The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
Accessing Google Drive, Using Inadvertently Revealed Long URL, Can Violate Computer Fraud & Abuse Act
So holds a federal district court, in a dispute arising from the school policy wars.
From Greenburg v. Wray, decided yesterday by Judge Douglas Rayes (D. Ariz.) (key legal point highlighted):
Amanda Wray manages a 2,000-member Facebook group … "dedicated to propagating anti-mask policies, anti-vaccine policies, anti-LGBTQ policies, and anti-Critical Race Theory policies within the Scottsdale Unified School District." … Plaintiff[ Mark Greenburg]'s son serves on … the elected governing body that manages Scottsdale Unified No. 48 School District ….
In response to activities by Defendants [Wray and her husband] and the Facebook Group, Plaintiff began collecting information on them, including photographs, video footage, discussions with third parties concerning them, personal comments and thoughts, and political memes. Plaintiff stored these records on his personal "Google Drive" server. Plaintiff specifically shared server access with three individuals (including Plaintiff's son), who could access the server by signing into their own password-protected Google accounts. Although Plaintiff didn't realize it at the time, the sharing settings on his Google Drive also allowed anyone to access the server by typing in the exact URL.
In 2021, Plaintiff's son was accused of defamation. He responded to his accuser by emailing "13 photographs of public Facebook comments, made by his accuser, some of which were stored on the server." One of the photographs displayed the URL to the Google Drive, and that photograph made its way into Amanda's possession, where she noticed the URL and asked a third party to make a hyperlink for the URL. Once provided, she clicked on it to access the Google Drive. She reviewed, downloaded, deleted, added, reorganized, renamed, and publicly disclosed contents of the Google Drive.
Plaintiff learned of the access and hired a forensic IT consultant team to conduct a damage assessment. He then sued Defendants under the Computer Fraud and Abuse Act …, alleging a loss of at least $5,000….
To "bring an action successfully under 18 U.S.C. § 1030(g) based on a violation of 18 U.S.C. § 1030(a)(2)," Plaintiff must allege that Defendants:
(1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information (4) from any protected computer (if the conduct involved an interstate or foreign communication), and that (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.
Citing hiQ Labs, Inc. v. LinkedIn Corp. (9th Cir. 2022), Defendants argue that Plaintiff did not allege that Amanda accessed the Google Drive without authorization. In hiQ, a data analytics company, hiQ, was scraping data on public LinkedIn profiles, data indexed by search engines. LinkedIn found out, sent hiQ a cease-and-desist letter, and imposed technical measures to prevent scraping data from public profile. But hiQ didn't stop and instead sought a declaratory judgment that LinkedIn "could not lawfully invoke the CFAA" against it for scraping the data found on public LinkedIn profiles. Id. Ultimately, the Ninth Circuit determined that hiQ's data scraping did not fall within the CFAA because "anyone with a web browser" could access the data.
On review, the Ninth Circuit reasoned that "the prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort." Thus, for a website to fall under CFAA protections, it must have erected "limitations on access." And if "anyone with a browser" could access the website, it had no limitations on access.
This is a close call. Plaintiff acknowledges that the portion of the Google Drive accessed by Amanda was not password protected; Plaintiff had inadvertently enabled the setting that allowed anyone with the URL to access the site. But, Plaintiff alleges that this setting did not per se render the Google Drive public, given that the URL was a string of 68 characters.
What's more, the Google Drive was not indexed by any search engines, unlike the website in hiQ. Therefore, it wasn't just "anyone with a browser" who could stumble upon the Google Drive on a web search—the internet denizen wishing to access the Google Drive needed to obtain the exact URL into the browser. By the Court's eye, Plaintiff alleges that the Google Drive had limitations and thus persons attempting to access it needed authorization.
Plaintiff alleges that the disclosure of the URL—the limitation—did not grant Amanda authorization to access the Google Drive. He asserts that the disclosure was inadvertent. As the Ninth Circuit has recognized, inadvertent disclosure of the means around a limitation on access does not per se grant authorization. Plaintiff has sufficiently plead the elements of a violation of 18 U.S.C. § 1030(a)(2).
Defendants next argue that Plaintiff's allegations of $5,000 in damages are too conclusory to state a claim. Not so. Plaintiff alleges that Amanda accessed the Google Drive without authorization, causing changes to the files saved there, and that he had to hire a forensic IT team to determine the scope of the damage, all of which he alleges cost at least $5,000. Plaintiff is not obligated to provide itemized receipts at the pleading stage….
Huh. Build a house, forget to put a lock on the front door, take a selfie which shows the street address, someone decides to look at it, tries the front door, not locked, walks in, looks around, does no damage.
Not a very good analogy, sorry. Most people know that houses are private property, and an unlocked door means you’ll be finding a dead body Real Soon Now, or that you shouldn’t go in; maybe push the door open a little to yell if anybody is home. Whereas a URL with documents without password protection, how would you know it’s supposed to be secret? Nothing was corrupted, deleted, damaged. On the third hand, the interloper knew they had a treasure trove they probably weren’t supposed to access and just thought it was their lucky day.
I guess to me, that would not be a violation. But IANAL and show it every day.
I should clarify — there is an allegation of changed files and paying to undo the damage. But it’s not proven. More proof IANAL to know how much this matters.
Nothing is proven at this point, this is a motion to dismiss. The claim that the defendant deleted files is just an allegation in the complaint—but so is the allegation that the defendant accessed the site in the first place. I’m not sure why at this stage you’re any more skeptical of the former than the latter.
Even if that’s true, the plaintiff’s settings allowed anyone who accessed the data thru the URL permissions to modify content, otherwise they couldn’t do it.
I find the decision relying on having a 64 character string very unpersuasive. She was sent the URL by an authorized user, how was she to know they intended the url to be password protected, and she was bypassing the password protection?
I hope to hear Orin Kerr’s take, I’m sure he’ll agree with me, which would make your take, by definition, wrong.
What, may I ask, the fuck are you talking about? I’m responding to Á àß äẞç ãþÇđ âÞ¢Đæ ǎB€Ðëf ảhf’s skepticism that data was deleted or tampered not opining on the legal significance of any deletion.
I believe the bad actors are alleged to have downloaded / made a copy of the drive’s contents, added files that weren’t originally there, deleted others, and subsequently went around presenting the altered drive as the work of the plaintiff. There is a separate defamation suit in state court relating to this.
The defendant would have known very well that the plaintiff would not have intentionally granted access to them in the first place.
IAAL, and in a true no-harm scenario (i.e., just looking) I too would come out on the other side of the “close call” than the court did. But I imagine the thumb on the scale here that might have made the court work a bit harder to find a theory to allow the plaintiff to go forward is the fact there was indeed damage, and quite a bit of it:
Under your analogy, that seems more like taking a spray can, sledgehammer, and six-pack inside with you and leaving with photos of financial documents you found in a desk drawer.
In a true “no-harm” scenario, the other elements of a CFAA claim aren’t met (five grand damages minimum), so there’s no call to make on authorization.
Maybe in this case, but that won’t always be true.
In your home analogy, entering the home without permission, even though the door was left unlocked, would still be trespassing.
The difficulty with the ‘home’ analogy is these things weren’t kept at “home”. It’s more like they were kept in a strong chest hidden somewhere “special” in the public forest preserve. The owner (plaintiff) thought the chest was hard to find and also padlocked and closed, but it wasn’t.
Then, someone (plaintiff’s son) published a treasure map describing the locations of the chest. So someone else with the treasure map went out to have a look. There it was open for all to see.
In the analogy, it does seem defendant removed stuff from the chest knowing that wasn’t their chest. But there was no trespassing in anyone’s home. Everything was in public.
No. If you know your neighbor leaves his house unlocked, entering his house without permission is still trespassing.
A public Google Drive share is not a house, and the rules under CFAA are different than under trespass law. The whole point of this kind of Google Drive use is sharing address to the files across users.
“The whole point of this kind of Google Drive use is sharing address to the files across users.”
Not really, that’s a side bonus. The main purpose is one user having access across multiple devices.
Your claim about “main purpose” would surprise many. Public school teachers routinely use Google Drive to share across multiple users, generally the students in a course.
I have to agree with lucia. If that were its “main purpose”, Google wouldn’t have created the ability to share without a password.
Google also promotes educational use of Google Drive encouraging teachers to use it to share materials with students. Until recently, educational accounts had no storage limits. They’ve changed that. But sharing among many is not a “side” use by any means. It’s designed that way.
What if the owner instead had deliberate settings to allow anyone access who had a different string of characters revealed in a photo — say, a password. Would that change your analysis?
The default setting is “private”. In that case only those with a password would be able to access. The owner (likely Mark Greenburg) had to manually change those settings.
We don’t know whether he understood what they meant. But he had to have changed them.
A web page is not a house. When you manually change the settings from “private” to “public”, the page displays to whoever passes by (with a url). Sort of like a billboard over a road displays. If someone puts their message on a billboard, passers by can certainly look at it. It’s presumptively “authorized”.
Erecting the billboard in an out of the way cow pasture far from all roads doesn’t change the authorization. It will likely result in fewer people seeing it, but those who do find it and look are not “unauthorized”.
I don’t know that I personally disagree with the court’s analysis, but it seems difficult to reconcile it with either hiQ or Van Buren.
This is the same issue that arose in Prof. Kerr’s Weev case, which IIRC he won on other grounds.
It was similar, although I believe there it was possible to guess the URLs, which does not seem to be the case here. (And you are correct that the Third Circuit reversed on venue grounds without reaching the merits of the CFAA question.)
CFAA is a bad law, but this is a close case. The URL came from an email which the deft somehow acquired, so the question is whether the material itself is simply beyond the reach of the law by virtue of being exposed to the open web. And data and controls exposed to the web are distinct from web pages not yet intended to be seen — an open AWS silo is distinct from, say, a website article with a guessable URL not yet linked to the main page. To determine whether the portcullis was run down and then defeated, I’d want to know the circumstances of the email transmission. Was the URL made public by a third party, and therefore crawlable or scrapable? Did the URL lead to the content, or to a directory structure? Could the directory structure be derived from the content’s URL, or did the user navigate upward from the controls on the page? Or perhaps the directory structure had to be derived from some composition of the data in the samizdat URL. Was either the directory structure or the content crawlable, with or without indexing metatags? Was the data clearly within the (I assume, #notexpert) domestic scope of the law? If Google had used shorter URLS, would there therefore have been no attempt to limit access to the data? Would a tinyurl in the original email have been sufficient basis for the claim? There are a lot of questions that really should be asked in cases like these, and if you accord each question a presumption for the deft, there’s a chance that Zeno’s arrow never gets to an indictment or survives a motion to dismiss.
On the plus side, the court avoided “pled” (which I’m convinced is on the circuit court clerk bingo card) by using “plead” in the past tense, which is at least spelled correctly, even if it implies an incorrect pronunciation and usage.
Mr. D.
The law tried to solve a real problem but is poorly drafted, probably because the people who drafted it did not understand the technology and because various parties have tried to push rather extreme interpretations, like claiming the violation of TOS is a violation of the CFAA.
The Turtle Dove
There are two forms in which it was made public:
1) The google drive owner changed the settings from private to public. (Private is the default.) That made all urls crawlable and scrapable. (Google bot does crawl google drive folders but needs to be given an initial seed of a url.)
2) Mark Greenburg evidently revealed the URL of the folder by distributing an email containing a screenshot (probably .jpg) that displayed the URL. This was readable by anyone who knew the “alphabet” and understood what the character string represented. That’s how the Wray crowd happened to find the URL.
“Did the URL lead to the content, or to a directory structure?”
The URL led to content. Typically, all the files at the url are just links. If you load those links you see the files.
Looks like no.
This is pretty interesting. The links are not “guessable” in the normal sense that a person could predict them. The links can be either to a specific file or to a directory.
Here’s an example of a link to a directory: https://drive.google.com/drive/folders/14pb9upkmtFw1_OVUWL00aklJkX-Rgelz
And here’s an example of a file in that directory:
https://drive.google.com/file/d/1-kB0OrtTtBpbuSARZIE4jedBMUOHEEDz
(I’ve munged the links here so you can’t actually navigate to them, but the pattern shown here is the pattern of the resources on Drive.)
These links are not “guessable” in the normal sense of that word, but may perhaps be “crackable” using cryptographic tools. The links are also not exposed to any public search engine, they are “private” to the Google service in that sense. You have to know the link to traverse the link.
A folder link is what must have been shared, not a link to an individual file. When one traverses a shared file link on Drive, you get just the file in a Google-hosted viewer in a browser tab. You don’t get any information about the “folder” in which it is “stored”.
(I use “stored” in quotes here because I very much doubt that Google stores files in a physical file folder. The file AND the folder are probably just handled as generic objects.)
The latter part of the URL appears to be a random key, which is a standard way to restrict access. I think that the decision was correct because this key provides a non-trivial amount of protection–probably only a bit less than the protection that would have been provided by a password.
In this case, defendant was able to gain access because plaintiff took and shared photographs of his computer screen, and the URL appeared in the browser window. That particular scenario would be much less likely to happen with a password, because passwords are normally not displayed by default, and even if they are they are only displayed briefly during the authentication process. So embedding a key in a URL is not a great idea from a security perspective. On the other hand, the scenario described requires an unlikely series of events. How often do people post photographs of their computer screens? I don’t think the existence of this attack vector makes embedding a key in a URL categorically different from password protection.
It’s a key but it’s not to restrict access; precisely the reverse, it is to make access more efficient and reliable. It’s a key in a hash table that relates the string to the file. Hashing it means that it’s less likely to conflict with another file somewhere by giving it a (practically) unique ID. It helps to obscure information (I can’t blindly type in “bankinformation” and some other identifying information into the URL in the hopes someone shared theirs) but it’s not protected in any real sense.
I also opened up public Google docs/sheets I have access to and they have similar hash codes for the URL so it’s not intended to be the means of security.
“How often do people post photographs of their computer screens?”
A lot more than you’d expect, I think. Lots of people don’t know how to take screenshots and will send a picture instead.
Yeah, the long URL is to make it unique and hard to stumble across. It’s not an access control mechanism — as the court (and Krayt above) mentioned, Google does provide effective methods for read and write access control, and the plaintiff did not use them.
Any time you share your screen during a zoom meeting? The party who ‘disclosed’ the URL was a student at the time. I don’t know the timing for this case, but schools were meeting remotely for like a year…
How did you get 2 links in a comment? Usually a second link gets the comment blocked.
I had no idea that linking blocked anything, actually. If that’s an actual moderation rule, it’d be a pretty useless one, I think. Like locking all the windows but leaving the front door open.
That’s what one gets by default — but it is a private folder. By “this kind” of use, I meant giving other people access to folders at all.
I very much doubt that Google stores files in a physical file folder.
This made my day.
Completely flies in the face of not just HiQ but also Van Buren v US, if you’re not technically illiterate. This judge apparently is.
The judge even noted HiQ came to the 9th Circuit *after* LinkedIn put up some rather arbitrary technical measures, which would be analogous to not just posting the URL while granting full access to it when entered.
Anyone with a browser could also access this drive if they know the URL. Seems rather irrelevant that just because it’s harder to discover the location it renders things moot… since the owner made the drive publicly accessible, nobody exceeded authorized access. The judge seems to think a URL and a password are the same thing.
Douglas Leroy Rayes is a United States district judge of the United States District Court for the District of Arizona.
Born: August 22, 1952 (age 69 years)
Yes I’m beginning to see the problem.
“The judge seems to think a URL and a password are the same thing.”
That’s what Google appears to think when they say “anyone with the link can access.” They intended the link to be like a password.
Yeah, but you can and do forward and post links.
People realize they shouldn’t forward or post passwords.
I’m not so sure that’s true. There’s a lot of password sharing going on.
No, the link is just an address. If it’s a personal Google Drive then their password is their Google password. Once it’s shared through the “anyone with the link can access” it’s not password protected. If you want to share with specific people and prevent them from further sharing it there are other settings to use than that one, which is pretty clear in that it makes it effectively public: the lock changes to a green globe and it says “anyone on the internet with the link can view.”
A URL (or link) is not like a password. It’s more like an account name: it identifies what you are trying to access, not how you prove that you are authorized to access the content.
Zoom, for example, allows URLs with or without the password embedded. Both ways are URLs. So does that make the password not a password?
It sounds to me like a matter of definition. Choose your preference.
No. Zoom is not Google Drive, passwords are passwords, and URLs are not passwords.
This case is like prosecuting someone (under CFAA) for connecting to a Zoom meeting with no password: The meeting organizer (or Google Drive share creator) could have used the kind of technical access control measures that are required under case law, but did not.
If Google itself is saying “only people who know the link can access the file,” that seems to be “how you prove that you are authorized to access the content.”
That would seem relevant from the perspective of Google, not from the perspective of the account holder.
Why not? The account holder is the one who set the setting called “Only people who know the link can access the file.”
As noted above I don’t think this decision is consistent with precedent, but to play devil’s advocate:
If it had been password protected, then anyone with a browser could also access this drive if they know the password. And like a password, there doesn’t seem to be any way someone could have discovered the URL without being informed (wittingly or otherwise) by someone who already had it. (If anything, guessing a password is probably easier, since most people use non-random passwords.) So what’s the difference?
Google Drive doesn’t implement access control with passwords. It implements access control based on Google account. The plaintiff’s Google Drive share allowed the general public to have full read/write access — the main alternative is to invite individuals to read and/or write the content. (For Google Workspace accounts, or whatever they call that this quarter, the content owner can also grant access based on organization-defined team membership within the organization that sponsors the content owner’s account.)
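The difference described in the comment above, between grants tied to a Google account and an "anyone with the link" share, shows up directly in a file's permission metadata. As an added example (not part of the original post or any commenter's words), this Python script audits records shaped like Drive API v3 file metadata; the sample records, IDs, addresses and severity labels are constructed for illustration.

```python
"""Flag link-based and domain-wide sharing in Drive-style permission metadata."""

FOLDER_MIME = "application/vnd.google-apps.folder"
# Roles that allow changing, adding or deleting content.
WRITE_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}  # labels are this example's own

# Constructed sample, shaped like files.list output requested with
# fields="files(id,name,mimeType,permissions)". All values are made up.
SAMPLE_FILES = [
    {"id": "CONSTRUCTED_FOLDER_ID", "name": "research", "mimeType": FOLDER_MIME,
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "owner@example.com"},
         {"type": "user", "role": "writer", "emailAddress": "collab@example.com"},
         # "Anyone with the link" as editor: no sign-in, full modify rights.
         {"id": "anyoneWithLink", "type": "anyone", "role": "writer",
          "allowFileDiscovery": False}]},
    {"id": "CONSTRUCTED_FILE_ID_1", "name": "flyer.pdf", "mimeType": "application/pdf",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "owner@example.com"},
         {"id": "anyone", "type": "anyone", "role": "reader",
          "allowFileDiscovery": True}]},
    {"id": "CONSTRUCTED_FILE_ID_2", "name": "notes.txt", "mimeType": "text/plain",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "owner@example.com"},
         {"type": "user", "role": "reader", "emailAddress": "friend@example.com"}]},
    {"id": "CONSTRUCTED_FILE_ID_3", "name": "handout",
     "mimeType": "application/vnd.google-apps.document",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "teacher@example.edu"},
         {"type": "domain", "role": "reader", "domain": "example.edu",
          "allowFileDiscovery": False}]},
]


def classify_permission(perm):
    """Return (severity, reason) for a broad grant, or None for an account-scoped one."""
    ptype = perm.get("type")
    role = perm.get("role", "reader")
    if ptype == "anyone":
        # allowFileDiscovery separates "public on the web" from link-only sharing.
        scope = ("discoverable by search" if perm.get("allowFileDiscovery")
                 else "anyone with the link")
        if role in WRITE_ROLES:
            return "high", f"{scope}: no sign-in required, can modify or delete"
        return "medium", f"{scope}: no sign-in required, {role} access"
    if ptype == "domain":
        domain = perm.get("domain", "the domain")
        return "low", f"every account in {domain} has {role} access"
    return None  # user/group grants are enforced against a signed-in account


def audit(files):
    """Return findings for every broad grant, most severe first."""
    findings = []
    for meta in files:
        for perm in meta.get("permissions", []):
            result = classify_permission(perm)
            if result is None:
                continue
            severity, reason = result
            findings.append({
                "name": meta.get("name"),
                "file_id": meta.get("id"),
                # A broad grant on a folder also covers the items inside it.
                "is_folder": meta.get("mimeType") == FOLDER_MIME,
                "severity": severity,
                "reason": reason,
            })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["name"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        kind = "folder" if f["is_folder"] else "file"
        print(f"[{f['severity'].upper():6}] {kind:6} {f['name']}: {f['reason']}")
```

Only the first record matches the configuration alleged in the opinion: a folder whose link alone grants edit rights.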
Yes, but that’s Google as a whole, not Google Drive. Nobody is being accused of improperly accessing a Google account here.
I don’t know what you mean by “Google as a whole”, sorry. All the services of Google use exactly the same authentication methods.
Yes — that’s Google as a whole. We are talking about Google Drive authorization controls, not whole-of-Google authentication methods. CFAA requires breaking one or the other, not using permissions that are already granted to you.
Well here’s one difference:
If Google detects a URL anywhere on the web, it will crawl the URL and all the links on the URL. (Yes, it routinely crawls googledrive). After visiting, it will post those links in the search engine. Then people searching can find stuff. (I sometimes find stuff I’m looking for on people’s google drives that are linked from google search.)
If the links are password protected with a real password, google will be unable to crawl. (A real password is one that is not part of the url– it must be entered separately.) Then the link will not appear in the search engine.
Mind you, a URL that is not protected may not be visited yet. So it could be hard to find. But that’s true for all very new or not very popular urls.
Or a page google did find and crawl can be password protected, barring entry afterwards. But the password is separate from the url precisely to have two steps and to prevent unauthorized access including bots and search engine crawlers. Unprotected URLs are accessible to people, crawlers, random bots, what have you.
Honestly, I would have suggested Wray submit the link to googlebot, the internet archive and so on. Then whoever could be trying to charge Google with unauthorized access of an unsecured google drive and the back ups would be on the internet archive! That would be fun to watch in court.
Are you sure that Google crawls all Drives? I thought that Google only crawls Drives that are published through a specific mechanism they provide. It certainly doesn’t index all of them; they leave properly set up pages that aren’t to be indexed alone. That’s not to say other bots won’t ignore it but Google has been pretty good about that.
Remember, boys and girls; there is no cloud, it’s just your data on somebody else’s computer.
This is not even close
The analogies are inaccurate
This is not like leaving your door unlocked
It is more like giving the door key to someone you did not intend to
That is your problem
There are still issues if there was damage such as file deletion
But the access is legal
If the CFAA actually barred this
Then it is bad law
But perhaps the best analogy would be if you hid personal papers inside a book in the public library
The shared the Dewey decimal # of the book they were in with more people than you intended
And one of them copied those papers
Even the unguessable number is irrelevant
They shared it
But even if they had not
Outing information on the web is publishing
Using the library analogy
It would not be a violation of law if you did not have the Dewey decimal #
And just found the papers in the library
Or if you did not know where to look but searched the whole library
The planting made info public
That they did not do so intentionally is irrelevant
That for much of the public it was published but in a giant haystack is irrelevant
The plaintiff’s intentions
Can not make an otherwise legal act illegal
If you’re in a library and have no Dewey decimals, at least you (presumably) have permission to be in the library, and once inside, you can choose any book you wish. In order to see the books in this case, you’d need to have been given a very specific URL. This actor manually made a copy of the inadvertently transmitted URL and surreptitiously used it secretly to gain access.
The library in this case would be Google. Presumably they were not barred from using Google.
“The analogies are inaccurate
This is not like leaving your door unlocked
It is more like giving the door key to someone you did not intend to
That is your problem
There are still issues if there was damage such as file deletion
But the access is legal”
If I hand my car key (attached to a front door key) to a guy wearing a valet jacket at a restaurant entrance, and it turns out the guy is an imposter exploiting the legitimate valet’s sprint toward another vehicle, that is my problem to the point of making it lawful for the imposter to drive my car to my house, use the key to enter, and watch a ballgame from my couch?
How did the Volokh Conspiracy assemble a group of followers like this? Other than intentionally, I mean.
It’s more like somebody noticing that in one of your Facebook photos, your keys are visible, and by zooming in, the pattern of ridges and valleys on your housekey can be used to create a duplicate key, then using the duplicate to break in.
That feels very intentional to me. It’s not particularly negligent on the part of the homeowner, and there’s no way the trespasser thought that they were supposed to have access.
Precisely. It was not reasonable for the defendant to assume that securing the means to enter was an invitation to do so.
No, it’s not like that at all. Not even remotely like that.
Pretty weak reasoning from my perspective. If I had a server up with an obfuscated URL but then posted screenshots to a closed forum that included the URL by accident reasonable people wouldn’t consider their accessing it to be fraud or abuse. Look at the length of the URL above and compare it to the normal 70-80 character URL for Google drive files: it’s twice as long (if you can read this comment). Length of a URL does not indicate security.
Why, as a legal matter, should it matter which boxes the secret information is typed into?
What secret information and what box? The URL isn’t secret, it’s just a hash. If that indicated “secret” then public Google Drives, which use similar hashes, would be secret. Since they’re public, they’re obviously not secret and the hash can’t mean that they’re supposed to be secret. If you want a secret Google Drive you don’t make it publicly accessible like they did.
Google doesn’t publicize the URL or provide the content for indexing. Google gives the URL to the account holder who, in this case, apparently didn’t intend to publicly disclose it. The URL was given to an intended recipient who disclosed it. If you think that disclosure defeats the secret nature of the URL, then you should explain why disclosure of a password would not defeat its secret nature. It’s not good enough for you to say that any disclosure of secret access information makes it public. That would make all access via hacked-data leaks permissible.
As has been pointed out elsewhere, Google does index many Google Drive or Google Doc resources.
Similarly, other search engines can (and do) index them as well, completely independently of any policy Google may desire.
I think the URL in question was in the screenshot. Made of pixels. It was not a “live,” clickable link like you might expect to find in email text. Google Drive URLs are made up of 68 randomized (at the time of creation) characters that are entirely unique. Unique for a reason. The defendant here would have had to manually recreate the long string of alphanumeric characters (perfectly) in a browser window and hit return.
The defendant had to do more than just click the link and see if it worked. They likely saw the screenshot and HOPED that recreating the string would gain access. A reasonable person would NOT assume that the plaintiff had just extended an invitation to enter.
Had the plaintiff intended to give the defendant access to the Google Drive, they would have created a hyperlink in the text of the email itself (email automatically recognizes URL text and creates a working link) and they would have called attention to their giving permission.
What the defendant did was akin to noticing that the plaintiff had dropped their housekeys, waited for them to leave, picking them up, unlocking the door and entering their house while away. Just because they have cleverly accessed the house, doesn’t mean permission has been given. You can’t say “sucka!” after your neighbor makes this mistake and proceed to rob them blind.
To follow with your analogy, it’s akin to noticing they dropped their housekeys, waited for them to leave, picked them up, duplicated the keys, then unlocked the door …
The act of re-typing the photographed link was a conscious act of key copying. They weren’t “sent” the link. That folder wasn’t shared with them.
To the degree that intent is a factor here, clearly this user was not “authorized” by the owner in any way, and access was understood to not be permitted.
A URL is nothing like a key. It’s just an address – nothing but a piece of information.
You and Oloshuan seem confused by “link”, as if it were something special. But what you actually are complaining about is that Google incorrectly misled the user by suggesting that a “link” would be required to access the data, when that was not the case.
Either way, Wray was clearly authorized by Greenburg to access the data, because Greenburg clearly set the access to allow any user to access the data upon request. The fact that Greenburg did not mean to do this does not make Wray’s access retroactively unauthorized.
Is going into a stranger’s unlocked house “clearly authorized” because the owner “clearly set the access to allow any user” to enter?
Look up the standards for criminal breaking and entering. Hint: you generally don’t need to “break” anything, nor do you need to unlock a door or window in order to be convicted of it.
A Google server is not a private home.
This is more like a store in a mall, with the public coming and going all around. Outside the store stands a guard, who was instructed by the owner to let in anyone that asks to be let in.
Then someone comes along and says “Can I get in?”, so the guard acts according to their instructions, and lets the person in.
It doesn’t matter if the owner really meant “Only let in my friends”, that wasn’t the instructions issued.
Of course, physical analogies to computers are usually pretty poor, which is why I wish people – especially non-technical posters here – would not keep trying to shoehorn something they don’t understand into the little boxes they think they do.
This kind of a URL is in fact analogous to a “door key” in one important respect: You must know the URL before you use it, it isn’t publicly available via a search engine. The URL incorporates the globally-unique and permanent identifier of the resource. Absent having that URL in your possession, the resource is completely hidden from you.
Now it is true that access to the resource was not further secured beyond this step, but it certainly was secured enough to distinguish it as information that was intended to be private, not public.
The fact that the actual link itself had to be recreated from a photograph should also provide plenty of evidence that the owner never intended for them to have the link.
Is a photograph OF a 68-character URL a “link” that takes you someplace? No. A screenshot is essentially a photograph. The original actor here didn’t just quickly act upon a sent link. They had to (rather deviously) take the raw data from the screenshot and manually reassemble it in the address bar of a browser window.
They had to (rather deviously) take the raw data from the screenshot and manually reassemble it in the address bar of a browser window.
What you describe as a devious method is called “reading”. What you call “manually reassembling” is normally called “typing”.
This “anyone with the link” setting makes it sorta like an electronic card key to a door. Designed to make it easier and faster for AUTHORIZED people to gain access, but still very clearly designed to restrict access to limited numbers of people. If you find a card key outside of a secret NASA building, it’s best to not try and enter.
But it’s not really a “link” yet, as this is a screenshot, where the URL data wasn’t even obvious — or even actionable — without a significant amount of manual work.
If plaintiff wanted to truly share this material with the defendant, they would have copied the URL out of an open browser window and pasted it into the email to create an actionable hyperlink.
No, a URL is not like an electronic key card.
No, typing in a URL is neither “devious” nor a “significant amount of manual work”.
A URL is like a phone number. It describes an address that can be used to connect to something else.
You can have single buttons that auto-dial long phone numbers, or you can “rather deviously” enter the whole thing into your phone one digit at a time.
A QR code is often an address (but not a link!), as well, but it is not “devious” to use it to connect to a website even though you need to take manual steps to input it into your phone.
And email doesn’t necessarily parse HTML – it depends on the client you use. Some will parse URLs into links automatically, even without the markup. So there is no way to guarantee that an email containing a URL is an “actionable hyperlink” or not, or if the sender intended it to be that way.
“Devious” may not be the correct word, but “copy” and “recreate” are. We are not describing a URL, we are describing a photograph of a URL.
Would it be different if it were a printout of a URL? Such as on an advertising flyer?
This suggestion that the media matters is odd – the URL itself is not anything but an address, and you cannot access anything with just a URL. It requires some other software (an entire stack, in fact) to translate that URL into a connection that retrieves data from a remote server and then translates into some human-usable (usually) form.
And that URL is copied from application to application several times during this process. It also changes format several times – from text to numbers to binary objects. None of that makes it nefarious or circumvents an access control.
No, what’s odd is that you think typing a secret code into the URL box is different from typing a secret code into the password box.
Google clearly doesn’t think they’re different, so I’m not sure why you do.
Google clearly does know they are different, because Google does not ever refer to a URL as an access protection feature. If you think otherwise, please tell me exactly where Google declares that a URL is some form of access protection.
I dial phone numbers into my phone, and I also input PINs. One of those is an access protection feature, one of them isn’t. Can you understand the difference?
Or are you really declaring that everything that someone types into the “URL box” of a browser is a password?
To set permissions for a folder:
1. Select the folder you want to share.
2. Click Share on the top right.
3. Click the drop-down arrow under Get Link.
4. Choose to share the folder with Anyone with the link.
5. Click the drop-down and choose what viewers can do:
Viewer: Anyone with the link can view the files in the folder.
Commenter: Anyone with the link can view and comment on the files in the folder.
Editor: Anyone with the link can view, comment, organize files, add new files, and edit existing files in the folder.
6. Click Copy link.
So, again, your problem is with Google for dumbing down what is actually happening so far that non-technical people don’t understand.
To me, and all the other technically competent people here, that clearly says that anyone that requests access will get it. Because we aren’t confused about what “link” means on the internet.
Ha! Alright technically competent people, have fun never clicking “Share” again, because this is increasingly the way it works. People are tired of continuously setting up granular permissions. For most purposes, limiting access to people who know the obscure link works great.
Anyway, if Google thinks it works this way, and the account holder thinks so too, as well as the trespasser, then it really doesn’t matter how you think it works.
Randal
Google does not think the obscure url is an access control. It is merely the address to enter to request access to the item. If there is no control (i.e. password) google drive supplies the resource.
The person requesting access (who you call ‘trespasser’) also doesn’t think the url itself is a control.
So the only one left who thought it might be a control is the account holder. We don’t even know if that person really thought just not sharing the URL would keep things private. He could be like some character in a trashy spy novel who ‘hides’ the microfilm in some obscure book on skin diseases in the library and thinks his wish for it to not be found will mean it won’t be found.
Even he knows library patrons are “authorized” to look at books on the shelf and find it. They can hunt for it. They can stumble on it. It’s all authorized.
Google absolutely does think the link is an access control, they say so all over the place. See e.g. earlier in this very thread.
No, Google is quite aware that a URL is not an access control. Google writes many white papers about security, and nowhere in those will you find them listing a “link” as a type of access control.
You will find them opposing the concept of “security through obscurity”, though – the idea that because something is not easy to find, it is secure. Which is exactly what you claim they do here.
The fact is, you don’t understand what is being said, and insist that your own ignorant interpretation is what others mean. You are the worst sort of non-technical user – the one that, when confronted with expert knowledge, doubles down and insists that his wrong idea must be correct.
I’m just quoting Google to you. You can set the access policy on the link! That is, I can create a link that allows editing, or just allows viewing. Those permissions are granted simply through possession of the link.
That flatly contradicts everything you just said.
It’s not particularly secure, obviously, but security is always a matter of degree. It’s secure enough for a lot of things.
You are quoting Google’s dumbed-down and oversimplified explanation, and you are still failing to understand it.
A link is not a physical object. It is created on the client side, where Google has no control! As I pointed out elsewhere, I can easily create a link on my own computer, and according to you that would meet Google’s “security”. It’s a silly idea, which is why no one who understands computers would make that claim.
Now who doesn’t understand technology!
You can “create a link” to a Google Drive resource. When you do, Google creates a new URL which is an alias to that resource. That alias comes with its own permissions. I can create a read-only “link” to a document and send that to reviewers, and also create a separate read-write “link” to the same document and send that to my collaborators. Possession of the first link is sufficient for reading the doc, and possession of the second link is sufficient for editing the doc.
That’s the feature the above quoted instructions are describing. I’m sorry if it doesn’t fit into your preconceived notion of what a “link” is, but there’s only so much I can do about that.
(The purpose of the unguessable material in the URL is to make it difficult to “create a link on my own computer.” You would have to guess the unguessable material.)
IMHO, this discussion keeps going off the rails over the issue of “access protection”. Whether or not a method of protection was effectuated is immaterial. The issue here is private vs. public, not “well locked” vs. “poorly locked”.
If you find someone’s keys on the sidewalk, it is presumed that the room behind it is private. Just because you pick up those keys doesn’t all of a sudden make your bedroom public access.
The problem is that no one found someone’s keys. Nor did they enter a “room”.
They found a piece of paper that gave the location of a book on the shelf at the public library. They went to the library and found the book.
Now, they may well have then destroyed the book, which they had no right to do. So that was a bad thing and likely illegal.
But going to the library, finding the book on the shelf, looking at it and checking it out is perfectly ok. It’s ok even if the owner didn’t mean to have the book put on the library shelf for check out.
Why would deleting the files be any less authorized than merely accessing them?
I said the library patron would not have a right to destroy a book. If we use a property analogy: A patron tearing up a library book is unauthorized. Merely accessing it, leafing through the pages and replacing it is authorized. So in the physical world analogy that’s unauthorized. I don’t think there is much question of this. I’m not going to go into the “why”, other than it’s simply not their property to destroy.
Whether editing is authorized or unauthorized in the google drive can be debated. Analogies only go so far.
By actively changing permissions from the default, the owner actually did grant everyone in the world permission and power to edit (and even destroy). We’ll see where this goes legally. The case could get appealed quite a long distance no matter who wins.
Randal,
Google treats URLs differently. Google-bot crawls urls, loads the page, continues its crawl and puts those urls in its search engine. Once they appear people can find those urls using search. People click those and visit the URL.
Googlebot doesn’t consider some urls “secret” and others “not secret”. They are all just URLs.
Google-bot does not crawl passwords and put those in its search engine.
Googlebot absolutely does consider some URLs secret, including these ones. (Websites can instruct Google, and other search engines, not to index particular URLs.)
That’s not “secret”, that’s just unindexed.
People often request that pages not be indexed for many reasons completely unrelated to security. The most common types of reasons are avoiding dynamic content, controlled entry, SEO, or controlling performance.
That’s like complaining that the address in a photocopied phonebook is a picture of an address and not the address. The URL is a URL whether it’s a picture of a URL or a link.
Is the URL “permission” or is it just the technological side of the “permission / access” coin?
One can have permission, but no ability to access. One can also gain access, but not have permission. The judge here is saying (and the 9th circuit is backing him up) that you definitely need both to be on the right side of CFAA. This is important case law for the future of privacy rights.
Computer permissions are determined (usually) on the server end, after the request is received. I’m going to ignore firewalls/routers/etc for now.
A URL is not permission for or against anything – it is just an address. If you know the address of the White House, it says nothing about whether or not you will be permitted access. It is revealing of the ignorance involved that this question even arose.
Once the server receives a request for data, it checks to see if the requestor has permissions to a) connect at all and b) access the requested data.
In this case, the court incorrectly decided that because the URL was in some format they didn’t like, it did not matter that Greenburg had set the permissions to allow all connections to access any data. That is stupid, and the court is wrong.
Greenburg screwed up and granted access to all users, anywhere in the world. Wray did not exceed those permissions in requesting the data.
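A simplified model of the two descriptions given in the comments above (a role granted through possession of the link, and the server checking permissions only after the request arrives), added here as an illustration; it is not part of any comment and not Google's implementation. The class and function names, the actions attached to each role, and the sample accounts are assumptions.

```python
import math
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Role names follow the instructions quoted in the thread; the action sets are assumptions.
ROLE_ACTIONS = {
    "viewer": {"read"},
    "commenter": {"read", "comment"},
    "editor": {"read", "comment", "write", "delete"},
}


@dataclass
class Folder:
    name: str
    owner: str
    acl: Dict[str, str] = field(default_factory=dict)  # signed-in account -> role
    link_role: Optional[str] = None  # None = restricted; otherwise role for any bearer of the ID
    folder_id: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class ShareServer:
    """Hypothetical server holding folders keyed by their unguessable ID."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Folder] = {}

    def add(self, folder: Folder) -> str:
        self._by_id[folder.folder_id] = folder
        return folder.folder_id

    def authorize(self, folder_id: str, action: str,
                  account: Optional[str] = None) -> Tuple[bool, str]:
        """Decide a request server-side; returns (allowed, reason)."""
        folder = self._by_id.get(folder_id)
        if folder is None:
            return False, "unknown id"  # a wrong ID reveals nothing about other folders
        if account is not None and account == folder.owner:
            return True, "owner"
        role = folder.acl.get(account) if account else None
        if role and action in ROLE_ACTIONS[role]:
            return True, "acl:" + role
        # Link sharing: the request needs no identity, only the correct ID.
        if folder.link_role and action in ROLE_ACTIONS[folder.link_role]:
            return True, "link:" + folder.link_role
        return False, "denied"

    def audit_link_sharing(self) -> List[dict]:
        """Owner-side review: list folders reachable by ID alone, worst first by name."""
        findings = []
        for folder in self._by_id.values():
            if folder.link_role is None:
                continue
            destructive = ROLE_ACTIONS[folder.link_role] & {"write", "delete"}
            findings.append({"name": folder.name, "link_role": folder.link_role,
                             "risk": "high" if destructive else "medium"})
        return sorted(findings, key=lambda f: f["name"])


def id_entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing cost of a uniformly random ID of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def build_demo() -> Tuple[ShareServer, str, str]:
    """Constructed sample data: one restricted folder, one link-shared as editor."""
    server = ShareServer()
    restricted_id = server.add(Folder("restricted-notes", "owner@example.test",
                                      acl={"son@example.test": "viewer"}))
    link_id = server.add(Folder("link-shared-notes", "owner@example.test",
                                acl={"son@example.test": "viewer"}, link_role="editor"))
    return server, restricted_id, link_id


if __name__ == "__main__":
    server, restricted_id, link_id = build_demo()
    print(server.authorize(restricted_id, "read"))            # anonymous, restricted
    print(server.authorize(link_id, "delete"))                # anonymous, link-shared
    print(server.authorize(link_id, "delete", "son@example.test"))
    print(server.audit_link_sharing())
    # Figures as stated by commenters in the thread: 68 characters, 62 symbols.
    print(round(id_entropy_bits(68, 62)))
```

The audit function is the practical takeaway for an account owner: a folder with a link role set is reachable by anyone holding the ID, and an editor link role extends that to modification and deletion, regardless of the named-account list.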
DaveM,
That’s factually incorrect about this “type” of url.
Google crawls google drive. These “type” of URLs appear on google searches. They are available to the general public. Google will even try to crawl the private ones but will be blocked by the password! If you want your google drive to be private, password protect it!
It was visible to the general public – just like any other public website. Anyone that looked would find it.
Type in the URL, you go there and the server gives you the data because it was told to.
If I create a new website for my business, and I want it to be used by the public, it doesn’t automatically appear in Google’s – or anyone else’s – search index. Nor do links to it automatically appear elsewhere. That does not mean my new website is somehow ‘private’ or ‘secret’ until my index request is processed and my site indexed.
When the owner configured the website to send the data to anyone that asks, that was choosing to distribute the data to the public. The fact that the owner did not mean to distribute the URL is not relevant because the server was set to distribute the data to anyone that asked.
You said:
“The fact that the owner did not mean to distribute the URL is not relevant because the server was set to distribute the data to anyone that asked.”
A garage door opener is set to open for anyone with the 4-digit code, but if I invite you into my home and you notice it written down somewhere, you don’t have permission to come back next week and use that code while I’m on vacation.
You have done an excellent job of demonstrating how software engineers have created “technical permissions.” But this has really been no different than explaining how an electronic door lock works.
This defendant knew she was using a garage door code that she was not supposed to have, and proceeded to do things with the data that caused great harm to him. Technical permission was inadvertently given, but nothing the defendant did was inadvertent.
I just wonder why all of these “garage door opener engineers” are coming out of the woodwork to defend the rights of “anyone with the code.”
Congratulations! You’ve discovered another way to be wrong, and doubled down with the bad analogies in the process.
A URL is not a garage door control code. A public website is not a private home.
How many times does this have to be explained? As long as you insist on attempting to treat a public website as a private home, you will be wrong.
The entire internet and computer world is composed of analogies relating to everyday non-computer concepts. Web (like a spider web, which it’s not), site (like a place we can walk in, which it’s not), etc.
“Public” is a word you inserted (which both parties knew it was not). Greenburg’s corner of the internet was his to grant entry to, and the defendant was NOT welcome. She knew she was not welcome. She subsequently behaved as an unwelcome individual would.
You’re a technical person whose entire work environment is digital and expressed through analogies, yet you insist on my using only your interpretation of what these analogies mean. Actually, you use real-world analogies when convenient for yourself, yet deny their use when they threaten your own subjective interpretations of technology.
Our real-world domiciles extend into the internet, and we have created laws to make this known to would-be thieves.
Since your kind chose the analogies, if you didn’t want people like me to misinterpret them, you should have chosen better analogies to begin with.
Using your logic, private homes are really “public” as “anyone with the address” can enter them.
No, again, private homes are not public servers.
Google Drive is hosted on publicly accessible servers.
A private home is not publicly accessible.
Google owns the Google Drive servers. Google advertises Google Drive, and allows anyone to access them, with or even without a web browser. That means that they are public.
A private home is privately owned. A private home is not open to anyone, and would not be advertised as such. A private home is not public.
Your insistence that your terrible analogy is actually good shows more and more how little you understand the difference.
And “your kind”? I know you don’t like being called out for being wrong so often, but really.
A private home is privately owned just like Google Drive servers are privately owned. Both are publicly accessible, but the respective owners grant who actually has permission to enter each. And even without permission, a private home can be accessible (but unlawful to enter).
Google can grant permission to friends / customers to manage portions of their Drive servers, just like a homeowner can grant permission to a friend to manage their home for the summer.
If that friend then inadvertently grants technological permission (like a mistakenly given key) to a person who knows they’re not welcome (ever), and they know it’s inadvertent, there is NO legal way they can enter. The same applies to the Google Drive.
We agree on one thing. Private homes are not public servers. And on the “website” matter, I will yield my sword. I did a poor job of articulating my point. Sure, a Google Drive interface is a website-based interface TO a method of server storage. Making use of a server. That Google owns. Hair-splitting, but true.
However, our rights to grant permission to access our Google Drive “real estate” are definitely analogous to granting people permission to access our private homes. Analogies work in both directions.
Google owns the Google Drive servers. They don’t “allow anyone to access them,” but anyone does have the potential TO access them. Yet having the potential to access does NOT mean permission has been given (universally) to all members of the public. Why? Because Google grants their account holders the right to subsequently determine who ELSE can access their little given portion of Google’s Drive servers.
Google made it very easy to quickly share (with designated others) the ability to see inside your account’s allocated slice of their servers. Very convenient, but with a flaw. They also made it easy for people to inadvertently share access permission with unintended people. Perhaps you will notice that since this matter began gaining press last November, they have made this much more difficult to do. Google themselves are interested in protecting the privacy of its account holders.
You are gaslighting when you try to say that there is no correlation between virtual property storage with Google, and real property storage. The judge saw it the plaintiff’s way.
You’re using the word “access” incorrectly again, as the CFAA clearly shows.
Google Drive’s servers are public the same way a store in a mall is public.
They may both have private owners, but Google’s servers are designed to be accessed by anyone on the internet. This is why they allow access from anonymous connections from any IP address. This is also why Google advertises to the world – to attract users they don’t know.
Private homes are not set up like that, in any respect. If they did allow access to anyone, and advertise that access, then they would be public places.
As for “Google allowing people to store data is like a homeowner allowing a friend in” – No. Google is a business, and the user’s access is strictly controlled by a contract. Go read the Google and Google Drive Terms of Service.
The problem with claiming that Google’s security settings’ misleading suggestion that a “link” would be necessary therefore becomes a legal restriction is that a “link” is not a thing that exists for Google (or anyone else) to distribute.
As I asked Randal – if Wray had wrapped the inadvertently shared URL in anchor tags, to cause her client to see it as a “link”, would you then say that Wray’s access to the Google Drive resources was permitted?
We’re not talking about their servers. We’re talking about their product. Google Drive is not public the way a store is public. Just because its contents sit on server real estate that could potentially BE made public, does not mean it’s public.
When I use Google Drive, Google has given me the authority to grant and deny access to those members of the public that I approve.
So not like a retail store, but more like a nightclub that I manage. I lease the land from Google (for free), and I let whichever friends in that I wish. But if someone finds their way in through an open door, and they are not invited, then they are trespassers.
I don’t get how you think Google Drive is “not public” when it is advertised to any and all, and accepts any user.
Also, trying to differentiate between the server software and the server hardware seems odd to me – are you trying to make another physical-world analogy?
But a typical nightclub would also be considered a public place (see: public accommodation).
If you tell your staff to allow anyone in (by configuring the security settings), and later you find that you also allowed in someone you didn’t mean to, that doesn’t allow you to retroactively claim that you didn’t mean it, therefore the person was trespassing.
You are correct that Google Drive being public does not make the data users store there public. That’s a decision each user makes on their own. And in this case, the user incorrectly chose to make the data publicly accessible.
Remember: there is an explicit request and response that occurs when attempting to access a Google Drive resource. Wray requested the data, and the request was granted by Google’s software on behalf of Greenburg according to the rules Greenburg had set. The request came in through the front door, same as any other user you would call ‘authorized’. The rules applied were the same ones applied to any other user. There was nothing nefarious in the way Wray accessed the data – it was just that Greenburg didn’t want her to.
And I’ll repeat myself to ask again: if Wray had wrapped the inadvertently shared URL in anchor tags, to cause her client to see it as a “link”, would you then say that Wray’s access to the Google Drive resources was permitted?
Toranth,
If Greenburg’s mode of sharing permissions was “public,” why on earth would Google Drive offer a completely separate access setting that also allows literally anyone (at all) to access? Seems redundant.
One available setting (of three) required Greenburg to literally specify individuals who had access. Another allowed literally anyone in the world to see and access it. So why did “anyone with the link” even need to exist?
Why? Because it’s not just about the security setting in the drive. It’s about the invitation. Setting it to “everyone” is a dual permission & access grant. “Anyone with the link” is for people with permission.
If Amanda could make it accessible simply by tagging her discovery, that’s another form of what would have been her post-access illicit behavior. “Just because one can, doesn’t mean one should.”
An email might not always parse HTML, but at least you can click, drag, copy, and paste it into a browser window rather quickly. And if the URL is valid, most modern email applications WILL parse the URL.
The 68-character URL in this case was not immediately actionable. It existed as pixel data in an attached file. The URL was not the reason the attachment was uploaded.
This URL was deliberately designed to be difficult to manually recreate by hand in situations like this. I wonder how many times this actor got it wrong before gaining access.
Ok, to correct you again, the URL was not “deliberately designed to be difficult to manually recreate by hand in situations like this”. The Google Doc URLs are a unique non-sequential identifier plus some metadata. 64 characters is also not too long – URLs can actually be unlimited length, although the most popular browsers only support up to about 2000 characters.
And 2000 random unicode characters (100,000+ choices), rather than just the 62 Google Docs uses, would be far, far more difficult to manually recreate. Yet Google didn’t do that.
And yes, the standards do now allow unicode, although many browsers are not fully compatible yet.
And again, I don’t understand why you think that a URL – nothing but a piece of information – somehow becomes magically different if an application scans and creates a shortcut for you. This does not change the access permissions in any way! It is purely a client side feature, and does not modify the request object or the server handling in any way.
“Access” permissions are (again) the technological side of the coin, and I have no doubt that in your binary code world (which I suspect is your preferred world) you know what you’re talking about. But I think you might stand to benefit from the other side of the coin. The “people GRANTING you permission” side. CFAA is really concerned with the latter.
Where does it say that?
When you use computer terms to talk about computers, you either need to mean those computer terms, or explicitly define what you mean.
Despite your odd sniping, it is a fact that Congress used computer terms and did not issue some other definition. Until they do, using the correct terms for the subject at hand is what rational people do.
You are my least favorite kind of tech person, the kind who thinks that tech jargon is somehow legally binding. Like, since the L in URL stands for “location,” a URL can’t possibly be secret.
That’s not how the world (or the law) works. The implications of technology are determined by… looking at the real-world implications. Just like with anything else. You don’t whip out the Apache Web Server manual as if it were an amendment to the constitution.
When talking about computers, you use computer terms. Unless defined elsewhere, of course. Can you tell me where in the CFAA Congress defined “unauthorized access” or “without authorization”?
Otherwise, then yes, you should be using the terms relevant to the subject. Same reason no one but an idiot would expect a computer server to be an electronic waiter.
There’s a difference between understanding the meaning of a term vs. assuming that the thing the term refers to can have no other function than the one defined by the term.
If I jam my housekey in your eyeball and you die, I don’t get to say “I didn’t murder Toranth because a key is by definition not a weapon.”
You’re getting way off track here.
When talking about computers and using terms that are well understood as computer terms, you either mean that – or you clearly define that you mean something else.
Your example is so off base that it doesn’t make any sense. What field are you talking about – the professional field of murder experts? The key experts? Are there even any murder laws that require the killing be done with a weapon, but don’t define the term? I doubt it.
If you insist on stupid analogies, what you are doing is more like telling the IRS that your land didn’t appreciate because no one was grateful for it, and therefore you don’t owe taxes.
The term you are using has a specific meaning in the context, and you are trying to use a different one. That is incorrect.
Perhaps, as I said originally, you need to consider that these same terms are used in everyday contexts, where their meanings and use cases aren’t constrained by technical manuals and protocol specifications.
There is no legal definition.
There is an industry definition.
You want to use a third vague definition, unrelated to the industry in question.
Why do you think anyone would listen to you? Why should your chosen usage be adopted, when the term already exists for this context?
Let’s see… should courts use the common definition of words, or the industry jargon definition?
I feel like the answer is obvious.
In Auernheimer, the defendant was represented by the EFF’s “dream team” of attorneys who were unable to convince a jury of his innocence. Auernheimer only made it out of prison because of the Feds’ choice of venue to prosecute.
The answer is obvious, Randal – if you are talking about computers, then you should use the computer industry terms.
Just like financial cases will use financial terms.
At least, if you want to be understood and accurate. If you don’t mind being wrong and inaccurate, you can use whatever meaning you want! You’ll just sound like an idiot.
Well, fortunately, the courts disagree with you on that.
Can you tell me where in the CFAA Congress said, “Use the IT guy’s definition of these terms rather than the average American’s understanding of these terms?”
Wow. You’re really going to argue that laws are written in language that the average American can understand? Really?
Can you show me any law ever written that relies on the average American’s understanding of words?
Well, to start with, it is the same reason that we use “money guy” terms in financial contexts, or “boat guy” terms in discussing shipping.
There’s also the fact that the law is already using the technical terms in their technical meanings.
The average American, as these discussions have shown, is the sort that thinks a link is a magical object controlled by Google, says things like “Google Drive isn’t a website, it’s a server”, and thinks that an encryption key and a password are the same thing.
And I’ll agree – it’s hilarious that a law guy is complaining about others using precise context-relevant terminology.
Funny, almost all computing terms are taken from everyday living analogies, yet when people here start to employ that practice in reverse fashion, it gets you upset. As if the technological aspect outweighs the human experience aspect. Just because systems are set up with certain sequential rules, doesn’t mean that human experience and analogies can’t (or shouldn’t) apply.
Computers and networks serve us, not the other way around.
A secret shared is a secret bared. Do not trust Alphabet G00gle.
Isn’t this the wrong plaintiff? Isn’t Google the real owner of the files?
If Google can take away your access to those files, then they aren’t really yours.
No, Google doesn’t claim any ownership of your files. From https://www.google.com/drive/terms-of-service/ :
As the host of your content, yes Google can control access to your files, and in fact that is something you are paying them to do for you. But the files are yours.
So they’re yours, but they can take away your access to them? Can they delete them? Process them for their data mining to sell to others? Give access to your files to others?
Seems like you only nominally own them.
You’re only uploading copies of what you already have.
You’re just being intentionally daft. You remain the owner, and Google is the custodian. Their duties as custodian, including all the things you mentioned, are all spelled out in the terms of use. If Google were to violate their custodial duties, then you might have a case against Google. There’s no such claim here.
Volokh is being distorted and misused by a local in Scottsdale.
https://m.facebook.com/story.php?story_fbid=5728978957130834&id=593390197356428&fs=1&focus_composer=0
This is the most accurate comment here and I genuinely hope that Volokh wasn’t duped by a local idiot. Somewhere in this thread lurks a user under the name “The Real MJ.” He is the instigator behind the linked page. It’s common knowledge around town that anything that he says is likely false or intensely fabricated, and his credibility is toast. Plus, for someone who has a plethora of his own legal problems, he seems to have lots of time to insert himself into the problem of others. In his ridiculous diatribe in this thread, there are MANY inaccuracies and lies. I am not certain if he states these things because he truly believes the version in his head, or if because he thinks that posting online will draw someone out to provide the information he wants. Regardless, take anything he states with a grain of salt.
This is not a close call. The judge is flat wrong. A 68-character exposed URL with no password is still an exposed URL with no password. Inadvertent disclosure by the plaintiff is still disclosure.
CFAA is a bad law – and it’s made worse by technologically ignorant decisions like this one.
Would you care to take a stab at explaining why inadvertently disclosing a secret URL is different from inadvertently disclosing a secret password?
Please try to do it without resorting to irrelevant tech analogies like “a URL is an address” (which, show me an address with 68 random characters in it). How is it different in practice?
Passwords are inherently access control devices and so it can be assumed that if a person obtains an inadvertently exposed password they would know it is used to restrict access and if used they would be gaining access to a restricted area without authorization.
On the other hand URLs are generally not access control devices. It cannot be expected that the general public, seeing a given URL, should know it is a “secret URL” being used as an access control device and that they are not authorized to use it.
That said, it may be possible for the plaintiff to prove that in this specific case the defendant did know their access was unauthorized, so I don’t think this denial of a motion to dismiss was a bad ruling in that regard.
I agree, this is the best possible case: people’s expectations about URLs and passwords differ. Unfortunately it’s not always clear what those expectations are. I also think we’ll see these expectations shift in the near future: people want privacy, but also easy sharing, and I’ve noticed that’s resulting in more and more websites and apps using secret URLs like this as a solution.
I wonder if Google should help in setting the right expectations by including a warning in the URL itself. Someone mentioned Zoom links, which can have a “password” field in them. Like:
https://drive.google.com/file?secret-passcode=HDBDYU85GR7GV4D7B4
There’s no such thing as a “secret URL”. I’m not sure how to explain it when you start from such an obvious mistake.
Oh, since I missed this last time:
Here’s a longer than 68 character address I used just a few months ago:
As you might guess, that’s where I had to mail my taxes – as did millions of other people.
And no, Google Drive URLs are not random, you just don’t know how they’re generated.
These comments have persuaded me that the IT help deskers buried in the bowels of my law firm on graveyard shift were not just reading comic books and science fiction or scouring the internet for photographs of Emma Watson while awaiting that once-a-month request for assistance . . . they also were reading the Volokh Conspiracy and becoming amateur legal theorists.
Bingo. I assume Rossami and Toranth work in your IT basement.
Along with Michael P, jbsay, and gormadoc. Why does Volokh attract so many techies?
Let’s not forget Krayt, fafalone, and Kazinski.
While not stated in his Order, it is possible that the Judge was influenced by the apparent malicious intent of those who sought to gain access to the folder and did so. If the matter is reviewed at the 9th Circuit level, it will be interesting to see how the malicious intent will play out.
I know the person who not only admits having created the misused link to the Greenburg Google Drive account, but brags about it. He emailed using his wife’s email address the night that the Scottsdale Independent published a link to a folder which was [then] reported to be the “Greenburg Dossier”. He is now one of three plaintiffs in yet another lawsuit involving this issue. [By my count there are at least three].
Subsequent Scottsdale Police Department investigations and ensuing reports have also been accessed. A couple of dozen interviews were conducted. Those who were doxed by the Scottsdale Independent were asked to identify any of their own records that had been disclosed that they believed might have been unlawfully [improperly] obtained by Greenburg. SPD noted – and reported – that [1] in the approximately three months between the date that the Defendants in this case gained access to the Google Drive account and then leaked it to press, they had first downloaded its contents and created a new Google Drive Folder; [2] those who created the new folder then shared it with many others; [3] those who received the link to the newly created folder could modify the folder – and many did; and [4] by the time SPD conducted its investigation, none of the people interviewed could find a clean and unaltered copy of the original download of the contents of Greenburg’s Google Drive folder. To this day, law enforcement agencies are still not certain which folders are which and who played with their contents.
The Scottsdale Independent story went viral. Greenburg was portrayed as having engaged in potentially pedophile behavior since photos he had screenshot from Facebook posts included children standing with their parents [posted on the parents’ FB pages].
The Independent story was picked up and re-reported by national and international news and social media. The reporting repeated the untrue statement that the contents that had been leaked were – in fact – the actual “Greenburg Dossier” as it has become known. When in truth, the contents that were leaked to the media were more like the “A-Wray Files”.
Discovery on the total impact of the modification of the contents of the folder is about to commence. Greenburg retained a forensic expert who will provide testimony about the nature and quantity of additions, deletions, or modifications to the documents that were e-blasted to the internet world.
A pivotal question involves a Social Security Number of a person yet to be named. Original news reports claimed that “social security numbers were found in the folder” [a link to which those news media had just published]. By publishing the folder not only did the A-Wray crowd expose themselves to potential criminal charges but so did the news media who knowingly repeated those claims as well as the link to the folder that allegedly contained the SS#’s.
That story has gone through multiple iterations – most recently the legal counsel for Wray claiming once again in a press conference that “a [not many – “a” as in “one”] social security number was in the folder”.
Gaining access to someone’s social security number without their knowledge or consent is one thing. Publishing it takes the matter to a massively higher level. And since the only person or persons or parties who published that social security number were “everyone involved except Greenburg”, many are waiting anxiously to find out whose number was exposed and whether that person will pursue criminal sanctions against the many parties who did the dirty deed.
Interesting. But I think, if Greenburg put someone’s SSN on his original Google Drive folder without protecting the folder, he also published it. If not password protected, (which it was not) Google will crawl google drive files. It just needs to see the url published somewhere to start.
I had not thought of that. Great point. So we could have a battle between two culpable felons.
One will say “I had no idea anyone would publish the stuff that I should have locked up” and the other will say “I should not be punished for publishing stuff that I didn’t know I should not publish”.
War of the weak.
Why, as a legal matter, should it matter which boxes the secret information is typed into?
It was more likely that Prof. Kerr would contribute some useful insight in this context before Volokh Conspiracy’s hard dive toward polemical, partisan delusion diminished his interest in this white, male, right-wing blog.
Plain and simple, there are real places in the world we’re not supposed to go without permission, as well as virtual places. Just because you found a way inside doesn’t give you permission to enter.
True. But the analogy here isn’t buildings but open spaces. If you put something on the web, the general presumption is that you want other people to see it. It’s like posting a sign in your yard. And if you’ve opened up your front yard for casual visitors to enjoy, how are they to know where the boundaries are? The answer is that you put up ‘no trespassing’ signs. Or better, some walls and a gate with a lock. Only then are the visitors on notice that you really want to keep the information private.
A hashed URL, by the way, is not a wall. It’s not even a ‘no trespassing’ sign. It’s just a place on the path in your still-open garden.
This decision is clearly an overreach of CFAA. Most specious of all is the claim that there was more than $5,000 damage done. Google drive files are the copy, not the original. If the holder of Google drive space finds that their documents have been adulterated by whatever means, they merely have to reüpload those documents from their own computer. It takes about 5 minutes.
The altered files factor into a separate state defamation case currently in litigation against the same defendant.
Unless the Google drive files were the original and he didn’t keep local copies. Why are you making up facts without knowing anything about the case?
If his only copies were on the Google Drive, to which he didn’t even restrict access for the purpose of modifying those files, then he is a fool and deserves whatever happens to him.
That’s… not how the law works. You can’t take a car just because you think the owner was a fool to leave the doors unlocked and his keys in the ignition.
That analogy is completely off base. A car is a physical item that can be stolen. The issue in this case is that someone looked at files that the owner didn’t intend them to be able to look at. The owner didn’t even do the minimum diligence of requiring someone to set up a username and password to look.
Um, please pay attention: we were talking about altering — or, to use your term, “adulterat[ing]” — the files, not reading them.
This case seems just like United States v. Auernheimer. There too, AT&T subjectively intended that its information be kept private, but it didn’t do anything to protect it. There too, the URLs involved were long serial numbers that wouldn’t be readily apparent to the public.
I think the 3rd Circuit is correct. If you permit the public to access the information just by typing in a URL, you have made the information public. It doesn’t matter that the URL is hard to guess or isn’t on search engines. A web site accessible simply by typing in a URL is a public web site. If you want to make it private, you have to do more to protect privacy than that.
The 9th Circuit should reverse.
Google is a big company. It can be held to regulatory standards. If it isn’t offering customers genuine privacy protection, it and its customers have to accept the consequences.
And if its customers simply failed to set up adequate privacy protection, they have to accept the consequences.
Except it’s not a website. It’s a server. Websites are published content that are accessed by visiting a server. A Google Drive is a file storage server. The only thing common is the data transmission protocol (internet).
Google Drive is most certainly a website.
It uses the HTTPS 1.2 protocol (not ‘internet’) to present a user interface written in HTML to be rendered by any one of a set of common browsers according to the defined standards.
You can go to the Google Drive website and click “view source”, and you’ll see on the top line doctype HTML. In fact, in the page metadata, you’ll even see type described as website by Google.
The fact that the website is an interface for interacting with files stored on the server does not change this at all.
There you go again with the technological splitting of the hairs. This is a matter of the human side of using technology, not the electromechanical. Question is “DID the defendant have authorization to access the drive?” HUMAN authorization, not electromechanical. I’m interested in seeing how the forensics reveal the post-access behaviors of the defendant. Did she behave like someone who’d just done something perfectly acceptable or did she behave differently? Discovery should get interesting.
“technological splitting of the hairs”
Amusing coming from someone unsuccessfully differentiating between websites and servers to call a Google Drive a server.
“HUMAN authorization”
When you change the authorization settings in Drive it tells you “Anyone on the internet with the link can view.” If you only want to restrict access to specific people on the internet there’s a separate setting for that.
Did you not read the quote you quoted? Anyone with the link can view it. Knowledge of the link is the access control mechanism. The perpetrator wasn’t supposed to have the link, so they weren’t supposed to have access, and they knew they weren’t supposed to have access. The judge got this one right on.
“Anyone with the link” is also crucial. The defendant didn’t have a link. They had a photograph OF a string of Unicode characters. They had to seize upon the plaintiff’s inadvertent disclosure of an (otherwise secret) link to even gain the access.
“Knowledge of a link” is not a security control mechanism.
Passwords, routing tables, IP whitelists, MAC filtering, geofencing – these are all examples of access control mechanisms.
“Someone intending for you to use the resource” is not.
A “link” is nothing but an address that is automatically parsed to open in a web browser when clicked. They exist only on the client. If I take the URL, type it in to Wordpad with anchor tags, I’ve created a “link”.
Would this somehow mean I’ve become ‘authorized’?
It’s an absurdity to believe so, but in your world, it would.
I dunno, that’s how passwords work, why not links? Only because your mind is locked into a specific, rigid conceptual model. Break on through to the other side!
Passwords ‘work’ because your software does a match between what is typed in and what is on record for the account. That’s the access control mechanism.
Sometimes passwords can be shared. Sometimes they’re even posted publicly! But the security is in the requirement to enter the password, not in hoping that someone else doesn’t know it.
I feel like you can substitute “URL” for “password” (and “resource” for “account”) in your post and it all works fine. So what’s the problem exactly?
No, you can’t.
A URL is an address, an abstract concept of location.
A password is used to establish identity and perform authorization.
A URL is used to guide your request to the correct server.
A password will not guide your request anywhere.
Again, these are not the same thing. Do you really not understand the difference between these two things?
No, it is not a security control mechanism, an access control mechanism, or an access restriction.
I know you don’t understand computers, but when the expert is talking, how about you learn something rather than reveal your ignorance?
The real tech experts that I know are experts because they understand how tech relates to the real world.
You only understand tech within its own self-described bubble. That might make you an expert in tech terminology, but not in tech. You seem to have very little understanding of tech, actually.
You’re like the “expert” in horse-drawn carriages exclaiming, “there’s no such thing as a carriage that moves around on its own, by definition carriages are drawn” and going on to invent something like this while denouncing the idea of a car:
https://www.nextnature.net/story/2009/steam-horse
I’m glad to see you’ve come to the stage of the argument where you stop trying to pretend your position is right, and instead devolve to silly insults.
As it happens, I’ve tried explaining what URLs, websites, access restrictions are in real terms. You simply don’t understand.
And your doubling down on dumb analogies, now aimed at being insulting rather than advancing your argument, shows exactly how badly you know you are losing this argument.
I already won the argument. Now I’m trying to help you understand why you lost and how to learn from it.
For more proof that you’re wrong, here, again, is some Google Drive documentation. Can you explain the difference between options A and B?
Changing the Privacy Settings on your Personal Google Drive
1. Start by clicking on the storage folder that you wish to make private.
2. Click on ‘Share,’ then ‘Advanced.’
3. Next, click ‘Change,’ and you’ll be presented with multiple access permissions to set.
4. You can either make it
a. a public document to the web,
b. private so only the people with the shared link can view it, or
c. private so only designated viewers can read the shared document.
5. Save and complete the new settings.
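Added illustration, not part of any comment in this thread and not Google's code: a small Python model of the three sharing options listed above, showing what a server can check in each one and how a defender would audit for the link-only cases. The class, function, account and host names are hypothetical, and treating options a and b as differing only in discoverability is an assumption of the model.

```python
"""Toy model of three sharing modes (constructed example, not Google's implementation)."""
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    PUBLIC = "public on the web"               # option a
    ANYONE_WITH_LINK = "anyone with the link"  # option b
    RESTRICTED = "designated viewers only"     # option c


ROLE_RANK = {"viewer": 1, "editor": 2}


@dataclass
class Folder:
    name: str
    mode: Mode
    link_role: str = "viewer"                # what a bare URL holder may do
    acl: dict = field(default_factory=dict)  # account -> role (hypothetical accounts)
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

    def url(self) -> str:
        # example.invalid is a reserved placeholder host, not a real service.
        return f"https://drive.example.invalid/folders/{self.token}"


def authorize(folder: Folder, url: str, account: Optional[str], want: str) -> bool:
    """Decide whether a request may act as `want` ('viewer' or 'editor')."""
    presented = url.rsplit("/", 1)[-1]
    # In every mode the address must be right just to locate the folder.
    if not hmac.compare_digest(presented.encode(), folder.token.encode()):
        return False
    if folder.mode is Mode.RESTRICTED:
        # Option c: the server consults the signed-in identity; the URL alone fails.
        role = folder.acl.get(account) if account else None
        return role is not None and ROLE_RANK[role] >= ROLE_RANK[want]
    # Options a and b: no identity is consulted. Whoever presents the URL
    # receives link_role, regardless of how they came to know it.
    granted = folder.link_role
    if account in folder.acl:  # a named account may hold a higher role
        granted = max(granted, folder.acl[account], key=ROLE_RANK.get)
    return ROLE_RANK[granted] >= ROLE_RANK[want]


def audit(folders):
    """Defender's check: report folders where the URL is the only gate."""
    findings = []
    for f in folders:
        if f.mode is Mode.RESTRICTED:
            continue
        severity = "high" if f.link_role == "editor" else "medium"
        findings.append((f.name, f.mode.value, severity))
    return findings


def demo():
    """Same contents under option b and option c, probed with a disclosed URL."""
    acl = {"owner@example.invalid": "editor", "son@example.invalid": "viewer"}
    link = Folder("records-link", Mode.ANYONE_WITH_LINK, link_role="editor", acl=dict(acl))
    locked = Folder("records-locked", Mode.RESTRICTED, acl=dict(acl))
    results = {}
    for f in (link, locked):
        disclosed = f.url()  # stands in for a URL visible in a forwarded image
        results[f.name] = {
            "anonymous_view": authorize(f, disclosed, None, "viewer"),
            "anonymous_edit": authorize(f, disclosed, None, "editor"),
            "son_view": authorize(f, disclosed, "son@example.invalid", "viewer"),
        }
    return results, audit([link, locked])


if __name__ == "__main__":
    outcome, findings = demo()
    for name, checks in outcome.items():
        print(name, checks)
    print("audit:", findings)
```

In the model, the only setting under which a disclosed URL stops mattering is option c, and the audit ranks link-shared folders with edit rights highest because a URL holder can then alter or delete contents as well as read them.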
Toranth says we are doubling-down on dumb real-world analogies.
“Web” is an analogy.
“Server” is an analogy.
“Client” is an analogy.
“Host” is an analogy.
“Password” is an analogy.
“Login” is an analogy.
“Link” is an analogy.
Need I go on pointing-out “ridiculous analogies?”
All of this internet stuff is human behaviors and tools CONVERTED to a digital and mathematically-based expression, but then (and most importantly) it all gets converted back into the world of the living. Living people created these digital tools to serve others in the day-to-day living of their lives.
We’re dealing here with the human side of human-computer interaction, not the irrelevant execution mechanisms that engineers like you curiously defend.
Randal, are you claiming that court rulings are never wrong? That’s an even sillier argument than most of the ones you made here.
The judge is wrong, just as if he had declared “1+1=3”.
You are just as wrong. Repeatedly reposting the same dumbed-down instruction designed for people like you that do not understand what a link is or means does not make you correct. It makes you repetitively wrong.
Your position is incoherent and non-sensible. A link is not something that exists outside of a client. It is an interpretation of an abstract concept of an address into convenient human interactive terms. You cannot send a “link” to someone; all you can do is send the address in some particular formats and hope their software will perform the translation correctly.
According to you, if Wray had wrapped anchor tags around the URL, her access would have become “authorized”! That’s absurd.
Before you try again, explain that one specific point: Even after the URL was ‘inadvertently revealed’, if Wray had added anchor tags, would you say that her access of those resources was OK?
And Oloshuan, claiming that a public server is like your home, or a URL is like a key, is a terrible analogy. When you double down on it, you are making a bad argument worse.
The fact that computer terms originated as metaphors doesn’t change that. Sometimes there are near perfect analogies! But you’ve never come close to presenting one – you’re still too busy insisting that Google Drive isn’t a website.
And if you think that computer security isn’t something that involves the real world, you’re more ignorant than I thought. The entire field exists because everyone knows that humans are not some ideal well-behaved imaginary creature.
Question. The federal database of judges identifies judges by assigning a serial number, which forms part of the URL. You can bypass the official website simply by typing in the serial number directly. The district judge who decided this case, Douglas L. Rayes, is serial number 1394521. He is at URL:
https://www.fjc.gov/node/1394521
Question: Can you be prosecuted or sued under the Federal Crime and Abuse Act for clicking on this link? Can the government say that you weren’t supposed to know this serial number, so your direct access to this URL is unauthorized?
Google Drive IS effectively a server — presented within the GUI shell of a website — which in turn is hosted on a server. Modern server farms are all managed within the presentation shells of “websites,” but that hardly makes them “websites” from a practical perspective.
Back to “access” and “permission.” The defendant knew that the plaintiff wasn’t giving them permission to access, but chose to exploit an inadvertent mistake they’d noticed.
When Uncle Billy handed old man Potter that newspaper in “It’s a Wonderful Life” he inadvertently handed him the monthly cash deposit for the building and loan. Potter committed a crime by seizing upon Billy’s mistake.
In this case, “Potter” made the mistake of boasting of his crime. You are adopting the legally untenable position of “finders keepers.”
Please, stop.
You don’t understand the difference between a server and a website, and your post showed it. Don’t double down on something you don’t understand by using more words you don’t understand.
Your analogy is, again, terrible, as all your others have been. A URL is not money. It is not a newspaper. It is just an address for a virtual resource on the internet. There is nothing in the CFAA that implies that the method used to gain that knowledge in any way impacts whether or not access is “authorized” or not.
There is no “finders keepers” because there is nothing to be “lost” in the first place!
By your logic, if a user inadvertently reveals the URL of a top-secret government web-based file folder directory, an exploiter of that secret information is immune from any responsibility regarding their subsequent actions.
That’s absurd. Split all the hairs you wish.
Hey! Guess what my day job is?
And yes, anyone that gets data – even classified data – from a website that was not secured, through a URL that the government accidentally revealed, is safe. It’s happened before, as have other varieties of data spills – bad redaction, for example.
The person that screwed up the security configuration is going to be in big trouble, though.
Yes, the human did have authorization.
All humans have authorization and access to use the general internet. So if your web site can be accessed simply by using the general internet, all humans have authorization to access your web site.
It has nothing to do with what you subjectively intend. It is strictly what you objectively do. That’s not a technical splitting of hairs. That’s the core of the case.
In this case, the plaintiff may not have subjectively intended to allow others to access its web site. But it in fact objectively allowed them to do so. That means access was allowed.
A HUMAN could access this web site just by typing in a URL, just like any other public web site.
Can landowners who don’t post “No trespassing” signs prosecute others for trespassing on grounds that because they had long and complicated street addresses hard to figure out, everyone should have realized this meant they didn’t want anyone else on their property?
An argument like that would have been laughed out of court. This case isn’t any different.
Want to be able to sue people for going on your property? You have to take objective measures, post no trespassing signs. Want to be able to sue people for accessing your data? You should have to take objective measures to protect it. If you don’t, your subjective intent shouldn’t matter. And no matter how long and complicated it may be, any address is a public address. The internet here is the same as the real world. That’s not at all a mere technicality.
No, the human did not have authorization.
All humans have authorization and access to use streets and sidewalks. But if your home can be accessed simply by using one of these streets or sidewalks, not all humans have authorization to access your home.
I do not need a “no trespassing” sign to assume the sanctity of my domicile, even if the door is left unlocked. Cross the boundary of my domicile without my permission, and you could be charged with breaking and entering. “Breaking” refers to violating the boundary of my domicile. One need not break down a door, smash a window, or jimmy a sliding door to be guilty of breaking and entering.
Even if you have been given a key by another individual, and you have “technological permission” to enter (IE, key unlocks door), you most certainly do not have the “rightful permission” that I alone must give to you in order to legally enter. This is especially true if you knew that there was no way that I would ever have given you such permission.
We don’t live our lives on process flow charts. And just because a process flow chart exists (with neato names that seem to indicate “permission”), we must always keep our feet planted in the side of how we actually live our lives. These laws exist to guide human behavior, not technology white papers.
And yes, my Google Drive is an extension of my home. A digital extension of my home. CFAA is designed to protect our virtual property.
The Third Circuit overturned the conviction based on venue. The holding did not address whether or not the conduct would have been enough to violate the CFAA had the case been charged in an appropriate district.
Question – if Greenburg is guilty of criminal negligence by failing to secure the link to a folder that contained at least one social security number, are not Wray, Carney, Werner, the Scottsdale Independent and others guilty of willful violation when they published their own manipulated version of the Greenburg folder knowing that what Greenburg did by mistake, they did with intent?
Want to hear your thoughts.
Randal wrote:
“Knowledge of the link is the access control mechanism.”
Bingo. This is the most elementary part of this whole matter.
More elementary is the fact that he is flat out wrong, though.
Restricting access to only specific users would be an access control mechanism.
Requiring a password would be an access control mechanism.
Granting anyone that requests the data access to it is also an access control mechanism – the one in effect here.
Hoping that no undesirables find out the URL is not an access control mechanism.
“Hey, you seem to have included a snapshot of the URL for something in this attachment. Mind if I visit that directory?”
That’s all the defendant would need to ask. But they knew what the answer would be, so they proceeded in secret.
So?
Suspecting that someone would not want you to know something does not make it illegal to learn it. It also doesn’t make it illegal to go looking for it in public.
The federal database of judges identifies judges by assigning a serial number, which forms part of the URL. You can bypass the official website simply by typing in the serial number directly. The district judge who decided this case, Douglas L. Rayes, is serial number 1394521. He is at URL:
https://www.fjc.gov/node/1394521
Question: Can you be prosecuted or sued under the Federal Crime and Abuse Act for clicking on this link? Can the government say that you weren’t supposed to know this serial number, so your direct access to this URL is unauthorized?
If you can’t be, what makes the two URLs different? Both involve an address that’s an arbitrary string of characters.
The Conspiracy’s own Orin Kerr raised this argument in an amicus brief in the Auernheimer case. Federal judges are identified by serial numbers. But those numbers are not passwords, and typing in the serial number associated with a judge directly and accessing that judge’s URL directly is not a violation of the Federal Computer Fraud and Abuse Act. And since complicated strings of characters are often used in URLs, the public cannot possibly be expected to know when the use of a complicated URL means the owner subjectively intended not to make the site accessible and when it didn’t.
In Auernheimer, the 3rd circuit found that by making the Information available to anyone typing the URLs in, AT&T inadvertently published the information and made it public.
In Auernheimer, the 3rd circuit actually found that NJ was not the proper venue for the prosecution. That’s it.
Well, one obvious difference is that the FJC page in question actually is public, and intended to be. Clicking on that link gets you to the same place that going through the official site does. You are authorized to access that information.
And if the serial numbers are public, then putting one in a URL doesn’t make the URL unguessable.
You’ve chopped this all up into parts, and act as if the complexity of the URL (or “guessability”) alone is the plaintiff’s sole foothold for saying the defendant was unwelcome in this Google Drive. The complexity of the URL really just shows that it was a tedious task for defendant to recreate from looking at photographic reference. They didn’t surreptitiously click on it and end up in the directory. Someone with malicious intent deliberately sought to gain entry to the drive, and tediously recreated a live link for themselves.
The guessability aspect goes to the logic of the CFAA. IIRC, the data has to be protected by some affirmative protection scheme, and the thief has to have thwarted that scheme, for the CFAA to apply.
Including hard-to-guess characters in the URL counts as a protection scheme, and manually copying them out of an inadvertent screenshot counts as thwarting that scheme, probably.
I think the “access” issue is an unnecessary red herring in this case, though. Assuming arguendo that because the URL was (inadvertently) made public the person reasonably believed she had authority to read the documents in the drive, she couldn’t have reasonably believed she was also authorized to edit or delete them.
There was a situation a few years ago where a high school assistant football coach decided to sabotage his own school’s team by sending their secret playbook to the competition via email. One competitor (of many) tipped them off, sharing the perp’s email with the head coach.
The head coach’s son tracked down the perp by attempting to reset the password to the email account. He posed as the rightful account owner (as “anyone on the internet” could do), hit submit, and the system revealed several / many digits of the perpetrator’s phone number, asking if they wished to have an enabling code texted to this phone.
They recognized the perpetrator’s likely phone number, invited him to a meeting — where the son hit the submit button that texted a reset code to his phone — confirming his identity. The perp was confronted, fired, nationally ridiculed, and then disappeared.
Did the head coach and his son break the law by causing that password reset text to be sent? “Anyone could do it.” But just because anyone “could” trigger that password reset text, doesn’t mean these guys had the true authority to do so.
I don’t know if maybe there’s some law they broke, but I don’t think that would violate the CFAA, since they never accessed or modified any protected data. They figured out the full phone number, but they did that with physical surveillance, not computer fraud.