Two similar news stories ended in very different ways this week:
- A 10-year-old kid hacked Instagram, reported the hack, and was rewarded with $10,000and the adoration of the computer cognoscenti.
- A 31-year-old exposed a vulnerability in Lee County, Florida’s election website as well as a state-wide election website, reported the vulnerability to officials, and was rewarded with an arrest and three felony charges.
David Levin, a computer security consultant, exposed the vulnerability of the Lee County and Florida election sites through using an SQL injection attack – basically inserting malicious code into entry forms on a website to make it dump out the entire database.
Levin has been charged with three felony counts under Section 815.06(2)(a), Florida Statutes (the Lee County Court’s docket has him charged under “815.06(1a)” which doesn’t exist, but hey, Lee County isn’t exactly batting a thousand in the computer department). That statute makes it a felony to
“[W]illfully, knowingly, and without authorization accesses or causes to be accessed any computer, computer system, computer network, or electronic device with knowledge that such access is unauthorized”
Keep in mind that the “access” part of this statute is defined really broadly:
“‘Access’ means to approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer, computer system, or computer network.”
In a video, Levin basically admits to performing an SQL attack on the Lee County website.
The other person in the video is Dan Sinclair, who coincidentally is running against the Lee County Supervisor of Elections in the upcoming election. Sinclair praised Levin for performing a public service, and he was right to do so. The problem is that Levin’s public service is also technically a computer crime under Florida law, no matter his motivation. I mention that because Sinclair had this to say about the prosecution according to the news story:
Sinclair said Levin did not commit a crime because he had no criminal intent. “He didn’t create the holes. They were there,” Sinclair said. “It’s completely legal to test a computer system.”
That’s important because the statute says that for unauthorized access to be a crime, the access just has to be willful, knowing, and without authorization, with knowledge that such access is unauthorized. But the prosecution may have another problem – the definition of computer network.
The plain language of the statutory definitions of “computer,” “computer system,” and “computer network” refer to tangible devices, not the data and other information located on the device. Thus, to prove a violation of section 815.06(1)(a) the State must establish that the defendant accessed one of the listed tangible devices without authorization, not that the defendant accessed a program or information stored on the device without authorization. Crapps v. State, 180 So. 3d 1125, 1127 (Fla. 4th DCA 2015).
To prove the charge against Levin, the prosecutor has to prove that he accessed one of the physical devices, not simply that he performed an SQL injection attack.
The biggest problem isn’t with the prosecution and Levin’s defense – it’s with how unbending the government is towards someone exposing a flaw in their system. Let’s say Levin didn’t see what he was doing as a public service. What then? If he can gain access to the county and state Division of Elections computer system, what could he do? How much is that information worth on the “dark (deep?) web”?
There are no “bug bounties” for Florida government technology systems. The criminal statute has no carve-out for someone finding a bug and reporting it to the proper authorities. Public officials with technology systems are a bit like the emperor on parade with his new clothes – except the penalty for finally speaking up that the emperor actually has no clothes is prison time.