When Mayor Lovely Warren’s office announced that her Facebook accounts had been “compromised,” they didn’t specify by whom. And we may never know, since they’re not really under any obligation to tell us. But one thing they made absolutely clear is that Lovely Warren’s Facebook accounts are in fact managed by an unspecified but large number of people who are sharing account credentials. That means that, if indeed the account was “compromised,” they didn’t really have any idea who compromised the account themselves.
This is hardly an unfamiliar or uncommon practice in office settings. Among the many and varied jobs I’ve done on my way to becoming a freelance web developer, I’ve done a fair amount of deskside support. And one thing that is universal at every level of deskside support is: everybody shares passwords.
I mean everybody. CEOs can never really be trusted to know their passwords – their assistants do. And if the assistant is out, do you think business stops? No. All those passwords are written down in her desk drawer for just such emergencies.
This habit repeats itself across industries, companies large and small. But what are the consequences of someone breaching security with a shared password? A case before the Ninth Circuit Court asks this very question. The Electronic Freedom Foundation filed an amicus brief in this case, the overview of which is explained in this EFF Article:
David Nosal worked for Korn/Ferry, an executive recruiting company. Korn/Ferry had a proprietary database of information that, under corporate policy, employees could only use for official Korn/Ferry business. After Nosal left to start his own recruiting company, the government claimed he violated the CFAA when he allegedly convinced other ex-employees of Korn/Ferry to access the database by using a current Korn/Ferry employee’s access credentials, with that employee’s knowledge and permission. The district court refused to dismiss the charges, ruling that the act of using someone else’s computer login credentials, even with their knowledge and permission, is a federal crime. Nosal was convicted by a jury, sentenced to one year in prison, and ordered to pay a $60,000 fine and nearly $830,000 to Korn/Ferry in restitution.
The government paints a pretty dire case, but even at face value, what is happening here is fundamentally no different than any CEO – or Mayor – sharing a password. One has an allegedly unethical intent; one has a drearily predictable, utilitarian intent. But both acts are functionally identical.
The government’s position on this makes every night shift help desk jockey the exact same common criminal as the Mayor of Rochester. Has Lovely Warren committed a crime?
As we can see in the Ninth Circuit case and in Lovely Warren’s most recent dust-up, authentication – the act of verifying you are who you say are – is a serious business. What, then, of the declared “compromiser” of Lovely Warren’s account? That member of her team or related party that used Lovely Warren’s credentials to access her account and rail against her detractor? When someone works against authentication and falsely identifies themselves, most of us would call that “hacking,” though the Mayor’s Office has so far avoided that term.
Cornell University’s Legal Information Institute documents the US code on fraud, and it seems to arguably describe what happened in Lovely Warren’s Facebook account, according to reports:
(a) Whoever, in a circumstance described in subsection (c) of this section—
(1) knowingly and without lawful authority produces an identification document, authentication feature, or a false identification document;
(7) knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law
Certainly, unlawful impersonation of a public figure must be a crime. It may even turn out that sharing passwords is illegal. If a crime as been committed, it behooves the Mayor and her newly-minted head of communications to provide some answers. It’s worth the conventional media in Rochester asking some real questions about this and not letting it go.
Was she hacked? Impersonated? Or did something else go on? And who will ask these questions, or does the whole story get swallowed up and forgotten in the Christmas holiday?