Date: 2022-06-28



This is from a bad department

If someone accidentally makes their Google Drive accessible to anyone who knows the URL, and someone goes there and deletes something, is it “illegal access” and a violation of the CFAA? To me, the answer should be no. But in this recent ruling, the judge went in the opposite direction (first pointed out by Evan Brown).

Let’s start by noting that the defendant in this case generally looks like a terrible person, running a Facebook group focused on spreading ridiculous nonsense about her local school district. As explained in the proceedings, the group is:

We are dedicated to disseminating anti-mask policies, anti-vaccine policies, anti-LGBTQ policies, and anti-critical race theory policies within the Scottsdale Unified School District.

Yes. So you get an idea of what we are dealing with here. The father of a member of the school board, who appears to have been (possibly reasonably) concerned about what was happening in this group, started collecting information about it and storing it in his Google Drive account. Apparently without realizing it, he set up the folder so that anyone with the URL could access it.

At one point, the son (the school board member) was accused of defamation, and things got confusing. Here’s an explanation of what happened next from the court’s opinion:

In 2021, the plaintiff’s son was accused of defamation. He responded to his whistleblower by emailing 13 photos of Facebook’s public comments created by his whistleblower. Some of them were stored on the server. One of the photos showed the URL to Google Drive, which came into the possession of Amanda, who noticed the URL and asked a third party to create a hyperlink to the URL. Once it was provided, she clicked on it to access Google Drive. She reviewed, downloaded, deleted, added, reorganized, renamed, and published content on Google Drive.

So obviously that’s not great. However, it’s clear that the Google Drive folder’s owner, Mark Greenburg, had not properly protected it. Even if defendant Amanda Wray was wrong to mess with the folder, nothing would have happened if Greenburg had properly protected his account (which is the default setting, so he had to actively choose to share the folder in another way).

Wray looks like a terrible person in many ways, but it seems ridiculous to claim that she violated the CFAA. However, the court goes in the opposite direction.

This is a close call. Plaintiffs admit that the part of Google Drive that Amanda accessed was not password protected. Plaintiffs mistakenly enabled a setting that would allow anyone with a URL to access the site. However, plaintiffs claim that the setting itself did not expose Google Drive, given that the URL was a 68-character string. Moreover, plaintiffs did not index Google Drive on any search engine, unlike the hiQ website. Therefore, not just anyone with a browser could encounter Google Drive in a web search; they would need to get the correct URL into the browser. In the eyes of the court, plaintiffs argue that Google Drive is limited and therefore anyone attempting to access it requires permission.

In short, the plaintiff is arguing that security through obscurity should be legally protected. The fact that the folder wasn’t indexed by search engines doesn’t seem to matter at all. Greenburg (accidentally, but that doesn’t matter) made the folder available to anyone who had the URL, and his son (accidentally, but that doesn’t matter) published the URL. At that point, it was open to the public. It was on Greenburg to protect the folder.

Wray’s response of going into the folder and tinkering with it isn’t great, but it shouldn’t be considered “unauthorized access” under the CFAA.

I worry that rulings like this can cause real damage, especially for security researchers and others who frequently find public folders that aren’t properly protected. If a folder is set to be public, it is very problematic to claim that access to it is not allowed. The setting that opens up the folder literally indicates that anyone with the URL is allowed to view the folder, even if they have to manually enter a long URL. That’s what happened here, and claiming that access wasn’t granted poses a serious problem with the way the CFAA is interpreted.

