Thursday, June 2, 2011

Legal Issues in the PBS Hack

LulzSec, a splinter group of Anomous, hacked PBS television this week. Here are a couple articles about it:

Obviously, hacking in and stealing the data was wrong, but then things get less clear. Here's what I saw and did:

1. LULzsec posted the stolen data on Pastebin where anyone could find it
2. LULZSec tweeted links to the Pastebin dumps
3. I retweeted the LULZSec tweets

A couple people told me I was wrong in step 3, but I am confident my actions were legal and ethical.  But items 1 and 2 are less clear to me.

i asked Alex Muentz for a legal opinion, and here's what he sent me:


Re: legalities of LulzSec's PBS hack

Moral and ethical considerations aside, let's look to the law. Since PBS' web servers are engaged in interstate and international communications, they're protected under U.S. Federal law. By my limited understanding of what LulzSec actually did, they have committed at least three separate crimes, violating the Computer Fraud and Abuse Act and the Stored Communications Act.

I'm assuming the following for this analysis:
LulzSec is more than one person working together to a common goal.
LulzSec did not have permission to obtain or divulge PBS' secrets.
You (and other re-tweeters) are not members of or acting to further LulzSec's actions.

LulzSec's actions were as follows:
1. Accessed PBS servers without permission
2. Changed PBS' web page
3. Obtained information stored within, including logins and stored emails.
4. Divulged the obtained information by posting on Pastebin
5. Tweeted the links to Pastebin containing the PBS documents.

Other people, commenting on LulzSec's actions have re-tweeted the Pastebin links.

So, what laws did LulzSec violate?

Accessing non-public files on PBS servers-  The Computer Fraud and Abuse Act (codified at 18 USC 1030)  prohibits unauthorized access of computers of Federal interest, including computers used in interstate communication. By obtaining any information stored on PBS servers, LulzSec has violated 18 USC 1030(a)(2)(C), which reads as follows:

“intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains...information from any protected computer”.

LulzSec claims to have targeted PBS, so their actions (and access) were intentional. I am assuming that PBS did not grant LulzSec access to the private sections of their servers or their information. Since PBS' servers were Internet accessible and intended to facilitate communication between PBS and affiliate employees, they were used in interstate communication, thus making them a 'protected computer' under 18 USC 1030(e)(2)(B).

LulzSec's second violation of the CFAA would be the modification of PBS webpage. Section (a)(5)(A) of the CFAA bars the knowing transmission of a program, information, code or command that results in the intentional, unauthorized damage to a protected computer.

Presumably, once LulzSec obtained user rights on the PBS server, they had to tell it to change the web page served from that server.  While non-lawyers may disagree with the idea that merely modifying another's web page is 'damage', there is case law that supports this theory. Damages under the CFAA include costs of cleanup, securing a compromised server, identifying the attacker or performing a forensic examination.

Now, let's look to LulzSec's posting of PBS' information. The Stored Communications Act protects electronic communications held in storage. Unauthorized access to an 'electronic communications facility' and obtaining, altering or preventing the transmission of an electronic communication is a crime. By downloading any emails, forum posts to their or other computers, LulzSec has broken yet another Federal law.

Ok. Great. We know LulzSec has been naughty. So they obtained and posted private material. What about the re-tweeters?

All the re-tweeters are doing is pointing out the actions of another. If they're working with LulzSec to further their aims, perhaps an accessory or conspiracy theory could be used to find them liable. I'm assuming that you're not supporting LulzSec , but instead trying to comment on the actions of a criminal group.

1 comment:

  1. "LulzSec, a splinter group of Anomous"
    good starting LOOOOOOOOOOOOL