Justin Shafer searches the Internet for public, unsecured computer servers that store confidential patient medical information.

So does a mysterious cybercriminal group called TheDarkOverlord, which holds such data for a ransom paid out in Bitcoin.

Shafer and TheDarkOverlord have communicated via social media. But Shafer’s supporters say he’s trying to expose the hacking group and protect patient data that companies carelessly store on vulnerable servers.

The FBI thinks otherwise. Agents in Dallas have raided his North Richland Hills home twice, and the Atlanta FBI office was investigating him as a possible co-conspirator of TheDarkOverlord as of March 31, according to an FBI affidavit.

But Shafer is behind bars in the Dallas area, and not because he is accused of violating the Computer Fraud and Abuse Act. The 37-year-old computer technician is charged in federal court with cyber stalking for the alleged online harassment of a Dallas FBI agent who investigated him.

Shafer harassed the agent and his family on social media and on his websites, the FBI affidavit says.

The case has generated a lot of interest in computer tech circles, which are abuzz with questions about whether the FBI unfairly targeted Shafer on stalking charges because it has yet to make an illegal hacking case.

Shafer’s lawyer says that prosecutors are overreaching and that his client was exercising his right to free speech.

[Photo: Justin Shafer (Dallas County Sheriff's Department)]

Shafer is accused of causing “substantial emotional distress” to the FBI agent and his wife by making “derogatory and inflammatory statements” about the agent on Twitter and posting identifying information about his wife and other family members.

The tweets and Facebook posts in question were posted from May 2016 through March 21. Shafer included a past home address for the agent as well as Facebook profiles of his mother, cousin, wife and ex-wife. Shafer also sent a Facebook friend request to the agent’s wife and messaged her on Facebook, according to the FBI.

And Shafer followed the agent’s wife on Twitter “in an attempt to harass and intimidate her,” the affidavit said.

Shafer runs a business that does computer work for dental offices. He was arrested in March and indicted the following month on charges of stalking and violating a law that protects people who perform “certain official duties.” He was sent back to jail for violating his pretrial release by posting about his case on his blog.

His New York computer law attorney, Tor Ekeland, said he took Shafer's case for little money because the law he's charged under is "problematic." Ekeland also said the government's use of the law to prosecute Shafer is "improper." He said Shafer's social media posts didn't "articulate any specific threat."

“It’s way too easy to charge normal internet conduct as a felony under that statute,” he said. “He’s in jail right now because of his speech.”

Data held hostage

It’s unclear if Shafer is still under investigation for hacking. The U.S. attorney’s office and FBI declined to comment.

His wife, Jennifer, declined to discuss the case except to say that her husband did not commit a crime.

“Of course he’s innocent,” she said. “This whole thing is just insane. He shouldn’t be there.”

The past year has seen a sharp increase in the number of ransom demands from hackers who have stolen data from companies and threatened to release it, prompting the FBI to issue a warning in March. Such attacks usually involve ransomware, a type of malware that locks computers and blocks access to data until the ransom is paid. Recently, hospitals and other medical facilities have been targeted for their sensitive patient data.

The FBI has said that cybercriminals earned more than $200 million from businesses and institutions in extortion schemes during the first three months of 2016.

The search for TheDarkOverlord continues. The FBI has not announced any arrests in the case.

Shafer and TheDarkOverlord were both looking for public, unsecured computer sites known as anonymous FTP servers that some hospitals and other health care companies use to store private medical records.

The servers allow companies and institutions to store data online until they need to retrieve it. But anonymous FTP servers, by design, let anyone log in without an account or password of their own. Experts say companies should use these servers only to host public files.

Most large companies have upgraded their servers, but smaller companies are more lax about data security, leaving them open to attacks.

Shafer calls himself a "security researcher" who is concerned about private health information ending up on unsecured servers that are vulnerable to hackers.

Shafer's business website says he can set up imaging hardware and software for dental practices and "generally keep you up to date with the latest technology."

He says on his blog that he has helped dental and medical companies identify security breaches involving their patient data. Shafer said he tries to access data and then alerts companies that own the data that it is not secured. He documents his findings as well as his communications with the companies on his blog and Twitter account, sometimes posting screenshots.

In one YouTube post, Shafer demonstrated how he worked his way into an American Dental Association database to find information about member dentists.

