This case hit home for me because, as you may recall, last year we had an entirely similar situation with Yelp. We found that they were accidentally leaking personal user information. We collected data to back our claims if needed, brought it to them, and they fixed it. Moreover, when we told them this leak should be made public (after they had fixed it), they agreed to do so; their blog post on the issue remains up. As I mentioned at the time, it was an exemplary experience. Now I feel even more so.
Did we handle it differently, by contacting the vendor first? Yes. And perhaps these two situations exemplify some of the differences between what some people call full disclosure vs. responsible disclosure. But it's very unclear to me why what Mr. Auernheimer did -- finding a flaw and disclosing it in the manner he did -- would be considered illegal. Or, perhaps more to the point, it's not clear to me at this point what the difference is between what he did and what we did, which worries me, because as far as I can see, we should not have been anywhere close to any legal line in how we dealt with a found data leakage.
Certainly we thought our responsible disclosure approach -- contacting Yelp -- increased the likelihood of good will and a good outcome. And, in retrospect, we may have been depending on our status as university researchers. A legal action against us would have led to a lot of negative press for Yelp (I think), and we'd have a lot of support from the academic community. I should emphasize, though, that I'm not clear that we would have gotten much help from our universities. I contacted Harvard legal, and they were very hands-off. Here are examples of the wording in their response to us. (Note, this was going through another layer, hence the 3rd person "the researchers" wording -- it's not just legalese.)
If the researchers move ahead to disclose this publicly, as they intend to do, they should understand that the discovery and announcement is something for which they are responsible in their individual capacities (and should not be held out as an activity done by or on behalf of Harvard).
If there is some liability that results from the discovery or their announcement of it, the researchers should understand that they could not look to Harvard to cover that liability.
There are, as I’m sure you know, laws that prohibit certain kinds of hacking. It’s important for the researchers to be very comfortable that they were not engaged in any activity that could be construed as posing under another name, unauthorized breaking into a site, etc.
In the end, I think we were depending on common sense -- we found a leak, we aimed to get it fixed, we wanted it announced afterwards, for the obvious motivations -- credit, and protecting others. Auernheimer didn't go to AT&T first, but what he did does not seem completely outside the realm of common sense to me. (I suppose this is the heart of the full disclosure vs. responsible disclosure debate.) So how as researchers do we protect ourselves from felony charges? How as a practical matter do we improve computer security in this legal environment, or how can we change the legal environment to improve computer security while maintaining researchers' rights?
Auernheimer is due to be sentenced in February, although the articles suggest he will appeal his case.