“I’m not a hacker,” data scientist Rebekah Jones told CNN in December after police executed a warrant to search her home for electronic devices, looking for evidence that she had accessed a Florida state emergency management system without authorization. Despite that protestation, this week Jones was arrested and charged with illegally accessing a Florida state computer. The charges suggest that while what she’s accused of did not entail any sophisticated hacking or technical skills thanks to the state’s lackluster security practices, it may well still have involved illegal use of computers.
Jones has had a fraught relationship with the Florida Department of Health, her former employer, for months. While she helped manage Florida’s COVID-19 tracking dashboard, she publicly questioned the credibility of the state’s case numbers and data reporting and was subsequently fired in May 2020. Following her firing, Jones continued to vocally criticize the Florida case-tracking efforts and data in media outlets and also set up her own COVID-19 tracking dashboard.
Then, on Nov. 10, someone accessed a Florida Department of Health system called ReadyOP, designed for incident and emergency planning, and sent out a text message to about 1,750 people saying, “It’s time to speak up before another 17,000 people are dead. You know this is wrong. You don’t have to be part of this. Be a hero. Speak out before it’s too late.”
The message was sent using credentials that belong to a group on the system called StateESF8.Planning, according to an affidavit cited in the search warrant for Jones’ home. ESF-8 is Florida’s Emergency Support Function for Public Health and Medical, and all members of the group share the same username and password, which was used to log in and send the Nov. 10 message. “Once they are no longer associated with ESF8 they are no longer authorized to access the multi-user group,” the affidavit states, but that’s a fairly weak protection against disgruntled ex-members continuing to use the shared credentials, which seems to be what the state believes Jones did in this case in order to send out the message. According to the affidavit, law enforcement was able to trace the message sender to a particular IPv6 address associated with Comcast, and Comcast was presumably then able to provider further evidence linking the address to Jones.
Giving a group of users a shared credential that doesn’t change when employees leave (or are fired) is clearly a poor security practice—even worse, Kate Cox at Ars Technica points out that the username and password used to access the emergency response system were actually publicly available online. Cox reports that the username and password for logging in to the system were printed in a publicly accessible operations manual on the Florida Department of Health’s website for ESF-8 logistics staff. No question, Florida could—and should—have done a much better job of securing those systems.
But that still leaves unresolved the question of whether Jones, if she did use a username and password that she had been given back when she was working for the state to send out the Nov. 10 message, actually committed a computer crime. Using credentials your employer gave you to do something after you were fired wouldn’t meet most people’s definition of a “hacker.”
But courts are divided on the issue of whether, in order to access a computer without authorization, a person has to actually do anything technical. The Florida Computer Crime Law that Jones was charged under is closely related to the federal Computer Fraud and Abuse Act—both laws define illegal hacking using similar language of “unauthorized access” without clarifying what, specifically, determines whether access to a computer is authorized. Courts have interpreted that language in very different ways in cases centering on the CFAA and other state laws modeled on it. Some of those interpretations might work to Jones’ advantage—for instance, in 1998 the Court of Appeals of Maryland found that Terry Briggs had not committed an act of unauthorized access when he locked some files on his employers’ servers with a password shortly before quitting his job. More recently, in 2012, the 9th Circuit ruled in a CFAA case that employees had to circumvent some form of technical control put in place by their employer—not just a written rule—in order to commit an act of unauthorized access. Since the state of Florida had apparently implemented no technical safeguards to prevent Jones from accessing the emergency response system used to send the message, this interpretation of unauthorized access as a strictly technical activity could help her.
Other rulings, however, suggest that Jones could still be held responsible for using her former credentials after leaving her job. For instance, in 2010, the 11th Circuit found that a former Social Security Administration employee, Roberto Rodriguez, who had used his work credentials to access personal information about people he knew in real life through his employer’s database, was guilty of unauthorized access, even though he had done nothing more sophisticated than log in to his work computer system and use it for personal purposes. The Supreme Court heard a CFAA case in November that should help resolve some of these disagreements, when it’s decided.
In the meantime, it’s certainly not impossible that a court could find Jones guilty of accessing a computer without authorization even though her former employer gave her the credentials to access that system and then failed to update the password after firing her. That determination probably hinges on how the court defines what it means to revoke access to a computer. In other words, was it enough for Florida to simply tell employees in a written policy—as the affidavit does—that they would lose their permission to access an online account when they lost their jobs? Or did Florida bear some responsibility for actively changing those credentials when Jones was fired?
Everyone is at fault in this story—Florida for failing to do a better job of securing its emergency systems, and Jones, if indeed she did send the message, for misusing an application designed for emergency response—and no one is really a hacker, in any meaningful sense of the word. But that still doesn’t mean Jones couldn’t be found guilty of accessing the state computers without authorization.