PACER Hacked By Malicious Entities, Briefly Turning It Into A Useful Source For Federal Court Documents
from the power-user-mode-engaged dept
The US Court system’s electronic filing front-end has always been a mess. Not only is it prohibitively expensive for most casual users, it’s prohibitively dysfunctional even for power users. Whoever isn’t discouraged by the outdated front end will be just as unimpressed by its back end. PACER charges per page like it’s a librarian running paper copies on a mimeograph. It also charges per page of search results, even if the inadequate search system fails to turn up anything more than the notification that this failure has added another $0.10 to your PACER tab.
Perhaps the only way to make PACER useful is to bypass the front end and root around in the digital back room. That’s what appears to have happened here, as first reported by Politico:
The electronic case filing system used by the federal judiciary has been breached in a sweeping cyber intrusion that is believed to have exposed sensitive court data across multiple U.S. states, according to two people with knowledge of the incident.
The hack, which has not been previously reported, is feared to have compromised the identities of confidential informants involved in criminal cases at multiple federal district courts, said the two people, both of whom were granted anonymity because they were not authorized to speak publicly about the hack.
First, let’s discuss the “sensitive court data.” PACER records are de facto public documents. But not everything contained in the US Courts system is actually public or even meant to be public. In addition to the things Americans are still expected to pay $0.10/page to access, there’s plenty of stuff filed under seal or otherwise prevented from reaching publicly-accessible dockets. And those documents might include things the government would definitely prefer no Americans have access to, much less the presumably foreign hackers who managed to breach the system.
But Politico isn’t exactly correct that this hack “has not previously been reported.” The breach was apparently discovered by the government on July 4 (hmmm), but the attacks and the attack surface had previously been highlighted by the federal judge overseeing PACER modernization efforts. Two weeks before this hack was discovered, the judge had told Congress PACER was under constant attack by malicious hackers.
Michael Scudder, who chairs the Committee on Information Technology for the federal courts’ national policymaking body, told members of the House Judiciary Committee that about 200 million harmful cyber “events” were prevented from penetrating court local area networks in fiscal 2024.
“The Judiciary has had to respond to waves of highly sophisticated and persistent cyber threats,” Scudder said in written testimony. “Given the information in the Judiciary’s control, we continue to face unrelenting security threats of extraordinary gravity.”
This was apparently shrugged off as something a DOGE-subservient federal government wouldn’t be spending any money on. After all, very few people in power actually seem to care whether or not there’s easy and equitable access to court records citizens have a First Amendment right to access. And the US Court system itself is more concerned it won’t be able to buy new flatscreen TVs and office chairs if anyone allows everyone but (mainly corporate) power users to access documents for free.
And while this wasn’t confirmation of this particular hack, the government had been warned hackers were incessantly attacking PACER in hopes of accessing whatever wasn’t accessible via its counter-intuitive front end.
The modernization of PACER is relegated to the back burner in perpetuity, it seems, even though spending money to update the system might have made it a bit more resilient to persistent attacks. But the federal government rarely feels compelled to throw money at things that might make things better for the hundreds of millions of peons who have somehow failed to secure a seat in Congress.
Under Trump and DOGE, this breach may result in some hand-wringing about the potential exposure of confidential sources (or buried evidence of police misconduct) but it’s unlikely to result in funding for additional security efforts, much less any movement forward on the free access front.
I can only hope the hackers decide to dump these documents somewhere publicly-accessible, which will save citizens millions in PACER fees while also exposing the amount of banality of the government out of the public eye by pretending literally any fact about any well-known surveillance tech or commonly-used law enforcement tactics will somehow create nationwide criminal chaos if the general public finds out things it most likely already knows.
But more importantly, this shows how little the government cares about one of its offerings that mainly benefits people who aren’t government employees. While the government has no problem spending money to make sure its own are taken care of, the people paying the tab are seldom considered worthy of government investment. And I can pretty much guarantee the reaction to this hack will be even less access to presumptively public records, rather than the implementation of a robust system that repels hackers and provides better, cheaper access to records the public has already paid for once.
Filed Under: data breach, federal courts, hacking, pacer, public records, us court system
Comments on “PACER Hacked By Malicious Entities, Briefly Turning It Into A Useful Source For Federal Court Documents”
So why jump so confidently to “malice” as the motivation? Sure, it’s possible that someone was seeking secret data to do harm, such as to murder an informant or file false documents. But in the absence of evidence, it’s also possible that they just wanted to make the system useful for everyone, and had no idea this could cause collateral damage.
