Isaac Wolf, a reporter for Scripps Howard News Service, said he was just doing a basic Google search when he stumbled upon Social Security numbers and other sensitive records lying wide open on the Internet.
But after Wolf and his colleagues revealed in a story last week that two companies had left thousands of customers at risk of identity theft, the companies claimed that the Scripps employees weren’t just reporting — they were hacking.
Wolf had been researching companies that provide discounted phone services to low-income Americans through a federal program called Lifeline. He discovered that completed customer applications were visible online, listing customers’ Social Security numbers and dates of birth — a virtual treasure trove for identity thieves.
The two companies that collected the records, TerraCom Inc. and its affiliate, YourTel America, have threatened to sue Scripps, claiming the employees illegally downloaded the information.
The case marks the latest chapter in an ongoing debate over the gray area between pointing out computer security vulnerabilities and violating anti-hacking laws.
In this case, the companies’ attorney argues that Scripps’ reporting methods violated the Computer Fraud and Abuse Act — a controversial law that recently has been used to prosecute people like Internet activist Aaron Swartz and members of Anonymous. Critics have called for reforms to the law and say that it is overly broad and excessively punitive, issuing stiff penalties for some computer-related crimes they deem relatively innocuous.
Orin Kerr, a professor of law at the George Washington University Law School, said Scripps did not appear to have violated the law because, “The information was posted on the web, and anyone can visit a public website.” But, he added, referring to federal prosecutors, “I’m not sure the DOJ would agree.”
Kerr said Scripps’ methods were similar to a recent high-profile case involving Andrew “Weev” Auernheimer, who was convicted last year of illegally obtaining the personal data of more than 100,000 iPad owners from AT&T’s publicly accessible website. Auernheimer disclosed his findings to a reporter for the website Gawker and argued that AT&T should be held accountable for leaving customer data on the Internet. But a jury found him guilty of identity theft and conspiracy to gain unauthorized access to computers, and Auernheimer was sentenced in March to more than three years in prison.
In another similar case, Eric McCarty, a computer security consultant, found a bug in the University of Southern California website that allowed people to obtain applicants’ personal information, including Social Security numbers. In 2006, McCarty pleaded guilty to illegally accessing computer systems and was sentenced to six months of home detention.
“We see time and again that whenever someone discovers a security flaw, the companies who screwed up blame the messenger,” said Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society.
Scripps said its investigative team discovered more than 170,000 sensitive customer records online and used a computer script to rapidly download those records. Wolf said the program did nothing more than what he did by manually searching Google — only faster. In a story published last week, Scripps posted a video demonstrating how Wolf initially found the customer records by typing “terracom filetype.pdf” into a Google search.
“Everything we saw was freely posted online, and not password protected,” Wolf said in a phone interview with The Huffington Post.
Granick said companies and prosecutors have argued that security research crosses a line and becomes illegal when it involves using computer software to download information, even if that data is publicly available online. Auernheimer, for example, wrote a computer script that exploited AT&T’s security flaw.
“There’s this idea that you can access information, but if you access it fast then you’re a criminal,” Granick said. “If anything, these are very subjective calculations that shouldn’t be the basis for whether someone goes to prison.”
Wolf and his colleagues at Scripps have not been charged with a crime. But TerraCom and YourTel said they are in discussions with law enforcement about the data breach. The companies have argued that Scripps should pay the costs of complying with laws that require companies to disclose data breaches to customers.
In a statement, Dale Schmick, chief operating officer of TerraCom, Inc. and YourTel America, Inc. said company officials “accept responsibility for the lapse in security” and acknowledge that records of 270 Lifeline applicants were available through a basic Internet search. He said the company has since tightened its security and is providing credit reporting for customers.
Schmick said the Scripps employees went beyond basic Google searches to find thousands of other customer records by using “sophisticated computer techniques and non-public information to view and download the personal information of applicants.” A spokesman for the two companies acknowledged the directories were not protected by any passwords, but rather by long and complicated URLs.
Wolf said Scripps “categorically denies” downloading information that wasn’t publicly available and said more attention should be paid to the customers whose personal information was exposed.
“This is about the tens of thousands of applicants who have had their most sensitive information compromised and who have been placed at heightened risk for identity theft,” he said.
CORRECTION: A previous version of this story referred inaccurately to a computer script used by Scripps in its reporting. The program downloaded, but did not search for, customer records. A previous photo caption, headline and version of the story also inaccurately made a direct link between Isaac Wolf and Scripps writers and reporters to hacking. The accusations were made of Scripps employees.