2

Scenario: I shop at a local retail store. While I am there, I notice that store staff have printed out and placed a long list of cleartext credentials for major internal and external business systems, in plain view of customers.

Question 1: If I take a photo of this list, redact the business name/brand, all passwords and any personally identifiable usernames (or usernames that identify the business), am I opening myself upto a lawsuit for posting this on social media to use as an example of poor security practices?

The only thing identifiable from this post would be the type of store and the city that the store resides in (franchise). Consider that although I have redacted to the best of my ability, someone may read the post and decide to hunt around the area for a store that matches the photos, then find the list and act on it with malicious intent.

Question 2: If I do post this list on social media with the aforementioned items redacted, am I legally required to notify the business first in order to give them a chance to take the list down?

Daniel
  • 21
  • 2
  • If you do decide to post this picture, be careful how you redact the information. Some methods can be reversed. See this question from security.SE –  Apr 20 '18 at 16:01

3 Answers3

1

For the most part, I think you'd be OK.

To start, try to think of the possible claims that might be implicated by this behavior. I come up with the following to start:

  • Theft/conversion;
  • invasion of privacy;
  • negligent infliction of emotional distress; and
  • negligent interference with contractual relations.

I think there are reasonable arguments in favor of liability under any of these theories. If you're also a competitor, I think you might have some exposure through competition law.

At the same time, I think you'd have strong protection under the First Amendment. If we can agree that the risk of a data breach is a matter of public concern -- and probably we can -- it's hard to imagine that you'd be held liable.

For me, the outstanding question is whether taking the picture could open you up to liability, before you've published. The fact that it's out in the open suggests to me that you're in the clear, and I think you'd also have a strong argument that taking the picture is First Amendment-protected newsgathering. But I can also imagine there being some provision in the rapidly growing field of computer-security law that might address this in a way that does not run afoul of the First Amendment. I just don't know enough about that area to lock in an answer.

bdb484
  • 58,968
  • 3
  • 129
  • 184
-4

It's really none of your business. Most people don't appreciate "free advice" and when it comes to hacking, you will be more likely to get accused of a crime or put under suspicion than "thanked". When Richard Feynman once pointed out to a nuclear military base commander that all the safes on the base had an insecure locking mechanism, the commander reacted by revoking Feynman's clearance to enter the base.

I would advise resisting the urge to lecture people about their vulnerabilities or otherwise meddling in their affairs. Don't be a busy body.

Cicero
  • 6,920
  • 5
  • 28
  • 52
-4

Why "shame" the store in a public way? I get the impression you're only looking for recognition for yourself because you noticed the list of passwords and think of yourself as a Lone Ranger of security.

If you are really concerned about this, find the corporate site of the store and email customer relations, or even their security office if they have one. Email from a "throw away" account if you want to be anonymous. (There are many ways to do this; Google).

Or talk to the manager of the store. There's a good chance he/she would appreciate the gravity of the situation. Or talk to an employee who seems open to your advice.

Could you get sued if you posted a redacted photo of the list? At least in the US, anyone can sue anyone for anything. The store could allege that after you posted the redacted photo, you attempted to hack - or did hack - systems using the credentials. Or you aided someone else to hack by giving them the credentials. You'll have to lawyer up to defend yourself; how much money do you have?

I assume you're not an established security expert or journalist, so you don't have any credibility in that respect. Are you sure you could prove you didn't hack? Sure, the online security community could come to your aid if you made it an issue, but that's not certain.

BlueDogRanch
  • 18,824
  • 5
  • 35
  • 61
  • "Anyone can sue anyone for anything" probably doesn't answer the legal question in the way the OP is looking for. – bdb484 Apr 20 '18 at 21:07