Subject of FBI Investigation Reveals Government Concerns About Access to Federal Courts' Public PACER System

Reddit co-founder Aaron Swartz was apparently the subject of an FBI investigation for “participating in a project to take the publicly owned US court records from the PACER database (where they were very expensive to access) and put them on the web.” 

Mr. Swartz has made this information public by releasing the contents of his FBI file, obtained through a Freedom of Information Act request. His file reveals that the FBI was treating his access of PACER as a crime which cost the victim, the Administrative Office of the US Courts, approximately $1.5 million. The file suggests, but does not explicitly state, that the crime may have been a violation of the Computer Fraud and Abuse Act (18 U.S.C. §1030), as the FBI apparently asked the Administrative Office of the US Courts how Mr. Swartz would have known his access was unauthorized.

The FBI closed its investigation of Mr. Swartz without filing charges. The investigation of Swartz's activity, coupled with questions about what constitutes accessing a computer "without authorization" under anti-hacking statutes (as I previously discussed here), suggests that future efforts to open the PACER system (as well as existing efforts, like RECAP) may meet with some government resistance.

For more on efforts to make the PACER system more accessible to the public, see our previous posts on the subject.


Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft

Yesterday, Frederick Eugene Wood of Seattle was sentenced to 39 months in prison for using LimeWire peer-to-peer (P2P) software to obtain Social Security numbers, bank and financial records and tax returns, which he then used to commit identity theft. The complaint (.pdf) filed in federal court for the Western District of Washington in March alleged that Wood took advantage of the fact that users sometimes install LimeWire or other peer-to-peer software on computers without limiting the directories and files made available to the peer-to-peer network.

Especially when a household computer is shared between parents and children, the installation of peer-to-peer software may make tax returns, bank statements and other personal information saved on that computer available to everyone else on the peer-to-peer network. During questioning by state and federal investigators, Wood explained that "kids put Limewire on the computer and the parents don't know." As a result, Wood was able to obtain personal information from approximately 120 different individuals from Massachusetts, New York, Georgia, Florida, Ohio, Iowa, Louisiana, Oregon and California. He then used this information to create counterfeit checks and driver's licenses and to open credit accounts in the victims' names.

Note that failing to limit the files shared by peer-to-peer software is not just a problem for household computers. In an earlier post, we discussed the problems caused when an employee installed LimeWire at work.  Also note that LimeWire's user guide and FAQ provide directions on how to make sure you are not sharing personal or sensitive information with the world.

Wood's scheme was discovered after he posted an ad on Craigslist.com purporting to sell a "brand new" Apple MacBook Pro for $1,500 and shipped a box containing a book and a glass vase instead of a computer. Working with Seattle Police, the victim set up a meeting with Wood and he was arrested. Upon investigation, Seattle Police discovered that Wood possessed a number of counterfeit driver's licenses and sought the assistance of the Social Security Administration's Office of Inspector General. The Kings County Sheriff's Office, FBI, U.S. Postal Inspection Service and U.S. Secret Service's Electronic Crimes Unit also assisted in the investigation.

Wood pled guilty to violations of federal laws governing identity theft (18 U.S.C. sec. 1038(A)), wire fraud (18 U.S.C. sec. 1343) and the Computer Fraud and Abuse Act (18 U.S.C. sec. 1030(a)(4)).  He is also required to pay over $25,000 in restitution to a number of parties, including Bank of America, American Express and other financial institutions (for the complete list, see the judgment filed in court earlier this week (.pdf)).

Bozeman, Montana Suspends Controversial Requirement That Job Applicants Provide Usernames and Passwords to Facebook Accounts

When, in June, the City of Bozeman, Montana sought to change its job application to require municipal job seekers to disclose usernames and passwords for popular social networking sites, it immediately drew widespread criticism.  Specifically, Bozeman asked applicants to "Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc."  In the aftermath of media exposure, Bozeman has decided to "suspend its practice of reviewing candidate’s password protected internet information until the City conducts a more comprehensive evaluation of the practice."

On June 19, 2009, city manager Chris Kukulski officially apologized (.pdf) for the intrusive application, stating “[t]he extent of our request for a candidate’s password, user name, or other internet information appears to have exceeded that which is acceptable to our community.”

This controversy is another indication that social networking sites and other digital media are coming under greater scrutiny as employers conduct background checks. For example, the application for high-level political positions in the Obama transition phase required applicants to include copies of e-mails that might embarrass the President, copies of all blog posts, a link to one’s Facebook page, and a list of “all aliases or ‘handles’ . . . used to communicate on the Internet.”

The Bozeman application would have required applicants to violate Facebook’s Terms of Use, which state that “You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.” In addition, Bozeman’s request apparently was limited to obtaining usernames and passwords and did not seek authorization to access applicants’ sites. Consequently, any access by city officials might have run afoul of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C), which prohibits intentionally accessing a “protected computer” without authorization.


How far do anti-hacking statutes extend?

An appellate court in Ohio was recently called upon to analyze that state’s cybercrime statute, OCR Ann. §2913.04, which criminalizes unauthorized access to protected computers. In Ohio v. Wolf the court held that a city employee who was using a city computer during work hours to view pornography, visit adult “dating” websites, and solicit sexual activity had exceeded his authorized access to the computer and was guilty of the felony of “unauthorized use of property; computer, cable, or telecommunication property or service” (or “hacking”). The court concluded that the employee had exceeded his authorized access despite the fact that there was no city computer use policy or software that placed limits on employees' use of city computers.

This ruling, which appears to expand the scope of anti-hacking statutes, has been criticized in the media. For a detailed analysis of the case, see the Wired article “Court Upholds Hacking Conviction of Man for Uploading Porn Pics from Work Computer.”
