Federal Courts Sound The Alarm Against RECAP; Worried About PACER Profits

from the and-that's-how-it-goes dept

We've been excited to see what would happen with the RECAP Firefox extension, which is being used to help free up public domain court documents that have been locked up behind the PACER paywall. However, there were also questions about how the folks who run and/or benefit from PACER would react. We now have at least part of the answer: bogus scare tactics. Paul Alan Levy alerts us to the fact that the Federal Court system, which profits from PACER, has started sending out scare notices to try to keep lawyers from using RECAP:

The court would like to make CM/ECF filers aware of certain security concerns relating to a software application or "plug-in" called RECAP, which was designed to enable the sharing of court documents on the Internet.

Once a user loads RECAP, documents that he or she subsequently accesses via PACER are automatically sent to a public Internet repository. Other RECAP/PACER users are then able to see whether documents are available from the Internet repository. At this time, RECAP does not appear to provide users with access to restricted or sealed documents.

Please be aware that RECAP is "open-source" software, which means it can be freely obtained by anyone with Internet access and could possibly be modified for benign or malicious purposes. This raises the possibility that the software could be used for facilitating unauthorized access to restricted or sealed documents. Accordingly, CM/ECF filers are reminded to be diligent about their computer security and document redaction practices to ensure that documents and sensitive information are not inadvertently shared or compromised.

The court and the Administrative Office of the U.S. Courts will continue to analyze the implications of RECAP or related-software and advise you of any ongoing or further concerns.

I especially like the "scare quotes" around "open-source." Of course, I'm not quite sure why the fact that the extension is open source makes it any more vulnerable to being "modified for benign or malicious purposes." Either way, looks like the Federal Courts don't like competition eating away at their PACER profits.


Reader Comments

  • senshikaze, Aug 24th, 2009 @ 1:55pm

    Open source is teh evil

    As a user of open source software, and a (bad) developer, I take exception at that. But then again, it's a capitalistic society. TANSTAAFL is ingrained in the psyche.

     

    • :Lobo Santo, Aug 24th, 2009 @ 2:02pm

      Re: Open source is teh evil

      Hey! We have those exact letters stitched into our flag! (Here on the moon.)

       

    • Anonymous Coward, Aug 24th, 2009 @ 2:23pm

      Re: Open source is teh evil

      A capitalistic society implies that the federal courts do nothing in terms of laws or precedent to interfere with Recap. If they do that's not capitalism, it's closer to communism or tyranny.

       

  • Anonymous Coward, Aug 24th, 2009 @ 2:09pm

    Ed Felten's Team of Mavericks

    Scare quotes around open-source?

    Of course. You see, the plugin was developed by the real simpleton team surrounding Ed Felten. And, to make matters worse, those guys are always researching Government Transparency, finding vulnerabilities with DRM, voting machines and hard drive encryption, commenting on the three-strikes laws.

    Those Ed Felten followers... They are such a nefarious group of people. How dare they think this way!

    http://www.techdirt.com/search.php?q=Ed+Felten

     

  • PrometheeFeu, Aug 24th, 2009 @ 2:16pm

    Apparently, someone believes that open-source means anyone can modify the software and replace the currently distributed version. That is simply not accurate. Almost all open source projects have a person or a group of people in charge of vetting modifications to the software. Now, there is nothing stopping somebody from making changes and distributing their version on their own website, but as long as you get the software from the official project website, you will only get the vetted versions. And guess what? The people that vet and develop are no more and no less liable than a normal corporation that would develop bad software. I trust open source projects that are well maintained because unlike closed source software, there is a guy out there reviewing the code who does not have an incentive to sell the product to me. Let's imagine the software tester at Microsoft finds out Windows is buggy... Who does he report it to? You? Or the guy whose interest it is that you buy the software. Conflict of interest anyone?

     

    • Anonymous Coward, Aug 24th, 2009 @ 2:25pm

      Re:

      What I would be concerned about is that anyone can pretend to be RECAP and they can put fake data on the RECAP databases pretending it came from PACER, and there are malicious people who would do such a thing (heck, Techdirt recently got hacked even).

