We were just noting how the Computer Fraud and Abuse Act is regularly abused to bring "hacking" charges where none are really warranted. And here we have yet another example. Alex Howard points out that a Minnesota Public Radio reporter, Sasha Aslanian, is potentially facing "hacking" charges from a Texas company called Lookout Services. Lookout creates employment/compliance software for large organizations, and Aslanian was reporting on a supposed data vulnerability in the software used to verify employment eligibility that could potentially reveal private info.

Aslanian's report noted that she was able to see info from the state of Minnesota, and the state was now directing agencies to stop using Lookout. The details are not entirely clear, but from what's written at the MinnPost link above, it sounds like there were some vulnerabilities, poor security, and a bungled demonstration which revealed a vulnerability -- all of which Lookout admits -- and from those vulnerabilities (which Lookout claims it closed), someone was able to adjust the URL to find private data.
So, basically, the company admits to a series of vulnerabilities, which exposed info that allowed the reporter to eventually see some private data... but still claims that the reporter was "hacking" and is now looking to sue under the same Computer Fraud and Abuse Act, which could lead to 5 years in prison. Because our federal government still hasn't passed a journalism shield law, the reporter is potentially liable, though, as the MinnPost reporter notes, Lookout seems particularly shortsighted in bringing this lawsuit in the first place. All it does is call more attention to its own vulnerabilities and failings. And the CEO of Lookout basically responds that she doesn't care:
While the legality and severity of Lookout's security breach remain to be adjudicated, there's no doubt Aslanian was trying to serve the public interest -- something a prosecutor might consider. As Dalglish says, "The state of Minnesota should be grateful MPR exposed what's going on. It seemed like a pretty good story."
I asked Morley if she realized, by filing a high-profile suit, how hapless her timeline made Lookout look. After all, there's the webinar screwup, letting clients pick lame IDs/passwords and caching security credentials in such a way that rendered them useless.
"Yup," she admitted. "It was a perfect storm that came together. Our communication with the state really broke down -- in our contract, we had 60 days to fix any problem. But there was still an unauthorized intrusion, and that was wrong."
So, even though this will publicize not just Lookout's failings, but also how it responds to people who notice and report on vulnerabilities, the company still thinks it needs to bring a lawsuit because exposing those vulnerabilities "was wrong"? I would argue that the company's reaction to this gives many more reasons never to do business with Lookout -- more than any discovered vulnerabilities. Vulnerabilities in software happen -- and it's more telling how a company reacts when they're exposed. Suing those who expose them isn't what you want to see.

Update: Lots of good points in the comments, pointing out (of course) that Lookout cannot bring criminal charges against the woman, only prosecutors could do that, and it seems unlikely they would do so in this case.