Stop Thieves
When a burglar breaks into a house, is it the fault of the thief, or the fault of the homeowner for having insufficient security?
Or maybe, just maybe, is it both?
The Crime
The good folks at RedState rightly condemn two recent episodes in which Democratic operatives have broken into supposedly secure areas of political web sites to steal information. Most recently, the spokesperson for a Democratic candidate for Minnesota’s U.S. Senate seat lost her job after she “viewed an unreleased TV ad for Republican candidate Mark Kennedy that may have been illegally obtained.”
The Law
It is clear that a crime was committed under the laws of Texas (which is where the server in question is located). Texas Penal Code, Chapter 33, provides in part:
Sec. 33.02. BREACH OF COMPUTER SECURITY. (a) A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.
Also, it seems obvious that this would constitute an “unauthorized access” to stored electronic communications per 18 USC 2701:
whoever—
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.
It may also violate 18 USC 2314, which prohibits interstate transport of stolen, converted, or fraudulently obtained material.
The Perp
Now, the fellow who originally dug up the campaign ads has posted a statement on his blog explaining exactly how he broke into the server:
While searching for political ads, I clicked on a link titled ‘netview,’ which then brought me to another webpage. No other information was requested. I therefore typed in the name ‘Allen.’ Nothing more, nothing less. This redirected me to a webpage containing three pieces of information. Kennedy for Senate, a date, and a hyperlink. Upon clicking the hyperlink, I was directed to the aforementioned political advertisement. At no point in this process did I circumvent or misrepresent myself. The website containing this ad can be accessed by anyone online. It is possible to directly go to this website. It is in no way secured.
(Emphasis added) When Kunin says that “no other information was requested” he means no information other than the password.
(And as a side note, this guy obviously hasn’t lawyered up yet, because no competent criminal lawyer would have let him publish that confession.)
The Defense
Some folks short on both legal training and common sense claim that the weak security of the site exonerates the criminal. Supposedly, the fact that some of the material behind the password screen might be accessible in other ways somehow absolves Kunin. But here’s the important fact. A web site asked him for a password; he plugged one in, and it worked because he guessed right. He was not given the password by anyone at the PR firm or the campaign. He was not granted authorization by anyone other than his own lucky guess. At that moment, regardless of what page the web server delivered next, Noah Kunin committed a computer crime.
For a laugh, check out where Chuck Olsen says “This is not a password screen.” (No, Chuck, it’s just a screen that asks for a password. It’s not a password screen.)
The Barn Door is Open
Now, the real problem isn’t so much that criminal hackers exist, and that they have political agendas. We know this. The real problem is that political figures and their staff don’t understand internet security. The first rule of thumb is that if you don’t want someone else to know something, don’t put it on your web server. Of course, there are times when one needs to distribute information to a select group of people, and the internet is the best way to do that. The way this PR firm “secured” its private information was not merely inadequate, it was gross incompetence. Mind you, that doesn’t excuse the criminals, but it does pose a very real problem.
Anyone who uses technology to disseminate confidential information (like, for example, lawyers) has a responsibility to know and use the proper security methods to protect the confidentiality of that information. When information is stolen, the thieves have the moral and legal responsibility for their actions, but anyone in a position of trust who fails to recognize that thieves exist and fails to take those necessary precautions is equally responsible from a moral standpoint. The PR firm in question, although it has some awfully A-list clientele, needs to clean up its act on the security front or it may soon find all its horses gone and the barn burned to the ground.


