11 votes

Engineer reports data leak to nonprofit, hears from the police

2 comments

  1. RNG

    Earlier this month, Dyke had discovered an exposed GitHub repository exposing passwords, API keys, and sensitive financial records which belonged to Apperta Foundation.

    To have a record of what he had reported, however, the researcher encrypted the data he had come across and securely stored it aside for 90 days, as a part of the coordinated disclosure process.

    A little over a week later, a letter arrived from Apperta's lawyers stating that they considered Dyke's actions as "unlawful" and demanded a written undertaking that any data the engineer had come across was deleted.

    No good deed goes unpunished. Cynicism aside, this wouldn't even come close to being a criminal complaint under the CFAA, which is notoriously outdated [1]. The UK Computer Misuse Act isn't something I'm terribly familiar with, but I couldn't imagine him actually facing charges. From what's reported, this isn't even the gray area that other similar cases have been. Probably more akin to the prosecution of pen testers in that courthouse case as far as levels of unconscionability go [2].

    [1] https://www.eff.org/issues/cfaa

    [2] https://www.cnbc.com/2019/11/12/iowa-paid-coalfire-to-pen-test-courthouse-then-arrested-employees.html

    3 votes
    1. mxuribe

      Security disclosures are certainly not my area of expertise (though I am a technologist)...But it sure seems lately like there is enough tech-related activity happening in the world where some/many/most participants do not understand enough about tech and yet they respond first in a very litigious manner. This leads to technologists - in this case info sec pros - needing to defend themselves before even being found to be guilty. It feels like non-technologists are conducting more witch hunts, and it costs them little or nothing if they're wrong, but is quite costly (in time and money) for the innocent techies needing to defend themselves. I see this at my day job, though admittedly at a very low impact compared to this article. I guess I could expect this if it was more of a thing years ago, when tech was newer to society...but it seems like it has flared up more recently...I wonder if it is because the pandemic has forced so many to depend more on tech, and that triggers the non-techs to lean towards fear as their instinct?

      3 votes