After being made aware of a large and potentially costly privacy breach exposing more than 170,000 records containing Social Security numbers and financial information, the two companies responsible for the blunder are threatening legal action against the journalists who uncovered it. The companies’ lawyers claim that by using “automated means” like the Wget command-line utility to download the records instead of an ordinary web browser, the “hackers” have violated federal cybersecurity law and should expect to be held liable for any financial damages that result.
The story revolves around Saturday’s Scripps News Service report on the federal Lifeline phone subsidy program, which provides discounts on phone service to low-income families. In order to qualify for Lifeline, you have to prove to your phone company that you’re already receiving some kind of federal or state assistance, like food stamps or Medicaid. Two such companies, the Oklahoma City-based YourTel and its sister company TerraCom, contracted out the job of verifying applicants to Vcare, an Indian call center service, reports Ars Technica. In the course of an investigation into the program, an ordinary Google search led Scripps News investigator Isaac Wolf to a completed Lifeline application form on an unrestricted Vcare website. Repeating the search led to thousands more.
On April 26th, weeks before the story broke, Scripps sent a letter to Dale Schmick, CEO of TerraCom and YourTel, requesting an on-camera interview, which led to a prompt fix of the security hole. But four days later, Scripps received a sternly worded letter condemning the journalists for a “prolonged pattern of accessing and downloading of certain confidential data belong to the companies.”
The letter goes so far as to accuse the “Scripps Hackers” of engaging in “numerous violations” of the Computer Fraud and Abuse Act (CFAA) — the controversial 1986 law used to charge Aaron Swartz and Andrew “weev” Auernheimer. Most interestingly, the letter charges that “much of the Scripps Hackers’ activity was automated. After March 25, they began using the ‘Wget’ program to search for and download the companies’ confidential data,” before they “attempted to hack into additional Vcare servers and directories providing greater access.” Wget is an open-source command-line application that downloads files from the internet using the same HTTP protocol that web browsers use.
It also notes that Scripps downloaded “over 120,000 Proof Files” — documents establishing proof of address or proof of enrollment in public assistance programs, which TerraCom, YourTel, and Vcare were all legally prohibited from retaining. Scripps’s own lawyer fired back a day later, “respectfully” declining TerraCom’s request for the identities of the “hackers.”
It shouldn’t come as a surprise that TerraCom and YourTel are looking to pass the buck after being caught with their pants down, and the companies are, for the moment, only threatening civil litigation. Nevertheless, the prospect that someone can be charged under the CFAA for bulk downloading publicly available data with Wget instead of clicking on individual links in Internet Explorer once again highlights the desperate need to reform the CFAA.