By Daniel J. Solove
I’m a St. Louis Cardinals fan, so I guess it is fitting that my favorite team becomes embroiled in a big privacy and data security incident. At the outset, apologies for the feature photo above. It pulled up under a search for “baseball hacker,” and as a collector of ridiculous hacker stock photos, I couldn’t resist adding this one to my collection. I doctored it up by adding in the background, but I applaud the prophetic powers of the photographer who had a vision that one day such an image would be needed.
Maybe the photographer wasn’t surprised by it, but I certainly was stunned by the New York Times headline:
Cardinals Investigated for Hacking Into Astros’ Database
What? Hacking? Really? The story seems hard to believe. As a fan, I hate to see my team involved in tawdry stuff like this. They are one of the most well-managed teams in Major League Baseball. But good baseball management doesn’t necessarily translate into privacy or security savvy.
The facts aren’t fully known yet, but from what is being reported, Jeff Luhnow, who used to be with the Cardinals, became general manager for the Houston Astros a few years ago. Luhnow built a database called “Redbird” with lots of information and statistics about players. The database adopted the Moneyball approach to baseball, which is chronicled in the bestselling book by Michael Lewis, and involves analyzing enormous troves of data to make baseball decisions as opposed to the good old-fashioned going with one’s gut. Essentially, Moneyball is baseball’s version of Big Data.
When Luhnow joined the Astros, Houston launched a Moneyball-style program called “Ground Control.”
According to the NYT:
Investigators believe that Cardinals personnel, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials when they worked for the Cardinals. The Cardinals employees are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.
Although all the facts haven’t come to light yet, there are some important lessons to be learned already in what has been reported.
1. Computer crime is often not high-tech.
There are some who object to the word “hacking” to describe what happened here. Hacking connotes high-tech wizardry, the stuff chronicled in the movie War Games or regularly on TV where people can break into any network by typing for 10 seconds on a keyboard.
The methods used by the Cardinals personnel to access the Astros’ system were not very sophisticated. The Cardinals employees used some old passwords they knew from when Luhnow and others were working with the Cardinals. The passwords weren’t changed when they went to the Astros. So the Cardinals are not tech whizzes, but they do know some of the ancient wisdom passed down through generations of computer fraudsters: People often have poor password practices. People select bad passwords, they put them on sticky notes near their computers; they don’t change them; and so on. The Cardinals guessed correctly that Luhnow or the others didn’t bother to change the password after he went from the Cardinals to the Astros.
Whether you call it “hacking” or not, the key thing for the law is that someone is accessing a computer in ways that are not authorized. This doesn’t need to occur through any kind of technical acumen.
The federal Computer Fraud and Abuse Act (CFAA) imposes criminal penalties when a person “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” A protected computer is defined very broadly — essentially, it constitutes any computer connected to the Internet.
There are a variety of different types of crimes under the CFAA depending upon the circumstances, but the foundation of all of them is unauthorized access. And based on the facts reported, there was unauthorized access. Even though the passwords was readily guessable — and even though it appears the Cardinals already had the list of passwords in its possession — the ease of access doesn’t matter. No matter how careless Luhlow might have been with security, it is still a crime to access his computer without authorization.
Many people have the misconception that computer crime is very sophisticated. Much computer crime isn’t sophisticated. Hackers often get into a system through con artistry. They get in by tricking people into giving them their password. If you read about the exploits of reformed hacker Kevin Mitnick, the inspiration for the movie War Games, many of his techniques seem closer to the movie Dirty Rotten Scoundrels.
2. It pays to think about security for more than 1 second.
Apparently, the amount of thought that the Astros gave to security wasn’t very much. The Cardinals had the password.
Quick Data Security Tip #18: If you’re moving to another organization, and the organization you’re leaving has your password, for goodness sake, at the very least, at the bare minimum . . .CHANGE YOUR PASSWORD!
We often lament the fact that hackers from abroad can seemingly break into any computer system. It’s tempting to throw up one’s hands and say: “I give up! Data security is just too hard!”
But many security breaches involve obvious mistakes. We can eliminate most security breaches just be trying to cut down on the simple mistakes.
I’m not saying that we should stop sweating the hard stuff. But there’s a lot of easy stuff to security, and improving how we deal with the easy stuff will go a long long way!
