Computer Fraud and Abuse Act used to threaten journalists

The journalists, a Scripps News Investigation team, were researching Lifeline – a US federal program that provides a subsidized phone service for low-income families. During their research, “A simple online search into TerraCom yielded a Lifeline application that had been filled out and was posted on a site operated by Call Centers India Inc., under contract for TerraCom and YourTel,” reports the Scripps Howard News Service. Subsequent investigation discovered more than 170,000 records “listing sensitive information such as Social Security numbers, home addresses and financial accounts of customers and applicants of Lifeline.”

The journalists notified Dale Schmick, COO for both TerraCom and YourTel; and within hours the records were secured. However, the EW Scripps Company later received a letter from Jonathan D Lee, counsel for both TerraCom and YourTel, labeling the journalists ‘hackers’, and accusing them of having “engaged in numerous violations of the Computer Fraud and Abuse Act.” It appears from the letter that the telecoms companies are attempting to minimize the cost of formal breach notification measures, and have chosen the Computer Fraud and Abuse Act as a means of forcing the journalists, labeled as hackers under the Act, to fully disclose every detail they have. Lee warns that “civil litigation is highly likely”; but if he can force full disclosure proving that the ‘breach’ was purely journalistic, then breach notifications may not be necessary, and costs saved.

Meanwhile, a carefully worded posting appeared on the TerraCom website. “TerraCom, Inc.,” it said, “was recently the victim of a security breach that resulted in unauthorized access to some applicant's personal data stored on our computer servers.” For most people it is a stretch to define Google searching as hacking, but the journalists’ subsequent use of Wget (an open source batch downloading tool) to retrieve the records technically takes the process into murkier waters – and certainly within the scope of the Computer Fraud and Abuse Act.

It was this Act that was used against Andrew Auernheimer (weev – currently in prison after conviction) who used an automated tool to get AT&T’s website to deliver the email addresses for AT&T customers. The issue is what constitutes ‘unauthorized access’ under the Act. “Hell,” said Auernheimer at the time, “if scraping data from a public webserver becomes criminal, virtually all of the content that appears on Google News or Google Blogsearch is going to send someone to jail.”

But if Auernheimer could successfully be prosecuted for using his own automated script, then the prognosis for the Wget-using Scripps journalist/hackers is not good if Lee’s implied threat of prosecution under the Computer Fraud and Abuse Act actually comes to fruition.

What’s Hot on Infosecurity Magazine?