Minnesota Public Radio Reporter Faces Hacking Charges For Reporting On Data Leak

from the federal-shield-law? dept

We were just noting how the Computer Fraud and Abuse Act is regularly abused to bring "hacking" charges where none are really warranted. And here we have yet another example. Alex Howard points out that a Minnesota Public Radio reporter, Sasha Aslanian, is potentially facing "hacking" charges from a Texas company called Lookout Services. Lookout creates employment/compliance software for large organizations, and Aslanian was reporting on a supposed data vulnerability in the software used to verify employment eligibility that could potentially reveal private info. Aslanian's report noted that she was able to see info from the state of Minnesota, and the state was now directing agencies to stop using Lookout. The details are not entirely clear, but from what's written at the MinnPost link above, it sounds like there were some vulnerabilities, poor security, and a bungled demonstration which revealed a vulnerability -- all of which Lookout admits -- and from those vulnerabilities (which Lookout claims it closed), someone was able to adjust the URL to find private data.

So, basically, the company admits to a series of vulnerabilities, which exposed info that allowed the reporter to eventually see some private data... but still claims that the reporter was "hacking" and is now looking to sue under the same Computer Fraud and Abuse Act, which could lead to 5 years in prison. Because our federal government still hasn't passed a journalism shield law, the reporter is potentially liable, though, as the MinnPost reporter notes, Lookout seems particularly shortsighted in bringing this lawsuit in the first place. All it does is call more attention to its own vulnerabilities and failings. And the CEO of Lookout basically responds that she doesn't care:
While the legality and severity of Lookout's security breach remains to be adjudicated, there's no doubt Aslanian was trying to serve the public interest -- something a prosecutor might consider. As Dalglish says, "The state of Minnesota should be grateful MPR exposed what's going on. It seemed like a pretty good story."

I asked Morley if she realized, by filing a high-profile suit, how hapless her timeline made Lookout look. After all, there's the webinar screwup, letting clients pick lame IDs/passwords and caching security credentials in such a way that rendered them useless.

"Yup," she admitted. "It was a perfect storm that came together. Our communication with the state really broke down -- in our contract, we had 60 days to fix any problem. But there was still an unauthorized intrusion, and that was wrong."
So, even though this will publicize not just Lookout's failings, but also how it responds to people who notice and report on vulnerabilities, the company still thinks it needs to bring a lawsuit because exposing those vulnerabilities "was wrong"? I would argue that the company's reaction to this gives many more reasons never to do business with Lookout -- more than any discovered vulnerabilities. Vulnerabilities in software happen -- and it's more telling how a company reacts when they're exposed. Suing those who expose them isn't what you want to see.

Update: Lots of good points in the comments, pointing out (of course) that Lookout cannot bring criminal charges against the woman, only prosecutors could do that, and it seems unlikely they would do so in this case.


Reader Comments


  1.  
    Ima Fish (profile), Dec 16th, 2009 @ 1:47pm

    I'm trying to understand how Lookout Services could sue Sasha Aslanian criminally.

    If Lookout Services sues, it would be a civil lawsuit and Sasha Aslanian would face no prison time or criminal conviction.

    My guess is that if Lookout Services is pushing for criminal charges to be brought, any sane prosecutor will refuse to do so.


  2.  
    Jake, Dec 16th, 2009 @ 2:14pm

    Lookout are claiming that Aslanian guessed someone else's user ID and password to get some of this data. That's going a bit too far; a lack of a minimum username/password length or other restrictions is undoubtedly a major security weak-point, but it wasn't necessary to perform an actual dictionary attack and gain access to some poor sap's personal data to prove the point.


  3.  
    btr1701 (profile), Dec 16th, 2009 @ 2:20pm

    > but still claims that the reporter was "hacking" and is now looking
    > to sue under the same Computer Fraud and Abuse Act, which could
    > lead to 5 years in prison. Lookout seems particularly shortsighted in
    > bringing this lawsuit in the first place.

    There's a lot about this that doesn't make sense. A private company can't sue someone into prison. They can sue for monetary damages, but only the state can press criminal charges and lock people up.

    > Because our federal government still hasn't passed a journalism
    > shield law, the reporter is potentially liable

    This also doesn't make sense. Even if the feds passed the journalism shield law, it wouldn't protect a journalist from charges of computer intrusion. It would merely allow a journalist to "shield" his/her source from discovery and prevent judges from holding them in contempt for refusing to reveal them.


  4.  
    Anonymous Coward, Dec 16th, 2009 @ 2:37pm

    New Laws

    Biden has passed a law yesterday in the secret session with the stakeholders that allows corporations with a net worth of greater than 1 billion dollars (And that contribute more than $1M annually to his campaign fund) to investigate, arrest, try and convict private parties or small businesses for any offense they deem suitable. This bill allows a hybrid criminal/civil conviction. It was done to protect the corn farmers.

    Just knowing this is an offense of the new law. Sorry


  5.  
    Jim, Dec 16th, 2009 @ 2:54pm

    re: New Laws

    I wish I could be 100% certain that A.C. is kidding about Biden's new laws. :(


  6.  
    TheStupidOne, Dec 16th, 2009 @ 2:55pm

    Re:

    "sane prosecutor" ... I didn't know mr fishy was such an optimist


  7.  
    ., Dec 16th, 2009 @ 3:05pm

    The reporter is a secret agent from milw0rm :)


  8.  
    Eric Goldman (profile), Dec 16th, 2009 @ 3:12pm

    Deja Vu

    This is like what Phil Angelides' campaign did to Schwarzenegger in 2006. http://www.techdirt.com/articles/20060914/110036.shtml


  9.  
    CVPunk, Dec 16th, 2009 @ 3:27pm

    Re: re: New Laws

    ummm... the VP doesn't write laws or pass them.

    JFGI


  10.  
    Windy, Dec 16th, 2009 @ 4:14pm

    Re: Re: re: New Laws

    That is the beauty of it .... no one would believe that under his new powers the VP could pass something. And, why no one wanted to be in the room when he did. If there was any fallout from it .. he could just blame Bo.


  11.  
    Cynyr (profile), Dec 16th, 2009 @ 5:00pm

    My 0.02USD take it or leave it

    IANAL

    if they had a legitimate login to the system, no hacking. legit in this case being a source telling them their ID/password (assuming the source claimed that it was their auth), or the journalist's own account on the system.

    If the initial login was not legit (blank passwords and exposed UIDs not being counted here, especially if they were handed out at a demo. You have no excuse for letting demo accounts have full access) then yes it was a crime, but not because they viewed other data than the account contained, but because they gained access to the system in the first place.

    IMO putting things on the internet without security/password is like putting a big "FREE STUFF, HAUL AT YOUR OWN EXPENSE" sign on it. no complaining that it then was viewed/copied/played with/etc.

    During the internal tests of the software no one thought of trying to change the or even using greasemonkey to modify fields in the form. REPEAT AFTER ME "ALL USER SUBMITTED DATA SHOULD BE TREATED AS HOSTILE, UNTIL PROVEN OTHERWISE AND SANITIZED", that includes data that you sent them, no guarantee that it didn't have bits flipped while moving across the internet, or that someone in the middle isn't trying to play games. What amazes me more is that this was contracted out to a third party to be hosted on their hardware in their building with god only knows what physical security. What happens when you call a random extension at this place and then act confused and say you have this number as tech support for using the system, and that you are just trying to verify some data but it isn't showing up, and ask if they could try there? Also electronic access to computer systems is not the same as physical access to a card catalog, or warehouse of boxes with this info in it, the rules need to be different.

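The rule the comment above shouts (every user-submitted value is hostile until checked, including a record id the server itself placed in a link or form field) is exactly what the article's "adjust the URL to find private data" failure violates. The following is an added illustration, not code from the article, the commenter, or Lookout Services: a lookup handler that trusts the id from the request beside one that enforces ownership on the server. The record store, account names and fields are constructed for the demo.

```python
"""Added example: insecure direct object reference vs. server-side
authorization. Nothing here is taken from Lookout's product; the data
store and account names are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str        # account that is entitled to read this record
    ssn_last4: str    # stand-in for the private field a tampered request would expose


# Constructed sample data: two different customers' records in one shared table.
RECORDS = {
    101: Record(101, "employer-a", "1234"),
    102: Record(102, "employer-b", "9876"),
}


def insecure_lookup(current_user: str, requested_id: str) -> Optional[Record]:
    """Vulnerable pattern. The caller is authenticated, but the id taken
    from the query string or form is used as-is, so nothing ties the
    record to the logged-in account: changing ?id=101 to ?id=102 in the
    browser returns another customer's data."""
    try:
        rid = int(requested_id)
    except ValueError:
        return None
    return RECORDS.get(rid)


def secure_lookup(current_user: str, requested_id: str) -> Optional[Record]:
    """Hardened pattern. Validate the parameter's shape, then check on the
    server that the authenticated account owns the record. The client is
    never the one deciding what it may read."""
    if not requested_id.isdigit():
        return None
    record = RECORDS.get(int(requested_id))
    if record is None or record.owner != current_user:
        # Same response for "does not exist" and "not yours", so a
        # tampered id cannot be used to enumerate which ids are real.
        return None
    return record


def audit_denied(current_user: str, requested_id: str) -> Optional[str]:
    """Detection hook: returns a log line when a request is refused, so a
    burst of refusals from one account (ids walked one by one) stands out
    in monitoring. Returns None for an allowed request."""
    if secure_lookup(current_user, requested_id) is None:
        return f"DENIED user={current_user} requested_id={requested_id}"
    return None


if __name__ == "__main__":
    # employer-a legitimately views its own record with either handler...
    print(insecure_lookup("employer-a", "101"))
    # ...but only the insecure handler hands over employer-b's record.
    print(insecure_lookup("employer-a", "102"))
    print(secure_lookup("employer-a", "102"))
    print(audit_denied("employer-a", "102"))
```

The ownership check belongs in the server-side handler, not in whether the id is hidden in a form or only reachable from a particular page; anything the browser sends can be edited, which is the commenter's greasemonkey point.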

  12.  
    Mr. Starx, Dec 16th, 2009 @ 5:56pm

    Hacking

    Umm... exploiting vulnerabilities to gain control of data that you do not have permissions for IS hacking. That's the very definition of hacking. Just because the vulnerabilities are obvious doesn't make it less than hacking.


  13.  
    Michael, Dec 17th, 2009 @ 8:52am

    Re: Hacking

    Perhaps, but in this particular instance, there is no intent to do any harm. In fact, the company really had a favor done - someone exposed a security flaw AND TOLD THEM ABOUT IT. This, at least, gave them a chance to fix it.

    It seems unlikely that there will be a prosecution without this intent, but the law should be clearer about what is hacking and when it should be a crime.


  14.  
    Lisa Loufe, Dec 24th, 2009 @ 12:04am

    Re: Hacking

    I agree... exploiting vulnerabilities is hacking. period.


