Dangerous Ruling Says If Someone Goes Onto Your Openly Shared Google Drive, You Can Sue Them For Unauthorized Access

from the this-is-not-good dept

If you accidentally leave your Google Drive accessible to anyone with the URL, and someone goes there and deletes stuff, is that “unauthorized access” and a violation of the CFAA? To me, the answer should be absolutely not. But in this recent ruling the judge went the other direction (first noted by Evan Brown).

So, let’s start this one off by noting that the defendant in this case seems to be a generally terrible person, who runs a Facebook group focused on spreading ridiculous nonsense regarding her local school district. As described in the lawsuit the group is:

“dedicated to propagating anti-mask policies, anti-vaccine policies, anti-LGBTQ policies, and anti-Critical Race Theory policies within the Scottsdale Unified School District.”

Yeah. So, you get an idea of what we’re dealing with here. The father of a member of that school board, who seemed (perhaps reasonably) concerned about the activity in this group, started collecting information on what was going on in the group and storing it on a Google Drive account. Apparently without realizing it, he set the folder to be accessible to anyone with the URL.

At some point, things got messy, with the son of the school board member being accused of defamation. Here is the description of what happened next from the court opinion:

In 2021, Plaintiff’s son was accused of defamation. He responded to his accuser by emailing “13 photographs of public Facebook comments, made by his accuser, some of which were stored on the server.” One of the photographs displayed the URL to the Google Drive, and that photograph made its way into Amanda’s possession, where she noticed the URL and asked a third party to make a hyperlink for the URL. Once provided, she clicked on it to access the Google Drive. She reviewed, downloaded, deleted, added, reorganized, renamed, and publicly disclosed contents of the Google Drive.

So, obviously, that’s not great. But, it seems clear that the fault was with the owner of the Google Drive folder, Mark Greenburg, who failed to properly secure it. Even if it feels icky that the defendant here, Amanda Wray, messed with the folder, none of that would have happened if Greenburg had properly secured the account (which is the default setting — so he had to proactively choose to share the folder differently).

Wray seems like a terrible human being in oh so many ways, but it seems ridiculous to argue that she violated the CFAA. The court, however, goes the other way:

This is a close call. Plaintiff acknowledges that the portion of the Google Drive accessed by Amanda was not password protected; Plaintiff had inadvertently enabled the setting that allowed anyone with the URL to access the site. But, Plaintiff alleges that this setting did not per se render the Google Drive public, given that the URL was a string of 68 characters. What’s more, the Google Drive was not indexed by any search engines, unlike the website in hiQ. Therefore, it wasn’t just “anyone with a browser” who could stumble upon the Google Drive on a web search—the internet denizen wishing to access the Google Drive needed to obtain the exact URL into the browser. By the Court’s eye, Plaintiff alleges that the Google Drive had limitations and thus persons attempting to access it needed authorization.

In short, the plaintiff’s argument is that security by obscurity should be legally protected. The fact that it was not indexed by search engines doesn’t seem like it should matter at all. The fact is that Greenburg (accidentally, but that shouldn’t matter) made the folder available to anyone with the URL, and his son (accidentally, but that also shouldn’t matter) revealed the URL. At that point, it’s public. It’s on Greenburg to secure the folder.

Wray’s response, to go into the folder and mess around with it isn’t great, but that should not be seen as “unauthorized access” under the CFAA.

I worry about rulings like this, because it could cause real damage, especially for security researchers, and others who quite often will find public folders that are not secured properly. If the settings are set so that the folders are public, it is deeply problematic to argue that the access is unauthorized. The settings themselves that open up the folder literally say that everyone with the URL is authorized to view it, even if they have to type in a long URL by hand. That’s what happened here, and to argue that the access is unauthorized, once again, raises serious problems with the way the CFAA is interpreted.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Dangerous Ruling Says If Someone Goes Onto Your Openly Shared Google Drive, You Can Sue Them For Unauthorized Access”

Subscribe: RSS Leave a comment
Anonymous Coward says:


That’s not a great example. Taking something left at a curb would certainly be theft if whoever left it didn’t mean to abandon it. I often see small libraries, kids’ bicycles, and benches (for example) in that area. It may sometimes be hard to establish criminal intent, but a civil ruling of “give the stuff back” should not be surprising.

