Account breaches and the CFAA

The media recently reported that information from over 500 million Yahoo accounts was breached. According to USA Today, the information may have included “names, email addresses, telephone numbers, dates of birth, and, in some cases, encrypted or unencrypted security questions and answers.” Aside from the fact that this breach is one of the largest of its kind, the usual advice that has been rehashed so many times seems to apply: 1) Don’t use the same password on different sites. 2) Use a strong password. 3) Change your Yahoo password if you have one.

The reasoning behind #1 is fairly simple. The weak link seems to have been Yahoo itself this time, rather than 500 million people being deceived by some mass-phishing campaign, at least based on the initial report. So if it wasn’t your fault that your password was compromised, then all you can do to directly protect yourself is to make sure you’re using different passwords on different sites. That way, when one company’s misfortune or incompetence exposes your password, at least your credentials on other sites are safe.

#2 is also fairly obvious. If you use a stronger password, you are less likely to be a victim when a site stores its users’ passwords in plain text or with a weak hash.

#3 is the typical response to a breach. You change what you can, such as passwords, security questions, and the answers to those security questions. But some things potentially stolen in this breach aren’t so easily changed. Unless you plan to immediately migrate away from compromised e-mail addresses, I wouldn’t be surprised to see phishing or spear-phishing attacks directed at them. You can change your phone number, but your telephone company might charge you a fee to do it, and it would be a massive inconvenience to have to give the new number to all the companies you do business with and all the friends you talk to. Finally, you can never change when you were born.

One might ask: What if we just stopped trusting companies with our information? For example, what if you gave a pseudonym instead of your real name? Perhaps you also gave a fake birthday instead of your real one; not out of any intent to defraud, but simply to protect your identity from companies who have failed time and time again to safeguard your personal information. In our culture, it’s often said “Fool me once, shame on you; fool me twice, shame on me.” And Descartes himself said “it is wiser not to trust entirely to anything by which we have once been deceived.” Just look at the number of breaches that have occurred over the years due to company error, and you’ll see that we have been fooled not once, and not twice, but many times.

While using false information would be clever from the perspective of self-protection, it unfortunately may run afoul of the law. Yahoo’s Terms of Service, which all users are required to agree to when signing up, explicitly require that users “provide true, accurate, current and complete information about yourself as prompted by the Yahoo Service’s registration form”. Most people probably won’t look twice at these terms, but providing false information may be a breach of contract, as well as a potential violation of the CFAA’s prohibition against exceeding authorized access.

Yahoo is not the only company to require in its terms of service that users provide true, accurate, or correct information. If you simply Ctrl+F for these words, you will find them in many other companies’ terms as well. In practice, the chance that everyday users will be prosecuted is likely to be extremely low. But this doesn’t change the current uncertainty in the law and the fact that such companies technically forbid you from providing false information of any kind.

It is time for this to change. At the legislative level, lawmakers should be made aware of the potential misuse of the CFAA to prosecute otherwise innocuous actions. Contractually, consumers again need to stand up for their privacy and the security of their personal information. By voting with our time and our wallets, we must show companies that it is unacceptable to require us to provide sensitive and personal information when that information is not required to serve us. Until then, we are forced to 1) avoid all the companies that unnecessarily require the provision of true information, 2) provide correct information and watch it get stolen by hackers, or 3) lie and break the law. None of these options is acceptable.