Shafer said on Twitter that he’s called medical patients to warn them of the security risks involving their information.

One company warned its employees about him in 2015, saying Shafer had taken an interest in the security of its software. Shafer posted the letter on his blog. “He has hacked in on networks that have security vulnerabilities and then has shared how he did it with the world on YouTube and other web sites,” the letter said. The ADA suggested Shafer's motive in accessing its data was to seek business from the organization. Shafer responded that he never sent the ADA an invoice for his work.

Shafer also has reported his findings to federal agencies and news websites. Companies can be fined by the government for using outdated and unsecured technology to store protected data.

TheDarkOverlord emerged around June 2016 and began accessing medical records from hospitals and clinics. The group has sought ransom money for the health data as well as unreleased television shows such as Orange is the New Black. When victims didn't pay, the hacking group released the stolen material.

TheDarkOverlord has claimed responsibility for at least 15 major computer breaches and the sale of over 1 million customer records.

The Dallas FBI began investigating Shafer in February 2016 after he accessed files on a server belonging to Patterson Companies, a medical supplies firm based in Minnesota, court records show.

Shafer downloaded about 22,000 patient records from the site, the FBI affidavit said. Patterson could not be reached for comment.

The FBI raided his house in May 2016 and found a database of about 48,000 records on his computer that TheDarkOverlord was selling, the affidavit said. Shafer said on his blog that he notified the FBI at the time that the hackers had shared their stolen records with him and he sent the bureau a copy of the database.

During another search of his house in January, agents found a computer “chat session” between Shafer and TheDarkOverlord, the affidavit said.

“Collaboration between multiple FBI divisions has subsequently identified significant links (IP addresses, emails, social media accounts) between TheDarkOverlord and Justin Shafer,” the FBI affidavit says.

John Pescatore, director of the SANS Institute, which provides cybersecurity training, said anyone who uses computer tools to download unauthorized information can be charged with a crime. But prosecutions usually don't happen unless there is evidence of malicious or criminal intent, he said.

It’s not a good idea for security researchers to download sensitive data, he said, even if they find that it can be easily accessed. It’s worse to publicize information about vulnerable servers containing sensitive information, Pescatore said.

“It’s risky because the bad guys now know about it,” he said.

You also risk attracting attention from law enforcement, he added.

“You’re waving a flag in front of the bull,” Pescatore said.

Free speech?

After the second raid of his home, Shafer posted tweets in February about the FBI in Dallas, including some that the affidavit called “threatening.”

One of the tweets said it “takes big men to steal a 5-year-old kid’s saved games from his Wii... But that is who you are. Worthless, without integrity.”

On March 21, Shafer sent a Facebook message to the agent’s wife in which he said to tell him “I said howdy” and “Tell him I want my videos of my kids. You should just use your real name on Facebook.”

Shafer's case is similar to that of Barrett Brown, a Dallas journalist who was charged in federal court with accessing stolen credit card information by linking to it. Those charges were later dropped. But what sent Brown to federal prison were actual threats of violence he made on YouTube against the FBI agents who investigated him.

Ironically, Shafer has re-tweeted posts about Brown and his legal troubles.

Case law exists that protects crude and abusive tweets directed at another person. In 2011, a federal district court in Maryland dismissed an indictment against a man who was accused of causing a Buddhist religious leader emotional distress with his blogs and tweets about her.

In his tweets, the defendant told the victim to kill herself, among other things. But the judge ruled that the First Amendment protects “uncomfortable” speech online and that none of the tweets were “true threats.” The judge also said the tweets and blog posts were similar to a physical bulletin board where recipients of unkind messages could simply ignore them.

A condition of Shafer’s pretrial release was that he not use social media. Shafer wrote an April 14 blog post about his case, the FBI and the victim. He said he would “love” to sue Patterson Dental. He called the FBI “shady” and said the agent who investigated him “does nothing but threaten people.”

[Image: An excerpt from Justin Shafer's blog.]

Because of that, U.S. Magistrate Judge Renee Toliver revoked his pretrial release in April and ordered him held in custody, saying he was a danger to the community.

When his pretrial services officer confronted him about the blog post, Shafer protested in an email: "Blogger is not social media, and anyone telling me otherwise will be violating my First Amendment speech."

“You can take my Facebook and Twitter, but you will NOT take away my blog,” Shafer said in his blog post.