Anonymous Coward says:


A better analogy:

I accidentally published the combination to my front door in a picture I posted publicly.
Someone used the combination to enter my home, destroy things and write graffiti all over the walls.

The google drive URL itself is like a password, or combination. Just because you have a password does not mean you were given permission to use it and then modify/delete whatever you could access with that password.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: Re:

Except in this case, the act of publishing it (making the Google Dive folder open) specifically SAYS it authorizes people to come in.

That remains true even if you cede the argument that the URL “is like a password”, which it definitively is NOT.

Anonymous Coward says:

Re: Re: Re:

No. You’d have an argument if the owner gave specific access to the defendant with editing privileges. Accidentally leaving a door open doesn’t express intent. It’s just careless, not intentional. You’d also have to argue the plaintiff intentionally sent the address to the defendant with the intent that they have access. That’s clearly not the case.

Bruce C. says:

Re: Re: Re: The deciding factor ...

The tampering raises a troubling aspect. If you have an open house allowing people to tour your home or for purposes of selling it, sure you should expect that any rando can come in and look around.

But there isn’t any expectation that you’re giving permission to people to come in and take things, or smash them up with a blunt weapon.

Similarly, deleting or modifying files is a separate access level and permission from just reading them.

Quokko says:

Re: Re: Re: Many levels of deliberate deceit

Plaintiff Greenburg did literally nothing but inadvertently set his drive settings to something unintentional. His son didn’t advertise the security error. The defendant’s cohorts SCOURED for it (for the purposes of exploitation), and found it (in pixel form) rather obscurely contained within just ONE of 13 attached screenshots. The defendant then chose to deliberately exploit an obvious security weakness that she KNEW was off-limits to her.

This comment has been deemed insightful by the community.
Bergman (profile) says:

Re: Re:

A better analogy still would be putting a dry erase board in an out of the way, seldom-traveled, but still public corridor. Nobody knows it’s there so anything you write on it goes untouched.

Then one day, you tell someone you trust about where it is, and they publish that information to the world. Shortly thereafter, someone walks down that public corridor, erases something you wrote, and writes their own thing.

Yeah, they didn’t have your direct permission, but you were the one who chose to put it in a public corridor instead of in your private office behind a door that only you have a key to.

Naughty Autie says:

Dangerous Ruling Says If Someone Goes Onto Your Openly Shared Google Drive, You Can Sue Them For Unauthorized Access

Is it actually dangerous, though? Reading the article tells me that Wray didn’t simply go onto the plaintiff’s Google Drive, she added and deleted stuff, which is technically hacking since she did it without the permission of the plaintiff. This is why the judge said it was a close call: the access was technically authorised, but the addition and deletion of data wasn’t. I will agree that the plaintiff’s argument of ‘not indexed by search engines’ is bullshit, though. There’s a few sites that don’t pop up in search results on Google, but that doesn’t prevent me accessing them and viewing their pages.

TheDumberHalf says:

Re: I believe google drives are indexed by search engines.

You have to know which engines or the markup to use in the search. There’s a massive open-directories community that shares information this way. Because the RIAA doesn’t know about these engines or markup, the community has thrived, untouched for decades now.

Anonymous Coward says:

Re: Re: Re:2

Even if someone’s willing to give up their right to privacy in exchange for respect of their right to freedom of speech, that doesn’t solve the issue of Google showing results based on what its algorithms thought you meant, which is sometimes far removed from the carefully constructed search term you actually entered. This is why Bing’s my go-to when it comes to looking stuff up online.

Anonymous Coward says:

Re: Re:

Except he clearly didn’t do that intentionally. You’re interpreting consent where he didn’t provide it. You don’t get to keep a wallet you found on the street that someone accidentally dropped. You don’t get to walk into someone’s house just because the front door is unlocked. He didn’t publish the address to the folder as a hyperlink nor did he post it to the world. He accidentally sent it in an image to a single person.

Naughty Autie says:

Re: Re:

Public Google Docs are public, and the owner had to specifically authorize public access, though.

Except he didn’t, though. As I pointed out above, Alphabet’s permissions are opt-out in places without sufficiently strong privacy laws, including the US, so Google Drives are public by default and you have to actually set them to private just like with Facebook settings not so many years ago.

Anonymous Coward says:


i think it is dangerous; the CFAA is the wrong route, and a law designed for abuse.

