GROKLAW
Sounds familiar | 269 comments
Comments belong to whoever posts them. Please notify us of inappropriate comments.
Why they didn't encrypt it
Authored by: Anonymous on Tuesday, July 02 2013 @ 05:39 PM EDT
I mean, why didn't they, at a minimum, encrypt this information?

This one is easy. They didn't encrypt the data because that would have defeated the very purpose of what they were doing.

AT&T's goal was not to share e-mail addresses. It was to provide convenience. I need you to fill out this form. Hey, tell you what - give me your ICCID, and I'll tell your browser your e-mail address and pre-populate the form to save you the hassle of typing it.

"Encrypting" the e-mail address in the response would defeat the purpose. There's no obvious way to "decrypt" that the "real" device's web browser would know but a random person browsing the page wouldn't. Asking the user to enter some kind of second secret as a "decrypt key" (e.g. an AT&T account number) would work, but completely defeat the "convenience" point of the exercise.

What they effectively did was expose e-mail addresses protected exclusively through "security through obscurity" - the trust that no one would think to look at a URL that had an ICCID number in it, other than the person whose device had that ICCID.

What they should have done instead is either required authentication first (username/password), at which point you could fill in everything you like, or not tried to do this at all.

[ Reply to This | # ]

Doors and signs
Authored by: tknarr on Tuesday, July 02 2013 @ 05:49 PM EDT

I'd think the first requirement of "exceeding authorization" is that the system would have to demand their authorization. There are far too many parallels in other law, that just wanting to deny access isn't sufficient. If I want to mark my property off-limits and prosecute trespassers, it's not enough for me to merely decide my property's off-limits. I have to actually mark and post it so that people know before they cross onto it that they aren't allowed. And for a lot of purposes there has to be not just signs but an actual barrier that would prevent casual access, like a fence that has to be climbed over to get onto the property. AT&T's site had no barrier; it gave out the information before it had demanded authorization. It's like having an open door to the building lobby, with keys required only to get into the elevators, and then trying to prosecute people for coming into the lobby without ever trying to get on an elevator. Any attempt at prosecuting that would be laughed out of court. Yet here we are.

[ Reply to This | # ]

Sounds familiar
Authored by: Anonymous on Tuesday, July 02 2013 @ 06:22 PM EDT
Why does the name Aaron Swartz come to mind?

[ Reply to This | # ]

    Orin Kerr's Appeal Brief for Andrew "Weev" Auernheimer - Another CFAA Case~pj
    Authored by: Anonymous on Tuesday, July 02 2013 @ 06:32 PM EDT
    One might be able to argue that he _did_ exceed the authorized access by trying
    different query parameters.

    [ Reply to This | # ]

    What was the real crime here?
    Authored by: jbb on Tuesday, July 02 2013 @ 09:16 PM EDT
    After reading the appellant’s brief, I was left with the impression that the judge and the prosecutors repeatedly misinterpreted the law on purpose in order to persecute this person. In addition, I wondered why New Jersey prosecutors would take on this case when it has nothing to do with New Jersey.

    To understand what happened we have to look at the basic facts of the case. The defendant, Auernheimer, used a simple screen scraping program combined with a list of product IDs to gather email addresses that were publicly posted by AT&T. There was no protection on the web site; you give the site a product ID number and it gives you back the email address of the person who owns that product. The claims (here and elsewhere) that the ID number served as some sort of protection are farcical. That's like saying a username without a password offers protection.

    A simple analogy would be an online bank account that uses the account number as the username. You need to provide the account number AND a password to get account information. It would be a huge security scandal if you only needed to give an account number! No one would claim that the account number alone served as both the username and password and was thus secure. That's utterly ridiculous. Yet this is what people are claiming here. They say the AT&T account information was secure because you needed to provide the publicly available product ID number.

    Such a massive and obvious security SNAFU is a huge embarrassment to a tech company like AT&T. It betrays a reckless disregard for the security and privacy of their customers. In a fair and just world corporations would be severely penalized for this kind of reckless behavior. At the very least they should be publicly humiliated for it. There is no question that the true villain in all of this is AT&T, yet so far they have gotten off scot-free.

    So what is the actual crime committed by Auernheimer, the crime that caused New Jersey judges and prosecutors to bend over backwards and twist the words of the law into pretzels in order to persecute him? He embarrassed AT&T by making their bone-headed security foul-up public. Since our laws still fail to protect us from such corporate negligence, Auernheimer was doing a public service. If you don't catch them in the act and punish them, they will never learn.

    Until they were bought out by SBC in 2006, AT&T Corporation was headquartered in Bedminster, New Jersey. Their research labs are still located in that state. I would not be surprised if AT&T had more political clout in New Jersey than in Texas which has been the location of their corporate headquarters after the SBC buyout.

    So Auernheimer embarrasses AT&T by making their security foul-up public. Instead of going after AT&T for violating the trust of their customers, New Jersey, the long time home of AT&T Corporation, prosecutes the whistle blower. In order to make it stick they had to repeatedly disregard both the spirit and the letter of the law. Once again the US persecutes someone for exposing a violation of the public trust while letting the true criminals go free. It seems like the worst crime you can commit nowadays is to embarrass the powers that be whether they are in the government or in the corporations the government serves.

    ---
    Our job is to remind ourselves that there are more contexts
    than the one we’re in now — the one that we think is reality.
    -- Alan Kay

    [ Reply to This | # ]

    Orin Kerr's Appeal Brief for Andrew "Weev" Auernheimer - Another CFAA Case~pj Updated
    Authored by: Anonymous on Tuesday, July 02 2013 @ 11:03 PM EDT

    His mistake was bragging about what he did.

    If you must disclose a security breach, do it anonymously.

    [ Reply to This | # ]

    Orin Kerr's Appeal Brief for Andrew "Weev" Auernheimer - Another CFAA Case~pj Updated
    Authored by: Anonymous on Wednesday, July 03 2013 @ 12:04 AM EDT


    Sounds like he must not have had very effective lawyers the first time around.


    [ Reply to This | # ]

    Forum shopping is typical for obscenity cases
    Authored by: Anonymous on Wednesday, July 03 2013 @ 12:07 AM EDT
    This was typical behavior for postal inspectors and federal prosecutors, back
    when porn was something you ordered through the mail.

    An overzealous prosecutor in Bibletown, West Virginia, either looking to build
    his resume, or in response to a push by the administration to show that the DoJ
    is being tough on porn, orders some extreme porn from Sodom, California, and
    then hauls the producer up on obscenity charges, since the obscenity test is
    determined locally.

    The most notorious case of the era is that of the Amateur Action BBS, but other
    examples abound. For better or for worse, such cases seem to have fallen off
    mostly, because internet, and War on Terror.

    bkd

    [ Reply to This | # ]

    In the EU.....
    Authored by: tiger99 on Wednesday, July 03 2013 @ 06:48 AM EDT
    ... I do believe that a case like this would never have come to court, because it would be AT&T who were breaking the law by exposing customers' data improperly. The amount of data exposed, just the email address, is fairly minimal, so I would imagine that a fine of a few thousand euros would result.

    The US does not seem to have proper data protection laws to protect individuals. If such law existed, it would quite probably take precedence in a case like this, and result in AT&T being fined a modest amount.

    A legal system which favours big business over individuals is just plain wrong, and I think that is the root of the problem. The system needs to be balanced, and fair to everyone.

    [ Reply to This | # ]

    Orin Kerr's Appeal Brief for Andrew "Weev" Auernheimer - Another CFAA Case~pj Updated
    Authored by: maroberts on Thursday, July 04 2013 @ 06:13 AM EDT
    The idea is that if you don't know where the criminal line is, how do you avoid it?

    Ignorance of the law is not normally an excuse to be let off.

    Despite that, I think the idea of criminalizing accessing a website through publicly accessible URLs is incredibly daft.

    [ Reply to This | # ]

    Why has discourtesy become a felony? (Taking PJ to task.)
    Authored by: reiisi on Thursday, July 04 2013 @ 06:25 AM EDT
    I'm having a little trouble with this because arguing directly involves a lot of
    abstract reasoning, and the language we used to use to talk about it all has
    been hijacked by the enemies of freedom.

    Most of the stuff about the "criminal" nature of the mistreatment of
    personal information is getting hysterical about things which are merely
    inconsiderate or discourteous.

    E-mail address exposure would not be a significant danger to the general
    public or to most individuals if Microsoft had not jumped on the nascent
    internet tech in use mostly by tech types in the early-mid nineties before it
    was ready for prime-time use.

    Most of the players were taking it slow because they knew the tech was not
    ready. Generalized public e-mail for non-techies needs basic encryption, sender
    address verification, right-of-refusal protocols, and other similar
    enhancements. We knew that back then. (We didn't know how important sorting and
    filtering would become, but that was because we didn't want to believe the
    general public was going to enslave themselves to keyboards.) We also knew about
    the problems of self-activating dynamic content.

    By "we" I mean most of the tech people who were working on the
    internet tech back then.

    Microsoft, afraid of giving any window of opportunity to any competitor, jumped
    on the nascent tech, which was (and still is) only suitable for the technically
    inclined, and pushed and sold it until the critical mass was reached. And the
    result is now that the government has to criminalize discourteous behavior, to
    protect Microsoft from the fact that what they did back then was criminally
    negligent.

    I say critical mass, because once internet-enabled MSWindows95 hit the market,
    all the other companies had to jump on the bandwagon or lose their customers and
    go bankrupt.

    So AT&T is the proxy, protecting Microsoft for its criminal negligence,
    because no one is willing to foot the bill of going back and getting the tech
    for general use right.

    Microsoft pretends to offer to get it right, but every plan they propose
    involves giving them AT&T's old monopoly, not by law, but by fiat default.
    And none of their plans actually address the real problems.

    [ Reply to This | # ]

    No need to encrypt anything
    Authored by: soronlin on Thursday, July 04 2013 @ 03:19 PM EDT
    The ICC-ID maps directly to one email address. That email address has exactly
    one password. Therefore there is no need for AT&T to display the email
    address on the login page; the ICC-ID is sufficient. All you need is a single
    entry box for the password.

    Maybe the user wants to log in to a different account. In that case provide a
    button "Login to a Different Account" that displays a different login
    page that allows the entry of both email and password that does not tie them to
    an ICC-ID.

    [ Reply to This | # ]
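The two designs discussed in this thread, side by side, as an added example that is not part of any poster's comment and is not AT&T's code: the lookup that returns an address for a bare identifier, and the "required authentication first" / password-only login page alternative. The function names, sample ICC-IDs, addresses, passwords and the PBKDF2 check are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _account(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "pw_hash": _kdf(password, salt)}

# Constructed sample data; the ICC-IDs, addresses and passwords are made up.
ACCOUNTS = {
    "89014100000000000017": _account("alice@example.com", "correct horse"),
    "89014100000000000025": _account("bob@example.com", "battery staple"),
}
# Dummy record so an unknown ICC-ID costs the same work as a known one.
_DUMMY = _account("nobody@example.invalid", "unused")

def prefill_by_identifier(iccid: str) -> dict:
    """Design criticised in the thread: the identifier alone returns the address."""
    acct = ACCOUNTS.get(iccid)
    return {"email": acct["email"]} if acct else {"error": "unknown ICC-ID"}

def login_page(iccid: str) -> dict:
    """Password box only; the same page for known and unknown ICC-IDs."""
    return {"fields": ["password"], "link": "Login to a Different Account"}

def login(iccid: str, password: str) -> dict:
    """Return account data only after the password for that ICC-ID verifies."""
    acct = ACCOUNTS.get(iccid)
    record = acct or _DUMMY
    ok = hmac.compare_digest(_kdf(password, record["salt"]), record["pw_hash"])
    if acct is None or not ok:
        return {"error": "login failed"}  # one message for every failure
    return {"email": acct["email"]}
```

In the second design the ICC-ID plays the role of a username only: neither the login page nor a failed login tells the caller whether an ICC-ID exists or which address it maps to.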

    Groklaw © Copyright 2003-2013 Pamela Jones.
    All trademarks and copyrights on this page are owned by their respective owners.
    Comments are owned by the individual posters.

    PJ's articles are licensed under a Creative Commons License.