BEL: +32 (0)488 90 57 80 | IRL: +353 (0)87 7794892
Wexford & Antwerpen

Security research is not a crime

September 2, 2019 In Design News,Digital Freedom
Security research is not a crime
In most issues of EFFector, we give an overview of all the work we’re doing at EFF right now. This week, we’re taking a deep dive into a single issue: the increasingly dangerous climate for technologists, developers, and cybersecurity researchers in the Americas—and in particular, the case of Ola Bini, who was arrested in April in Ecuador despite little evidence. We’ve just returned from a fact-finding mission to the country to learn more.
I’m Danny O’Brien, EFF’s Director of Strategy. I’ve just returned from a trip to Ecuador, along with Katitza Rodriguez, EFF’s International Rights Director, and Veridiana Alimonti, our Latin American Senior Policy Analyst. EFF doesn’t regularly make visits like this, but we were on a fact-finding mission to discover more about the arrest of Ola Bini, a Swedish open source developer who was arrested in unusual circumstances in April. I’ll tell you more about Ola in a moment.
Authors, speakers, and journalists have long been understood by those in power as dangerous elements; and over the last thirty years, “technologist” has joined the list of occupations that corrupt politicians and dictators fear. I’ve led EFF’s “Offline” project, which shines a light on those coders, bloggers, hackers, and researchers who have been jailed, detained, or otherwise persecuted for their work online. Even as they build and improve the tools we use to protect ourselves from surveillance, and even while they help to enhance free expression and privacy around the world, these experts are increasingly threatened or jailed by governments that misunderstand their work or misrepresent it for political gain.
This is not new to us, and is not likely to surprise you, as an EFF supporter. Since EFF was founded in 1990, we have frequently stepped in to defend security researchers from misunderstandings made by law enforcement, and raised awareness when technologists in the United States have been incarcerated.Even now, much of the EFF staff is joining the tens of thousands of fellow travelers currently descending on Las Vegas for various online security conferences, to discuss exactly the kind of work for which these technologists are often persecuted, and even work with technologists who might face prosecution or persecution for work announced at Black Hat, DEFCON, and other events.
In Latin America, security researchers’ rights are not always as well-recognized or appreciated by law enforcement and governments as they are in the United States. While security researchers play a vital role in fixing flaws in the software and hardware that everyone uses, their actions and behaviors are often misunderstood. For example, as part of their work, they may discover and inform a company of a dangerous software flaw—a civic duty that could be confused with a hacking attack. Partly for this reason, we recently launched a new LatAm Coders’ Rights Project to help establish that security researchers have rights too.
Just months after its launch, Ola Bini was arrested in Ecuador on a warrant for a “Russian hacker.” With the most basic research, we knew that he is neither of these. From our viewpoint in San Francisco, the evidence presented seem slim, and so we decided to send a team to Ecuador to learn more about his prosecution.
Meet the Developer: Ola Bini
Ola Bini is Swedish citizen and open source developer who has worked for years to improve the security and privacy of the Internet. He builds secure tools, develops new languages, and contributes to a wide range of popular free software projects, including JRuby and implementations of the secure and open communication protocol OTR. He has also contributed to Certbot, the EFF-managed tool that provides strong encryption for millions of websites around the world. Ola’s team at ThoughtWorks was one of the few paid groups tackling popular, but under-resourced, applications like Enigmail.
Like many people working on the many distributed projects defending the Internet, Ola has no need to work from a particular location. He settled recently in Ecuador, and co-founded a non-profit organization there devoted to creating user-friendly security tools. Then, as he prepared to travel from his home in Quito to Japan, he was seized by authorities claiming that he was attempting to flee the country. Bini had, in fact, booked the vacation long ago, and had publicly mentioned it on his Twitter account.
Initially, we thought his arrest was due to a common misunderstanding. Security researchers can have habits and behavior that seem eccentric or suspicious: they encrypt all of their communications and lock down their computers, they sometimes dress and behave differently from the norm. As part of their work, they collect unusual books and hardware—like the so-called “evidence” presented after Ola’s arrest—a pile of USB drives, hard drives, two-factor authentication keys, and technical manuals.

