Did the FBI Violate the CFAA by Obtaining Leaked Data from a Misconfigured Website?

Silk Road, an illegal narcotics website allegedly owned and operated by Ross Ulbricht, was run for years as a hidden website. That was until the FBI discovered its IP address, which was leaking from the site because of a misconfiguration of the user login interface by Ulbricht, the site administrator.

While this discovery was deemed not to be a violation of the 4th Amendment (against unlawful search and seizure), it does raise the question of whether or not it violates the CFAA (Computer Fraud and Abuse Act).

The brief filed by the U.S. Attorney’s Office for the U.S. Department of Justice’s trial described how investigators found the server, and argued that there was “nothing unconstitutional or otherwise unlawful” about the FBI’s detection of the leak.

According to the brief, it doesn’t matter that Ulbricht intended to conceal the IP address of the server from the public, because he failed to do so competently, thereby making the information fully accessible to the public.

“This is why it’s so important to have a professional web design firm design your website, to avoid what may seem like little mistakes that can turn into bigger problems,” says Jorge Benito from IBIS Studio, a web design company located in Coral Gables, FL. “People would be amazed at how much of their information is publicly available when small businesses resort to DIY website builders.”

Another similar case from a few years ago had a different result. Last year, Andrew Auernheimer was criminally prosecuted for visiting website addresses on an AT&T server that AT&T thought and hoped would not be found by the public, but that were still publicly available. In this case, the DOJ deemed the process of obtaining the email addresses to be criminal unauthorized access, because AT&T had not intended for the public to see them.

In that case, Auernheimer was sentenced to three and a half years in prison. The case led critics to claim that the Computer Fraud and Abuse Act was too stringent and punitive. But apparently it is also unclear on what information is considered publicly available, and what isn’t.
