View Diary: Internet Law: Reading this could be a felony (39 comments)

  •  Clarification to law is needed (5+ / 0-)
    Recommended by:
    Mayfly, G2geek, AoT, codairem, kurt

    What is the law that says, "mining the data and SAVING the results" is illegal?

    By this definition, just accessing the data on AT&T's server would be illegal, because my browser or device would likely access and SAVE at least one record. See the problem?

    AT&T published an API, which implicitly grants access to use of the data from the server.

    •  Nope, you are allowed to access your own data (3+ / 0-)
      Recommended by:
      Mayfly, G2geek, erush1345

      That's completely different than knowingly accessing someone else's data and saving it for purpose or purposes unknown.

      To me progress is not so much a goal as it is a process and I believe it will not follow a straight course. Remember, the drops of water that form the river may not take the shortest path but they will still reach the ocean.

      by ontheleftcoast on Fri Nov 16, 2012 at 10:03:15 AM PST

      [ Parent ]

      •  Once again, where is the law for this? (2+ / 0-)
        Recommended by:
        Mayfly, AoT
        •  The identity theft laws are on the books (2+ / 0-)
          Recommended by:
          G2geek, erush1345

          What needs to be sorted out by the judge is if intent matters. If I grabbed your data from the internet would you feel OK about it if I said, "I don't intend to do anything wrong with it"? There are well established rules on what you can and can't do with private data. Saving it and sharing it (which he also did) are both violations of those rules. I can't quote you chapter and verse from the law but I've worked in security. The rules for 'clear text' data in security are well known to anyone in the field. He knew those rules and broke them. He thought it'd be OK if he explained it. I hope he's right.

          To me progress is not so much a goal as it is a process and I believe it will not follow a straight course. Remember, the drops of water that form the river may not take the shortest path but they will still reach the ocean.

          by ontheleftcoast on Fri Nov 16, 2012 at 10:14:15 AM PST

          [ Parent ]

          •  If it's identity theft to have someone else's info (3+ / 0-)
            Recommended by:
            AoT, codairem, kurt

            Then how can it be legal for me to go and purchase someone's personal information from a service like Intelius on the Internet?

            •  Now you're asking a better question (2+ / 0-)
              Recommended by:
              erush1345, Catte Nappe

              The data available on those services is considered public information. Things like your birth date, street address, and many other things you might consider personal or private are not. At least not in the eyes of the law. However, your credit card number PIN, your account passwords, and other data are considered private. But here's where it gets murky -- if you give what the law considers public data to a company that stores it and says the data will be kept private then "Viola!" that's now private data and has to be treated as such. The reason is some of that private data may actually be private data and thus all of the data has to be treated with the same level of care.

              To me progress is not so much a goal as it is a process and I believe it will not follow a straight course. Remember, the drops of water that form the river may not take the shortest path but they will still reach the ocean.

              by ontheleftcoast on Fri Nov 16, 2012 at 10:34:08 AM PST

              [ Parent ]

              •  The data returned in this (3+ / 0-)
                Recommended by:
                AoT, codairem, kurt

                ...were email addresses. Is an email address private data? I'd certainly rather people had my email address than my street address.

                •  See, you're using human logic here (0+ / 0-)

                  If I took the content of a protected movie that consisted of 3 seconds of a completely black screen with no sound and sold it I'd be guilty of selling "information". It doesn't matter what that information was. If the content was supposed to be protected or private then it has to be treated that way. The old expression, "The law is an ass", definitely applies.

                  To me progress is not so much a goal as it is a process and I believe it will not follow a straight course. Remember, the drops of water that form the river may not take the shortest path but they will still reach the ocean.

                  by ontheleftcoast on Fri Nov 16, 2012 at 10:45:13 AM PST

                  [ Parent ]

                  •  Yes, but there is also "intent of the law" (1+ / 0-)
                    Recommended by:
                    AoT

                    And I still don't understand: is an email address considered "private information?"