There are plenty of torts for which one could make a case. The federal “War Games” law is a stupid and unnecessarily escalated avenue to take. And the ruling, if it stands, just opens the door to more egregious stupid.

nasch (profile) says:


the access was technically authorised, but the addition and deletion of data wasn’t.

I don’t think that works. Either the granting of permissions is recognized as having taken place, or it isn’t. I think it should be, but it doesn’t make sense to split it in half and say he authorized the public to access the folder but not change it.

nasch (profile) says:

Re: Re: Re:

There’s a blog the public are authorized to access, but not change that refutes your hypothesis by its very existence.

That’s because read only and edit access are separate for that blog. That was not the case for the Google document (folder? not sure) in question. Full access was granted to both view and edit by a single action. Either that action authorized anyone with the link to view and edit the information, or it didn’t. There is no coherent argument for how it could have authorized viewing but not editing.

Anonymous Coward says:

I’m okay with this one because there appears to actually be malicious intent in the access. The defendant likely knew the owner of the folder didn’t want them to do that. And it wasn’t the access itself, but the deletion of content that seems most offensive.

I would say this is like noticing your neighbor accidentally dropped something from their pocket while going to their car and you walk over after they leave and throw it away while knowing your access was unintended by the owner and that they wouldn’t want you to throw the property away.

This comment has been flagged by the community. Click here to show it.

terop (profile) says:

If I leave my front door open, you’re still not allowed to come in and take my television. Anyone get caught carrying away the tv from my home will still be procecuted for burlary. Same with the car door, even if the door is open, taking my car radio is still illegal.

Same rule applies to google drive. While it’s common for people to keep their drive door open, it’s simply not acceptable to delete files from it or take the contents and publish it on unrelated sites.

Security research can claim “good faith” on their security research. While black hat security people have more trouble with getting good faith proven, ordinary white hat security folks should have no problems.

Good faith is clearly not present when after some arguments with the owner, someone goes deleting data from people’s google drive storage as it was in the case referred above.

Naughty Autie says:

Re: Re:

The deletion and downloading of the files should perhaps be treated as vandalism and/or theft.

Such charges being appropriate only in the case of destruction of physical property. Since this case deals specifically with digital property, the appropriate charge is hacking. Hacking falls under the CFAA which, due to the differences between physical property and digital property, is in no way a “‘special’ on a computer law.”

Bergman (profile) says:

Re: Re: Re:

It IS a special on a computer law, because if the defendant had done it literally anywhere but on a computer, the maximum sentence would be a year in jail, but would more likely be punished with a fine or community service.

But because it was on a computer, the penalty is 10-20 years in prison without possibility of parole.

tom (profile) says:

Re: Re: Re:

We shouldn’t need a special ‘on a computer’ law to charge vandalism. The public Google drive location wasn’t much different then a public park. What was allegedly done was closer to vandalism then hacking. Much like someone going to a public park and chopping down several trees. The person chopping trees was authorized to be in the park but not authorized to chop down trees. The person deleting files was authorized to be in the google drive but not authorized to delete files.

Charge for the crime committed, vandalism of property, not for just being in the public drive.

Anonymous Coward says:

Re: Re: Re:2

It wasn’t a public park. It was private property that the defendant inadvertently had access to, like a neighbor’s front door be unlocked. The defendant chose to walk through the door. The link to the folder wasn’t published publicly either. It was accidentally sent in an image and not as a hyperlink. The defendant would have to argue the plaintiff sent the address with the intent of giving the defendant access and editing privileges, which clearly isn’t the case here.

She cray-Wray says:

Re: Re: Re…

What we need, is a clarification in law that specifically states that our virtual spaces are indeed extensions of our homes and property.

The defendant here has an established and lengthy history of jumping on and immediately exploiting anything and everything she can find that casts her (many) foes in a negative light. In this case, she spent close to three months keeping her illegal access a secret from the plaintiff, while she crafted a horrible defamatory narrative about the plaintiff’s intent for collecting the data. The discovery will show just how nefarious her intent was, and this MTD situation does not even come close to accurately portraying just how ugly and dark her heart is.

This comment has been flagged by the community. Click here to show it.

Ashley S. says:

Actually, there is no truth to Greenburg’s allegation that the group is ““dedicated to propagating anti-mask policies, anti-vaccine policies, anti-LGBTQ policies, and anti-Critical Race Theory policies within the Scottsdale Unified School District.”

