Dangerous Ruling Says If Someone Goes Onto Your Openly Shared Google Drive, You Can Sue Them For Unauthorized Access
from the this-is-not-good dept
If you accidentally leave your Google Drive accessible to anyone with the URL, and someone goes there and deletes stuff, is that “unauthorized access” and a violation of the CFAA? To me, the answer should be absolutely not. But in this recent ruling the judge went the other direction (first noted by Evan Brown).
So, let’s start this one off by noting that the defendant in this case seems to be a generally terrible person, who runs a Facebook group focused on spreading ridiculous nonsense regarding her local school district. As described in the lawsuit, the group is:
“dedicated to propagating anti-mask policies, anti-vaccine policies, anti-LGBTQ policies, and anti-Critical Race Theory policies within the Scottsdale Unified School District.”
Yeah. So, you get an idea of what we’re dealing with here. The father of a member of that school board, who seemed (perhaps reasonably) concerned about the activity in this group, started collecting information on what was going on in the group and storing it on a Google Drive account. Apparently without realizing it, he set the folder to be accessible to anyone with the URL.
At some point, things got messy, with the son of the school board member being accused of defamation. Here is the description of what happened next from the court opinion:
In 2021, Plaintiff’s son was accused of defamation. He responded to his accuser by emailing “13 photographs of public Facebook comments, made by his accuser, some of which were stored on the server.” One of the photographs displayed the URL to the Google Drive, and that photograph made its way into Amanda’s possession, where she noticed the URL and asked a third party to make a hyperlink for the URL. Once provided, she clicked on it to access the Google Drive. She reviewed, downloaded, deleted, added, reorganized, renamed, and publicly disclosed contents of the Google Drive.
So, obviously, that’s not great. But, it seems clear that the fault was with the owner of the Google Drive folder, Mark Greenburg, who failed to properly secure it. Even if it feels icky that the defendant here, Amanda Wray, messed with the folder, none of that would have happened if Greenburg had properly secured the account (which is the default setting — so he had to proactively choose to share the folder differently).
Wray seems like a terrible human being in oh so many ways, but it seems ridiculous to argue that she violated the CFAA. The court, however, goes the other way:
This is a close call. Plaintiff acknowledges that the portion of the Google Drive accessed by Amanda was not password protected; Plaintiff had inadvertently enabled the setting that allowed anyone with the URL to access the site. But, Plaintiff alleges that this setting did not per se render the Google Drive public, given that the URL was a string of 68 characters. What’s more, the Google Drive was not indexed by any search engines, unlike the website in hiQ. Therefore, it wasn’t just “anyone with a browser” who could stumble upon the Google Drive on a web search—the internet denizen wishing to access the Google Drive needed to obtain the exact URL into the browser. By the Court’s eye, Plaintiff alleges that the Google Drive had limitations and thus persons attempting to access it needed authorization.
In short, the plaintiff’s argument is that security by obscurity should be legally protected. The fact that it was not indexed by search engines doesn’t seem like it should matter at all. The fact is that Greenburg (accidentally, but that shouldn’t matter) made the folder available to anyone with the URL, and his son (accidentally, but that also shouldn’t matter) revealed the URL. At that point, it’s public. It’s on Greenburg to secure the folder.
Wray’s response, to go into the folder and mess around with it, isn’t great, but that should not be seen as “unauthorized access” under the CFAA.
I worry about rulings like this, because they could cause real damage, especially for security researchers, and others who quite often will find public folders that are not secured properly. If the settings are set so that the folders are public, it is deeply problematic to argue that the access is unauthorized. The settings themselves that open up the folder literally say that everyone with the URL is authorized to view it, even if they have to type in a long URL by hand. That’s what happened here, and to argue that the access is unauthorized, once again, raises serious problems with the way the CFAA is interpreted.