I don't really like the framing that the reporter is framed for using "view source". This reinforces the idea that the people responsible for this are just uneducated. I'm sure, at this point, someone already explained it to them.
That reporter is a victim of harassment, and that if it wasn't for "view source", it could be for some unrelated stuff. It's the same as protesters being arrested for all kinds of bogus reasons, or random people being arrested with planted evidence. The goal is to deter someone you don't like from exercising their legal right (journalism, protesting, standing in the street in the wrong neighbourhood), by weaponizing unrelated laws.
The only reason "view source" is being talked about is because that looked like the best case when the book was thrown at that journalist.
I hope that case remains at threats and doesn't get to actual charges.
>I don't really like the framing that the reporter is framed for using "view source". This reinforces the idea that the people responsible for this are just uneducated. I'm sure, at this point, someone already explained it to them.
I don't like the framing either, but for different reasons. From my reading, the journalist is being targeted for reporting the vulnerability or perhaps for exploiting the vulnerability - I'm not sure.
To be clear, most websites have some disclaimer that says "don't use this website for unauthorized purposes". This is deliberately vague and includes "don't use SSNs that we leave laying around".
Should the website leave SSNs laying around? Definitely not.
Should the web site owner have the strong arm of the law come smashing down on them? Absolutely.
Should others use those SSNs? Definitely not.
If the journalist saw the SSNs and then did nothing, leave him alone. If he did something with them, charge him. If he reported them, and he is being harassed for reporting them, then write an article about that.
Seeing it and doing nothing is worse in my eyes. That is how you create societies that ignore terrible problems for fear of law enforcement retaliation.
The only way he should be charged is if he committed identity theft or sold the numbers.
This entire debacle is a direct attack on journalists.
>This entire debacle is a direct attack on journalists.
As if this attack on a free press wasn't brazen enough, local PACs have already put out attack ads against the journalist, to frame this as the governor "holding fake news accountable." [1]
If you are young and educated, you are not the target audience of these theatrics and you’re more than likely going to bounce from the state (Columbia aside, Missouri’s version of an affordable Austin).
Conservatives are swinging for the fences with their base in decline. I can come up with no other explanation for these disingenuous actions.
For a case that could potentially embarrass the state, I'd think the prosecution would try hard to make sure the case appears on the right judge's docket.
Just because you understand it to be a ridiculous charge and view the gov as embarrassing himself, does not mean all have made that judgment for themselves. Those holdouts would latch onto a verdict as truth and view the gov as vindicated.
I’m sure the governor would rather see this all the way to the end, lose and then cry foul than just admit he is wrong too. He probably already knows he is wrong but no politician would ever admit it. Politicians will dig in their heels until they’ve dug their own grave than admit fallibility. They are incapable of it.
IANAL, but the local Missouri computer crime statute is very broad [1]. Technically, the reporter seems to have factually "Accessed a computer, a computer system, or a computer network, and intentionally examined information about another person" without "authorization." Considering the conservative PAC for the state has already pushed attack ads against the reporter [2], and the fact that the prosecutor is elected (potentially supported by conservative PACs), I definitely see a possibility of this going to court and potentially arriving at a conviction. Again, IANAL, and I don't know the jurisprudence or case history behind this particular statute.
The reporter did not access anything they did not have permission to access! It was on a publicly accessible website, posted publicly, for the purpose of public dissemination. The statute is even more restrictive than that - the part you didn't quote:
"A person commits the offense of tampering with computer data if he or she knowingly and without authorization or without reasonable grounds to believe that he has such authorization"
No one could possibly prove beyond a reasonable doubt that the reporter did not have "reasonable grounds to believe that he has such authorization". The reporter did not know that the website had private information on it when he accessed the page.
The law does allow for a civil action to be taken by the owner of the computer system (in this case the state) which would lower the standard of evidence to more likely than not - but given the facts of the case, I don't think it comes even close to meeting that bar.
I totally agree with you in principle. Everything the reporter accessed was publicly accessible.
That said, it seems like a prosecutor could articulate an argument that the reporter accessed information he had no reasonable grounds to believe he was authorized to access because he deliberately decoded some Base64-encoded strings that the reporter expected to contain sensitive information. Further, that because the reporter knew the site was using encoding to "protect" this information, by decoding the information he had believed might contain unauthorized information, he had "examined information about another person" that he had no "reasonable grounds" to believe he was authorized to access.
For every objection that is coming to your mind reading this, think to yourself whether you are confident you could convince a tech-illiterate prosecutor (who is looking to "hold fake news accountable") to see things your way. Further, is a jury or a judge going to be able to find salient AND relevant differences between "decoding" and "decrypting" or "client-side" vs "server-side" software? And are those differences great enough to affect their interpretation of the reporter's actions in the context of the statute? Judges, prosecutors, and juries cannot be relied upon to unwrite bad tech laws.
> think to yourself whether you are confident you could convince a tech-illiterate prosecutor (who is looking to "hold fake news accountable") to see things your way.
“It is difficult to get a man to understand something when his salary depends upon his not understanding it.”
> information he had no reasonable grounds to believe he was authorized to access because he deliberately decoded some Base64-encoded strings that the reporter expected to contain sensitive information
From a mathematical or CS perspective, i.e. from the perspective of objectivity and rigor, the Base64-encoded strings contain precisely the same information as the decoded version.
Even from a lay perspective... it's as if the state issued a public declaration in Chinese, and translating to English was "accessing" different information than the Chinese original.
> For every objection that is coming to your mind reading this, think to yourself whether you are confident you could convince a tech-illiterate prosecutor (who is looking to "hold fake news accountable") to see things your way.
Ask the prosecutor if sharing stolen Base64-encoded SSNs would be _legal_ because Base64-encoding makes them _different information_ than the original SSNs.
You won't be able to convince the prosecutor of anything ever, but you won't get a straight answer to that question either.
If the data was encrypted in a way that was easy to defeat, and the reporter specifically decrypted the data using a method that would not be generally available or known to a layperson without having specific tech knowledge…that reporter is going to have a tough time defending against a “hacking” claim—especially in a state with an overly broad legal definition about accessing unauthorized data. They capitalized on the data and benefitted by writing a story about it.
As a juror your job is to convict or acquit based upon the law and jury instructions given to you. Your job is not to convict or acquit based upon your opinion on what the law should be.
I suppose it's true, though, that poorly-encrypted ciphertext still contains the original information as the plaintext.
Encryption has the clear intent of removing all the plaintext information from ciphertext, producing a random string that is useless without a secret key, but this may fail, and then the plaintext information remains.
However, encoding information (in Base64 or otherwise) has the intent of removing no information.
My original formulation of argument was flawed, since it made no reference to or distinctions of intent.
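Added example, not part of the thread: a pre-publication check a site owner could run over rendered HTML to catch the condition discussed above, where Base64 in page source is decoded without any key and still carries the sensitive value. The function name, regexes and sample page are constructed for illustration; the sample uses SSN-shaped placeholders that are never valid SSNs.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet long enough to hold a record, plus optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# SSN-shaped text; the last four digits are captured so findings can be masked.
SSN_SHAPE = re.compile(r"\b\d{3}-\d{2}-(\d{4})\b")


def _b64(text):
    """Encode constructed sample text the way the page embeds it (no key involved)."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample page. Area number 000 is never issued, so these are placeholders.
SAMPLE_HTML = (
    '<div data-rec="' + _b64('{"name":"Jane Example","ssn":"000-12-3456"}')
    + '">Jane Example</div>\n'
    '<div data-rec="' + _b64('{"name":"John Example","dept":"Math"}')
    + '">John Example</div>\n'
    '<script>var viewState = "' + _b64("id=7;ssn=000-98-7654;role=teacher")
    + '";</script>\n'
)


def find_encoded_ssns(html):
    """Return (offset, masked_value) for each Base64 token that decodes to SSN-shaped text."""
    findings = []
    for match in B64_TOKEN.finditer(html):
        token = match.group(0)
        if len(token) % 4:  # not a whole number of Base64 quanta
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary long identifier or binary blob, not text
        for ssn in SSN_SHAPE.finditer(decoded):
            # Mask the value so the scanner's own output does not leak it again.
            findings.append((match.start(), "***-**-" + ssn.group(1)))
    return findings


if __name__ == "__main__":
    for offset, masked in find_encoded_ssns(SAMPLE_HTML):
        print(f"offset {offset}: Base64 token decodes to {masked}")
```

Any finding means the value was already delivered to every visitor's browser; the fix is to stop sending the field, not to change its encoding.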
Ok so let’s use the word “encoded” instead of encrypted, but the distinction between the two to a layperson might not be as nuanced as a reader on Hacker News might understand. Even the word “decoded” as opposed to decrypted would raise eyebrows to a layperson juror.
If the law is overly broad about unauthorized access of the information and if by default the information being accessed is not plainly readable without conversion requiring special knowledge or software, I think a conviction might be likely and justified.
> Even the word “decoded” as opposed to decrypted would raise eyebrows to a layperson juror
What does "raise eyebrows" mean?
You hypothesize a jury that simply doesn't understand the word "encoding," and can't be taught its meaning because it sounds like "encryption"?
If a message were broadcast in Morse code, then you could be convicted for unlawful access if you were to decode that into letters, right? Because it's Morse "code," an encoding.
I guess juries might not convict in that case because they've heard of "Morse code", but not "Base64 encoding"?
Anyway, if communication with juries is this fragile (and maybe it is) then a jury conviction really means nothing and the trial system as a whole is pretty hopeless and certainly cannot justify imprisonment of anyone.
“Raise eyebrows” is basically an idiom that means “have skepticism for (what is being told to them)”. I think the standard lay person on a jury would not necessarily be open to a defense attorney attempting to explain that the word “decode” goes against their base understanding of the word. The defense argument has to overcome the jury’s lay understanding of decode by arguing that although yes, we are revealing information…it's not really revealing anything since it was easy to reveal in the first place for someone with the skills to do it.
To use a metaphor—if a state building is closed, but a person with certain knowledge knows that the windows on the building are easily opened by lifting and pulling in a certain way. Then, that person opens the window, enters the building, takes pictures of sensitive information, and later tells the government about the window, then writes to the world later after the government replaces the windows about how easy it was for them to enter and find that sensitive information, would they be guilty of breaking in and stealing information? I think yes.
Even if their intent was not malicious, and ultimately resulted in more secure data, they did something that was not authorized and then capitalized on it after. If the law doesn’t have a caveat for that situation and if the jury is doing its job and doesn’t have an instruction to allow the out, a conviction is likely.
I'm not asking you about the meaning of a common idiom. I'm only asking about what you mean. What are you trying to say.
> I think the standard lay person on a jury would not necessarily be open to a defense attorney attempting to explain that the word “decode” goes against their base understanding of the word.
If they're not "open" to understand what Base64-decoding means, then they're not open to understand what the defendant did. Maybe that's true. If so it's a very deep indictment of the process. If what you are saying is true, the judge should not allow the prosecution to use the word "decode."
> To use a metaphor—if a state building is closed, but a person with certain knowledge knows that the windows on the building are easily opened
We don't need a metaphor. I used another actual example (not metaphor) of an encoding -- Morse code. A person who takes a transmission in Morse code and writes it down on paper has decoded it.
Is decoding Morse code allowed "without authorization"? Do I have a right to broadcast information on my HAM radio and then demand prosecution of any people who decode it?
It seems you would argue yes. Or else "no, but only because juries have heard of Morse but not Base64."
If the state, in this case, had used strings of "." and "-" to encode the data in Morse code, instead of Base64, do you think they would have the same case?
Or what if they had used Greek instead of English? (I think if you insisted to use a metaphor for encodings, that would actually be a good one.)
You are relying on special knowledge and understanding so it’s simple to you. It’s not necessarily simple to the 70 year old grandmother sitting on a jury. Does she understand what Morse code is, probably. Can she create an equivalence between Morse code and Base64? Well that is what a defense attorney has to do now, ain’t it?
But all of that still doesn’t matter if that reporter was in possession of data he was not authorized to have and the law prohibits that. So what you have is decoded data in possession by someone who wasn’t allowed to have it but could be valid for him to have possession if it was encoded. If that is the way the law is written or the jury instruction is given…it’s a hill for the defense to climb.
I don't know if you or the post above have any knowledge of the criminal justice system in the USA. I've been in the front-row for thousands of criminal cases and the number that got dismissed before trial, not based on evidence suppression which doesn't apply in this case, is pretty much zero. I got one dismissed based on perjured grand jury testimony, and another based on an indictment flaw, but neither of those things would apply here.
Whether a jury would convict. Juries are much more complicated than most people imagine. For a start, the prosecutor is going to show the statute and the evidence and show how the person violated the statute. There might not be a proper legal defense.
You might be thinking of jury nullification where a jury acquits a defendant even where they are proven guilty, simply because the charges are bullshit. This almost never happens. Although it really should happen much more often.
Not only legal fees (which probably will be covered by someone else in this case) but mandatory court appearances that are scheduled antagonistically and punitively.
The punishments for missing these dates are among the most extreme and disproportionate in the whole system.
(With no due process, and COVID infections for all.)
Yep. As I understand, many innocent people take guilty pleas because the time cost of court appearances is unbearable or will cost them their job. I've become pretty jaded about the justice system as I've learned more about it.
Yes, and also, the plea bargains on offer usually provide a huge reduction from the maximum risk from being found guilty. Not uncommon: plead guilty and pay $100 fine, or be found guilty and go to jail for up to 1 year. The guilty and the innocent alike are given as many reasons as possible to plead guilty.
I prefer the Verge article on this one though [1]. Relevant quote from the article:
> They turned the case over to Cole County Prosecuting Attorney Locke Thompson on Monday, December 27. Governor Parson then held a press conference on Wednesday, December 29, where he cited a state statute related to computer tampering and repeatedly suggested Thompson should use it to prosecute Renaud and the paper.
It was just earlier this week that this was turned over to the prosecutor's office. This prosecutor is an elected official, and the Missouri conservative PAC has put their money behind this by placing attack ads against the reporter, and framing this as "holding the fake news accountable" [2]. Also, IANAL but if we're going by the letter of the law, the local Missouri computer crime section certainly does seem to include the actions of the reporter [3], even if the SSNs weren't Base64 encoded. Bad law, but the fact that the law is bad doesn't have bearing on whether they'll decide to prosecute.