« Policy Update | Main | A Few Quick Thoughts on Fair Game »

Noteworthy [Ir]relevance [See Updates]

Just when I was beginning to worry about the relevance of my note topic, something much like it hits the news. [Please see the UPDATES below: it appears that Kos got some of his story wrong.]

According to various links from Kos, there's a potential scandal brewing over the outing of Alan Keyes daughter through her blog. I can't confirm a bit of this, but it seems that a young lady who may or may not be Maya Keyes kept a 'diary-style' site on Xanga, where she posted some rather personal stories which indicate she is a lesbian. According to Kos:

The evidence comes from Maya's very public blog (first discovered by Modern Vertebrate). Xanga apparently allows parts of the site to be "protected" from those not on a special list, but Xanga has poor technology, as some of that protected content can be easily found. For example, here's the post where she hides parts of her site.

(links removed) Now, please note again that I can't confirm any of this. Indeed, it does appear that sites like chillinois are linking to some of these entries by exploiting a very strange security flaw. (The August 21st entry appears on the link but not the main blog.) But at this time of night, I couldn't tell you one way or the other, or how they're doing it. (Yes, it appears to be passing a userid in the URL, but certainly Xanga's security ain't that bad, is it?) Whatever the case, I feel sorry for the blog owner, whoever she is: she's about to get a lot more attention than she bargained for.

But that's an aside: I'm not that interested in 'outing' anyone, and I'd not even mention this if it hadn't been on Kos. (The guy's huge. If he's 'broken' the story, it's out. My silence would have no effect.) I'm interested in the technological question.

You see, I'm looking into the relationship between 'unauthorized access' (as ther term and terms like it are used in the Computer Fraud and Abuse Act) and its courtroom interpretation. I first grew interested after studying the case of Manuel Miranda and the Senate 'hacking' scandal, but wondered if another topical case would ever arrive. To me, this might be such a case (although Xanga might not be covered by the CFAA).

Assume that what Kos says is true: that the security was 'broken.' The question would become how it was broken. It could be by traditional 'hacking': a user figures out how to outsmart Xanga's security. Or it could be by finding a valid user ID and logon, say stealing one from the young lady's friends. Or one might make a Xanga account, email the young lady kindly, and ask her to become part of her 'friends' list. All of these would fall outside my legal problem.

But suppose that the user who first came across this did so knowing that these were supposed to be protected (there's an entry to that respect), but it just so happened that his account was given access it shouldn't have by Xanga's servers. He downloads the information, publishes it on his blog, and scandal ensues. Has he 'hacked' anything, or rather exceeded his 'authorized access?' Or is the operator of the server the one that should be civilly or criminally responsible?

Anyway, I'll have to watch this story, to see how the technical details pan out. Should be interesting.

Update: In case this ever gets back to the young lady in question--unlikely, but stranger things have happened--shoot me an email and I'll be happy to look into making the blog more secure. As I said, I hate that this kind of thing happens.

Update II: Taking a look at it in the cold light of day, it doesn't look like the entries were protected at all, at least from this side. So whilst it might be an interesting hypothetical situation, it's probably irrelevant to my research.

Update III: I spent a few minutes IMing the young lady whose ID is on the blog, and confirmed that there are some protected entries, and Xanga's protection seems to be working. It appears that what chillinois quoted is indeed set to 'public.' Please note that I did not ask for confirmation as to who the person on the other end of the AIM was: first of all, it's not the element in which I'm interested, and secondly, it wouldn't really go any length to determining if this is a hoax.

Update IV: For what it's worth, I just contacted the author of the blog in question and asked her permission to leave this post up. Which makes me feel a bit better about the whole thing, though not much. Most of her site is now being reset to "private." As this looks less and less like a hoax, the young lady has my sympathy: this is probably more attention than she bargained for.

Comments

Having just read this myself and followed a few links I believe that The posts were public She made them private She subsequently made them public again And that's about it. Reading the posts she seems to be pretty much out. Still, I'm not sure that's important in the least. To address your legal wonderings... "But suppose that the user who first came across this did so knowing that these were supposed to be protected (there's an entry to that respect), but it just so happened that his account was given access it shouldn't have by Xanga's servers. He downloads the information, publishes it on his blog, and scandal ensues. Has he 'hacked' anything, or rather exceeded his 'authorized access?' Or is the operator of the server the one that should be civilly or criminally responsible?" How does this tie in to your earlier cause celebre, that of the open files on the ethics committee, or whatever it was?
Roughly speaking, it's the same situation: someone publishes information to which the author might feel a reasonable expectation of privacy. The question would be whether liability--if any--falls upon the publisher (in this case, chillinois) or the server operator (Xanga). Assuming statutes like the CFAA applied, those who wished to apply the rule against Miranda would have to also apply it to chillinois. (Or the original publisher, anyway.) Whereas a weakness of my preferred rule might be that Xanga's not the person society wishes to constrain here. I still have to give the hypothetical a bit of thought, though. As mentioned above, the facts have 'changed' slightly from what Kos stated.
Also worth noting that if the posts linked to were ever private--which I can't confirm, but at present doubt--they're being made private again.

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

NOTICE TO SPAMMERS, COMMENT ROBOTS, TRACKBACK SPAMMERS AND OTHER NON-HUMAN VISITORS: No comment or trackback left via a robot is ever welcome at Three Years of Hell. Your interference imposes significant costs upon me and my legitimate users. The owner, user or affiliate who advertises using non-human visitors and leaves a comment or trackback on this site therefore agrees to the following: (a) they will pay fifty cents (US$0.50) to Anthony Rickey (hereinafter, the "Host") for every spam trackback or comment processed through any blogs hosted on threeyearsofhell.com, morgrave.com or housevirgo.com, irrespective of whether that comment or trackback is actually posted on the publicly-accessible site, such fees to cover Host's costs of hosting and bandwidth, time in tending to your comment or trackback and costs of enforcement; (b) if such comment or trackback is published on the publicly-accessible site, an additional fee of one dollar (US$1.00) per day per URL included in the comment or trackback for every day the comment or trackback remains publicly available, such fee to represent the value of publicity and search-engine placement advantages.

Giving The Devil His Due

And like that... he is gone (8)
Bateleur wrote: I tip my hat to you - not only for ... [more]

Law Firm Technology (5)
Len Cleavelin wrote: I find it extremely difficult to be... [more]

Post Exam Rant (9)
Tony the Pony wrote: Humbug. Allowing computers already... [more]

Symbols, Shame, and A Number of Reasons that Billy Idol is Wrong (11)
Adam wrote: Well, here's a spin on the theory o... [more]

I've Always Wanted to Say This: What Do You Want? (14)
gcr wrote: a nice cozy victorian in west phill... [more]

Choose Stylesheet

What I'm Reading

cover
D.C. Noir

My city. But darker.
cover
A Clockwork Orange

About time I read this...


Shopping

Projects I've Been Involved With

A Round-the-World Travel Blog: Devil May Care (A new round-the-world travel blog, co-written with my wife)
Parents for Inclusive Education (From my Clinic)

Syndicated from other sites

The Columbia Continuum
Other Blogs by CLS students