterson's actions, which -- even though Patterson might not usually be directly covered by HIPAA as regards what appears to be on-premise software they sell -- might make Patterson a (and possibly the only) chargeable principal in any crime. 18 USC Sec. 2(b): "Whoever willfully causes an act to be done which if directly performed by him or another would be an offense against the United States, is punishable as a principal."
It's like Shafer wrote a letter to their office asking for their list of patients, and lo and behold, they've sent him back an envelope containing that list.
(1) The law enforcement decision makers are unaware of the research (which is unlikely), or
(2) The stated motivation is not the actual motivation.
... which turns out to be the same calculation they used all along.
The public would certainly be safer and happier if there were fewer FBI agents rather than more.
Nevertheless, if you want to print something and wish to remain anonymous, it isn't a bad idea to assume that every document that a particular printer ever prints can be linked using the printer's serial number, even if you think that specific printer is safe. Never print anything on it that can be linked to your public identity. Don't connect it to the internet.
You may never know whether there's some sort of steganographic encoding mechanism that targets certain print geometries in ways that you can't detect. There probably isn't. But if you're a dissident or troublemaker, can you take even a tiny risk?
Or just didn't have a family with the right media instincts.
> "Public school bureaucracy run by bureaucrats" doesn't have the right mass appeal.
It has incredible mass appeal, which is frequently exploited politically -- by both sides of the political spectrum.
But for it to get media attention, someone's got to get it to the media's attention. Outside of people and institutions that are already high-probability news sources, the media isn't really actively monitoring what goes on to find potential stories, things become stories because someone involved brings it to the attention of the media.
iamdave: picked up from school by his dad, no police involved.
Not exactly the same situations. Both crappy situations, but Ahmed's treatment was an order of magnitude more inappropriate.
We're brown, I think colloquially "black".
It turned out that his invention was a fully pre-built alarm clock removed from its plastic housing.
Also other details emerged that pretty much sealed the case against him - what he did was create an intentional hoax.
I am not sure where you are from, but I agree that it can also get worse.
The law enforcement here will consistently take anything the FBI tells them as a fact, even when the information provided by them has been consistently shown to be false or even maliciously fabricated.
I spent 3 months in jail in 2014 because the FBI emailed the Finnish NBI and alleged that I had perpetrated various attacks against large US tech companies, they provided some information vaguely connecting me to the crimes and claimed to have further evidence they'd deliver shortly. They requested that the Finnish police arrest me and seize my equipment, they did so without question.
Based on that single contact from the FBI the Finnish NBI held me in jail for 3 months and banned me from using the phone or in any manner communicating with anyone outside the jail. After the 3 months had passed the FBI had still failed to deliver any evidence, and the Finnish police had failed to discover any. In fact, they had unquestionably discovered heaps of evidence against the aforementioned allegations since the very day they arrested me. Just a few days before Christmas they were forced to very reluctantly release me.
Now it's 2016 and I just recently got a letter stating that most of those charges have been dropped as the FBI has failed to deliver the promised evidence. I've also received letters informing me of various covert surveillance techniques utilized against me after my release. These are supposed to require an even higher standard of proof than keeping someone in investigative custody, but obviously they're hard to contest when you aren't told about them.
Incompetent fucks desperately hoping to score big wins for their careers or with personal vendettas are hardly an US only problem, but at least in the US I could've fought the FBI in court. That's hardly an option here. The only thing that's better here are the sentencing policies.
You haven't been in many countries, have you?
Majority of Europe you will see SWAT team on TV once a year when they do a huge bust of over 100 drug dealers or terrorist. It would be a public shame, heads with rolls and never ending phone-calls from constitutes asking and demanding answers why their money was spent on performing a raid on a hacker who broke into publicly open computer.
I will also bet (as long as we are somewhere legal to do so like LV) a $100 that you won't find an example in Europe when SWAT team killed a dog or threw a flash grenade into a crib with a baby in it... something that happens in US and that noone can be reasonably held accountable.
It's possible that I could win. But that wouldn't really achieve anything, it wouldn't make the .fi authorities stop.
The best option I have available is to keep fighting my charges in Finland, as no matter whether I win or lose it'll be significantly harder for any other country to prosecute me for those same crimes. The courts here are fairly reasonable, while they require ridiculously low standards of proof, you essentially have to kill someone to actually go to prison here. Perhaps that makes it easier to say "guilty" just to play safe, keep the LE and prosecutors happy.
It sounds pretty interesting to me -- I imagine someone in the press would pick it up.
I was indeed wrongfully imprisoned, but by the Finnish government. I can and will receive compensation from them but at best that's going to be a few thousand euros per month, a nominal sum considering the time lost. It's hardly an irregular thing here, mostly because every single case where a person is taken into investigative custody and not given a prison sentence is treated as such. This has created a situation where these cases are so common that the justice system treats them as acceptable routine.
Article 24, paragraphs 8-10?
It looks like you would have to file a criminal complaint in order to proceed with a civil claim, and the state cannot act on criminal charges until you actually make the complaint, unless the defamation appeared in the mass media. If the Finnish prosecutor declines to act against the FBI, your only remaining remedy is to file a claim in the court of public opinion by getting a local journalist to tell your story on a slow news day.
You owe it to yourself and all noncriminal Finnish hackers to at least make a defamation complaint to Finnish police against the FBI. Your statute of limitations is 5 years.
Rather unlikely that any prosecutor would pick them up, but who knows?