This is merely his political attempt to vilify the Defendent. There is also no proof that the Defendant deleted or reorganized files. In fact, View access to a Google drive does not allow editing capabilities. If Greenburg’s files were deleted or reorganized it was likely by the other users that he granted Edit access. Greenburg has not proved that these changes were made by the Defendant.

Also Greenburg is an all-around terrible person and has been for many years.




This comment has been deemed insightful by the community.
Toom1275 (profile) says:

Re: Re:

And theu;re absolutely deliberately lying that the group doesn’t engage in harmful anti-mask amti-education acts:


That article also mentions some of the deranged defamations made of Greenberg.

A.G. says:


I think that everyone can agree that the plaintiff did not intend to share the Google drive publicly and while it must be painfully embarrassing to be exposed for the troll that one is, the plaintiff’s own sloppiness and ego is what got him in this mess. The plaintiff had to manually change the drive default settings from “restricted access” to “anyone with the link can view.” Whether he did that and forgot, or got really proud of his trove of data he was collecting (including photographs of the defendant’s children) and kept it wide open – he screwed up and is now in the business of trying to save face over a very sophomoric choice.

There is no point in comparing this situation to finding a key and entering someone’s house because it is not the same. 1. This is the internet, not a diary under your bed. 2. The plaintiff is miffed that someone had the wits to type in the 60 something url and have success.

I do feel bad that the author of this article and his platform have been tricked into publishing this without completing research first. The Greenburgs have a VERY litigious history, personally and in business. Do you have kids, Mike? How would you feel finding out a grown man was storing photos of your property and family on a drive? And it wasn’t because he thought you were cute.

Man gets angry that there are people in opposition of his views. Man starts keeping files on people he doesn’t like. Man gets caught being a creeper. Man now wants to sue the people he targeted because they found out he was targeting them.

The only way that Greenburg could even file this case was to claim that the files were tampered/deleted/whatever his allegation is. Where is that proof? Google says “ANYONE with the link can VIEW.” It does not say “Anyone with the link can EDIT.” Greenburg just wants a head on a platter and a payout to replace his own negligence.

Naughty Autie says:


Interesting indeed, Ms. Wray.

How would you feel finding out a grown man was storing photos of your property and family on a drive? […] Man gets caught being a creeper.

Those sentences I quoted above? That’s how I knew who you are, and it’s also the reason ‘Man’ could have grounds to sue you for libel on top of the ongoing lawsuit for you destroying his data.

migi (profile) says:

I am not a lawyer, but I think there are reasons to think that this is not some sort of legal disaster.

Firstly it’s a civil case not a criminal case, so to succeed the plaintiff does not need to reach beyond reasonable doubt, only preponderance of the evidence.

Secondly this is a ruling on a motion to dismiss and as the court notes “When analyzing the sufficiency of a complaint, the well-pled factual allegations are taken as true and construed in the light most favorable to the plaintiff.”
So when the plaintiff claims that a google drive URL is the equivalent of a password and the judge thinks it’s a close call, that seems likely not to pass muster later on when the judge doesn’t need to view things in the light most favourable to the plaintiff, and can fully account for the defendant’s arguments (If I was the defence lawyer I’d be thanking the judge for signalling an angle that he is receptive to counterarguments).

Thirdly the plaintiff alleged $5000 worth of damages, which he incurred by hiring a “forensic IT team”. If the defendant had accessed the drive but not done any vandalism, I don’t see how the defendant would have ever incurred those costs because there would never have been a reason to hire them.

I’m not sure the court got it right, but I think that this story is untimely because it’s about an interim decision not the final decision. If the court (or jury) rules this way in the final decision that would be a much bigger problem.

Anonymous Coward says:

One of the photographs displayed the URL to the Google Drive, and that photograph made its way into Amanda’s possession, where she noticed the URL and asked a third party to make a hyperlink for the URL.

The defendant’s a member of a school district and she can’t even create a hyperlink out of a URL through the analog hole? 😶

Schnookums says:


The bad actors here were able to sucker someone else into taking the legal risks involved in accessing the drive. Very clever manipulation happened. Once inside, they found more than they’d imagined in terms of ammunition with which to mischaracterize the plaintiff’s drive contents. It contained information regarding lots of people, and most of them did not want to be associated with the hacking. But after 90-days of clandestine access and activities, defendant could no longer resist the urge not to publicly exploit what she’d found.