Re:
Agreed. It seems as though Tim has forgotten the lesson provided to us in Hanlon’s Razor.
Re: Re:
Not just Tim, though. Almost everyone working in computer security seems to have the same idea, always talking about “malicious” this or that—including “malicious software”, as if our current technology can create software capable of intent. And as if “malice” is somehow a better explanation for me than “greed” or “we don’t know the motivation” when money goes missing from my bank account. (Robin Hood wasn’t malicious, but why would the victims care?)
Re: Re: Re:
Software is an instrument of its author’s intent. Malicious software is software written for a malicious intent. Would you equally object to terms like “malicious lawsuit” on the basis that a lawsuit is not a person?
Re: Re: Re:
Nope. Robin Hood was a traitor, though, stealing the money earmarked to ransom his King out of captivity in the Middle East (not that I blame the Muslims when we were the ones waged war against them to “reclaim” territory that was never ours).
Re: Re: Re:2 Robin Hood wasn't malicious
While the tales of Robin Hood are fiction possibly based on folk tales of one or more actual historical characters, nothing in any of the folk tales or classic fiction indicates that what you have said about Robin Hood being a traitor is true. Indeed, the classic fictional tales all show Robin Hood being a supporter of the rightful king gathering money for the king’s ransom. As the Robin Hood story is non-copyrighted and open to retelling, it has been retold in many forms across the years and there may exist a story in which what you said about Robin Hood being a traitor was true. It does not make it the dominant form of the Robin Hood mythos and should not be represented as such.
Re:
Riiiight. That’s totally what happened. Someone installed PACER 2.0 and migrated everything while maintaining security and proper auth.
Your (below) razors are dull, rusty, and defectively manufactured.
Re: Re:
That’s a weird thing for you to hypothesize out of nowhere, given that nobody said anything like it and the evidence suggests the opposite. It seems that someone fucked the system up. We just don’t know why. “Malice” would mean that the damage was their intent, rather than a side effect.
So?
A service that is >90% automated, being Run as IF, it was Still TOTALLY MANUAL and needed 10,000 persons to handle all the input data from Every City, County, State?
Where, Most of the Data, is Generally Already Scanned into TXT format for Quick reference in EACH state. And all anyone needs to do, is FIND IT in that Jungle of State Servers that hasnt been updated in 20 years, That Controls ALL the state computers.
UNLESS,
States are Charging for Their OWN server access. And there is NO standard Protocol Used in the States.
AND SOME STATES HAVE COPY PROTECTED DATA, FOR SOME ODDBALL REASONING.
Protocols(Computers and manual services) Procedures. GOTTA LOVE THEM.
secret laws
PACER is an attempt to construct secret laws.
Remember, “the law” is comprised of legislative text plus administrative findings.
Legislation is often restricted as we discussed in a previous article – incorporation of (copyrighted) model text by reference (NFPA, NEC, Etc). And as noted by comment above, some states claim copyright on public funded output!
What makes “the law” changes all the time. All day, every day. Administrative findings. Most are mundane, sone restrict and some expand the interpretation of the legislation and previous findings.
For example, divorce law in California. It it impossible to keep up with every nook and cranny.
No private citizen can know exactly what “the law” is at any moment.
Judicial output is public funded work product. They should pay us to take it! None of this xerox fees from 1974 crap.