       

      • Noah, Aug 24th, 2009 @ 2:39pm

        Re: Re:

        Yes, but as (almost) everyone learned back in middle school, one source is not enough! I look at RECAP as a good place to start, but I wouldn't bet my life on it.

         

      • Rich Kulawiec, Aug 24th, 2009 @ 2:46pm

        Re: Re:

        1. Given the abysmal security track record of federal, state and local government agencies, I would be far more concerned about fake data on PACER itself.

        2. How do we know that this hasn't already happened?

         

      • Anonymous Coward, Aug 24th, 2009 @ 5:37pm

        Re: Re:

        "heck, Techdirt recently got hacked even"

        And you think such a thing couldn't possibly happen to PACER? I've got news for you.

         

  • Kazi, Aug 24th, 2009 @ 2:23pm

    Actually, they are just concerned about this:

    -------------------------------
    (https://www.recapthelaw.org/2009/08/20/a-note-on-recaps-commitment-to-privacy/)
    We’re confident that RECAP maintains the security model set up by the courts, and that it will never upload documents while a user is logged into CM/ECF. The code is open source, so anyone with concerns is welcome to inspect it for themselves. We’d like to work with the judiciary in the coming weeks to ensure they understand how RECAP protects privacy and security, and to incorporate any further enhancements they might suggest. In the meantime, users can continue using RECAP with the knowledge that it’s designed with privacy as our top priority.

    Update: A final reason users should be comfortable with using RECAP is that the extension’s operation is extremely transparent. The little “R” icon in the lower-right-hand corner of every browser window turns blue when RECAP is enabled (which should only happen when you’re logged into PACER) and grey when it’s disabled (which should happen when you’re logged into CM/ECF). We don’t think you’ll ever see a blue icon when you’re browsing CM/ECF, but if you do, you should immediately disable recap and let us know about it so we can investigate the problem. In addition, RECAP notifies you about every document it uploads (unless you choose to turn this feature off). Again, you should never see an upload notification while you’re on a CM/ECF page, but if you do you can contact us and we’ll delete that document from our database. So you don’t have to take our word for it when we say RECAP won’t upload CM/ECF documents, you can monitor what it’s doing and verify for yourself.
    -------------------------------

    So you might be sensationalizing the news a bit here and the "scare quotes" are not really scare quotes but to identify the name of the program ...

     

    • Ryan, Aug 24th, 2009 @ 2:37pm

      Re:

      Concerned about what? That excerpt just reinforces the argument that RECAP is as safe as anything else. Additionally, the quotes from the federal "court" release are around "open-source", not "RECAP".

      Heh, see what I did there? I put quotes around "court" for no reason, as if to imply that they are something less than an actual court.

       

  • Fred McTaker, Aug 24th, 2009 @ 2:49pm

    Executables can always be altered

    The worry that executables can be altered by nefarious third parties isn't limited to open source applications at all. Plenty of trojans/malware come in the form of altered proprietary (no public source access whatsoever) executables and drivers. This is where the whole term "trojan" came from - short for Trojan Horse, where in this case the horse is made of an application you know and love instead of wood, like Windows drivers or notepad.exe. That's why the open source community advocates cryptographically signing ALL applications, open source or otherwise, so that you can independently confirm that the source and binaries came from a trusted provider. So giving a warning, about confirming that applications came from a trusted source, isn't bad on its own. The assumption that such precautions should only apply to open source applications is complete FUD-mongering.

     

    • Anonymous Coward, Aug 24th, 2009 @ 3:05pm

      Re: Executables can always be altered

      Is the information on Pacer digitally signed by a governmental private key? I highly doubt it.

       

      • ..., Aug 24th, 2009 @ 6:38pm

        Re: Re: Executables can always be altered

        "Is the information on Pacer digitally signed by a governmental private key? I highly doubt it."

        Does what you posted refute anything in the Fred McTaker post?
        Or are you implying that the WARNING was a fake put there by nefarious users?

