Intelligence Analyst Charged With Hacking For Logging Into An Account Sent To Him Via Email

from the where's-the-hacking? dept

Wired has the odd story of a government intelligence analyst who has been charged with unauthorized access to a protected gov’t computer involved in an investigation he was not authorized to access. But the problem is that the whole reason he logged in was because he had the login information emailed to him — and he claims it went to a bunch of other intelligence analysts as well. Given that the login info was widely emailed around, due to what appears to be a breach in security protocol, it seems rather silly to then charge him with any kind of unauthorized access, and have him facing criminal charges. The real question should be why the guy was emailed the login info in the first place.

Filed Under: ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Intelligence Analyst Charged With Hacking For Logging Into An Account Sent To Him Via Email”

Subscribe: RSS Leave a comment
Tor (profile) says:

If he understood what the login data represented and that he was not supposed to have access, then I don’t see why he should go free of charges.

For example, we had a scandal here in Sweden where one party used a leaked login to access the other parties plans on how to get elected. Personally I think one shouldn’t be allowed to use login credentials that you are not supposed to have access to. It’s like dressing up like a cop and misusing the authority that gives you. Just because you (or anyone) can do this doesn’t mean you should be allowed to.

The key question I think is whether you realize that you are not allowed to use the login data.

Chronno S. Trigger (profile) says:

Re: Re:

“The key question I think is whether you realize that you are not allowed to use the login data.”

That is the key question. He’s a government intelligence analyst, probably use to working with top secret stuff. Did he get the E-Mail and think that it was a message from his boss saying he had to work in there?

Another big question is are the tens of thousands of other people this was sent to getting looked at and what about the person who sent the message in the first place.

I don’t know how I feel about this. In a normal job environment, this would be at most a fireable offense. The top secret thing throws a wrench into the works.

Misanthropist (profile) says:

I disagree Mike....

If I accidentally use the same username and password on techdirt that I do on my banks website, does that mean that anyone at techdirt has authorization to access my account?

Do you think if Mike at techdirt emptied my bank account, that he shouldn’t be charged with unauthorized access?

I’d love to tell you to try and find out.. but sadly, I did not make this mistake.

_skhn (profile) says:

If someone gives you a username and password for a intranet website, particularly if the source is one of your bosses, it makes complete sense to assume that they’ve granted you authorization to whatever that website is. Even if it says in large letters “do not access without proper auth” I’m sure that will make it completely clear that the credentials the boss sent are bad…..

The analogy about using same username and password on multiple websites doesn’t hold water. First of all, websites you use should be hoped to keep credentials in a way that the site itself can’t determine the password. And the username/password combos used should at least establish bands of security. Maybe you don’t care about using the same uname/pw in a few forums, but you have unique uname/pw combos for banking, etc.

This is more reason why access itself is not the crime, it’s what you do with the access or how you obtained the access. And more reason why the federal government can be assumed to be among the most moronic large IT operations around.

Sneeje (profile) says:


If you find a key to someone’s house in the public street, and then use the key to enter their home, does that mean you’re not trespassing?


As others have said, the issue here is “authorization” and unless he had reason to believe he had authorization, he’s boned.

Those in the classified realm also know of a similar standard – “need to know”. Just because you have a particular clearance level does not mean you get to have access to everything, and if you pursue access or exposure to things not relevant to your work, you risk being accused of a breach.

Sneeje (profile) says:

Re: Re: Trespassing?

That’s a good point, however, I think we need to adjust it even further…

Someone who may *or may not* have owned the house, gave you the key, showed how the lock worked, and invited a bunch of people over.

We do not know that the person that sent the email had the authority to authorize others to access the information.

Ed C. says:

Clever hack!

It sounds to me that someone had that login sent to a bunch of people to cover his own tracks. When there’s multiple users accessing the same login, it’s harder to tell what any one of them is doing! Of course, the person who emailed the login should be brought up on charges.

And sorry AC, but you can’t just “accidentally” send someone an email with a system login!

Dom S says:

The Scenario?

Surely the main question is under what pretence the information was provided to this guy?

If he received an email with just the details for login and no further details, he may have just signed in to see what the login details were for.

If he got it from a superior with a DO NOT USE THESE DETAILS message attached then obviously he shouldnt have used them.

ultimately, no-one but him knows the circumstances surrounding receiving the login details and no-one but him knows what the rest of the email was about.

its all well and good saying “Having a username and password is not the same as having authorization to access a resource.” agreed, but you just dont know the WHOLE story.

Mike I have to say, you’re right but you’re wrong… using secure login details on face value would be stupid and deserves punishment because the person has not been told to use them.
HOWEVER, i cant honestly say that if someone emailed me login credentials to a secure website (internal or external) whether in error or not, I wouldnt have a peek at the info behind the login screen. I guess i would be punished for this, but i would still argue that someone sent me the details without instruction so i assumed they were for me to use.

Sneeje (profile) says:

Re: The Scenario?

“[…] so I *assumed* they were for me to use.”

See the problem? If you work in the classified arena, authorization to access information is explicit, not tacit (assumed), especially if you encounter the information unexpectedly.

However, I agree that the whole story is not here and he may have had reasonable cause to believe he legitimately had authorization to the material. In which case, he ought to make that case.

Richard (profile) says:

We don't know

Let’s face it we don’t know the wording of the “warning”, where the messages came from, what the “normal practice” of authorisation was or anything. So all these comments are really flailing around in a vacuum of ignorance of the important facts.

However it smells to me like the person who really caused the problem (the one who sent the message) is trying to cover his back. The wording of the government information looks deliberately contrived to put the worst possible spin on the actions of the guy who received the message.

Clearly SOME recipients of the message had authorisation (otherwise why was it sent) and the exact same message was sent to him as to them. So all those people who likened it to picking up a key in the street are off target. It’s more like being served a dish you (think you) didn’t order at a restaurant. Is it the restaurant’s version of your dish? Is it a complimentary extra? Or does it belong to someone else?

It all hangs on how dissimilar this event was to what this guy could expect in his normal job.

Clint says:

Where is the System Security?

If he wasn’t allowed to log into the system in question, why did the system allow him to (assuming he used his own ID)?

What happened to the others or the person that sent the information? If you are going to set an example, slap all involved not just a single person.

Of course, there is probably much more to this story that what was reported.

Isn’t “government intelligence” an oxymoron?

Benjie says:

A Better Analogy

A better way to describe what happened.

Say someone you didn’t know stopped over and say “Here’s My WIFI password”

Then you started browsing Facebook and you got criminal charges for unauthorized access.

If you read the story, he did not copy/distribute/whistleblow about any info he learned from his access.

Not to mention that this guy already had Top Secret clearance for his job, so getting this info was not out of the ordinary. He just so happened to not be on the list of people to have access.

Ryan says:

But still

without reading the email, we cant come to a good conclusion. If he recieved an email telling him to log in from one of his superiors, then why would he question whether or not he had authorization.

If my teacher told me her logins to her email account, and then told me to check it, I would conclude that I was allowed to check it. Who wouldnt in that situation?

Johnny says:


The thing everyone here doesn’t seem to understand is that this was a government site. There are warnings all over the place when logging on. It doesn’t matter what your clearances is, you do not get authorization from an email – you read disclaimers and sign papers.

There is no way this guy can use the “I thought I had clearance” argument. He’s government intelligence analyst, he knows what the procedures are.

I agree he shouldn’t be charged with hacking, but unauthorized access is valid.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...