                    •  This is hard to explain (1+ / 0-)
                      Recommended by:
                      TBTM Julie

                      The e-mail address itself isn't the problem. But if the API was designed to facilitate the use of purchasing with your iPhone then yes, it'd be a problem. Because the e-mail address could be tied to the phone and knowing the EID (electronic ID) of the phone could give you access to private information like bank accounts info, etc. that are tied to the EID. So to re-iterate, if the API was designed to return private data, even if the data appears to you and me to be public data, then saving and sharing that data is a violation of the law.

                      To me progress is not so much a goal as it is a process and I believe it will not follow a straight course. Remember, the drops of water that form the river may not take the shortest path but they will still reach the ocean.

                      by ontheleftcoast on Fri Nov 16, 2012 at 10:56:23 AM PST

                      [ Parent ]

                    •  Just to clarify this (1+ / 0-)
                      Recommended by:
                      TBTM Julie

                      (Speaking as someone whose job is partly in the 'internet security' field but is not a lawyer.)

                      Is your name considered 'private information'? Is your phone number considered 'private information'? Is your social security number considered 'private information'? Are your health records considered 'private information'?

                      The answer to all of these questions is identical: 'private to whom'?

                      If you give your health records and your name to a newspaper reporter, on the record, and they elect to publish it, then those things aren't private information for the purposes of that newspaper (and anyone who reads it). If you publish your social security number intentionally on an ad on Craig's List (not terribly advisable, of course) then it is not private information for the purposes of Craig's List and anyone who reads it.

                      Likewise, if you give your name and email address in a newspaper interview, on the record, it is not private information. The newspaper publishes it. Anyone who wants to see it can see it. You have given your consent that that information that you gave them can be shared.

                      If you give your name and email address to that same newspaper for the purposes of signing up for a subscription (and, to save complexity, you uncheck all the boxes that say that the newspaper can share your email address with partners etc), then that's an entirely different story. Indeed, if the newspaper has your email address and name printed in a story, and they also have it in their subscriber database, then they simultaneously have your name and email address as public information and private information.

                      (Health information is treated more stringently, with many more safeguards, due to HIPAA. There are many situations where a company has an implied license to share your information if it's not HIPAA-related, but doesn't have that in the case of HIPAA. So that one isn't a perfect parallel, but the situations are still fairly similar.)

                      Really, you can see why it is important that the email address be treated as private information in such a situation. Because if it isn't, there is nothing stopping any company from sharing it with anyone they want, with or without your consent. As it is, many kinds of businesses are required (or the requirement is implied by the law, if not stated) to get your consent before sharing that sort of information with anyone.

                      If someone breaks in and 'steals' that information, then the company is in breach of their implied (or possibly express, depending on their TOS... I think AT&T's TOS makes it explicit) contract with you to keep your data confidential. That contract makes the information private information. It's not the content that matters, it's the fact that the company has promised you that the information will be kept private (again, either an implied promise or an explicit one).

                      Now, if the company publishes it, e.g. the newspaper puts it on their front page, then you can't be punished for reading it. But if they simply protect it inadequately (e.g. a company officer leaves a briefcase in the lobby of the company HQ while he goes to the bathroom, and someone picks it up and walks off with it) then they may be remiss in their duty to keep your information private, but that simple fact does not make you any less guilty of misappropriation.

                      It's hard to make laws that are just in every single instance. This one is damned complicated, and arguably problematic, but from reading the facts that I've seen, it's pretty clear that he broke it, and probable that he knew that what he was doing could at the very least have made him civilly liable, if not criminally prosecutable. And his disingenuous crap about incrementing numbers on a URL is doing him absolutely no favors, and his lawyer should tell him to shut up.

        •  The lawmakers don't know from tech. We should all (4+ / 0-)
          Recommended by:
          TBTM Julie, G2geek, ontheleftcoast, kurt

          beware lest some corporate groups put out crazy "model legislation" re this.

