There is a case in the news where a journalist identified a security issue in the web site of the Missouri Department of Elementary and Secondary Education that exposed 100,000 social security numbers. He did this by viewing the source of the page, using the F12 hotkey or right-click and selecting "Inspect" or "View page source" depending on your browser. When he made this discovery he disclosed the vulnerability to the DESE, and delayed publishing an article on the discovery until the department removed the vulnerability and worked to find if any other related sites and applications contained similar vulnerabilities.

The response of the Missouri Governor Mike Parson was to accuse the reporter of hacking under Section 569.095, RSMo. While the County Prosecutor has announced no charges would be filed, this has involved four months of harm to the individual and their family, and the Governor maintains that Renaud had unlawfully hacked the school website.

A somewhat similar case is the 2017 case of the Hungarian teenager who identified a bug in the Budapest Transport Authority (BKK) website that allowed anyone to set the price of a ticket. He demonstrated the flaw by buying a ticket, and told the BKK by email. He was arrested. He lived outside of Budapest and could not use the purchased BKK pass.

There are four aspects that seem to me could give rise to legal risks, but I have no idea if any could reasonably give rise to successful charges in cases such as this:

  • Use of developer tools on third party web sites
    • The developer tools in modern browsers are very powerful tools. One illustration of this is to select the "Debugger", and the "Pause on any URL". This gives one a view of the activity of many web sites that is not intended by the developer, particularly those using the Cloudflare tools. It also produces a human readable version of minified JavaScript, which is produced to be machine readable. This is not decompilation as JavaScript is not a compiled language; however, functionally it is like applying a Java decompiler to a Java Web Start application, for example. I think it has been claimed that the DMCA can criminalise decompilation; could such a law be used in this case?
  • Decoding the data within the web site
    • As I understand it the SSNs were encoded in Base64, whereas the rest of the website was another encoding (ASCII?). This may have involved a separate tool to be identifiable as an SSN, but may well not, as JavaScript includes the functionality (the function atob()) and many developers can do a rough job in their heads. Is it possible that one can commit a crime by inappropriately decoding strings in common formats, perhaps even in your head?
  • Handling of potentially erroneously exposed PII
    • If one comes across personally identifiable information (PII) on the internet I would assume there are things you can do that are illegal. I am not sure what they are, but I do know that the accepted way to handle security issues in software is to inform the organisation responsible and wait an appropriate time before publishing the issue. This is roughly what the reporter did in this case, but are there any specific legal measures that one can take in such situations to ensure one is not breaking any laws?
  • Fraudulently gaining something
    • If one actually exploited a software error to get a material benefit, such as cheap transport, it seems that one could be committing fraud. If one makes a purchase to demonstrate a flaw and tells the organisation about it without making use of the purchase, can this be illegal, or does one need to intend to actually gain a benefit?

Any jurisdiction would be interesting, particularly any that has actual case law of such actions being found to be illegal.
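The Base64 point above is the technical core of the Missouri case: the values were in the served HTML and only needed atob() to become readable. The following is an added example, not part of the question, showing the kind of pre-release check a site owner can run over their own rendered pages to catch exactly that mistake. The HTML, element names and digit strings are constructed for the example and are not real data.

```javascript
// Added example (not from the original post): scan server-rendered HTML for
// Base64 tokens that decode to SSN-shaped values, i.e. the accidental exposure
// the question describes. SAMPLE_HTML is constructed; the digits are not real SSNs.
const SAMPLE_HTML = `<html><body>
<div class="teacher" data-id="MTIzLTQ1LTY3ODk=">Jane Doe</div>
<div class="teacher" data-id="OTg3NjU0MzIx">John Roe</div>
<script>var cfg = "c2V0dGluZ3M6b24=";</script>
</body></html>`;

// Candidate Base64 tokens: Base64 alphabet, at least 12 chars, optional padding.
const B64_TOKEN = /[A-Za-z0-9+\/]{12,}={0,2}/g;
// SSN shape: nine digits, optionally dashed as 3-2-4.
const SSN_SHAPE = /^\d{3}-?\d{2}-?\d{4}$/;

// Buffer is used so the check runs under Node; in a browser atob() does the same.
function decodeBase64(token) {
  try {
    return Buffer.from(token, 'base64').toString('utf8');
  } catch {
    return null;
  }
}

// Returns every token whose decoded form looks like an SSN, keeping the original
// token so the template or API field that emitted it can be located and fixed.
function findEncodedSsns(html) {
  const hits = [];
  for (const token of html.match(B64_TOKEN) || []) {
    const decoded = decodeBase64(token);
    if (decoded !== null && SSN_SHAPE.test(decoded)) {
      hits.push({ token, decoded });
    }
  }
  return hits;
}

console.log(findEncodedSsns(SAMPLE_HTML));
```

A nine-digit decoded value is a lead, not proof: other identifiers share the shape, so each hit should be traced back to the field that produced it.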

  • 1
    Assuming the reporter's activity constitutes a hack ... Even if the reporter behaved ethically it's a seriously gray area. See a decent WaPo write-up washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/… That aside, this wouldn't be the first time a politician clearly doesn't understand technology and what constitutes a hack. But legal theory can be surprising. I look forward to the answers.
    – user608
    Commented Mar 2, 2022 at 16:00
  • 4
    @608 it doesn't constitute a hack.
    – Trish
    Commented Mar 2, 2022 at 16:20

1 Answer

The law is really bad at protecting whistleblowers

From my understanding of US law, this is not unauthorised access to a computer: the reporter made a legitimate request to a remote computer, that computer provided data, and the reporter accessed the supplied data on their own computer.

However, pointing out the failures of people in power is fraught even if it is not illegal.

It is certainly within the Governor’s power to authorise an investigation of the reporter. On the face of the law, it seems reasonable to suspect that what was done might be a violation, so there is nothing legally wrong with initiating an investigation. I suspect that such a broad interpretation of the law would fall foul of the First Amendment, which may partly explain why it wasn’t prosecuted: the government doesn’t want to find out.

Similarly they can issue press releases, which, due to the First Amendment, don’t have to be true, just not defamatory. Saying it’s a possible violation is true and not defamatory. Saying the reporter was an evil person who is only doing this for political purposes is a statement of opinion and not defamatory.

It’s a fact of the world that people with power can use that power in ways that are malicious, unethical, and unfair but not necessarily illegal.

  • 1
    Your first paragraph could be applied to decompilation, which I think is considered against the DMCA. Is it certain that it is true?
    – User65535
    Commented Mar 3, 2022 at 7:31
  • 1
    @User65535 not at all. Pressing F12 just allows you to see the raw html that was supplied to your browser rather than the pretty interpretation your browser gives it.
    – Dale M
    Commented Mar 3, 2022 at 11:27
  • 3
    @User65535 it is very functionally different to what a decompiler does. A decompiler acts as more of a translation service from machine code into source code. Without the use of a decompiler, the machine code looks nothing like what is shown on-screen in IntelliJ. With websites, the human readable code you see when pressing F12 is the exact same code the web server sent and the web browser interpreted.
    – 520
    Commented Mar 4, 2022 at 11:26
  • 2
    @User65535 Suppose you have text written in English, but heavily abbreviated, with all nonessential words or words that can be inferred from context removed. A pretty-printer (which is what browser developer tools accessible with F12 have) is similar to re-adding the omitted words to make the text more readable to someone who speaks English. A decompiler is similar to translating the text into another language so someone who does not speak English can read it.
    – Someone
    Commented May 7, 2022 at 14:50
  • 1
    Decompiling is different. Decompiling is somebody sending you the finished product, and you take it apart to reverse engineer it. This is more like they're sending you the source code and assuming you'll compile it yourself without peeking at the code, and if you do, accusing you of the crime.
    – komodosp
    Commented Nov 4, 2022 at 12:19