All of these items are familiar property for anyone working in his field. Of course, owning such things is not a crime, but they can seem suspicious to an authority who isn’t in the know.
Building and Testing Secure Tools Is Not a Crime
There is nothing wrong with testing and finding flaws in security. Security and encryption researchers help build a safer future for all of us using digital technologies. Even in the U.S, too many legitimate researchers face serious legal challenges that prevent or inhibit their work from laws such as the Convention on Cybercrime, the Digital Millennium Copyright Act, the Computer Fraud and Abuse Act, and similar state laws. And computer crime laws in many countries around the world are even more pernicious.
But that is not what Ola Bini does. From our prior knowledge of his work, he builds strong systems—he does not pen-test or analyze them for exploits. If the Ecuadorian government was looking for someone with the skills to attack Ecuador’s systems, they found the wrong guy.
As Bini’s case dragged on, another anomaly struck us. If someone breaks into a house, and you arrest a suspect, the prosecution should at the very least be able to tell you which house was broken into. It’s the same in the digital world.
During a press conference held just before Ola’s arrest, Ecuador’s Interior Minister announced that the government was about to apprehend individuals who are supposedly involved in trying to establish a “piracy center” in Ecuador, including two Russian hackers, a Wikileaks collaborator, and a person close to Julian Assange. She stated: “We are not going to allow Ecuador to become a hacking center, and we cannot allow illegal activities to take place in the country, either to harm Ecuadorian citizens or those from other countries or any government.” Neither she nor any investigative authority has provided any evidence to back these claims.
Bini’s prosecutors did not say what systems he is supposed to have broken into at that press conference in April. And despite many opportunities to clarify—after Bini’s initial arrest and his nine-week imprisonment, since his release following a successful Habeas Corpus plea, or even after last week’s thirty-day extension of the investigation—we still do not know what systems he is supposed to have targeted, or any more details of his alleged criminal behavior.
Ola Bini’s Case is a Political One, Not a Criminal One
After being in Quito for a week and speaking to journalists, politicians, lawyers, academics, and Ola and his defense team—and extending invitations to Interior Minister María Paula Romo and Diana Salazar Mendez to meet with us—we believe we now have a better picture of what this prosecution is about.
In brief, based on the interviews that we conducted, our conclusion is that Bini’s prosecution is a political case, not a criminal one. 
Bini’s lawyers told us that they have counted 65 violations of due process so far during the trial. The subsequent Habeas Corpus decision that released him from jail after over two months of imprisonment confirmed the weakness of the initial detention. Journalists have told us that no one is able to provide them with concrete descriptions of what he has done. And we know that while Ola Bini’s behavior and contacts in the security world may look strange to authorities, his computer security expertise is not a crime.
We think Ecuador’s politics have attached their own stakes to either abandoning Ola’s case or continuing to prosecute. Supporters of the present government need Bini’s successful prosecution in order to confirm their claim of a threat to Ecuador from Julian Assange—and justify why the government changed the policy of the previous government and ejected him from the embassy. Opponents of the new leadership want to show support for Assange by defending Bini, and use his case as an example of the maliciousness of the new administration. At this point, there is no political faction who wants Bini’s case to quietly end, and allow him to return to his normal life. Everyone benefits from him being a visible example—either of the danger of Assange and “Russian Hackers,” or the political bias of the courts under Ecuador’s new government.
Bini’s innocence or guilt should not be a political decision. It should be determined by a fair trial that follows due process. At this point, we are urging political actors of all sides to step away from this case, and to allow justice to be done. By remaining involved, they risk damaging the reputation of Ecuador’s judicial system abroad, and violating the international human rights standards as defined within the Inter-American system for the protection of human rights.
Protecting The Rights of Security Researchers
Ola Bini’s detainment is a flagship case of the targeting of technologists, and the dangers of overbroad cybercrime laws.
Technologists, developers, security researchers, and hackers all have fundamental human rights. We must not allow politics to sway the judicial process towards scapegoating their work. We must stop politicians from demonizing benign uses of technology. And we must ensure that the laws protect the fundamental human rights of security researchers across the world.
If you are a researcher wondering if your own research is in a legal gray area, or concerned that the vendor will threaten legal action, please reach out to or visit our Coders’ Rights project for legal FAQs. All EFF legal consultations are pro bono (free), as part of our commitment to help the security researcher community. If you happen to be in Las Vegas this week, you can also stop by the EFF booths at BSides, Black Hat, or DEF CON to make an appointment with one of our attorneys, though we highly recommend contacting us as far in advance of your talk as possible. And as always, even if you don’t have a legal question, come say hi at the booth or watch one of our talks.
For now, Ola Bini is in legal limbo. The clock is running out for the prosecution to formally charge him, although it was just reset to 30 days when they linked a new individual, Ricardo Arguello, to the case. Over the years, we have often heard from those who have been released from detention that shining a spotlight on their case has led to better treatment in prison or a speedier release. We hope you’ll join us in advocating for Ola and other individuals like him whose online work has led authorities to unjustly incarcerate them or take them offline.
Digital rights are human rights. Together, we can work to protect those rights globally, and fight back against the injustice and fearmongering perpetrated worldwide against innocent technologists.
EFF Updates
No other updates at this time.

Supported by Donors
Our members make it possible for EFF to bring legal and technological expertise into crucial battles about online rights. Whether defending free speech online or challenging unconstitutional surveillance, your participation makes a difference. Every donation gives technology users who value freedom online a stronger voice and more formidable advocate.
If you aren’t already, please consider becoming an EFF member today.
Supported by DonorsOur members make it possible for EFF to bring legal and technological expertise into crucial battles about online rights. Whether defending free speech online or challenging unconstitutional surveillance, your participation makes a difference. Every donation gives technology users who value freedom online a stronger voice and more formidable advocate.If you aren’t already, please consider becoming an EFF member today.