When spurious ‘hacking’ claims chill journalism
This shouldn’t be complicated: If someone shares a website with the open internet, you have a right to read what they published. After all, permitting public access is what publishing a web page is for in the first place. But events in Missouri this month highlight that too many legal threats still hang over journalists (and others) who point out a site’s newsworthy shortcomings.
The story has now seen prodigious coverage, but to summarize, the firestorm kicked off after St. Louis Post-Dispatch reporter Josh Renaud published a story about a flaw in a website run by a Missouri state agency. According to the public reporting, the site, intended to let Missourians look up teachers’ credentials, also exposed teachers’ Social Security numbers in the source code. The Post-Dispatch says it notified the state before running the story — to give officials enough time to mend the vulnerability before it became public — and earned, for its trouble, threats of criminal or civil liability under Missouri’s anti-hacking laws.
The idea that viewing a site’s source code amounts to hacking is, to put it gently, ridiculous. As the Washington Post’s Philip Bump explains, that information is very much delivered to you on purpose when you visit the URL; your browser needs it to display the site in the way its designer intends. If you’re reading this on the Reporters Committee’s site, feel free to take a look at ours.
As straightforward as the question should be, in too many instances spurious hacking claims have been used to chill reporting on a website operator’s own mistakes. In 2013, for instance, the telecom firm TerraCom vowed to sue Scripps reporters under the federal Computer Fraud and Abuse Act for discovering — via a Google search — that the company was hosting users’ personal information insecurely. Earlier this year, the city of Fullerton, California, belatedly confessed error after dragging a group of local bloggers into litigation over their access to a Dropbox folder that the city chose to host at a publicly accessible URL. The list of incidents grows longer if you widen the lens beyond journalists to include, say, security researchers.
As we’ve highlighted before, the dangerous premise behind threats like these is that a site owner’s private preferences ought to be the measure of reporters’ rights — no matter what a site has, in fact and in practice, made visible to the public. But as the U.S. Supreme Court observed in a recent case, answering a related question under the CFAA, letting private parties exercise that kind of veto would criminalize a “breathtaking amount of commonplace computer activity.” Most of us don’t, after all, wait for an invitation before we visit a URL or click through a link served up by a search engine. How would we know in advance whether the site’s owner thinks, in the secrecy of their heart, that the information waiting there ought to be secret? Each website visit would be a roll of the dice, shadowed by fear of crippling liability, and among the clear consequences would be a chilling effect on data journalism that risks offending the powerful.
We don’t think that result would be constitutional, let alone reasonable. (For more on the legal arguments, you can check out our friend-of-the-court briefs in the Fullerton case.) Gathering the news online shouldn’t be a game of Minesweeper. And as much as those in Missouri’s position might wish their mistakes had never come to light, lashing out at the press is never the answer.
We’ll be following the story in Missouri as it develops.
Like what you’ve read? Sign up to get the full This Week in Technology + Press Freedom newsletter delivered straight to your inbox!
The Technology and Press Freedom Project at the Reporters Committee for Freedom of the Press uses integrated advocacy — combining the law, policy analysis, and public education — to defend and promote press rights on issues at the intersection of technology and press freedom, such as reporter-source confidentiality protections, electronic surveillance law and policy, and content regulation online and in other media. TPFP is directed by Reporters Committee attorney Gabe Rottman. He works with Stanton Foundation National Security/Free Press Legal Fellow Grayson Clary and Technology and Press Freedom Project Legal Fellow Gillian Vernick.