         

        • Anonymous Coward, Aug 24th, 2009 @ 7:05pm

          Re: Re: Re: Executables can always be altered

          Fred McTaker said

          "That's why the open source community advocates cryptographically signing ALL applications, open source or otherwise, so that you can independently confirm that the source and binaries came from a trusted provider."

          But how do you know the information on RECAP came from Pacer and not someone posing as RECAP pretending the data came from PACER?

           

          • Anonymous Coward, Aug 24th, 2009 @ 7:58pm

            Re: Re: Re: Re: Executables can always be altered

            "But how do you know the information on RECAP came from Pacer and not someone posing as RECAP pretending the data came from PACER?"

            That's a problem that only the courts can solve... by signing the documents in the first place. There has been a push to get them to do this, but they have been resistant.

             

          • ..., Aug 24th, 2009 @ 8:25pm

            Re: Re: Re: Re: Executables can always be altered

            "But how do you know the information on RECAP came from Pacer and not someone posing as RECAP pretending the data came from PACER?"

            You are asking a valid question, however it is unrelated to the post to which you responded.

             

          • Anonymous Coward, Aug 25th, 2009 @ 10:46am

            Re: Re: Re: Re: Executables can always be altered

            "But how do you know the information on RECAP came from Pacer and not someone posing as RECAP pretending the data came from PACER?"

            But how do you know the information on PACER came from Pacer and not someone posing as PACER pretending the data came from PACER?

             

            • Anonymous Coward, Nov 2nd, 2010 @ 6:07pm

              Re: Re: Re: Re: Re: Executables can always be altered

              The likelihood that someone will get in the middle of each interaction between the PACER server and each user and go unnoticed while changing tons of info is far less than the likelihood that someone posing as PACER will send RECAP invalid information.

               

  • Matt, Aug 24th, 2009 @ 2:55pm

    Legitimate concerns?

    It is possible that the court system has some legit concerns. Going to CM/ECF and PACER is scary, in part because some documents get (appropriately) sealed or even stricken entirely _after_ filing. With paper, it was unlikely that a doc that should have been sealed would be released to broad distribution before that happened. With PACER, it is less unlikely. With RECAP, it is still less unlikely. This can be a huge concern in circuits, like the 9th, that are unforgiving about the loss of privilege in the face of inadvertent disclosure. Add to that the concern that a dumb or ill-informed lawyer could install a trojan RECAP.

    A law partner I knew had a standing requirement that his secretary power on his computer before he got to the office every day. This was not just a show of power - he did not know where to find the button. And lawyers routinely violate their firms' software installation policies. The court system is right to be concerned that mere lawyers may not understand all of the implications of installing new software.

     

    • Anonymous Coward, Aug 24th, 2009 @ 5:45pm

      Re: Legitimate concerns?

      "A law partner I knew had a standing requirement that his secretary power on his computer before he got to the office every day. This was not just a show of power - he did not know where to find the button."

      Now let me get this straight, you're claiming that he could use a computer, yet he couldn't press a power button? Uh huh, sure. I bet he made her turn on his office lights too because he was too dumb to operate the light switch, huh?

       

    • ..., Aug 24th, 2009 @ 6:41pm

      Re: Legitimate concerns?

      "because some documents get (appropriately) sealed or even stricken entirely _after_ filing"

      Pandora's box, cat out of the bag, etc.

       

  • Anonymous Coward, Aug 24th, 2009 @ 3:04pm

    It wouldn't be difficult for someone to take this plugin, tack on some extra code, and turn it into a keylogger or similar. It also wouldn't be difficult to have it log and forward all your https accesses to a third party.

    People think it is safe, but honestly, it is easy to put a modified version of this open source tool online and get people to use it.

     

    • william, Aug 24th, 2009 @ 3:41pm

      Re:

      Valid points.

      However, if you are dumb enough to NOT download the OFFICIAL plug-in, from the OFFICIAL WEBSITE but from this random pop-up you see while you were surfing those _____ sites...

      Then you probably deserve it.

      It's basic Internet 101 really.

       

    • Anonymous Coward, Aug 24th, 2009 @ 6:43pm

      Re:

      This could happen - open or closed, does not matter.

