In yet another paradigmatic example of the flaws in the Computer Fraud and Abuse Act (CFAA), two government contractors who left confidential information on the open web without password protection are threatening to sue the Scripps reporters who discovered it via Google.
The contractors in question, Terracom and YourTel, left a smorgasbord of personally identifying information on the web belonging to applicants to a government-run program that subsidizes phone service for low-income individuals. This information included Social Security numbers, passport copies, names, signatures, birth dates and the like. Scripps reporters working on a story about online privacy apparently obtained the information (remember, under the CFAA "obtaining" information can be as little as looking at it) first via Google searches and then using the program Wget. Nothing was really hacked; at best there was a harvest of unprotected, low-hanging informational fruit.
Of course, rather than owning up to their sloppy security, counsel for the companies sent a cease and desist letter (below) saying that Scripps needed to cough up money to mediate the purported breach, and making implied threats of criminal prosecution.
For anyone familiar with U.S. v. Auernheimer, this fact pattern should sound familiar, and Scripps counsel should be concerned about being on the receiving end of a federal CFAA indictment. For those of you who don’t know, Andrew Auernheimer is currently serving a 41-month sentence in federal prison for conspiring to access AT&T’s publicly accessible servers and harvesting roughly 120,000 email addresses that AT&T had left exposed on the open web. No password was bypassed, and no real hack occurred. I was lead trial counsel for Auernheimer, and I don’t see much difference between what happened in that case and what happened here. Except maybe that the DOJ might be a bit sensitive about going after reporters given their current track record on that front.
Anyhow, this is another paradigmatic example of how flawed the CFAA is. By not defining its key operative concept, access “without authorization,” as requiring the bypassing of a password or some other type of technological access barrier, it allows corporations to be negligent regarding their infosec. The corporations know that whoever discovers the confidential data they have displayed for all to see on the open web, and not the corporations themselves, will suffer the consequences. Why should anyone disclose any computer security flaw in that kind of setup? Why risk a felony conviction? Better to keep your mouth shut and let all sorts of criminal organizations and foreign governments harvest the information than to incur the wrath of the Department of Justice and a vexatious and costly civil suit.
h/t Ms. Smith (if that is her real name), Privacy Fanatic Blog
Here’s the Cease and Desist Letter
Oh yeah, this is not legal advice and is for informational purposes only.