Javier Smaldone is a well-known figure in the Argentinian infosec community. As a security researcher, he’s worked to highlight the flaws in electronic voting in Argentina, despite the country’s local and federal attempts to move ahead with insecure software and electoral procedures.
The Argentinian authorities have a reputation of responding poorly to such criticism: In 2016, when Joaquín Sorianello warned an e-voting company about vulnerabilities in their e-voting software, his home was raided by the Buenos Aires’ police. Another technologist, Ivan Barrera Oro, was raided in 2017 shortly after demonstrating voting vulnerabilities in current software. The cases against Sorianello and Oro were both subsequently dismissed.
Now, it seems, it’s Smaldone’s turn to fend off a questionable criminal investigation. In early October, his home in Buenos Aires was raided by federal police, his phone and computers seized, and he was detained for questioning. The warrant for the search was in connection with a highly-publicized leak of data, exfiltrated in late July from the federal police themselves. The 700GB data was hosted anonymously, and caused political embarrassment both to law enforcement and the Argentinian politicians mentioned in the leaks.
Smaldone’s surprising raid was one of a series across the country against technologists by law enforcement investigating the leak. However, the material submitted by the police to the courts to obtain a warrant mostly points to perfectly lawful acts of free expression that would be entirely expected from an outspoken security researcher—not to any suspicious acts by Smaldone.
Police cited as incriminating Smaldone’s public discussion on Twitter of the high-profile politicians whose data was in the leaks, and his own subsequent analyses (on his blog and in the media) about how the attacks were carried out. It’s not surprising – much less incriminating – that Smaldone, who has testified before the Argentinian Senate on cyber-security, might have political opinions, or might express his expert opinion on the attacks. The police also claim in the request that Smaldone’s Twitter accounts “constantly expresses aversion to the police,” and that this “aversion” sometimes goes “beyond mockery.” But, again, this is not evidence of a crime.
Additional technical evidence for Smaldone’s involvement is weak, based on vague correlations between the geotracked location of Smaldone’s phone and activity related to the attack. The police even submitted as evidence that the leakers’ Tor onion service used the same version of the Nginx web server software as Smaldone’s blog – despite the fact that their shared version was the latest, stable update of what is currently the most popular web server application in the world, and was therefore also installed on millions of other Nginx servers at the time. At least based on the evidence that has been publicly disclosed, the raid on Smaldone appears unjustified.
Smaldone’s case is the latest, not just in a pattern of persecution against e-voting critics in Argentina, but in an accelerating trend of misunderstanding and scapegoating technologists in the wider region – one which we described in detail in our 2018 whitepaper, “Protecting Security Researchers’ Rights in the Americas.” Latin American technologists are increasingly caught up in unrelated, politicized, cyber-security investigations, with little evidence, conducted under too broad laws, by poorly-advised justices.
EFF has been fighting against such prosecutions since its founding in 1990. Argentina’s Javier Smaldone joins Ecuador’s Ola Bini as independent computer experts who are still being treated as dangerous suspects, for no more than practicing their lawful work, and using their inalienable right of free expression. We have joined with Access Now, and digital rights groups across the Americas in a letter to the judge and justice minister involved in the case, calling for Smaldone’s rights to be respected.