       

    • Ben Zayb, Aug 25th, 2009 @ 5:10am

      Re:

      "It wouldn't be difficult for someone to take this plugin, tack on some extra code, and turn it into a keylogger or similar."

      For you to say that it wouldn't be difficult, I assume you are able to do this sort of thing. So do it.

      "It also wouldn't be difficult to have it log and forward all your https accesses to a third party."

      And after getting the thing to do all this, let's see you get us to install that filthy mod- from the official site, no less.

      "People think it is safe, but honestly, it is easy to put a modified version of this open source tool online and get people to use it."

      Can't do it? Then don't say it. FUD for the Gods!

       

  • duane, Aug 24th, 2009 @ 3:43pm

    with you on all but one point...

    "Either way, looks like the Federal Courts don't like competition eating away at their PACER profits."

    The Federal Court System doesn't actually call the shots with PACER and the monies it generates. Congress determines what PACER charges and what money, if any, the Federal Courts get from PACER. This is actually true for all the money the Federal Court System gets. So, PACER could generate a kabillion dollars and it wouldn't make much difference. Congresspeople would just direct it some place else and cut their budget again...

     

    • Anonymous Coward, Aug 24th, 2009 @ 5:10pm

      Re: with you on all but one point...

      That's not true. Congress delegated the authority to charge fees to the Courts.

      http://pacer.uscourts.gov/faq.html#GP8

      In fact, there is increasing evidence that the Courts have begun to use PACER as a profit center to support costs other than Electronic Public Access.

      http://www.nextgov.com/nextgov/ng_20090819_1886.php

      You *might* be able to argue that Congress didn't appropriate funds to pay for PACER, but of course the Courts haven't asked for it. Congress, on the other hand, explicitly told the Courts in 2002 that they should move to no-fee access.

       

      • Anonymous Coward, Aug 24th, 2009 @ 7:24pm

        Re: Re: with you on all but one point...

        Actually if you read more about the entire system you'll note that Congress actually directed the Courts to charge for the services. Later, with one hand they passed the e-gov act and directed things to be free, but with the other they still directed there to be charges for this sort of stuff. Typical government maneuvering. Also, the Court system doesn't set its own budget, Congress does. Congress gives money to the Court system. Whatever money the courts make it goes into a fund that then Congress has to give back to it. If there is such a concern about the Courts raking in the dough, surely the fact that they have to give it all up for someone else to decide what to do with it might temper that concern. I can assure you the Court's budget is nothing but lean -- less than two tenths of the entire budget or about 6.2 billion dollars for all the federal court systems. Finally, the "other" costs is sort of a loose definition. As the monies are going to improve electronic documentation and things of that nature. Seen one way, the monies are being used not for their original intent. Seen another, they are. Welcome to public administration.

         

        • Anonymous Coward, Aug 24th, 2009 @ 7:37pm

          Re: Re: Re: with you on all but one point...

          The government tries to configure the laws in such a way as to extract as much money as possible away from you. If you work with that assumption lots of things make a lot more sense. It's not about "where the money goes, who gets it, what it's going to fund" it's about extracting as much money as possible away from you.

          Where it goes, what it funds, what is the purpose of some law that was passed under noble pretexts; all of that could just be a bunch of smoke and mirrors to confuse you. The assumption you want to make is that the laws are configured to extract as much money away from you as possible and you want to see how well that assumption explains the laws in place. Test every law with that assumption and see how well it explains them. This includes laws to ban things, like banning competing products to reduce competition (because less competition extracts more money away from you) under health and safety or environmental pretexts. It includes laws to ban software under the pretexts of security or national security (ie: peer to peer software maybe?).

           

        • Anonymous Coward, Aug 24th, 2009 @ 7:50pm

          Re: Re: Re: with you on all but one point...

          You are correct that at the inception of PACER, Congress directed the Courts to charge in order to support the system. The E-Government Act revised this language to say that the courts may only charge to the extent necessary, and clearly stated Congress' concern with the fact that the Courts were charging more than the cost of disseminating the information. They also made clear their intent that the Courts move toward a free system. This is quite clear.

