Nobody Wants To Hear Bad Things

Plenty of lawyers spend their time writing about the intersection of law and technology, but few if any are qualified to know what they’re talking about.  Aaron Greenspan, on the other hand, knows about technology.  Unfortunately, he learned a little something about law in the process.

In 2004, shortly after graduating from college, I found a series of serious security flaws in one system after another, and even considered starting my career as a computer security consultant. I discovered that the username and password needed to control South Station’s merchant wireless network were “south” and “station,” respectively (see…). I then realized that my company’s payroll vendor, a company called PayMaxx, was exposing my social security number, home address, and salary data, along with the data of many thousands of others (see…).

No, he wasn’t sent a warm thank you for discovering security flaws.  The company threatened to sue him instead.  And yet he didn’t learn.

As a slew of other security breaches appeared in the press in 2005, the GSA contracted with Unisys, a large government IT contractor, to build a software application called eOffer. The goal of the eOffer initiative was to automate the incredibly complex paper workflow necessary to approve companies for selling goods and services to the federal government. It was an expensive project requiring many programmers and resources. To secure the contract, Unisys employed one Jack Abramoff, among others, as a lobbyist in Washington, D.C. via the law firm of Greenberg Traurig LLP.

When I signed up for eOffer I was informed that I needed a digital encryption certificate from AT&T, which I obtained and installed. It quickly became clear that the system had an enormous design flaw: anyone with such a certificate–and anyone could get one–could sign in as any company in the Department of Defense’s Central Contractor Registration (CCR) database. At the time, approximately 400,000 companies nationwide were registered, including of course every major defense contractor, technology company, and almost all of the Fortune 1000. Once signed in, it was possible to add fake records, delete legitimate records, and edit records. It was also clear that the system did not actually delete data properly, which carried additional security risks. (See… .)

No, he didn’t get a medal.  Instead, he got a visit from a couple of representatives of the government.

Not long after, two armed federal agents appeared at my doorstep. One of them, who had no background in computer crime, handed me a copy of the Computer Fraud and Abuse Act of 1986, and told me that I should read it.

When the government didn’t show its appreciation for Greenspan’s informing the inspector general of the GSA about its massive computer screw up, he went to the media, generating a New York Times article that revealed the problems.  The government was not amused, which is why federal agents appeared to enlighten him.  He went to Washington, paid a lawyer (“My lawyer, who sat silent for two hours as I answered the government’s questions, charged several thousand dollars, which the GSA refused to reimburse later on.”) and persuaded the United States Attorney that he was not a malicious hacker, but just a guy trying to alert the government to some significant problems.

The GSA was eventually constrained to deal with the issue.  In its letter to Congress, GSA Acting Administrator David Bibb wrote:

As a result of this weakness, GSA has revised its security practices and has begun to execute additional reviews during software development. This practice will enable GSA to identify vulnerabilities prior to placing the software into production,

GSA takes the integrity of its systems seriously and will make every effort to ensure that weaknesses, such as discovered in eOffer, do not occur again.

If you say so.  But that doesn’t mean there wasn’t a bad person to blame:

From the information provided, we determined that if the weakness described by the authorized user did exist, it could be exploited only by another authorized user and that the eOffer system was not exposed to unauthorized public access. Moreover, in order for even an authorized user to gain access to another party’s information, that user would have to abuse his or her system privileges and masquerade as another user by using the other party’s unique numerical identification code before any information could be accessed.

That’s right, the problem wasn’t the security hole big enough to drive a virtual Mack truck through, but the evil abusive masquerading geek who would exploit it.
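The flaw the two quotes describe is that a certificate proved the caller was *a* registered user, while the company the caller acted for was taken from the request itself. The following is an added illustration, not code from eOffer, Unisys, the GSA or Greenspan; every name, identifier and record in it is constructed. It models the described behaviour beside a version that derives authorization from the certificate’s enrolled binding and treats a mismatch as a log-worthy denial.

```python
# Added illustration (constructed data, not eOffer/Unisys/GSA code): a valid client
# certificate authenticates the caller, but authorization must not come from the
# company id the caller supplies in the request.
from dataclasses import dataclass

# Constructed stand-in for the CCR registry: company id -> registration record.
REGISTRY = {
    "100001": {"name": "Acme Defense (constructed)", "offers": ["widget-contract"]},
    "100002": {"name": "Beta Systems (constructed)", "offers": ["radar-maint"]},
}

# Constructed binding fixed at enrollment: certificate subject -> company id.
CERT_BINDINGS = {"CN=alice@acme.example": "100001"}

AUDIT_LOG: list[str] = []  # denials worth alerting on (mismatch = masquerade attempt)


@dataclass
class Request:
    cert_subject: str  # identity proven by the client certificate (authentication)
    company_id: str    # company the caller *claims* to act for (untrusted input)


def vulnerable_lookup(req: Request) -> dict:
    """Models the described flaw: any enrolled certificate may name any company."""
    if req.cert_subject not in CERT_BINDINGS:
        raise PermissionError("no enrolled certificate")
    return REGISTRY[req.company_id]  # authorization decided by untrusted input


def hardened_lookup(req: Request) -> dict:
    """Authorization derived from the enrolled binding, never from the request."""
    bound = CERT_BINDINGS.get(req.cert_subject)
    if bound is None:
        raise PermissionError("certificate not enrolled")
    if bound != req.company_id:
        AUDIT_LOG.append(f"DENY {req.cert_subject} requested {req.company_id} (bound {bound})")
        raise PermissionError(f"certificate not bound to company {req.company_id}")
    return REGISTRY[bound]


def is_denied(lookup, req: Request) -> bool:
    """True when the lookup refuses the request (used to compare both variants)."""
    try:
        lookup(req)
    except PermissionError:
        return True
    return False
```

The vulnerable variant hands Alice’s certificate Beta’s record on request; the hardened variant refuses and leaves an audit entry a monitoring rule can key on.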

The lessons about dealing with the government, rhetoric versus reality, are all too familiar to lawyers at the intersection of law and prosecution.  The government doesn’t want to hear its baby is ugly, and won’t appreciate your information or candor.  They will, however, make sure they aren’t to blame, which usually means you are.  Somebody has to be, and it’s not going to be them.

But there are lessons here for lawyers as well, not about the joys of federal agents or the vagueness of the Computer Fraud and Abuse Act, 18 U.S.C. §1030.  We already know that all too well.  The message is that our newest, latest, coolest thing in the future of law, technology, the stuff that makes techno-lawyers ooze from every orifice, may be replete with problems, security issues, gaps, holes, whatever, and we wouldn’t have the slightest clue.

We’re lawyers. Some may be more tech-savvy than others, but if they think they’ve got enough on the ball to find the gap that Unisys left behind, they’re nuts.  We don’t know what we’re dealing with, and the best we can hope for is to trust that someone, somewhere did a far better job than we could in making sure that our groovy technological tool isn’t a monumental sinkhole of crap.

Chances are pretty good that unless you happen to hang around with a geek like Greenspan, the only entity you have to trust is the enterprise that invented the tech itself, or the government.  Is that good enough for you?

As for some outsider who blows the whistle on technological flaws, consider how well Greenspan was treated for his efforts, and wonder how many others are prepared to stare down some armed federal agents more than once.  This is the real intersection of law and technology, and it has nothing to do with how cool you would look carrying the iPad2.

2 thoughts on “Nobody Wants To Hear Bad Things”

  1. Keith Lee

    Coincidentally, I was just reading about a very similar situation in Australia. [Ed. note: link deleted.]

    I very much agree about lawyers and technology. I consider myself functionally literate in regards to information technology, but that’s a far stretch from expertise. Lawyers should definitely find a reliable IT consultant/company and lean on them hard.

    Along these lines, I recently got fed up with all the talk by legal consultant dweebs talking about the glories of cloud computing and outsourcing data. Not that I am necessarily opposed to law firms using cloud computing, but there seemed to be a lot of “blind leading the blind” in regards to the advice being given by consultants AND attorneys. So, I decided to look into it myself.

    It took a bit of finagling, but I managed to get Google’s Senior Counsel for Global Compliance (who wrote much of Google’s Terms of Service) on the phone for a conversation about law firms using Google’s cloud services. He had a very definitive take on the situation and expressed a more nuanced view than I have seen given by “experts.” I’m working on a post / article about it now.

    In the interim, if anyone out there is running a law firm and is using Google Consumer accounts for firm employees & lawyers – you should probably re-consider the idea.
