Reporters Called 'Hackers' for Uncovering Security Flaw
Reporters for the Scripps Howard News Service have been accused of malicious hacking after they used Google to discover a trove of personal data that had allegedly been posted to an unsecured website, and then reported on the security breach.
The information, which included Social Security numbers, financial statements and other details criminals could use to commit fraud, reportedly belonged to some 170,000 U.S. residents who had applied to the federal government's Lifeline program, which subsidizes mobile-phone service for low-income people.
The data was reportedly put online by an Indian company operating as a subcontractor for Lifeline service providers YourTel and TerraCom, which have overlapping ownership and management. The Indian company, Vcare, processed Lifeline applications.
Jonathan Lee, a lawyer acting on behalf of YourTel and TerraCom, said in an April 30 letter to the E.W. Scripps Co. that the Scripps reporters used "automated" methods to harvest confidential data from the Indian company's website, and hence had "engaged in numerous violations" of the 1986 Computer Fraud and Abuse Act.
"I request that you take immediate steps to identify the Scripps Hackers, cause them to cease their activities described in this letter and assist the Companies in mitigating the damage from the Scripps Hackers' activities," Lee wrote.
Under Federal Communications Commission rules, U.S. companies are specifically barred from keeping the type of information allegedly posted online by Vcare. Had standard protocol been followed, the personal data would have been deleted after use, instead of finding its way onto the Internet and into Google's search index.
Scripps reporter Isaac Wolf had contacted YourTel and TerraCom for comment on April 26, and informed them that Scripps had "stumbled across numerous Lifeline applications from TerraCom and YourTel which are posted freely online."
Within hours of alerting YourTel and TerraCom, the personal data was taken offline, Wolf said in the investigative story, published Sunday (May 19).
Instead of addressing the issue of questionable data management, YourTel and TerraCom may bring civil litigation against Scripps, a possibility that Lee said was "highly likely" in his letter.
Scripps' own lawyer fired back at TerraCom and YourTel in a letter on May 1.
"Regardless of the flowery moniker you have used to characterize the bureau's newsgathering activities, the bureau's reporters have not violated the Computer Fraud and Abuse Act or any other law or regulation," Scripps general counsel David Giles wrote. "Rather, in the process of gathering newsworthy information, the bureau accessed — via a basic Internet search — personal and confidential information that apparently is available to anyone with a computer, an outlet and access to electricity."
"The search required no special skill and in no way 'hacked' or illegally accessed any server or database operated by TerraCom or any other company," Giles added.
But YourTel and TerraCom's legal team said Scripps reporters went above and beyond the average Internet user's ability by using a batch-downloading tool called Wget to "scrape" data from multiple Web pages.
The phone companies may have a case. The same legal argument was used to convict self-proclaimed Internet "troll" Andrew "Weev" Auernheimer for his role in obtaining the private email addresses of iPad customers that had been posted to a public website by AT&T.
"[The Scripps case] is another paradigmatic example of how flawed the CFAA is," Auernheimer's attorney, Tor Ekeland, wrote on his blog Tuesday (May 21). "By not defining its key operative phrase 'unauthorized access' as requiring bypassing a password or some other type of technological access barrier, it allows corporations to be negligent regarding their infosec."
Auernheimer, 27, is serving a 41-month sentence in a minimum-security federal prison in Pennsylvania. He has been put in administrative detention for finding various ways to post messages online from prison.