          Save the Home Planet

          by Mayfly on Fri Nov 16, 2012 at 10:17:34 AM PST

          [ Parent ]

          •  we need to start electing legislators who are.... (5+ / 0-)
            Recommended by:
            TBTM Julie, AoT, ontheleftcoast, Mayfly, kurt

            .... working scientists, engineers, technicians, etc., people who understand science & technology.

            Lawyers are smart but when it comes to tech they're laypeople.   We have more than enough smart laypeople in Congress; it's time to get some serious experts.  

            We got the future back.

            by G2geek on Fri Nov 16, 2012 at 10:31:06 AM PST

            [ Parent ]

            •  Heh! We got a WoW player into Congress (5+ / 0-)
              Recommended by:
              TBTM Julie, rja, Mayfly, kurt, G2geek

              And some internet savvy politicians like Grayson are there as well. It's not hopeless, but we need to organize and get them to listen to us and not AT&T or Apple about what's best for consumers.

              To me progress is not so much a goal as it is a process and I believe it will not follow a straight course. Remember, the drops of water that form the river may not take the shortest path but they will still reach the ocean.

              by ontheleftcoast on Fri Nov 16, 2012 at 11:17:24 AM PST

              [ Parent ]

          •  No, they don't (4+ / 0-)
            Recommended by:
            codairem, TBTM Julie, Mayfly, kurt

            We saw that clearly demonstrated with PIPPA(?) or whatever those supposed anti-piracy laws were called. We, the People, are not the ones telling Congress to "protect our data" it's the corporations that are trying to make us all pay for services, etc. that are getting the bills thru committees. But we have seen that community action can stop those bills from becoming law. In this case, though, the law already exists. Undoing it and getting justice in this case is another beast entirely.

            To me progress is not so much a goal as it is a process and I believe it will not follow a straight course. Remember, the drops of water that form the river may not take the shortest path but they will still reach the ocean.

            by ontheleftcoast on Fri Nov 16, 2012 at 11:16:03 AM PST

            [ Parent ]

        •  18 USC section 1030 (0+ / 0-)
          18 USC § 1030 - Fraud and related activity in connection with computers
          (a) Whoever—
          ....
          (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
          ....
          (C) information from any protected computer;
          ....
          (5)
          (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
          (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
          (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
          ....
          shall be punished as provided in subsection (c) of this section.
          ....
          (c) The punishment for an offense under subsection (a) or (b) of this section is—
          (1)
          (A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
          (B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
          and so on.

          http://www.law.cornell.edu/...

          You can tell Monopoly is an old game because there's a luxury tax and rich people can go to jail.

          by Simian on Sun Nov 18, 2012 at 11:22:03 PM PST

          [ Parent ]

    •  Yes and there's a procedure for that: (5+ / 0-)

      Clear your browser cache, and better yet reset your browser so it clears all accumulated cookies, history, etc., everything back to factory default settings.

      I ran into this once when I found a kiddie porn site on line (I was deleting spam and I saw one that was pretty damn suspicious so I figured, if this is what it looks like let's go bust these people).  I didn't know jack squat about the browser cache rules, or the rules about merely accessing kiddie porn.  But when I saw the main page on the website I figured that what I'd found was suspicious enough to merit calling the FBI on a Saturday.

      I didn't click past that main page or do anything else on the computer at that point: I just picked up the phone and made the call.

      They took down the URL I found, and then told me about the law: illegal to even access the stuff unless reported to law enforcement immediately (I called them immediately, so no problem there), and also illegal to store even in browser caches.  So I asked them to talk me through the steps needed to clean my computer sufficiently, which they did, and that was that.  

