Showing posts with label password. Show all posts

Wednesday, October 10, 2012

If I read your emails, change your password, and use your emails against you in a divorce proceeding, am I cyberstalking you?

If you said "yes" to the question posed in the title of this post, you may have some difficulties in Florida. In Young v. Young, 2012 Fla. App. LEXIS 15112 (Sept. 28, 2012), a Florida appellate court said "no" to that question, holding that cyberstalking, per Florida statute, requires electronic communications by a person of 'words, images, or language . . . directed at' another individual (the person allegedly being stalked).

In Young, the husband allowed his wife to use his computer password to install a multi-user licensed anti-virus program. Under these facts, I'm not exactly sure why she needed the password, but the case does not clarify. The husband, in my estimation, was operating in good faith because at the time of disclosure the couple was either at, or still amidst, their dissolution proceeding. (Here I'd like to stop and offer what should be obvious advice - short of a court order, never disclose your password to anyone, for anything, at any time. Including your wife. I can't think of many stories I have heard that open with "so I gave her/him my password" and end happily.)

The wife, without the husband's consent, then "used the password to read his email and then changed the password so that he could no longer gain access to his account." Subsequently, she "filed a paper in the divorce proceeding that contained extensive personal information taken from the emails." The husband filed for a domestic violence injunction, which was granted by the lower court after interpreting that the wife's actions "amounted to cyberstalking."

The court of appeals overturned the injunction, stating that reading your emails, changing your password, and using the information discovered in your email account are not electronic communications directed at another, and therefore fall outside the purview of the statute.

In my everyday understanding of stalking, cyberstalking included, I was never under the impression that stalking had to include some sort of communication to the "stalkee." Isn't part of stalking doing so by use of stealth? Indeed, one online dictionary defines it as:
1. To pursue by tracking stealthily.
2. To follow or observe (a person) persistently, especially out of obsession or derangement.
To me, this is an odd outcome - but it is more a failing of statutory drafting than a mistake by the court. The husband may also have other remedies (computer intrusion statutes at the state level), though those will certainly not be sufficient to obtain a DV injunction. The larger question is this: does the wife's behavior give rise to the husband's belief that he was in imminent danger of domestic violence, which is the DV injunction standard in Florida? That's a high bar to meet, but one would need to know the content of the emails to know just how angry she might have been. As a public policy matter, I think a DV injunction here wouldn't be a bad thing.

Tuesday, September 11, 2012

Student's suit for forced Facebook disclosure survives motion to dismiss; court finds reasonable expectation of privacy in Facebook messages

In R.S. v. Minnewaska Area Sch. Dist. No. 2149, 2012 U.S. Dist. LEXIS 126257 (D. Minn., Sept. 6, 2012), a federal district court refused to dismiss the case of a 12-year-old against a Minnesota school district for allegedly punishing her for statements made on her Facebook wall and forcing her to disclose her Facebook password to search through her profile. The case involves multiple causes of action, most of which survived the motion to dismiss, including the First and Fourth Amendment claims.

A summation of the facts can be found here: Minnesota girl alleges school privacy invasion, and here: 12-year-old sues school district over Facebook profile search. With a hat tip to the Student Press Law Center, the original complaint can be found here and its article here.

While the court only has one side of the story, currently, the facts are pretty favorable for the plaintiff as described. In quick summary, it does not appear that her comments meet the requirements of Tinker to regulate student speech, nor did the school have a compelling reason to search her Facebook account.

Addressing the Fourth Amendment claim, the court first noted the distinction between Facebook wall posts (which would receive less protection depending on the settings) and messages, and ultimately held that with respect to the student's messages and profile information:
Based on Plaintiffs' complaint, at least some of the information and messages accessed by the school officials were in R.S.'s exclusive possession, protected by her Facebook password. R.S. controlled those items until she involuntarily relinquished her password. As with a private letter, the content of R.S.'s electronic correspondence was available only to her and her correspondent. The Court concludes, based on established Fourth Amendment precedent, that R.S. had a reasonable expectation of privacy to her private Facebook information and messages.
The court went on to explicitly equate Facebook messages with email, stating that "[t]he Court agrees that one cannot distinguish a password-protected private Facebook message from other forms of private electronic correspondence."

Finally, the court detailed the contours of school searches - that reasonableness in that context is determined under a lower standard due to the school environment - balancing the student's reasonable expectation of privacy against the "substantial interest of teachers and administrators in maintaining discipline in the classroom and on school grounds" (T.L.O.). The court found nothing on the school's side of the scale to justify the search. The court stated:
Based on the facts alleged in the complaint, the school officials had reason to believe that R.S. may have had a sex-related discussion with a classmate. Both R.S. and her classmate had already admitted as much to the school officials prior to the search. Plaintiffs contend that such an out-of-school discussion, even a "naughty" one, broke no law or school policies. 
At this stage, based on the facts alleged in Plaintiffs' complaint, the Court cannot disagree. It is difficult for the Court to discern what, if any, legitimate interest the school officials had for perusing R.S.'s private communications. . . . the school officials had no reason to believe that the search would return evidence of illegal behavior or violations of school policy. At this stage, there is no discernible school interest against which to balance R.S.'s reasonable expectation of privacy.
I have to say, I am very interested to see the outcome of this case. I think the Fourth Amendment details are fascinating and I have paid close attention to First Amendment cases dealing with out-of-school speech so I'm hooked there, too.

If you are looking to brush up on recent school speech cases dealing with electronic speech and school intervention, look no further than the decisions of Layshock and J.S., recent cases from the Third Circuit which are laid out nicely in this student piece from the B.C. Law Review site by Paul Easton: SPLITTING THE DIFFERENCE: LAYSHOCK AND J.S. CHART A SEPARATE PATH ON STUDENT SPEECH RIGHTS.

Wednesday, June 6, 2012

LinkedIn's negligence in failing to adequately secure user passwords

As most of you are aware, LinkedIn's site has apparently been hacked, and 6.5 million user passwords were exposed (if you weren't aware, change your password); the likely attacker operated out of Russia. Take all I say with a grain of salt, as LinkedIn has recently tweeted "[o]ur team continues to investigate, but at this time, we're still unable to confirm that any security breach has occurred. Stay tuned here." But I doubt that this is a false alarm, and for the uninitiated, let me translate that tweet into honest technology speak - "We've realized a breach occurred, we are panicking in a board room and attempting to spin this in the least damaging light possible."

In this day and age it is unsurprising that a large site has been owned by hackers; I think most would agree that this has become commonplace. But, it appears that corporations are failing to evolve based on the failures of their compromised brethren. While LinkedIn should be applauded (quietly) for their use of SHA-1 hashes to store passwords, they should then immediately be criticized for failing to also salt the passwords, or use a more cryptographically strong algorithm such as SHA-256, or SHA-512.

A quick explanation will make their negligence clear. Let us assume that the chance of disclosure of passwords is merely a function of exposure to the internet, multiplied by the traffic of (aka attacks on) the company, divided by the security measures in place to prevent data disclosure. The equation can be noted as EXP * TR / SEC = DISC(%). That equation is of course not scientific, but it helps to explain the current atmosphere of the internet. The variables EXP and TR are hard to control by any company that is out on the internet, and in fact, most companies interested in making a profit want those values to increase. The key to business viability, trust of the consumer (industry respect), and meeting the responsibility placed on you as a data steward is the company's SEC value. I would also argue that the more vital the service you are offering on the internet is, the more responsibility and obligation you have to increase your SEC value.

By using unsalted SHA-1 hashes, LinkedIn essentially conceded that the value of DISC would be enormous, and it did so by negligently failing to salt those passwords. I say negligently because it is commonly understood in the industry that use of a salt makes cracking passwords significantly harder. Take for example the NIST Enterprise Password Management Guide, which states:
The use of salts also makes cracking more difficult—for example, using 48-bit salting values effectively appends a 48-bit password hash to the original password hash, assuming that the attacker does not have access to the salting values and that the salting values are well-chosen. So a salted password might have the same effective length, and therefore be roughly as time-consuming to crack, as an unsalted password that is several characters longer. Also, salts typically use the full range of possible values, unlike passwords that have limited character sets, so salts can strengthen the effective password complexity. Policies for password expiration, length, and complexity should take into account the use of salts.
The use of salts defeats, or at least slows down, the use of "rainbow tables," which are tables of already calculated hashes of passwords. So, if I know that your site uses SHA-1 hashing, I take a wordlist of X words and hash all of them into a database. Then, when a Russian hacker discloses all of your password hashes, I merely correlate the values disclosed with the values in my table to discover passwords. I may not get all of the passwords, because the dictionary file originally used normally does not have every word or possible combination of letters, numbers, and symbols used by individuals, but I am guaranteed to get a large portion because users typically have bad passwords (or shall I say weak/predictable passwords).

The use of salting defeats rainbow tables because the hope is that the potential "cracker" of the passwords does not know the salt used by the particular site, so a traditional rainbow table is useless. Thus the hacker would need to create a rainbow table for every possible value of the salt - an extremely time-consuming task, and wholly not worth it. In all of these password cracking scenarios, there is a race going on. Specifically, the number of entrants to the race decreases exponentially as the complexity and difficulty of the passwords that could be cracked increases (the value of SEC increases). As an internet company you need not outrun the bear behind you that is attempting to expose your security weaknesses; you merely need to be running faster than the others around you.
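To make the two preceding paragraphs concrete, here is an added example (my own code, not LinkedIn's or anything from the post) that builds a small precomputed SHA-1 table from a constructed wordlist, then shows that a leaked unsalted digest is recovered by a simple lookup while a per-user-salted digest of the same password is not. The wordlist, the sample password, and the `salt_hex$digest_hex` storage layout are all assumptions for illustration.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional

# Constructed stand-in for a cracker's dictionary (not real breach data).
WORDLIST = ["password", "linkedin", "123456", "letmein", "qwerty", "sunshine"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_rainbow_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once; this work is reusable against any
    site that stores bare SHA-1, which is exactly what salting takes away."""
    return {sha1_hex(w.encode()): w for w in words}


def store_unsalted(password: str) -> str:
    """The scheme criticised in the post: a bare SHA-1 of the password."""
    return sha1_hex(password.encode())


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Random 16-byte per-user salt prepended to the password before hashing.
    The salt is kept beside the digest ('salt_hex$digest_hex') so the site can
    recompute it at login; it does not need to be secret, only unique."""
    salt = os.urandom(16) if salt is None else salt
    return f"{salt.hex()}${sha1_hex(salt + password.encode())}"


def verify_salted(password: str, stored: str) -> bool:
    salt_hex, digest = stored.split("$", 1)
    return sha1_hex(bytes.fromhex(salt_hex) + password.encode()) == digest


def lookup(table: Dict[str, str], leaked: str) -> Optional[str]:
    """Recover a password from a leaked record only if its digest is in the table."""
    return table.get(leaked.split("$")[-1])


def demo(password: str = "sunshine"):
    """Returns (unsalted lookup result, salted lookup result, login still works)."""
    table = build_rainbow_table(WORDLIST)
    leaked_unsalted = store_unsalted(password)
    leaked_salted = store_salted(password)
    return (lookup(table, leaked_unsalted),   # "sunshine": precomputation wins
            lookup(table, leaked_salted),     # None: table is useless
            verify_salted(password, leaked_salted))
```

A salt only defeats precomputation; each leaked salted digest can still be guessed at full SHA-1 speed, which is why current practice pairs a per-user salt with a deliberately slow password hash such as PBKDF2, bcrypt or scrypt.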

It is no argument for LinkedIn to assert that they could not have feasibly implemented a salt on their SHA-1 hashes, nor is it an argument for them to assert that others are using SHA-1 hashes. It is widely known that SHA-1 has been significantly weakened, and the SHA-2 (256, 512) algorithms are better alternatives - the federal government urged federal agencies to stop using SHA-1 in March 2006, and a competition has been running since 2007 to come up with SHA-3.

We must assume that password hashes are going to be disclosed because of the plethora of weaknesses in software currently implemented worldwide. What we shouldn't assume is that the stewards of our data are failing to exercise due diligence in protecting our information. The driver of an increase in the value of SEC is the real world accountability for preventable security failures.

Update: As expected, LinkedIn has confirmed the breach.