Plaintiff has also filed a “fraternal twin” defamation suit in state court regarding the same matter.

The Turning Point USA PAC appears to be funding their defense, as they seek to seize this as evidence of a “corrupt left” element in society.

Lostinlodos (profile) says:

“and deletes stuff, is that “unauthorized access” and a violation of the CFAA?”

I think the key here is vandalism. The deleting. Along with:

…“deleted, added, reorganized,

Is this not abuse? Abuse outside of security research?
Not “hacking” or “cracking”, but most definitely abuse.

This is very different than simply visiting an open directory and accessing/reading, public facing resources. This is intentionally causing mischief, vandalism.

I get your concern for security researchers, but this is far more than than finding and reporting issues

Lostinlodos (profile) says:

Re: Re:

It’s not, and at least from the CIS industry, never was. The hacking is the act of unauthorised access. Here, assuming everything reported is true, there is no unauthorised entry.
An open access google drive is by its nature open access

Walking into an open house, as above, is not hacking. Coming back 12 hours later when it’s locked and entering anyway, is.
You need to hack, as in break open a window or door, or crack, as in pick the lock or decipher security, to gain unauthorised access.

Lostinlodos (profile) says:

Re: Re: Re:2

Could be. There’s a reason each version of the hackers’ dictionary covers more than one definition for many terms.
Regional variation.

I use the terms I grew up with, same era as your rents.

The point here is stepping into an open door in a community where an open door is an invitation to enter… is not illegal.
Fucking up thebdtuff inside is.

Lostinlodos (profile) says:

Re: Re: Re:4

True. But That’s not the premise.

If you lived in Open Door Town where there was an open door policy, eg google drive, you have an open door policy. In open door town you close your door when you want privacy just like google drive.

Like I said initially, drive owner may be able to get some level of trespass to stick on the access level. But if you fail to close your door in an open door community it’s on the owner.

Lostinlodos (profile) says:

Re: Re: More accurately

If you leave your car running at the gas station and go inside.
If you leave the car open and I climb inside and look, you’ve granted public access.
you may get criminal trespass to stick. But nothing more.

If climb in and drive off, that’s theft.
Same as I’d I take your radio. Or a book sitting on the seat.

If I change your stations, move the seat, turn in the heater; that’s abuse. (of private property).

Now assuming you locked the door to the running car, if o pick the lock or send a fake RFID/BT command to open the door, cracking.

And if I gouge out the steering hub or require the transmission Locke to drive away without a key/fob on an auto start or auto run, that’s hacking.

See the idea?

Naughty Autie says:

Re: Re: Re: You just proved my point.

Now assuming you locked the door to the running car, if I pick the lock or send a fake RFID/BT command to open the door, cracking.

And if I gouge out the steering hub or otherwise make structural changes so I can drive away without a key/fob on an auto start or auto run, that’s hacking.

See the idea?

Amandassoiledandtwistedpanties says:

Rationalization is not your friend

There’s actually a way to specify in the Google Drive settings that the drive is being made accessible to the public. “Anyone with the link” is not it. You actually have three levels of permissions. To share it with everyone requires specifically choosing to make it open to all. The other two options require one’s actually being invited.

“Anyone with the link” is just a way to quickly give access permission to people you wish to GRANT it to. Noticing the URL in a photograph and manually hacking your way in (when you know damn well you’re not invited) is no different than copying a key to your neighbor’s home while they’re not looking. Entering and copying files (when you’ve not been invited) is theft.

Get a criminal lawyer, Amanda.

Sniffinghertwistedsoiledpanties says:

“Permission” thoughts

Permission is a concept that needs more consideration. In this situation, there are two basic kinds. And you are required to have BOTH kinds in order for the access to be legit.

“Technological permission” is what one requires to physically gain access. For example: A key. A key code. A login and password. Or in this case, a direct link to the drive.

“Given permission” is the permission that the owner of the real or virtual property must also give. The invitation.

Amanda’s partner in this crime saw the URL in the photograph and secretly attempted to access the drive (and succeeded). They gained access with technological permission, but without GIVEN permission. One need only examine their post-access behaviors to show their respective levels of “presence of mind” in their crime. They spent ~90 days preparing a strategic media blitzkrieg that the Greenburgs could not hope to immediately defend against.

This was a planned attack.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...