- cross-posted to:
- technology@beehaw.org
- cross-posted to:
- technology@beehaw.org
Users from 4chan claim to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, belonging to the newly popular women’s dating safety app Tea. Users say they are rifling through peoples’ personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media.
At which step should it turn illegal? You accessing publicly available website? How exactly are you to know if it is supposed to be public or not, if there is not even an attempt at security?
The thing is we don’t need to come up with some absolute definition of what should and shouldn’t be illegal to talk about this case specifically. They didn’t accidentally stumble on this. They doxxed the users instead of responsibly disclosing the problem. This is extremely cut and dry.
If the story here was “I mistyped something and got to a page I shouldn’t have access to, I disclosed it to the company, didn’t dox anyone by sharing the problem, and now the FBI is after me” it would be different.
They were looking through publicly accessible buckets on firebase. They literally did stumble upon this by accident while going through public data. And then just told other people about what they found. Should they have disclosed it once they realized what it was instead of spreading it? Sure, morally speaking. But I don’t see how you could write a law to make this illegal without just trampling on free speech.
That’s a weird way to say they doxxed people instead of ethically disclosing what they found. Hiding that detail is why I have a problem with defending this.
If someone steals something they didn’t know belonged to someone (say through an unlocked door), should we prosecute them? I don’t know. What did they do next after they found out they shouldn’t be there? Did they give it back and tell the building owners “hey, you have an unlocked door” or did they yell to the street “hey everyone, come get free stuff!” How did they behave once they knew they did something wrong.
From what I have seen, they initial guys shared a link to the database, not any content. The equivalent of telling people: “Look at this unlocked door I found.” They did not “steal” anything as far as I know.
Also, the analogy doesn’t work either. What if it really was intended to be public? Making a copy is not analogous to stealing something, it’s analogous to taking a picture.
PS: Maybe to make it clearer what I am thinking of. A real court case that happened: A person found a bunch of documents on a government website, just sitting there. He decided to share them. Turns out they were not supposed to be public. The government tried to prosecute the guy who had no idea the files were not public. They thankfully lost.
How can it be the responsibility of a person to try to figure out if these files are supposed to be public or are public on accident? Yes, these guys had a good guess that this was an accident, but so what. We don’t prosecute people for having good guesses.
Damn, do you think this link I found that has a ton of women’s drivers licenses is supposed to be public? Better share it to 4chan. They’ll know what to do.
So it’s just about the drivers licenses? We should make a law to ban sharing drivers licenses? Or is it posting to 4chan that should be illegal?
What do you believe should be the law here? You just keep arguing this specific case should be illegal, but based on what? Which specific part?