Noteworthy [Ir]relevance [See Updates]
Just when I was beginning to worry about the relevance of my note topic, something much like it hits the news. [Please see the UPDATES below: it appears that Kos got some of his story wrong.]
According to various links from Kos, there's a potential scandal brewing over the outing of Alan Keyes's daughter through her blog. I can't confirm a bit of this, but it seems that a young lady who may or may not be Maya Keyes kept a 'diary-style' site on Xanga, where she posted some rather personal stories which indicate she is a lesbian. According to Kos:
The evidence comes from Maya's very public blog (first discovered by Modern Vertebrate). Xanga apparently allows parts of the site to be "protected" from those not on a special list, but Xanga has poor technology, as some of that protected content can be easily found. For example, here's the post where she hides parts of her site.
(links removed) Now, please note again that I can't confirm any of this. Indeed, it does appear that sites like chillinois are linking to some of these entries by exploiting a very strange security flaw. (The August 21st entry appears on the link but not the main blog.) But at this time of night, I couldn't tell you one way or the other, or how they're doing it. (Yes, it appears to be passing a userid in the URL, but certainly Xanga's security ain't that bad, is it?) Whatever the case, I feel sorry for the blog owner, whoever she is: she's about to get a lot more attention than she bargained for.
But that's an aside: I'm not that interested in 'outing' anyone, and I'd not even mention this if it hadn't been on Kos. (The guy's huge. If he's 'broken' the story, it's out. My silence would have no effect.) I'm interested in the technological question.
You see, I'm looking into the relationship between 'unauthorized access' (as the term and terms like it are used in the Computer Fraud and Abuse Act) and its courtroom interpretation. I first grew interested after studying the case of Manuel Miranda and the Senate 'hacking' scandal, but wondered if another topical case would ever arrive. To me, this might be such a case (although Xanga might not be covered by the CFAA).
Assume that what Kos says is true: that the security was 'broken.' The question would become how it was broken. It could be by traditional 'hacking': a user figures out how to outsmart Xanga's security. Or it could be by finding a valid user ID and logon, say stealing one from the young lady's friends. Or one might make a Xanga account, email the young lady kindly, and ask her to become part of her 'friends' list. All of these would fall outside my legal problem.
But suppose that the user who first came across this did so knowing that these were supposed to be protected (there's an entry to that respect), but it just so happened that his account was given access it shouldn't have by Xanga's servers. He downloads the information, publishes it on his blog, and scandal ensues. Has he 'hacked' anything, or rather exceeded his 'authorized access?' Or is the operator of the server the one that should be civilly or criminally responsible?
Anyway, I'll have to watch this story, to see how the technical details pan out. Should be interesting.
Update: In case this ever gets back to the young lady in question--unlikely, but stranger things have happened--shoot me an email and I'll be happy to look into making the blog more secure. As I said, I hate that this kind of thing happens.
Update II: Taking a look at it in the cold light of day, it doesn't look like the entries were protected at all, at least from this side. So whilst it might be an interesting hypothetical situation, it's probably irrelevant to my research.
Update III: I spent a few minutes IMing the young lady whose ID is on the blog, and confirmed that there are some protected entries, and Xanga's protection seems to be working. It appears that what chillinois quoted is indeed set to 'public.' Please note that I did not ask for confirmation as to who the person on the other end of the AIM was: first of all, it's not the element in which I'm interested, and secondly, it wouldn't really go any length to determining if this is a hoax.
Update IV: For what it's worth, I just contacted the author of the blog in question and asked her permission to leave this post up. Which makes me feel a bit better about the whole thing, though not much. Most of her site is now being reset to "private." As this looks less and less like a hoax, the young lady has my sympathy: this is probably more attention than she bargained for.








Comments
Having just read this myself and followed a few links I believe that
The posts were public
She made them private
She subsequently made them public again
And that's about it. Reading the posts she seems to be pretty much out. Still, I'm not sure that's important in the least. To address your legal wonderings...
"But suppose that the user who first came across this did so knowing that these were supposed to be protected (there's an entry to that respect), but it just so happened that his account was given access it shouldn't have by Xanga's servers. He downloads the information, publishes it on his blog, and scandal ensues. Has he 'hacked' anything, or rather exceeded his 'authorized access?' Or is the operator of the server the one that should be civilly or criminally responsible?"
How does this tie in to your earlier cause celebre, that of the open files on the ethics committee, or whatever it was?
Posted by: Martin | September 27, 2004 11:12 AM
Roughly speaking, it's the same situation: someone publishes information to which the author might feel a reasonable expectation of privacy. The question would be whether liability--if any--falls upon the publisher (in this case, chillinois) or the server operator (Xanga).
Assuming statutes like the CFAA applied, those who wished to apply the rule against Miranda would have to also apply it to chillinois. (Or the original publisher, anyway.) Whereas a weakness of my preferred rule might be that Xanga's not the person society wishes to constrain here.
I still have to give the hypothetical a bit of thought, though. As mentioned above, the facts have 'changed' slightly from what Kos stated.
Posted by: A. Rickey | September 27, 2004 11:19 AM
Also worth noting that if the posts linked to were ever private--which I can't confirm, but at present doubt--they're being made private again.
Posted by: A. Rickey | September 27, 2004 11:21 AM