Re:
No dude, PACER is literally the docketing system for district courts. Admin stuff is on regulations.gov. And yes, most private citizens don’t know anything about admin law, but the lawyers who work in their niche are all ridiculously dedicated specialists who believe in holding the administrative state to account regardless of administration and have turned down far more lucrative and less stressful work to do what is frequently invisible, entirely not understood by most people we went to law school with (half of my admin law class dropped out, and it’s a pre-req for all the juicy stuff like immigration law and the niche classes about the admin parts of the DMCA, which was taught over the summer, had 4 students, and was taught by the head of the IP division of the state bar who offered all 4 of us a position. I was the only one to turn it down since the DMCA is relatively tame compared to the clusterfuck that is immigration law and I was gunning for a position that paid me less, had me working insane hours, use 3 languages routinely, encounter daily the only part of the US code that singled out my ethnicity by name and marked us for removal – kept even though all provisions had been moved out in the 1940s – and in the end, somehow managed to help facilitate 17,000 DACA recipients in getting a green card because DHS didn’t know their own regulations as well as the attorneys. I actually don’t even know how counsular processing works for someone to legally get their spouse an immigrant visa to the US but I can tell you the exact wording that, when the law still mattered, can fit through the semantic trap ICE long kept to define “criminal” in an absolutely insane way that they managed to finangle into allowing the removal of legal immigrants who were ticketed for turnstile jumping in NYC, because paying the ticket, which is not a criminal offense but a violation under NY law, can be interpreted as agreeing to the allegation that falls under “theft of services”, which thanks to the word “theft” in the name, is categorically considered a crime involving moral turpitude by ICE. Except the theft doesn’t happen until the person gets onto the train, so only in NY would you contest the ticket and make it into a trespassing offense, which ICE won’t flag since trespassing is not a moral matter. Moral turpitude is ported from the 1880s when it was a veiled reference for interracial sex, btw, although it did jack squat to prevent that from happening anyway. ICE is also the only governmental body that has the power to punish someone for not having sex – nonconsumation is considered a sign that a marriage was contracted for fraudulent purposes, and to add insult, lying to a federal official is a felony that is categorically removable as well, essentially giving ICE the authority to, under the penalty of first detention or imprisonment and then removal from the country, order two people to fuck. This isn’t a hypothetical, they constantly conduct invasive interviews of couples they deem potential frauds and somehow they seem to all be interracial or at least not involving a white couple. Trump’s first wife got status in Canada through a lavender marriage, but heteronormativity is only compulsory for the racially inpure, or something. Most people don’t know, but some of us have RSS feeds just to force agencies to admit to things in writing. But none of this is on PACER, since agency decisions until last year’s Loper Bright were given so much deference that admin law straight up doesn’t end up in district court very often, and PACER is really just the district court docketing system, one that looks like Geocities not for retro reasons but because it’s as official as web design was back in the day. Each court actually runs its own PACER instance so it’s actually a federated system. Filing actually uses a system that looks exactly like PACER but you can and most practitioners do use a separate account for just in case you accidentally comingled personal funds with litigation expense. Nothing is secret because it doesn’t need to be when you can’t be held responsible for intentional bad acts or negligence or anything else that causes harm. Can’t sue ICE, but if they issue a detainer on a US citizen they then remove – not unusual, just public these days – if you manage to get back into the states you can sue the municipality into bankruptcy.
Divorce law is actually a lot more straightforward since it’s not federal, and well, if it’s a no-fault then really the only thing stopping divorce by app is a cooperating federally recognized Indian tribe willing to be a bit flexible with how they determine membership. When there’s something to fight over, it really just becomes insanely frivolous. I once had to wait 4 hours watching a couple fight over a set of season tickets for my law school’s team – they had no-contact orders out so they had to split it game by game, plus potential playoffs and NCAA tournament tickets since the school is pretty good and makes deep runs regularly. I had a very obvious and not even really contested suppression motion waiting but since they would not stop arguing, made more insane because it was my 3L year and I didn’t need to pay to go to any game and can reliably be on the front row because the school’s system of holding spots had a loophole that the law students took advantage of (you need to put a tent out but it’s never stated that you need to stay in the tent, so we’d pitch a tent as early as possible, have someone sit in it to throw off the underclassmen, put a mannequin we found in a trash bin in for the rest of the time and when doors open 16 of us go in front and center. Meanwhile, this couple just had to go on and on over a pair of seats that apparently cost a ton of money and aren’t very good because neither went to the school and alumni had priority. Frivolous, yes, but complex? Only if you make it.
(If you need something, I regularly fulfill requests on courtlistener.com, since features like full text search and webhooks are nice to have generally. For PACER that is, since regulations.gov has a perfectly functional search system.)
Really?
Doesn’t seem all that malicious to me. Quite the opposite, in fact.
Re:
Mmkay. And how, exactly, does it then follow that they can’t possibly have done, or be doing, more than one thing in/with the system(s) compromised?
Re: Re:
It doesn’t follow, and the preceding comment said nothing about it. Disguising a malicious act as a public service (“hacktivism”) might actually be a good strategy for a criminal. That’s one reason why, when a system is compromised, the general recommendation is to re-install it entirely; even if the only apparent damage is minor, such as a juvenile web site defacement.
Whether this particular hack was malicious is information we don’t have.