We should sweat the easy stuff. This will help a lot.
3. Just because you have access doesn’t mean that you can access.
Many people mistakenly think that if they have access to data, they can look at it. Perhaps the Cardinals personnel thought that since they had the password, they could try it out. There are lots of cases of people improperly accessing another person’s account because they know their password. This comes up in many cases where spouses or exes snoop into each other’s accounts. This is often a CFAA violation.
Using a password to access another person’s account without authorization feels a bit naughty, so you might think that it is an obvious case. But there are plenty of CFAA that aren’t obvious. There are cases where former employees seek to access their accounts just a few days after their job ended. There are cases where current employees access data that they shouldn’t access, and these, too, are a violation of the CFAA. When the data involves “protected health information” under HIPAA, there can be criminal penalties under HIPAA for snooping into the data. There are cases where hospital employees look up information about celebrities or friends or family members who were being treated at the hospital. Some cases like these have resulted in jail.
So if I hire you and say: You may access this and that, but whatever you do, don’t access the data in the “forbidden fruit” database, and you do, then you better bring your fig leaf.
4. It is easy to be a “hacker” because the CFAA is very broad.
There are a lot of “hackers” out there. The CFAA’s scope is extremely broad, and its terms are not well-defined. Many people might be shocked to learn that they are a federal computer criminal under the same law that is used to prosecute hackers.
For example, if you pick up a person’s smart phone and glance at their email, that’s within CFAA’s scope. Sometimes a student is typing on his smart phone in a 9th grade class. The teacher grabs the phone and starts to read the text message that the student is writing. The teacher’s conduct is “unauthorized access.”
How broad is the CFAA? According to the U.S. Department of Justice (DOJ), if you continue to use a website after violating its terms of service, that’s a federal crime. Indeed federal prosecutors from the DOJ tried out this theory on a person who created a fake MySpace account in the case of United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009). The prosecutors lost, but the DOJ continues to try out this theory and similar theories (see the United States v. Nosal litigation).
So the millions of children under age 14 who have Facebook accounts are federal criminals because Facebook forbids children under 14 from having accounts. If a website says that people with blonde hair are unwelcome on the site, and they go to the site, they are federal criminals.
It is amazing that this interpretation is even advanced with a straight face. One would think it’s an April Fool’s joke. There are hard questions and easy ones, and it seems to me that the DOJ’s interpretation is so monumentally stupid that anyone advancing it should have their law degree revoked.
The CFAA needs a serious rethink. The statute was originally created in 1986. Its scope is way too broad and its definitions are way too vague. Too much common conduct can get swept up in broad interpretations of the law’s scope.
Here’s what I would do with the CFAA:
Yes, I would push the delete key and make Congress start over. This law needs a lot more thought because the issues are quite complex.
There have been too many prosecutions under the CFAA based on very broad theories of its scope. This has demonstrated why the statute ought to be struck down as void for vagueness. Under the U.S. Constitution, laws can be invalidated if too vague. According to the test established by the Supreme Court, a vague law is one that either fails to provide the kind of notice that will enable ordinary people to understand what conduct it prohibits; or authorizes or encourages arbitrary and discriminatory enforcement. Failing on one of these prongs is sufficient to kill a law; the CFAA flunks both.
The CFAA needs to be significantly revised, like so many of our laws dealing with computers and electronic communication which have fallen woefully out of date.
5. People need basic literacy in privacy and security.
The points above all point to one very important takeaway — many people don’t know enough about what to do regarding privacy and security. They don’t know that some of their conduct might be criminal. They don’t know basic good data security practices.
The Cardinals personnel might not have known that what they were doing was illegal — and I definitely bet they didn’t know how severe the consequences could be. The Astros personnel didn’t know some basic ways to protect data security.
As one who produces privacy and security training for organizations, I am constantly reading about how privacy and security incidents occur so I can design my training to prevent them. So many incidents involve people doing foolish things because they either didn’t know better or didn’t understand the severity of the consequences.
Everyone needs to know about privacy and security, yet so many people lack basic knowledge. We may not be able to get everyone to know the digital equivalent of the infield fly rule, but we at least can try to get people to know the basic rules of the game.
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.