[HN Gopher] State Bar of California addresses breach of confiden...
___________________________________________________________________
State Bar of California addresses breach of confidential data
Author : borepop
Score : 172 points
Date : 2022-02-28 17:02 UTC (5 hours ago)
web link (www.calbar.ca.gov)
| [deleted]
| danso wrote:
| According to this LA Times [0] story, the records were apparently
| found on judyrecords.com, a project recently discussed in a Show
| HN [1].
|
| > _State Bar officials learned about the posted records on Feb.
| 24. As of Saturday night, all the confidential information that
| had been published on the website judyrecords.com -- which
| included case numbers, file dates, information about the types of
| cases and their statuses, respondent and complaining witnesses
| names -- had been removed, officials said._
|
| > _...Full case records were not published. Officials said they
| don't know whether the published information was the result of a
| hacking incident. Judyrecords.com is a website that aggregates
| nationwide court case records._
|
| edit: The "Info" link [2] on judyrecords.com has updates related
| to this event. It asserts that the confidential data was
| available on the CA Bar's own website:
|
| > _These records were all (confidential & non-confidential)
| previously publicly available at https://discipline.calbar.ca.gov
| (now offline)._
|
| [0] https://www.latimes.com/california/story/2022-02-27/californ...
|
| [1] https://news.ycombinator.com/item?id=30399881
|
| [2] https://www.judyrecords.com/info
| coding123 wrote:
| I thought something was off about that site. It doesn't seem
| fair or legal to just publish that data like that.
|
| I think in the era of go-in-and-get-things, things should be
| "public".
|
| Now, in the search engine age, with data available at your
| fingertips, we need to entirely change our public records
| laws... Immediately.
|
| edit: In fact a HN user said this with NO REPLY from the author
| of that Show HN: I have some records that are sealed, but show
| up in this database. So there are records that were once
| 'public' but are no more, but this database makes them public
| again.
|
| I think that website should be taken offline immediately.
| richardbarosky wrote:
| It's the first reply.
| 5ESS wrote:
| Blame the state governments for publishing those records in
| the first place. Everyone knows that once information is
| published on the internet there is really no "undo" button.
| If judyrecords goes down another, perhaps less scrupulous,
| operator will release another similar site.
| wolverine876 wrote:
| Without transparency, including public records, how do we
| hold the powerful accountable? Court records are public to
| prevent secret government courts from abusing people (among
| other reasons). How do we operate a democracy, which depends
| on citizens controlling their country?
|
| And most importantly, who does get access to the records?
| That exclusive access will give them a lot of power.
| nisegami wrote:
| > Court records are public to prevent secret government
| courts from abusing people
|
| Except of course, when "national security" is involved.
| sacrosancty wrote:
| It's possible to be both not public enough to ruin people's
| lives and public enough for journalists or concerned
| individuals to find. In New Zealand, voter registration
| details are, by law, available to look at but not to copy.
| Anyone can walk in to a public library anonymously and
| rifle through the book, but the book is chained to the desk
| and you're not allowed to photocopy it or take photos.
| Also, it's only present in the local libraries near where
| the voters live.
| SllX wrote:
| Something that stuck out to me about that website is that
| we really do publish a lot. If you ever had a speeding
| ticket, that's a matter of public record now.
| If you ever had a parking violation, that's a matter of public
| record. I mean, to be honest, if you just have a car, I can
| probably find you on that website if I know your name.
|
| Also goes for divorces. By and large I agree with your
| take, but playing around with the search got me thinking
| that maybe we just make too much a matter of public record
| and that some things might just be too noisy, even if it
| isn't the biggest privacy violation per se. Still mulling
| it over though, so I can't say I'm committed to that
| position yet; feel free to talk me back.
| oh_sigh wrote:
| I have owned a car in NY, FL, and CA, have been married,
| and have received parking violations in all 3 of those
| states, and my very unique name is not present at all on
| that website.
| SllX wrote:
| Fair. I did search out myself and several others I know.
| Didn't find myself, but did find out that there's a guy
| with a very similar name to me (different middle name)
| that likes to live dangerously in the same State but in
| several different counties, racking up speeding violations
| like there's no tomorrow.
|
| I was able to find almost every single other person I
| searched though; chose not to dig into it any further
| than I could confirm it was someone I actually knew,
| typically by birth date.
| function_seven wrote:
| I think their coverage is still spotty. I'm in
| California, and searched some names I know. The results
| came from some counties, but nothing from others. Notably
| I never saw anything from Los Angeles County, but tons of
| results from San Bernardino County.
|
| My own name brought up a couple of tickets. In 2014 I got a
| cell phone ticket. There's something kind of funny seeing
| an all-caps official document explaining that THE PEOPLE
| OF THE STATE OF CALIFORNIA were all arrayed against me!
| :)
| mistrial9 wrote:
| there are at least six adults in the USA with my same
| first and last name, who are professionals and middle-aged ..
| one of the others died of a drug overdose, and
| looks a bit like me!
|
| new world now
| ghaff wrote:
| AFAIK, a parking ticket would be written against a
| car/license plate. Obviously that can be attached to a
| registration if the ticket is unpaid, but it's not clear
| to me that a record of the violation would necessarily
| have the name attached in the record.
| wolverine876 wrote:
| I agree there are limits; there are no absolutes in
| anything. We don't have absolute free speech: you can't
| slander, commit fraud, conspire to commit a crime, incite
| a deadly stampede, etc.
|
| I think the main concern is that the more powerful the
| actor (e.g., government is very powerful) the more
| important transparency is, and the more vulnerable the
| actor, the more important privacy is.
|
| For example, if an Apple (picking a random company)
| employee complains to authorities about dangerous working
| conditions, that employee may be very vulnerable - Apple
| could blacklist them; other businesses, if they learned
| of the complaint, could do the same, not wanting a
| 'troublemaker'. And that employee may be financially
| vulnerable, needing the job; their privacy should be
| maintained if possible. But Apple and the government are
| both powerful and there should be transparency about the
| working conditions, investigation, and outcome.
| SllX wrote:
| So what's the limiting principle you would use? That's
| the problem. I no more care about Apple's speeding
| violations than I do Joe Schmo's, but I probably do care
| about whether Joe here has a criminal history if I'm
| interviewing him, and the nature of that history.
|
| You could go by legal entity, just make lawsuits
| involving corporations public, and lawsuits between
| individuals private: but while Apple might have global
| influence, your rich and litigious neighbor in a rural
| county is probably a more immediate concern to you.
| Also, individuals can sue corporations and corporations can sue
| individuals.
|
| I'm still inclined to think court records should stay
| public, but I'm now more interested in seeing if there's
| a kind of filter we can put on what we make public than I
| was two weeks ago.
| rhacker wrote:
| With your same example though, now this employee is
| listed in a bunch of Apple lawsuits and will be unable to
| ever get a job again because of this kind of search
| engine.
| mistrial9 wrote:
| please recall a basic motivation for the formation of the
| United States of America, versus the Kingdom of Britain under
| George III. In the legal system of Britain, all Crown records
| are SECRET unless cleared. Under the Federal Laws of the USA,
| all Federal records are PUBLIC unless classified.
|
| get the idea?
| ejb999 wrote:
| >> we need to entirely change our public records laws...
| Immediately.
|
| I am certain that many people in government would agree with
| you - they would LOVE to be able to hide what they are doing
| and not be held accountable for decisions they make (or don't
| make). We need more public disclosures, not less, imo.
|
| >> So there are records that were once 'public' but are no
| more, but this database makes them public again.
|
| This website didn't make them public, they just gave others a
| way to access them - once something is public, and in control
| of others, it is impossible to make them 'un-public' without
| violating the 1st amendment.
| TedDoesntTalk wrote:
| > once something is public, and in control of others, it is
| impossible to make them 'un-public' without violating the
| 1st amendment.
|
| I do not think that is accurate.
| lazide wrote:
| Can you be more specific?
|
| How do you propose someone could stop someone from
| releasing a record they acquired publicly, exactly?
|
| Seize it? Prohibit someone from saying something they
| found out via a public route on penalty of fine or
| prison?
| verve_rat wrote:
| Um, yes?
| Courts can issue injunctions to stop people from
| publishing material they have. If they breach the
| injunction they can go to jail, or have some other
| penalties imposed.
|
| Even in the US there are limits on free speech. A judge
| would weigh 1st amendment rights vs other considerations,
| but there are limits. Yelling fire in a theatre and all
| that.
| lazide wrote:
| Which works if it is 1 document, or one publisher, so
| someone can do the paperwork and a judge can handle it.
|
| And it does infringe their 1st amendment rights, by the way.
|
| And if it's a million documents and the publisher is
| everyone who got a torrent done in the months before the
| injunction?
| TedDoesntTalk wrote:
| No one is talking about the reality of removing a million
| sources from the internet. We're talking about the legal
| consequences and 1st amendment rights of individuals.
|
| You do not have a 1st amendment right to post, for
| example, classified documents or protected intellectual
| property. If you post those things, even if 2,000 people
| posted them before you, the law can still come down on
| you.
| salawat wrote:
| You absolutely do have a right to post classified
| documents if you come across them, but have not attained
| a security clearance.
|
| There's definitely a massive "should" aspect there;
| however, the courts will protect you in that case. The
| one who got them for you, or if you committed a crime in
| acquiring them, however...
|
| That is a different story.
| lazide wrote:
| We aren't talking about any of those things - we're
| specifically talking about public records, however.
| djbusby wrote:
| What's the point of sealed records then? How would that be
| managed? We should let citizens have some privacy, right?
| ejb999 wrote:
| If they were sealed, they shouldn't be made public until
| they become unsealed (if ever) - but if they were public
| at some point, they are for all intents and purposes
| public forever.
| Very hard to make something private
| after it has been out in the public.
| thrashh wrote:
| Plenty of things become super hard to find after no one
| cares about them anymore. High profile cases aren't like
| that, but most things are not high profile.
|
| Just because you can't make something 100% perfect
| doesn't mean you shouldn't try. Locks aren't unbreakable.
| Seatbelts won't always save you. Your cloud service won't
| always stay up. Yet we use and build all these things and
| no one has an issue with it.
|
| And for all intents and purposes, if court records are
| meant to be hidden to protect someone's future chance of
| success, by all means we should do what we can.
| flutas wrote:
| > I am certain that many people in government would agree
| with you - they would LOVE to be able to hide what they are
| doing and not be held accountable for decisions they make
| (or don't make). We need more public disclosures, not less,
| imo.
|
| Agreed 100%, a local court has been making precedents with
| that and... it's unnerving.
|
| https://www.thv11.com/article/news/politics/routine-gag-orde...
| sva_ wrote:
| Let me guess... judyrecords.com collected these by iterating
| over some chronological id that didn't properly check if
| someone has read rights.
|
| edit: would love to check, but [0]
|
| > The State Bar Court Portal will be unavailable from February
| 25th to February 28th due to maintenance activities. During
| this time the Case Search and Court Calendar functionality will
| not be available.
|
| [0] https://apps.statebarcourt.ca.gov/dockets.aspx via
| https://www.statebarcourt.ca.gov/Public-Records-Information
| gnicholas wrote:
| On a related note, the California Bar website employs dark
| patterns that mislead members into paying inflated annual dues.
|
| When you renew your membership, there are a variety of addon
| payments you can opt into by checking boxes for these items.
|
| Then, on a later page, there are various addon payments that you
| have to opt out of.
|
| Making things even trickier, these aren't pre-checked boxes,
| which might lead the user to realize he needs to uncheck them.
| Instead, there is a list of "adjustments" with a dropdown menu
| for each. The dropdown defaults to "none", which would lead users
| to think that they are not paying for an extra item. But when you
| click on the dropdown, you see the option to "deduct $x" if you
| don't want to pay the additional fee.
|
| I've never seen a dark pattern like this anywhere else. Perhaps
| the folks who run the calbar website could spend less time
| finding ways to trick members into overpaying and more time
| securing private information.
| calrizien wrote:
| I noticed this too while trying to renew my bar dues. It's so
| devious. It degrades the whole profession when the gatekeeper
| is obviously trying to scam you.
| robertlagrant wrote:
| It's a sad day when you realise most things are like this.
| gnicholas wrote:
| And it's been this way for at least two years. This isn't an
| innocent fleeting mistake.
| bastardoperator wrote:
| Surprised this site isn't managed by CDT (https://cdt.ca.gov/)
| [deleted]
| adolph wrote:
| Apparently the State Bar has been breaking the law.
|
| _The State Bar announced today that it is taking urgent action
| to address a breach of confidential attorney discipline case data
| that it discovered on February 24. A public website that
| aggregates nationwide court case records was able to access and
| display limited case profile data on about 260,000 nonpublic
| State Bar attorney discipline case records, along with about
| 60,000 public State Bar Court case records.
| The site also appears to display confidential court records from
| other jurisdictions._
|
| _Under California Business and Professions Code 6086.1(b), all
| disciplinary investigations are confidential until the time that
| formal charges are filed, and all investigations are confidential
| until a formal proceeding is instituted._
|
| _The nonpublic case profile data from the State Bar appears to
| have been displayed on this public website in violation of this
| statute. It includes case number, file date, case type, case
| status, and respondent and complaining witness names. It does not
| include full case records. We do not yet know how many attorney
| or witness names were disclosed._
| akira2501 wrote:
| Is displaying those records in public the violation of the
| statute? Or was it merely allowing the documents out of their
| control? Such that... now they're out, does the website actually
| have any obligation to follow the "Business and Professions
| Code"?
| user3939382 wrote:
| This is probably a stupid question to those who work with these
| concepts often: can all the user data in the DB be hashed with
| the user's password so that nothing is gained from a breach? Is
| this mostly a CPU resource problem, or would JWT
| architecture preclude that from working? (I haven't built auth
| systems for several years)
| johnmarcus wrote:
| The data is read by more than one person, so this likely
| wouldn't work.
|
| Also, I'm not sure this is an actual breach. I think they
| accidentally published the data themselves; that's the vibe I'm
| getting from reading between the lines. It's like the code
| maybe missed checking a flag that would exclude private records
| from showing.
| mwint wrote:
| Hashing would make the content irretrievable; something like
| XORing with the password would make the password recoverable if
| you know the content.
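sva_ and johnmarcus above both guess at the same failure: a record lookup that serves whatever ID it is handed and never consults the flag marking a case as nonpublic. The Go program below is an added example, not code from the State Bar, its vendor or judyrecords. It puts a lookup that ignores a hypothetical `Confidential` flag beside one that checks it, and drives both through `net/http/httptest` so the difference shows up as an HTTP status. The `Record` struct, the two sample rows and the `id` query parameter are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Record is a constructed case-profile row. Confidential stands in for the
// "flag that would exclude private records" guessed at in the thread; the
// struct is an assumption for this example, not the State Bar's schema.
// The flag is excluded from JSON so a leaked row carries no hint that it
// was supposed to be private.
type Record struct {
	ID           int    `json:"id"`
	CaseNumber   string `json:"case_number"`
	Status       string `json:"status"`
	Confidential bool   `json:"-"`
}

// Constructed sample data: one public record and one nonpublic record.
var store = map[int]Record{
	100: {ID: 100, CaseNumber: "SBC-PUBLIC-1", Status: "Closed", Confidential: false},
	101: {ID: 101, CaseNumber: "SBC-NONPUBLIC-1", Status: "Investigation", Confidential: true},
}

// lookupBroken returns whatever the ID points at. It never reads the
// Confidential flag, so a client walking sequential IDs gets nonpublic
// rows along with public ones.
func lookupBroken(id int) (Record, bool) {
	r, ok := store[id]
	return r, ok
}

// lookupPublic treats a nonpublic record exactly like a missing one for an
// unauthenticated caller. Answering "not found" rather than "forbidden"
// avoids confirming that a confidential case exists at that ID.
func lookupPublic(id int) (Record, bool) {
	r, ok := store[id]
	if !ok || r.Confidential {
		return Record{}, false
	}
	return r, true
}

// handler wraps either lookup in an HTTP endpoint so both can be exercised
// the same way.
func handler(lookup func(int) (Record, bool)) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		id, err := strconv.Atoi(req.URL.Query().Get("id"))
		if err != nil {
			http.Error(w, "bad id", http.StatusBadRequest)
			return
		}
		r, ok := lookup(id)
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(r)
	}
}

// fetchStatus issues one request against the given handler and returns the
// HTTP status, which is what a regression test or monitoring probe asserts on.
func fetchStatus(h http.HandlerFunc, id int) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/case?id="+strconv.Itoa(id), nil)
	h(rec, req)
	return rec.Code
}

func main() {
	for _, id := range []int{100, 101} {
		fmt.Printf("id=%d broken=%d fixed=%d\n", id,
			fetchStatus(handler(lookupBroken), id),
			fetchStatus(handler(lookupPublic), id))
	}
}
```

The useful part for a defender is `fetchStatus` run against a known nonpublic ID: a check like that, kept in the test suite, is what catches the regression when the flag check is dropped in a later change.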
| entelechy0 wrote:
| krisoft wrote:
| XORing with the password sounds just splendid :D Caesar is
| asking for his cipher back.
|
| That method wouldn't stop a determined 12 year old, let alone
| a competent attacker. Please use properly engineered and
| implemented encryption instead of coming up with harebrained
| schemes.
| jaywalk wrote:
| The reason we can store and use password hashes is because the
| user provides their password every time they log in. So we hash
| the password they provided at login and compare that to the
| hash that was stored.
|
| We can't determine what their password is based on the hash
| alone, which is why we couldn't hash all the user data in the
| DB with their password and store that.
| rahimnathwani wrote:
| Most systems store data to which more than one user needs
| access.
|
| Most systems will restore access for a user who forgot their
| password.
| stingraycharles wrote:
| You could encrypt it with the user's password instead (rather
| than hashing it). This is also the approach taken by e.g.
| password managers; they use your password as a seed for
| encrypting all your data.
|
| The problem is that this would make the database entirely
| inaccessible unless you have access to the password. That
| creates quite a lot of friction in the user experience; the
| user would have to provide his password on every interaction
| (ie not just when logging in).
| Ajedi32 wrote:
| Users wouldn't need to provide their password on _every_
| interaction; just when logging in. The browser could save a
| derived decryption key in a cookie or local storage and use
| that to persist the session.
|
| We're basically just discussing end-to-end encryption.
|
| The real reason it's not done more often is that it makes
| a lot of things way more complicated from a
| development perspective.
| Features like "allow users to send
| messages to each other" that would normally be really simple
| to implement suddenly require a whole public key
| infrastructure and logic to take into account edge cases like
| "What if the user got a new phone or changed their password
| and was offline when the message was sent?", or onerous
| threat models like "What if the server is controlled by an
| attacker when I sign in?"
| kelseyfrog wrote:
| Not exactly following. Couldn't DMs simply not be E2E
| encrypted while maintaining encryption for personal info?
| Ajedi32 wrote:
| End to end encrypted with what key? What if the user
| changed their password? What if they got a new phone?
| What if the server is only _pretending_ the user got a
| new phone to trick you into leaking your messages?
|
| All of those problems are solvable, but "simply" is
| hardly the word I'd use to describe designing a secure
| end-to-end encrypted application. It's way, _way_ more
| development effort than just "hash user passwords with
| bcrypt and don't allow access without the password",
| which is why it's rarely done unless E2E encryption is a
| major selling point of the application.
| kelseyfrog wrote:
| Sorry, still not following. I wrote not E2E encrypted.
| I'm struggling to understand why messages that are not
| E2E encrypted would require key management.
| Ajedi32 wrote:
| Sorry, misread.
|
| Yes, you could symmetrically encrypt the _tiny_ portion
| of personal data that needs to be read _solely_ by you
| without much added complexity.
|
| However, with few exceptions (password managers, backups,
| personal notes, etc), the whole point of uploading data
| to an online service is to allow it to be shared with
| other people or services. Once that happens, you need all
| those complicated key management and security systems I
| just talked about. It's effectively end-to-end
| encryption.
| willcipriano wrote:
| That would seem to only work if the user would only be
| interested in records created by themselves or that were
| explicitly shared with them. When sharing, both users' passwords
| would have to be stored somewhere, either that or the raw
| content so that it could be re-encrypted.
|
| Private key cryptography would be better; maybe encrypt a
| private key with a password and store that along with the
| public?
| d4mi3n wrote:
| There's a concept similar to what you're describing called
| crypto-shredding[1]. Hashing isn't a good way to ensure the
| confidentiality of data--just the authenticity--you really want
| to prefer a solid cryptographic algorithm if your goal is to
| ensure data remains confidential.
|
| The idea behind crypto shredding is that you have a
| cryptographic key for each entity in your system and you use
| that key to encrypt all fields for a given record. When it comes
| time to delete that data, you simply discard the key used to
| encrypt it. Assuming you've used reasonably good cryptography,
| this data is now effectively gone.
|
| This is useful in cases where:
|
| * You need to support the right to be forgotten (as defined in
| the CCPA[2] or GDPR[3]), since all you need to do to "delete" a
| user's data is to delete the key used to encrypt it.
|
| * The data you need to delete exists across multiple data
| stores/applications/environments and ensuring consistency for
| the deletion across all these places is difficult. For example:
| You may have DB backups, long-lived caches, or 3rd party
| services/vendors that may have copies of this data.
|
| * You want to discard some, but not all, of a user's data. This
| is important in cases where you're required by law to retain
| specific kinds of information even after a person has required
| its deletion. For example, banking and finance companies are
| required to keep specific records about who they sent money to
| or performed services for.
|
| 1. https://en.wikipedia.org/wiki/Crypto-shredding
|
| 2. https://www.oag.ca.gov/privacy/ccpa
|
| 3. https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
| ejb999 wrote:
| Doesn't sound like a breach to me - sounds like the state bar
| association inadvertently gave out the information, and now they
| are looking for someone to blame - someone else, that is.
| 5ESS wrote:
| It wasn't a breach. Those records were publicly available. It's
| a shame the site's operator complied with the takedown request.
| Unfortunately that's what happens when you use a US hosting
| provider and domain. In the interest of transparency, the site
| operator should consider migrating the site to a provider
| outside of US jurisdiction and/or making torrents of the record
| data that can't be simply taken down.
| LordDragonfang wrote:
| > Those records were publicly available.
|
| The very first paragraph of the article seems to contradict
| that. Do you have a source that says otherwise?
| [deleted]
| ejb999 wrote:
| According to the Bar website:
|
| >>> The site owner (of judyrecords) claims that the State
| Bar's confidential and public case records were all
| previously available at a public URL. Is this true?
|
| >>> The State Bar Court website allows the public to search
| for publicly available case information. The extent to
| which the external aggregating website was able to obtain
| nonpublic information that was stored in the Odyssey case
| management system is still being investigated.
|
| I am inclined to believe judyrecords, until proven
| otherwise.
| 5ESS wrote:
| It's pretty gross that they won't admit they made a
| mistake and instead choose to mislead the public using
| deceptive language.
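d4mi3n's description of crypto-shredding above, and jaywalk's point that a hash cannot be reversed to get data back, in working form. This is an added example, not code from the thread or from the Wikipedia article cited there. It assumes a per-entity key store held in an in-memory map (a real deployment would keep the keys in a KMS or HSM), seals each field with AES-256-GCM from Go's standard library, and shreds by deleting the key. The entity and field names and the sample value are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore holds one random data-encryption key per entity (here, per user).
// Deleting an entry is the "shred": every field sealed under that key becomes
// unreadable however many ciphertext copies survive in backups, caches or
// vendor systems. The map stands in for a KMS/HSM (assumption for this example).
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// keyFor returns the entity's key, minting a fresh 256-bit one on first use.
func (ks *KeyStore) keyFor(entity string) ([]byte, error) {
	if k, ok := ks.keys[entity]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[entity] = k
	return k, nil
}

// Shred forgets the entity's key; stored ciphertexts are left untouched.
func (ks *KeyStore) Shred(entity string) { delete(ks.keys, entity) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one field with AES-256-GCM under the entity's key. The field
// name goes in as associated data, so a ciphertext cannot be moved into a
// different column of the record. Output layout is nonce || ciphertext.
func (ks *KeyStore) Encrypt(entity, field string, plaintext []byte) ([]byte, error) {
	key, err := ks.keyFor(entity)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(field)), nil
}

// Decrypt reverses Encrypt and fails once the entity's key is gone.
func (ks *KeyStore) Decrypt(entity, field string, sealed []byte) ([]byte, error) {
	key, ok := ks.keys[entity]
	if !ok {
		return nil, errors.New("key shredded or never issued")
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(field))
}

// Demo runs the lifecycle on a constructed record and reports whether the
// field was readable before and after the shred.
func Demo() (before, after bool) {
	ks := NewKeyStore()
	sealed, err := ks.Encrypt("user-42", "complainant_name", []byte("Jane Doe (constructed)"))
	if err != nil {
		return false, false
	}
	pt, err := ks.Decrypt("user-42", "complainant_name", sealed)
	before = err == nil && string(pt) == "Jane Doe (constructed)"
	ks.Shred("user-42")
	_, err = ks.Decrypt("user-42", "complainant_name", sealed)
	after = err == nil
	return before, after
}

func main() {
	before, after := Demo()
	fmt.Printf("readable before shred: %v, after shred: %v\n", before, after)
}
```

Two points the thread raises that the code makes concrete: the shred is a single key deletion regardless of how many stores hold copies of the ciphertext, and it does nothing for data that was already served in the clear, which is the situation the State Bar is in. The field-name AAD is a small extra that stops a ciphertext from being re-filed under another column of the same user's record.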
| ejb999 wrote:
| Yep, not unlike the other recent story where someone
| scraped a website and ended up pulling in SSNs and other
| personal information that was on the page, but not
| visible (but in the html) - and then the government
| threatened to prosecute the person who reported the
| problem.
|
| A perfect example of why MORE public information is better
| than less.
| aksss wrote:
| Well, it's the CA state bar - it's the den for all the
| lawyers in a juggernaut state. Misdirection through
| deceptive - sorry, _persuasive_ - language is literally
| what a goodly number of them do every day for a living.
| dahfizz wrote:
| > Was this a hack? And how did this happen?
|
| > We do not know yet. The State Bar's Odyssey case
| management system software vendor, Tyler Technologies, has
| been tasked with investigating what happened, taking the
| steps needed to rectify the breach, and ensuring something
| similar does not happen again. The State Bar also retained
| a team of IT forensics experts to assist in our
| investigation.
|
| > The site owner claims that the State Bar's confidential
| and public case records were all previously available at a
| public URL. Is this true?
|
| > The State Bar Court website allows the public to search
| for publicly available case information. The extent to
| which the external aggregating website was able to obtain
| nonpublic information that was stored in the Odyssey case
| management system is still being investigated.
|
| It sounds extremely likely that the state bar had a website
| misconfigured, and the automated systems of the aggregation
| site sucked down all the data they were technically (but not
| legally) given access to.
|
| https://www.calbar.ca.gov/About-Us/News/Data-Breach-Updates
| wslack wrote:
| It's still a breach if an org misconfigures an API, allowing
| more records to be available than was intended.
| uoaei wrote:
| _Mens rea_ is honestly a mistake.
|
| I don't care what the org "intended" to do.
| The org assumed
| the responsibility of providing an API and with it the
| responsibility of securing private data. They failed and
| should be held culpable.
|
| Boeing doesn't call it a "cyberattack" when their altitude
| control systems fail because of poor design.
| reset-password wrote:
| Why is it so impossible for these people/organizations to accept
| that they made a mistake and own up to it? The entire response by
| the State Bar of California is nothing but a deflection of blame
| that rests solely on themselves and their chosen vendor(s).
|
| What are they going to do next, call Missouri's governor and ask
| for the playbook to follow? The humans behind the scenes at the
| bar are looking incredibly pathetic here.
| duped wrote:
| There may be liability attached. But this reads more like "a
| lot of data that we assumed to be private, and legally must be
| kept private, appeared on a website. Here's everything we know
| and the steps we have taken." Essentially what happens when
| there's a screw up and lawyers get consulted about how to
| disclose it.
| sva_ wrote:
| > _Why is it so impossible for these people/organizations to
| accept that they made a mistake and own up to it?_
|
| Maybe they accept it, but just don't admit to their mistake.
| Seems to be a growing trend, unfortunately. Perhaps the result
| of a society that more and more punishes people for admitting to
| their mistakes, rather than rewarding them for admitting to them
| and learning from them.
|
| It's very sad to me that this seems to be getting so much more
| common.
| [deleted]
| dogleash wrote:
| > Why is it so impossible for these people/organizations to
| accept that they made a mistake and own up to it?
|
| It's the bar. Of all the organizations to respond like lawyers
| covering their own asses as hard as possible, you have to
| expect this one.
| xbar wrote:
| Agreed.
|
| Closing with "Law enforcement has been notified" doubles down
| on "we published everything but maybe if we can get somebody
| charged for a bogus crime then we won't look so stupid."
| KarlKemp wrote:
| They are lawyers. "Pathetic" is the after-shave they use.
| "Liability" is the nickname for the kid they secretly loathe.
| "Blame" is a verb.
| cyral wrote:
| > We apologize to anyone who is affected by the website's
| unlawful display of nonpublic data
|
| Sounds like the Missouri teachers' SSN leak again... The website
| that judyrecords scraped, discipline.calbar.ca.gov, contained all
| of these "nonpublic" records for anyone to see.
| stefan_ wrote:
| It can be legal for you to scrape something yet very illegal to
| reproduce it.
|
| This applies even more when the site you scraped didn't have
| permission to show the data in the first place. Their mistake
| does not rise to be your permission; if it was my data, I would
| have as much of a claim against you as against them. "The
| software did it" is not an excuse.
| robertlagrant wrote:
| The software didn't do it, indeed. The custodians of the data
| who allowed private data to be made public did it.
| cyral wrote:
| I'm assuming the owner of this site has permission to
| reproduce court documents from each source; generally these
| types of documents are public record and can be reposted. It
| sounds like whoever configured this portal where the public
| can view documents misconfigured it and allowed for private
| documents to be shown, without any indication that they were
| supposed to be private.
| tossitafter wrote:
| I used judyrecords to check myself after it was posted here. I
| had a charge from over a decade ago listed as a felony that had
| been reduced to a misdemeanor. The state system shows it as a
| misdemeanor. I paid good money to an attorney for a misdemeanor.
| I'm not sure why judyrecords shows it as a felony, and it has me
| wondering about the effectiveness of my legal defense.
|
| edit: If you're wondering if I'm a hardened criminal with a wake
| of victims left behind, the answer is no. I was 22 and got caught
| in the midwest with an ounce and a half of cannabis. This
| website, as far as I'm concerned, is displaying inaccurate
| information about me that could have serious negative
| consequences for myself.
| duped wrote:
| Just spitballing, it's just a dump of records. They might have
| records for your arrest, arraignment, charge, plea, whatever
| (not sure what's in your state). When I was looking through it,
| it didn't seem like a comprehensive or organized set of
| documents by case.
|
| You might want to check with a more thorough source, like a
| criminal background check agency.
___________________________________________________________________
(page generated 2022-02-28 23:00 UTC)