Palin Email Hack: Probably Quite Common

The media and blogosphere are reporting the story of the break-in at Sarah Palin’s yahoo email account. Information is filtering in about who is responsible and how it was done, but it appears like there is also a lot of speculation based on lack of knowledge of Internet subcultures.

My guess is that this was done with Yahoo’s password reset feature. When you forget your password, you can retrieve it by giving some biographical details such as date of birth, zip code. Further they usually require that you answer a  question (“what is the make of your first car,” “what is your high school mascot,” etc…).  A recent article discusses the vulnerability: ‘Forgot your password?’ may be weakest link:

Almost everyone forgets a Web site password once in a while. When you do, you click on the familiar “Forgot your password?” link and, after entering your pet’s name, identifying your high school mascot or answering some other seemingly obscure questions, you can get back into your account.

But there’s a problem: A criminal can do that, too. With the help of social networking sites like Facebook and MySpace, personal trivia is getting less obscure all the time. You’d be surprised how easily someone can uncover Fido’s name or your alma mater with a little creative searching.

The break-in has been disclosed by and linked to individuals who participate in an anonymous web forum, 4chan (link goes to Wikipedia, not 4chan). Items on 4chan exist only temporarily, and its youthful audience has been linked to attacks on feminist blogs, among others. At a panel at the Computers, Freedom and Privacy conference, blogger and law professor Ann Bartow discussed these attacks.

Paul Ohm at Concurring Opinions makes a great point — expect the Sarah Palin Email Privacy Act of 2009.  We got a Video Privacy Protection Act after Robert Bork’s video rental records were leaked. And now we can expect more email privacy laws. Further legal analysis comes from Orin Kerr at The short answer? The break in is a federal crime, possibly a felony. However, reposting the material by people not involved with the break-in is likely not criminal and will be protected by the First Amendment.

Federal law enforcement officials are involved.

Feds Everywhere?

But here’s the thing. I think this activity is actually quite common. In a short career representing domestic violence survivors, I’ve represented a client in a protection order hearing whose account was broken into in this manner.  The client and opposing party used to date, and the opposing party knew my client’s high school mascot — the question the webmail service asked. Thus he accessed her webmail account easily.  I prepared for the court a brief memorandum on how this was a crime, and thus should entitle my client to a protection order — in DC you need to show by a preponderance of evidence that an intrafamily offense occured.

The Feds aren’t involved, and no-one is going to jail. The other party did consent to a protection order, however, so we never had a hearing. He has to stay away from her, and not contact her. I added to the order we negotiated that he is to not break into her email accounts again. Maybe if he does it again, the court would order him jailed — courts do not like their orders violated. But I do not think the feds would get involved. And it may take quite a bit to convince this court that a violation occurred. The court is familiar with other allegations — threats, physical abuse, the presence of children — and not so much with Internet abuse.

So what do I hope comes out of this? What’s my hope for the as of now fictional “Sarah Palin Email Privacy Act of 2009”? I hope this leads to webmail providers  beefing up their security and cooperation with victims when breaches occur. I hope this leads to more awareness of this crime.  I hope this leads to more enforcement of this crime. Not necessarily more Feds putting more people in jail, but the use of protection orders and other intervention as happens in many other cases of abuse.  Not all of us  get headline treatment when our email is broken into. But we should all be entitled to justice and protection.

Posted: September 18, 2008 in: