Wednesday, January 13, 2021

When is a "Hack" not a hack? How about fraud and negligence?

So... Was the "parler hack" a crime?

Was it even a HACK?

Well... There was almost certainly a crime committed.... several in fact... but probably not what you might think... or by whom you might think.

Because of the comprehensive incompetence and fundamental errors in the architecture, design, development, and implementation of the Parler site, services, applications and infrastructure, a very strong argument can be made that, technically, none of the actions taken by the people who accessed (or possibly compromised) the Parler data were actually illegal under U.S. federal law or the laws of most states.

Effectively, there was no access to private or confidential data, because none of the data was actually private or confidential, regardless of whether it was intended to be or legally required to be... the site admins allowed elevated, privileged access to be created by unprivileged users, and allowed privileged users to query and retrieve all data within the control of the organization, without properly validated authorization or authentication.

Everything else those accessing the data did was just scripting those authorized queries to run over and over until they had all the data.

That's not technically illegal, so long as they didn't deliberately circumvent or compromise a policy, with a deliberate technical control mechanism enforcing that policy, using an unlawful method.

...And by any reasonable interpretation of federal law and definitions, and at least most state laws and definitions, the individuals accessing that data didn't do so... Because they didn't have to, because the site devs and admins didn't program or implement any ACTUAL privacy or security controls into the site or the database.... Anyone who knew how to do it could have done it for themselves, at any time, without bypassing or circumventing anything, or using any outside tools etc...

The researcher who discovered the data exposure made her own privileged account, because the site devs and admins didn't implement account controls that would prevent any authenticated user from doing so if they knew how... and privileged accounts were never verified or properly authenticated, and had permissions to do everything else.
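What the post means by an ACTUAL control, as an added example (not code from the post, and not Parler's code): a toy Python model of the two failures described above, signup that trusts a client-supplied role and a data read that checks only authentication, each beside a server-side enforced version; every name, role and record in it is constructed for illustration.

```python
# Added example, not from the post: a toy model of the two control failures the
# post describes, each beside a server-side enforced version. All names, roles
# and sample records are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: int
    role: str  # "user" or "admin"

@dataclass
class Store:
    users: dict = field(default_factory=dict)    # user_id -> User
    records: dict = field(default_factory=dict)  # record_id -> (owner_id, payload)
    next_id: int = 1

def _new_user(store, role):
    uid, store.next_id = store.next_id, store.next_id + 1
    store.users[uid] = User(uid, role)
    return store.users[uid]

# Failure 1: signup trusts a client-supplied role, so anyone can be "admin".
def create_account_trusting_client(store, requested_role="user"):
    return _new_user(store, requested_role)

# Control 1: the server assigns "user"; elevation is a separate step that only
# an already-verified admin may perform.
def create_account(store):
    return _new_user(store, "user")

def promote(store, actor, target_id):
    if store.users.get(actor.user_id) is not actor or actor.role != "admin":
        raise PermissionError("only an existing admin may promote accounts")
    store.users[target_id].role = "admin"

# Failure 2: authentication only; any logged-in account can read every record,
# so "get all the data" is just this call repeated over every record_id.
def read_record_no_authz(store, caller, record_id):
    if store.users.get(caller.user_id) is not caller:
        raise PermissionError("not authenticated")
    return store.records[record_id][1]

# Control 2: object-level authorization; the owner or an admin, nobody else.
def read_record(store, caller, record_id):
    if store.users.get(caller.user_id) is not caller:
        raise PermissionError("not authenticated")
    owner_id, payload = store.records[record_id]
    if caller.role != "admin" and caller.user_id != owner_id:
        raise PermissionError("not authorized for this record")
    return payload
```

The "failure" functions model a policy with no enforcing control; the "control" functions are where a policy becomes something that can actually be circumvented.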

...At that point, I don't believe any actual access restriction or other relevant policy enforcement control, or privacy control, was actually compromised or circumvented by unlawful means... Or for that matter, at all.

Now... that wasn't the developers', administrators', or owners' INTENT... but you don't commit a crime for circumventing INTENT.

It's not even a crime to violate policies and terms of service... usually... maybe... depending on many details and variables.

It actually IS a crime to create a new account to circumvent policy after you have been banned... at that point you are using a technical means to circumvent enforcement of your authorization removal and ban... Even though any user could do so, for any reason, and there isn't anything special about doing so, because you know that you have been banned and are not authorized, and are using technical means... making a new account... to circumvent a technical control... the blocking of your old account... you are accessing such systems without authorization through such circumvention.

That is explicitly a federal crime "Knowingly unlawfully or improperly accessing a computer system or communications network, without proper authorization".

If you use such circumvention to do more than a trivial amount of damage, or to intimidate or harass people or commit other crimes, it's a federal felony, under the telecommunications act (originally passed all the way back in 1934 but revised MANY times since) as modified by the computer fraud and abuse act, the USA patriot act, and other related acts and sections etc... etc...

But if a site admin/dev writes a policy that says "users won't use their accounts to gain more access and privileges than they are explicitly granted by admins", that policy won't actually have any force, and violating it won't be a crime...

at least until you get caught the first time, and kicked, and then log in or make a new account, and try it again, at which point you are knowingly circumventing policy and controls via technical means.

Even if it was clearly not intended for users to give themselves admin privileges and gain access to other users' data... even if there are policies that say so explicitly... it's not a crime, if the user can do it without using technical means to circumvent technical controls enforcing those policies.

In this case, they never actually properly implemented such controls. Users were able to make privileged accounts and access other users' data without any technical circumvention... they just had to know how to do so. Nothing else would have stopped them.

...That means it was almost certainly not a crime... But like I said, there is maybe a little wiggle room for charging something here... 

Oh... But here's the really fun twist...

The Parler site owners, admins, devs etc... ?

They had legal and regulatory requirements under various state, national, and international laws and regulations to properly and effectively control, secure, and protect the personally identifiable, private, secure, or confidential or higher data of their users, employees, partners, and other corresponding entities.

They also had a lawful duty of care, to implement security and privacy controls, at least to the minimum prevailing industry standards of compliance, and generally accepted minimum proper practices, and minimum best practices, for operational protection of personally identifiable, private, or confidential or higher information. 

...In fact, they had state, federal, and international legal and regulatory requirements; as persons of responsibility for the care and protection of the security and privacy of such data; to legally certify, under penalty of perjury, and civil and criminal liability...

... on at least an annual basis (and possibly as often as every 30 days)...

... that they were in fact meeting such minimum standards and practices with policies, processes, and technical controls that were in fact effective in doing so.

...When, in fact, they did not have such policies, processes, and technical controls in place and effective... Or at all...

Which means everyone who signed those certifications was committing state, federal, and international fraud, breach of trust, and failure of duty of care (and by the by, violation of their own published and stated policies, and the public statements of their persons of responsibility, which extends the fraud, and may also be interpreted as breach of contract or breach of promise, depending on the exact data, the type of individual or organization, their relationship to the organization, and the exact laws of the jurisdiction in question).

That... essentially automatically... makes what they did both tortious civil negligence and gross criminal negligence.

I say this as someone who does this for a living, advises clients on it professionally, has co-authored many briefs and provided support for many motions, and testified in both depositions and trials; both as an investigator, and as an expert witness on this subject.

All that said... I mean... you always have to take two major factors into account:

1. MOST jurisdictions that I know of, would probably agree with what I wrote above, most of the time, presuming what we now believe we know, holds true... But not necessarily all.

Some states and other jurisdictions have different legal standards and definitions, under their own laws and regulations, that could see these various individuals' actions in accessing Parler's data interpreted by prosecutors and judges as rising to criminal behavior... Or conversely could interpret the site owners, admins etc... as neither criminally nor civilly liable, or find that insufficient actual harm had resulted from those otherwise negligent actions for them to meet the thresholds for criminal or civil liability.

...AND...,

2. On any given day, given any particular set of facts, circumstances, and laws, any judge can decide almost any possible way, accounted for under the law... 

...and maybe some not contemplated by the law... 

Or may even simply act flatly outside the law; either because they believe the law is itself in error or improperly interpreted or applied, and that the courts should or must address this defect or defects...

...Or that regardless of any potential legal defect existing or not, that their actions outside the boundaries of the law are in the interest of justice... 

...Or sometimes they just think it's the morally or ethically correct thing to do, regardless of the law... That they SHOULD or MUST take such action, regardless of the law, even if they are later reversed, because to do otherwise would be absurd, obscene, or would tend to shock the conscience (and yes, all of those unusual words and usages are quotes from famous rulings where judges did exactly those things, for those reasons).