Pop Star Tells Fans To Send Their Twitter Passwords, But It Might Be Illegal (arstechnica.com)
Cyrus Farivar, reporting for Ars Technica: As a new way to connect with his fans, Jack Johnson -- one half of the pop-rap duo Jack & Jack, not to be confused with the laid back Hawaiian singer-songwriter of the same name -- has spent the last month soliciting social media passwords. Using the hashtag #HackedByJohnson, the performer has tweeted at his fans to send him their passwords. (Why he didn't go for the shorter and catchier #JackHack, we'll never know.) Then, Johnson posts under his fans' Twitter accounts, leaving a short personalized message, as them. While Johnson and his fans likely find this password sharing silly and innocuous, legal experts say that Jack Johnson, 20, may be opening himself up to civil or criminal liability under the Computer Fraud and Abuse Act, a notorious anti-hacking statute that dates back to the 1980s. "While the entertainer in question likely considers this password collection to be a harmless personalized promotional activity, there may indeed be legal implication of both the fans' and the entertainer's conduct," Andrea Matwyshyn, a law professor at Northeastern University, told Ars.
Nope. This involves active sharing and consent. (Score:5, Insightful)
Re: (Score:2, Insightful)
Twitter did not consent.
That's irrelevant. That only makes it against their TOS, giving them grounds to terminate the account/service.
However, that doesn't make it any more illegal than me posting an email with my neighbor's credentials while fixing/testing his email software.
HACKED BY 'JOHNSON' (Score:2)
"That's what SHE said!"
Re: (Score:2)
That's irrelevant. That only makes it against their TOS, giving them grounds to terminate the account/service.
It's also against their TOS to log in using someone else's credentials, and violating the TOS in that manner may be deemed wire fraud under the Act, and has been before [fortune.com].
See the Netflix case, where sharing passwords resulted in jail time, and the federal appeals court upheld the password sharing as a Computer Fraud and Abuse Act violation.
Re: (Score:2)
There was a recent court decision, discussed here, which emphasized that access without following the TOS is not unauthorized access as far as the CFAA goes.
Re: (Score:1)
Still not a crime based on the Computer Fraud and Abuse Act, just a possible breach of TOS.
Re: (Score:2)
Gosh I hope it didn't trigger them!
Re: (Score:2)
Twitter did not consent.
It's likely a violation of Twitter's terms of "don't share your password" but that doesn't make it illegal or criminal.
It's stupid to give your password out but to my knowledge not illegal even if it's the password to your bank's website.
You might even be considered an "unauthorized user" from twitter's perspective but by giving you their password,
the end-user has made you the defacto authorized user of that account.
Re:Nope. This involves active sharing and consent. (Score:5, Interesting)
You might even be considered an "unauthorized user" from twitter's perspective
That is precisely what triggers the fraud and abuse act.
but by giving you their password,
the end-user has made you the defacto authorized user of that account.
The end user is not authorized to do that, per the Terms of Service.
Look, the point is that it is not an open and shut case. There is a valid legal argument, bolstered by recent court rulings, that the CFAA can be triggered in this way. The most recent court case was just such an example of an authorized user sharing their password with an ex-employee. Obviously that's not exactly the same thing.
But it's close enough in a lot of ways: the Twitter user, like the employee, doesn't really 'own the account'. It is assigned to them and they aren't allowed to share it. So if they do share it, the person they share it with is NOT an authorized user, and that in theory triggers the CFAA.
Yes, it's all kinds of stupid... but the CFAA is all kinds of stupid too.
Re: (Score:2)
The most recent court case was just such an example of an authorized user sharing their password with an ex-employee.
How did that turn out?
Re: (Score:2)
This is not stupid at all. It mirrors the obvious principle that everyone here knows, which is that authorization to use a system does not necessarily confer authorization to authorize additional users. This has been a principle in UNIX since before most of us were born, and it continues to be a principle of every multi-user operating system since. There are distinct privilege levels between user and some form of super-user that has the right to authorize additional users.
Moreover, it's a principle of our d
Re: (Score:3)
This is not stupid at all.
Yes, yes it IS stupid.
It mirrors the obvious principle that everyone here knows, which is that authorization to use a system does not necessarily confer authorization to authorize additional users.
But does that principle automatically apply here? Does a normal person *consider* their Twitter account their own property or the property of Twitter? (Not the legalese... but in terms of how they think about and interact with it.)
Moreover, it's a principle of our daily lives that's so obvious we don't even mention it. I let my neighbor Bob use my pool whenever he wants, but I would be shocked if Jill was using it and just said "Oh yeah, Bob said I could".
Exactly right. It's clearly your property, and your delegate has clearly exceeded his authority according to all social conventions. That would be quite the faux pas, and you'd be rightfully upset.
There is no reason that the principle of non-delegation (that is to say, without explicit authority granted to delegate) shouldn't apply to the virtual world just as much as it applies everywhere else.
It doesn't automatically apply everywhere else. It applies whe
Re: (Score:2)
But does that principle automatically apply here? Does a normal person *consider* their Twitter account their own property or the property of Twitter?
No one is talking about ownership of the account, if that's even a well-formed concept. It doesn't matter either way, because what we are talking about is Twitter's actual physical servers.
Twitter has authorized everyone to connect to their servers to do certain operations (like read all tweets)
Twitter has authorized person A to use their physical servers to do other operations (like write a tweet or a DM). To enforce this authorization, Twitter and A agree on an authentication token (password, whatever).
Twitt
Re: (Score:2)
By comparison, I might own all the items in my safe deposit box at the bank. But clearly I don't own the bank, or even the bank lobby. And yet I cannot access my owned items except by using the bank's property.
Not a bad example. And likewise, if I wanted to send someone to the bank to retrieve or add to the contents of the safety deposit box, that would be my prerogative.
Well, OK. Then legally a legal court of law will come to a different legal conclusion than a person with no technical or legal expertise might come to.
Where the law varies significantly from people's expectations is where conflict arises, and the law is usually wrong or ultimately unenforceable, because society en masse simply ignores the law.
The law ultimately is supposed to reflect and enforce the social contract, not the other way around.
Also, civil engineer might build a bridge differently than a normal person would. News at 11!
Of course. But if the normal people couldn't cross the
Re: (Score:2)
Not a bad example. And likewise, if I wanted to send someone to the bank to retrieve or add to the contents of the safety deposit box, that would be my prerogative.
I agree and I don't agree. You have the power delegate authority to add or remove items from the box. That is surely your prerogative. So if you fall ill or move to another country, surely you can delegate your rights over the box itself to Bob.
The part where I don't agree is the idea that your authorization to Bob in any way impacts whether he is allowed to use the bank lobby to access the box. Under no feasible reading of the safe-deposit-box-owner-protocol did you ever possess any authority over the bank
Re: (Score:2)
Using a public service like Twitter isn't in the same ballpark as having a private account at a company, where you most likely did sign an agreement that said something like 'you will not share company secrets'; your company password would be classified as a company secret.
You are right, but that's kind of the point here -- while you and I might see them as very different things (and indeed most people do) ... the CFAA doesn't differentiate.
Re: (Score:2)
You might even be considered an "unauthorized user" from twitter's perspective but by giving you their password, the end-user has made you the defacto authorized
This is like handing the keys to your rental car to a stranger on the street and telling them to "have at it". Chances are the rental agreement doesn't allow this, and if they're pulled over driving when you're not there, they can be jailed. Unless you're a high-ranking employee or agent of Twitter, then nothing grants you the right to authori
Re: (Score:3)
Twitter did not consent.
Gmail did not consent (and I SURE didn't) when a lady accepted the FB offer to "Help her find her friends" by spamming everyone she had ever contacted using Gmail...
BTW, what happens to those lists of contacts once fB has spammed them?
I'll bet they are deleted right away to avoid any appearance of data collection on non-users! Oh, sorry, that cat has been out of the bag for so long I forgot about it...
Re: (Score:1)
CFAA doesn't care about consent. The second a site inserts language in their Terms of Service that users cannot share accounts, any login not from the person who owns the account in question is a violation of CFAA. Wonder why we hate that law so much?
Re:Nope. This involves active sharing and consent. (Score:5, Insightful)
But for once this insane law will hit "normal" people instead of just "computer geeks". And since people only start to think about insane laws when they have a "this could have been me!" experience, this might finally get something moving there.
Re: (Score:2)
The users who were tricked into sharing a password aren't necessarily the ones who broke the law, per se, although (I suppose) that argument could be made too, since they "dealt in means of access" with intent.
However, the Pop Star faces more serious trouble for phishing passwords out of followers and accessing their accounts.
Re: (Score:1)
No need. If you give someone your password you're letting them do what they want with your account. If you didn't want that, you shouldn't have given them your password. There's no point labouring the point with a contract. And I've no idea where you got the idea that the spirit of the law is important; that's what laws are for.
Re: (Score:2)
And i've no idea where you got the idea that the spirit of the law is important; that's what laws are for.
Are you trolling? You must be, or you're hopelessly pedantic and literal. If all there was was just the strict interpretation of the law, then the entire country would be one huge prison. Judges and juries exist in part to interpret the law and make appropriate judgements, not just mechanically apply potentially flawed, certainly imprecise text authored by potentially flawed, certainly imprecise biological brains.
Re: (Score:2)
Doesn't matter; the morons in Congress will call it a terrorist action and put him in Gitmo for 60 years.
This is the problem when laws are passed by dimwits that can barely tie their shoes in the morning, let alone understand something as complex as a computer or Twitter.
Here in the USA we have a major problem. We allow the very uneducated to be the ruling class; this causes tons of laws that are absurd and applied badly.
Re: (Score:3)
Here in the USA we have a major problem. We allow the very uneducated to be the ruling class; this causes tons of laws that are absurd and applied badly.
Worse than that, we actively vote them into office.
Re: (Score:2)
Which is very telling as to the general IQ level of the American populace.
Our public education system is breeding generations of morons.
Re: (Score:2)
That means they're not educated enough regarding the modern world, and are entirely unfit for office in a modern world.
Re: (Score:2)
Possibly absolute lack of concern over their twitter accounts which are utterly worthless, disposable beasts.
Re:Um, what? It isn't that scary of a law (Score:5, Insightful)
No, we're being trolled by a law school professor who's trying to get some media exposure - and she's being aided and abetted by some person trying to get paid at Ars Technica.
Re: (Score:2)
Is a troll really a troll when they point out laws that are frequently used to abuse common sense?
Why stop there? (Score:3)
Re: (Score:2)
The fans of this Jack (whom I've never heard of) probably won't have much worth stealing. What you want to do is persuade them to get account numbers and PINs of their parents. They'd probably do it for something trivial in return, like a signed photo or, as stated, a personalized message in social media.
And why was the password required anyway? If you have less than 50 followers on Twitter, which I assume would be the case for most people, then any mention of your @accountname stands out. Although there is
Re: (Score:3)
And why was the password required anyway?
It really wasn't, since they could have granted posting privileges via OAuth without giving away the password. Don't pop stars have marketing teams to help them with technical details of this sort of thing?
Re: (Score:2)
Give Jack your credit card number and ATM PIN to get a customized message from your bank about how you don't have any money anymore.
Because there's an order of magnitude difference in effect on a person. That's why you would stop there. Jack can have my Twitter login, because I don't give a shit. The same can't be said about my bank account.
Clinton VP vetting was doing same (Score:1, Offtopic)
Re:Clinton VP vetting was doing same (Score:4, Insightful)
Vice President of the United States isn't your garden variety job. If this was an ordinary job that demanded my social media passwords, I would say, "Oh, hell no!"
On a related note, I'm still waiting for Donald Trump to release his tax returns.
Re: (Score:2, Offtopic)
And I'm still waiting for Hillary to reveal who's all donated to the "Clinton Foundation", her secondary bank account she pretends is a charity.
Under the law, the Clinton Foundation is a charity.
https://www.501c3.org/what-is-a-501c3/ [501c3.org]
Re: (Score:3)
Family members? I wonder how that would go over with adult children.
"Son. I need to turn over your passwords in order to apply as Clinton's VP."
"Fuck you, dad. By the way, I'm voting for Trump."
Re: (Score:2)
Smart people would change their passwords for the duration and give him these passwords, then change back once the message is in.
Smart people would ignore the whole matter and find another means to entertain themselves.
If you think Twitter is bad... (Score:3)
Re: (Score:2)
What about when you forget to finish wiping your chin whenever you walk out of HR? Do they get mad then?
Your question makes no sense whatsoever. I haven't stepped inside an HR department in 20+ years, as most Fortune 500 companies have outsourced HR to outside agencies.
Re:If you think Twitter is bad... (Score:4, Insightful)
As an IT support technician, I had to prevent people from telling me their passwords. It never fails that I find someone's password written on a Post-It note on their monitor or underneath their keyboard. Whenever a user compromises their password, I set their AD account to change password on next login.
So, when you are talking to a non-IT / non-IT savvy network user who has to "remember" 20 (and that's not a high number for some folks) different UID/PAS combos, what exactly is your suggestion beyond writing it down and securing the written source?
This is an honest question that should not be poo-pooed by the "leet IT Dudes" as the fallout of moron network users...
Re: (Score:2)
So, when you are talking to a non-IT / non-IT savvy network user who has to "remember" 20 (and that's not a high number for some folks) different UID/PAS combos, what exactly is your suggestion beyond writing it down and securing the written source?
That's an extremely high number of combos. Most jobs that I had only required a single password. My current job has two-factor authentication: Windows login is a PIV card with a PIN, and the administrator account has a security login with a complex password.
Re: (Score:2)
Most jobs
People have passwords for things other than their job. Hopefully, they don't use the same one for their DoD job and Slashdot.
I have 110 uid/passwords for various accounts (everything from banking to Netflix) stored safely (encrypted, pass-phrase protected) on a portable device.
Re: (Score:2)
Hopefully, they don't use the same one for their DoD job and Slashdot.
My DoD CAC pin is 123456. My Slashdot pass is a little more secure.
Re: (Score:2)
Most jobs that I had only required a single password.
You are the exception. Many jobs require individual logins to many systems. I've had as many as 25, though right now it's 10. Yes, I write them down.
Re: (Score:2)
I think I had one password back in 1986. Since then, I've kept getting more. They've gone down recently, with a lot of stuff accessible via Lincpass, but I've still got a whole slew of work pws for various systems. Not to mention several slews of non-work pws.
Re: (Score:2)
Small business doesn't get someone to do each job, those are all on my list :(
How does this relate to my comment about Fortune 500 companies where the average worker typically has a single login credential?
Re: (Score:2)
Well, all this IT tech has done is forced the user to come up with a new password and WRITE IT DOWN ON ANOTHER POST-IT. He may think he is being clever, but what he has done is ensure that they will just do it again because it's a new password.
What he should do is come up with a method by which they can create a secure password and write down the hint to remember it, and distribute that process to everyone. In other words, TEACH them how to do good passwords.
1. Think of a very memorable event in your lif
Re: (Score:2)
1. Think of a very memorable event in your life.
2. Come up with a password based on that event.
3. Make it follow convention. (e.g. capitals, letters, length, etc)
4. Make it able to be changed easily without changing the event.
Example: My dog Daisy died in 1998
password: DaisyRIPxx98
Nice.
Remember that through 20 permutations associated with 20 random user accounts.
Like I said, I write them down and secure them. No "hacker" is going to break into my office and pry open my desk. And if they do? They can have 'em, not that important, they would find out how to hack in anyway.
Re: (Score:2)
I am not an admin, I only need to remember my passwords. Personally, I have a less-secure "story" and a more-secure "story". So I basically have 2 variations on the story behind my passwords. That doesn't mean I have only 2 passwords of course. So even if someone cracked one of my passwords they would be able to guess my others. And I have been using the secure scheme since 1996. The password looks totally random, but I know the story behind it, and remember the variations I made. So I can write down
Re: (Score:2)
True, to some degree... I only use this type of naming scheme where I am required to change my password - which is pretty much everywhere except on things that I control. Sometimes you have to deal with reality, and that means having to change your password. Is DaisyRIPyy99 harder to crack than DaisyRIPzz00? Not at all, but it is a method to help the user remember it.
Password changes (Score:1)
People in my company - including the non-geeks - seem to manage OK without writing them down on a postie. This is with a policy requiring passwords be changed every few months and have a certain complexity.
Sometimes you forget and need to get the password reset, but in general most people seem to be smarter than you credit them for.
If you have trouble remembering, go for something based on a phrase or a common variation for different services.
Re: (Score:2)
People who work at companies follow company policy - or their job is in danger.
I never heard of anyone getting fired for abusing the password policy.
b. b. b. b but, It's illegal... (Score:2)
Re: (Score:2)
I create a Twitter account expressly for this purpose. I send Mr Johnson my password. I now have deniability for anything else done using this account (as long as I obfuscate other identifying details such as my IP).
Dumb on two counts (Score:3)
2. You fucking gave the guy your password. That's not hacking. He needs to change his hashtag to #PostedByJohnson or #ThisUserWasDumbEnoughToGiveMeTheirPassword
Re: (Score:2)
1. If he asks for your password, and you provide it... there's really no unlawful action there. He didn't force you to give it to him, and you had all the power and right in the world to not be an idiot and toss it out there. I wonder how long before somebody hacks Jack's email and scoops up all those yummy accounts. 2. You fucking gave the guy your password. That's not hacking. He needs to change his hashtag to #PostedByJohnson or #ThisUserWasDumbEnoughToGiveMeTheirPassword
While I agree with your common sense approach, the law may see things differently. If Twitter decided it was an unauthorized use, as they define unauthorized based on their TOS, someone could be charged. It would be a stupid waste of time and one would hope a judge, after he or she stopped laughing, tossed the case. It does illustrate how something that would be considered normal in the physical world, i.e. I give you the key to my diary to let you write in it, could be illegal in cloud space where you don'
JackHack (Score:2)
Why he didn't go for the shorter and catchier #JackHack, we'll never know.
Saving that for when headphone jacks disappear from smartphones.
Jack Johnson (Score:3)
I don't know any of those Jack Johnsons. The only one I know is the Futurama Presidential candidate Jack Johnson [theinfosphere.org] who ran against his rival and clone, John Jackson.
Re: (Score:2)
The only Jack Johnson I know of is the boxer in The Legend of the Titanic.
#JackHack (Score:2)
Why does it have passwords at all? (Score:2)
Seriously - why do things like Twitter need a password? It's not an email account, it's not that hard to hack and nobody is going to lose anything important if someone else takes their Twitter account.
a Hacked what? (Score:1)
Yeah Hackedbyjohnson sounds bad but
A hacked Johnson would be way worse.
I'll let myself out.
Presidential response (Score:2)
Hacking (Score:1)
If TPTB say it's illegal, then it doesn't matter if there's a law or not; at least that's the impression I've gotten over the last decade or two.
Don't some websites work this way? (Score:2)
I know that when done correctly the site provides an authentication token, but the old-style approach was to just require you to provide your mail or bank's password.
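Two comments in this thread (the one saying posting rights could have been granted via OAuth without handing over the password, and this last one contrasting a site-issued authentication token with the old "give us your mail password" approach) point at the same mechanism: delegate a narrow capability, not the credential. The following is an added, self-contained toy that is not from the thread, from Twitter, or from any real OAuth library. It stands in for the service's authorization server with a single HMAC key, an invented `ToyService` class, and made-up scope names (`tweet:write`, `dm:read`); a real deployment would use the provider's OAuth flow, but the properties shown here (scoped, expiring, revocable, tamper-evident, and the password never leaves the account holder) are the ones that matter for the delegation argument above.

```python
"""Delegated posting with a scoped, expiring, revocable token instead of a password.

Added illustration, not code from the thread or from Twitter. The service key,
scope names and ToyService class are assumptions made for the example.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def issue_token(key: bytes, account: str, scopes, ttl_s: int, now=None) -> bytes:
    """Account holder delegates a subset of rights; their password never leaves them.

    The token is <base64 payload>.<base64 HMAC-SHA256 tag>. The tag lets the
    service detect any change to subject, scope, expiry or token id."""
    now = int(time.time()) if now is None else now
    payload = {
        "sub": account,
        "scope": sorted(set(scopes)),
        "exp": now + ttl_s,
        "jti": secrets.token_hex(8),  # unique id so one grant can be revoked alone
    }
    body = _b64e(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + _b64e(tag)


def verify_token(key: bytes, token: bytes, required_scope: str, revoked, now=None):
    """Return the delegating account if the token is genuine, unexpired,
    unrevoked and carries required_scope; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(b".", 1)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Check the MAC before trusting anything inside the payload.
        if not hmac.compare_digest(_b64d(tag), expected):
            return None
        payload = json.loads(_b64d(body))
    except ValueError:  # bad base64, missing '.', or bad JSON
        return None
    if payload["exp"] <= now or payload["jti"] in revoked:
        return None
    if required_scope not in payload["scope"]:
        return None
    return payload["sub"]


def token_id(token: bytes) -> str:
    return json.loads(_b64d(token.split(b".", 1)[0]))["jti"]


class ToyService:
    """Stand-in for the site's authorization server plus two protected endpoints."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # server-side secret, never shared
        self.revoked = set()
        self.timeline = []

    def grant(self, account: str, scopes, ttl_s: int, now=None) -> bytes:
        # The account holder calls this after logging in themselves.
        return issue_token(self.key, account, scopes, ttl_s, now)

    def revoke(self, token: bytes) -> None:
        self.revoked.add(token_id(token))

    def post(self, token: bytes, text: str, now=None) -> bool:
        acct = verify_token(self.key, token, "tweet:write", self.revoked, now)
        if acct is None:
            return False
        self.timeline.append((acct, text))
        return True

    def read_dms(self, token: bytes, now=None) -> bool:
        return verify_token(self.key, token, "dm:read", self.revoked, now) is not None


if __name__ == "__main__":
    svc = ToyService()
    t0 = 1_700_000_000
    fan_token = svc.grant("fan123", ["tweet:write"], ttl_s=3600, now=t0)
    print("post ok:", svc.post(fan_token, "hi from Jack", now=t0 + 10))
    print("dm read blocked:", not svc.read_dms(fan_token, now=t0 + 10))
    print("expired blocked:", not svc.post(fan_token, "late", now=t0 + 3601))
    svc.revoke(fan_token)
    print("revoked blocked:", not svc.post(fan_token, "again", now=t0 + 20))
```

The contrast with password sharing is in what the holder of the token can and cannot do: it can post for an hour, it cannot read DMs or change the password, any edit to the payload fails the MAC check, and the fan can pull the grant by revoking one token id without touching anything else. A shared password offers none of those limits, which is why the OAuth-style route is the one a marketing team should have reached for.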