          You are not correct about the money going into a fund that Congress has to give back. The money goes into the Judiciary Information Technology Fund that the Courts control and have the discretion to spend from without fiscal year limitation. Programs other than PACER are paid for out of this fund, and monies other than PACER fees are deposited into it... but it is all within the Judiciary and decided by them.

          You are partially correct that Congress sets the Judiciary's budget. In reality, the Courts propose a budget that is submitted to the President and must be passed along to Congress *without change* (a special condition they fought for), then Congress and the Judiciary debate whether the requests are reasonable, and once the funds are allocated the Judiciary makes the finer-grained decisions. You might feel that the Courts do not have a strong enough position in this process, but it's the same process that all branches of government go through (that's why they call it the "power of the purse").

          The reality is that the Courts have not asked for money to pay for PACER, and they appear to actually be making a profit off of the service. The path of least resistance is the status quo. Unfortunately, this may not be the best thing for the public.

           

          • Anonymous Coward, Aug 25th, 2009 @ 8:56pm

            Re: Re: Re: Re: with you on all but one point...

            I do have to wonder if by receiving more funds than needed to run the PACER system, and then utilizing these additional funds for purposes other than running the PACER system, the judiciary may unwittingly be at the cusp of violating the longstanding doctrine and rule of law that excess funds may not be used for the augmentation of appropriated funds, the so-called "unauthorized augmentation of appropriated funds"? All such excess funds are by law required to be transferred to the US General Fund.

            Am I perhaps unaware of the judiciary having been given some form of a statutory exemption from the doctrine?

             

  • Mechwarrior, Aug 24th, 2009 @ 4:45pm

    The dreaded OPENSOURCE! >:(

     

  • Dan, Aug 24th, 2009 @ 6:30pm

    Yeh right

    Yes "open source" software, unlike the proprietary software supplied with government "approved and sanctioned" voting machines. The court would never make an unfounded or defamatory claim, would they?

     

  • Prometheus, Aug 24th, 2009 @ 6:46pm

    Be afraid - be very afraid

     

  • orbitalinsertion, Aug 24th, 2009 @ 7:17pm

    We have apparently missed the clue-train again.

    "...access and could possibly be modified for benign or malicious purposes. This raises the possibility that the software could be used for facilitating unauthorized access to restricted or sealed documents."

    How? RECAP does not access PACER. Someone would have to post the "restricted or sealed" documents after accessing them in the PACER fashion, which would require no code (and no RECAP FF extension) whatsoever. This doesn't make sense, and simply calls to attention how clueless the judiciary is.

    The Feds might have some legitimate concerns or warnings, but they were too stupid to voice those. (Simply rephrasing their statement minus the OSS or RECAP comments would have worked, as would have simply questioning the guarantee of provenance.)

     

  • Ben Zayb, Aug 25th, 2009 @ 5:04am

    As If

    "Please be aware that RECAP is "open-source" software, which means it can be freely obtained by anyone with Internet access and could possibly be modified for benign or malicious purposes."

    ROTFL!!! As if "closed-source" software couldn't be modified for malicious purposes. Whoever said this must have never heard of Windows and botnets.

     

  • ranon, Aug 25th, 2009 @ 1:47pm

    Everybody need not sign up to RECAP

    Everybody need not sign up to RECAP. All that is required is for one person to upload a document and it will be available to all.

    Also, you are not going to get sign-ups for RECAP just for uploading. A person installs the application initially to download documents. Then when he gets sufficiently comfortable with the application, and it is useful, he will start uploading documents.

    At that point, you will not have computer nitwits operating the system, and they can ensure that they take required security measures.

     

  • Anonymous Coward, Aug 25th, 2009 @ 7:16pm

    Is one able to access the RECAP database without having a PACER subscription?

     

  • Pacer Federal Docket Already Free, Oct 2nd, 2009 @ 8:31am

    Free Pacer Dockets

    Pacer dockets have been free for a while. Just go to http://www.freecourtdockets.com. Lots of ads, but in 1 minute without a Pacer account anyone can get a free Pacer docket.

     