      The same rule could be applied to any other case of accessing data whereby you run into something illegal or otherwise needing emergency response:

      1)  As soon as you even see the item in question, call the relevant authorities.  If it's a corporate system, call their computer security people immediately.  If it's something like kiddie porn or a terrorist site, call the FBI.  Do it immediately, do not wait.  (Word to the wise: do your cybersleuthing on weekdays during business hours, so you don't end up having to pester the FBI on a weekend.)

      2)  Give your full name & contact information and a description of what you found and how you came to find it.  Provide whatever other information is requested.

      3)  Ask specifically if you should clear your browser, and unless you are already experienced at dealing with these things, ask them to tell you what you need to do in order to clean up your machine to avoid accidentally storing material illegally.

      4)  If you're a computer security researcher and you're dealing with security issues, there is a protocol for giving the corporation in question a certain amount of time to respond and fix the problem, before you publish the results of your research.   Abide by that protocol, it has stood the test of time.  

      5)  Before you publish anything, talk to your company's lawyer or to EFF or some other source of legal advice about publication.  Get that advice in writing and follow it.

      6)  Do Not joke around about "selling data to China" etc.   Corporate security & law enforcement people do not have the leeway to say "my personal interpretation of the statement was that the person was joking."  They have to take everything that crosses their desk seriously until or unless they have a reason to do otherwise that will stand up to cross-examination.  

      7)  Do Not go seeking monetary rewards from corporations for finding their security holes.  That looks like extortion, and that will get you busted for extortion, and you will go to federal prison.  That actually happened to someone else on DK.  If you ever get lucky and catch a criminal who is on a Wanted list, law enforcement will let you know if there is a reward for the case, but if you ask, it's somewhat crass, and may affect your credibility.

      --

      In general there's plenty that law-abiding citizens can do to help catch baddies online, and to help catch corporate security holes.  But you have to know what you're doing, do it conscientiously, and be prepared to follow the rules if you find something.  

      We got the future back.

      by G2geek on Fri Nov 16, 2012 at 10:56:55 AM PST

      [ Parent ]

      •  Even safer, boot TAILS before you start digging. (3+ / 0-)
        Recommended by:
        ontheleftcoast, yella dawg, G2geek

        The Amnesic Incognito Live System (Tails) is built to keep you from saving your browser cache, cookies, history, etc.  

        The About page says:

        Tails is a live system that aims at preserving your privacy and anonymity. It helps you to use the Internet anonymously almost anywhere you go and on any computer but leave no trace using unless you ask it explicitly.

        It is a complete operating-system designed to be used from a DVD or a USB stick independently of the computer's original operating system. It is Free Software and based on Debian GNU/Linux.

        "And if you come down with a case of Romnesia, and you can’t seem to remember the policies that are still on your website, ..., here’s the good news: Obamacare covers pre-existing conditions." -- President Obama, 10/19/2012, George Mason University

        by rja on Fri Nov 16, 2012 at 11:32:40 AM PST

        [ Parent ]

        •  sweet. excellent. except... (1+ / 0-)
          Recommended by:
          TBTM Julie

          In theory you can wipe everything in a manner equivalent to reformatting your hard drive.  

          Except if you look further down the linked page, you find reports of "numerous security holes" in previous versions.

          So in practice it's not quite there yet, and it's new enough that reasonable people would give their engineers more time to fix various bugs & holes along the way to having a properly-performing product.  

          Alternately it could be worthwhile to get a netbook that can be dedicated to cybersleuthing.  This way if you find something really really interesting, you can, if requested or approved by your friendly contacts in LE or "wherever," save it all to the netbook and hand in the netbook as material evidence that can be used in the case.  

          Later (years after the instance recounted above), when I got into the game of chasing right-wing terrorists in cyberspace, I opted for the netbook approach.  This because I'm cautious about the limits of my own expertise, and there's nothing like an air gap to ensure that one's regular production machines remain safe from the likely risks of one's forays into places where bad people hang out.  

          We got the future back.

          by G2geek on Sat Nov 17, 2012 at 02:34:45 AM PST

          [ Parent ]
