Should journalists or security researchers be able to access your home network and change settings without your permission, or snoop on your email and web browsing traffic, in order to further their research? I would think the answer is obviously no, even if the research is legitimate. But two stories that ran last week seem to be expressing dismay at restrictions placed on journalists or security researchers by the Computer Fraud and Abuse Act that allegedly prohibit them from doing exactly that. The issue is significant because, in the wake of several controversial prosecutions (Lori Drew, Aaron Swartz, Andrew Auernheimer (a/k/a “weev”)), there is considerable pressure building to amend the CFAA. I think it would be a serious mistake to amend the CFAA, or any other electronic intrusion statute, to permit journalists or security researchers — or possibly anyone describing themselves as such, such as bloggers or hobbyists — to access poorly secured home networks or private communications just out of curiosity.
Here’s Forbes privacy blogger Kashmir Hill on a security flaw in a home automation system:
Insteon’s flaw was worse in that it allowed access to anyone via the Internet. The researchers could see the exposed systems online but weren’t comfortable poking around further. I was — but I was definitely nervous about it and made sure I had Insteon users’ permission before flickering their lights. Weighing on my mind was the CFAA/“unauthorized access” to computer systems charges used to prosecute Aaron Swartz and to convict Andrew “weev” Auernheimer, a hacker who exposed a vulnerability in AT&T’s servers that leaked the email addresses of the company’s iPad 3G users.
“This type of issue is very much like the one presented in the ‘weev’ case,” said Marcia Hofmann, a lawyer who specializes in Internet law and security matters. She is part of a team of lawyers appealing Auernheimer’s criminal conviction and 41-month prison sentence, a sentence that has had a chilling effect on other researchers who seek to expose security flaws in companies’ products. Hofmann says the Trustwave researchers’ reluctance (as well as my own wariness) to poke around in something publicly available on the Internet to alert the users affected “shows why that case is such a dangerous precedent.”
“The people who discovered this and reported it to the company so it can fix the problem shouldn’t have to worry that they somehow ran afoul of the law,” says Hofmann.
This strikes me as puzzling. I think you should absolutely have to worry about breaking the law if you intentionally access my insecure home automation system over the web without my permission, even if it is for a good cause. Perhaps my door locks have a security flaw as well, but I would not want some television news reporter walking into my house and turning on all the lights in order to demonstrate that fact. To the extent that the CFAA prohibits such activity, I think that aspect of the statute should be preserved.
The “weev” case is less clear-cut, in part because it involves a “storefront” web page of a business, not a residence. Auernheimer and a colleague discovered that accessing the AT&T Mobile login page using a URL that included randomly generated iPhone equipment ID numbers returned, in some cases, matching AT&T subscriber email addresses. AT&T obviously intended that only the subscriber would see this information. Indeed, this is what interested Auernheimer; he was able to easily expose AT&T customer email addresses that had been poorly protected. He wrote a script to gather as many email addresses as possible, and then reported his find to journalists and bloggers, even including a sample of what he found. The question in the weev case is not AT&T’s intent in keeping the information hidden, but rather whether AT&T could reasonably expect that others would respect that intention. In the home automation case, the issue seems clearer, since the online access in that case allows someone to make physical changes on someone else’s property. But AT&T is a commercial entity with a public login page that anyone may visit. Can it reasonably expect that visitors will not tinker with the login page URL in order to reveal subscriber email addresses? Again, obviously it’s poor security to construct your page like AT&T did. But a failure to take ordinary security precautions does not by itself change the content of social markers of privacy boundaries. If I leave my car doors unlocked, it’s widely understood that that is not an invitation to lift the door handle and enter my car. Did Auernheimer do the electronic equivalent of looking at a document AT&T had left face-up on the counter at the store, or did he go around the counter and look under the cash register?
Here’s the other example, from the New York Times Bits Blog column on Friday, about the ease of obtaining information broadcast by the many devices we carry around with us everywhere:
You could spy on your ex-lover, by placing the sensor boxes near the places the person frequents, or your teenage child, or the residents of a particular neighborhood. You could keep tabs on people who gather at a certain house of worship or take part in a protest demonstration in a town square. Their phones and tablets, Mr. O’Connor argued, would surely leak some information about them — and certainly if they then connected to an unsecured Wi-Fi. The boxes are small enough to be tucked under a cafe table or dropped from a hobby drone. They can be scattered around a city and go unnoticed.
Mr. O’Connor says he did none of that — and for a reason. In addition to being a security researcher and founder of a consulting firm called Malice Afterthought, he is also a law student at the University of Wisconsin at Madison. He says he stuck to snooping on himself — and did not, deliberately, seek to scoop up anyone else’s data — because of a federal law called the Computer Fraud and Abuse Act.
Some of his fellow security researchers have been prosecuted under that law. One of them, Andrew Auernheimer, whose hacker alias is Weev, was sentenced to 41 months in prison for exploiting a security hole in the computer system of AT&T, which made e-mail addresses accessible for over 100,000 iPad owners; Mr. Auernheimer is appealing the case.
‘I haven’t done a full deployment of this because the United States government has made a practice of prosecuting security researchers,’ he contends. ‘Everyone is terrified.’
One thing that is not clear here is why the CFAA might apply to this situation. The CFAA penalizes “intentionally access[ing] a computer without authorization” and thereby obtaining information. According to the Bits Blog post, however, it doesn’t sound like O’Connor’s devices access anything; they just listen. Perhaps something has been left out of the description of how they operate, but if the devices are just listening devices, then it would not be the CFAA that would potentially apply, it would be the Wiretap Act.
And again, I don’t understand why that would be a bad thing. O’Connor drew the line at listening in to, say, other people’s unsecured email transmissions, and that strikes me as a pretty good line to draw, even for a security researcher. Google has recently argued to the Ninth Circuit that all unencrypted radio transmissions, such as the unencrypted wi-fi signals you might find at a coffee shop, are unprotected against eavesdropping. The Wiretap Act excepts liability for intercepting electronic communications that are “readily accessible to the general public.” Google argues that unencrypted wi-fi is “readily accessible” to any member of the general public who happens to drive by the owner’s house, and that “social norms have developed around encrypting radio communication.” But again, even if it becomes more common to take certain security precautions — locking your car doors, say — that doesn’t necessarily change the social significance of what the absence of those precautions means. I think it is perfectly appropriate for the Wiretap Act to prohibit eavesdropping on someone’s email or web surfing traffic, even if it is technically simple to do so, and even if the eavesdropper has good intentions, for the same reason it is illegal to use a boom mic to listen in on what two people are quietly discussing in a secluded area of a public park.
Cross-posted at the Marquette University Law Faculty Blog.