Return to Blog Archives>>

Reporters Threatened with CFAA Lawsuit for Googling Confidential Data

threatening to sue the Scripps reporters who discovered it via Google. The contractors in question, Terracom and YourTel, left a smorgasbord of personally identifying information on the web belonging to applicants to a government run program that subsidizes phone service for low income individuals.  This information included Social Security Numbers, Passport copies, names, signatures, birth dates and the like.  Scripps reporters working on a story about online privacy apparently obtained the information (remember under the CFAA obtaining information can be just looking at it) first via Google searches and then using the program Wget.  Nothing was really hacked, at best there was a harvest of unprotected low hanging informational fruit. Of course, rather than owning up to their sloppy security, counsel for the companies sent a cease and desist letter (below) saying that Scripps needed to cough up money to mediate the purported breach, and making implied threats of criminal prosecution. For anyone familiar with U.S. v. Auernheimer, this fact pattern should sound familiar and Scripps counsel should be concerned about being on the receiving end of a federal CFAA Indictment.  For those of you who don’t know, Andrew Auernheimer is currently serving a 41 month sentence in federal prison for conspiring to access AT&T’s publicly accessible servers and harvesting roughly 120,000 email addresses that AT&T had left exposed on the open web.  No password was bypassed, and no real hack occurred.  I was lead trial counsel for Auernheimer, and I don’t see much difference between what happened in that case and what happened here.  Except maybe that the DOJ might be a bit sensitive about going after reporters given their current track record on that front. Anyhow, this is another paradigmatic example of how flawed the CFAA is.  By not defining its key operative phrase “unauthorized access” as requiring  bypassing a password or some other type of technological access barrier, it allows corporations to be negligent regarding their infosec. The corporations know that someone else, and not themselves, will suffer the consequences for discovering their confidential data that the corporation has displayed for all to see on the open web.  Why should anyone disclose any computer security flaw in that type of set up?  Why risk a felony conviction?  Better to keep your mouth shut and let all sorts of criminal organizations and foreign governments harvest the information than to incur the wrath of the Department of Justice and a vexatious and costly civil suit. (Tor) h/t Ms. Smith (if that is her real name), Privacy Fanatic Blog h/t @apblake Here’s the Cease and Desist Letter JLee Cease and Desist Ltr Oh yeah, this is not legal advice and is for informational purposes only.    ]]]]> ]]>

Road to Nowhere

In Liminae: The Road to Nowhere

It takes us about six hours to drive to the rural state jail (that’s owned by two judges) the Feds contracted with to hold our client. Accused of computer crimes, he can’t effectively review evidence in jail – there’s no practical access to computers in the gulag. They’ve seized all his assets claiming they’re the ill-gotten gains of crimes the government can’t identify, and their computer forensics – if you can call them that – have no scientific basis and are full of basic errors and typos. In my decade as a federal criminal defense lawyer doing computer cases across the country, I’ve never come across a case where the government was so completely off.

Read More »

Guilty Until Proven Innocent

A defendant’s view from the trenches of federal criminal court This post is originally published to Substack. You can read and follow us there.

Read More »

For media inquiries, please email


©2022 Tor Ekeland Law, PLLC   •

Attorney Advertising   •   Past results do not guarantee future results   •   Licensed in New York