Caveat 7.21.22
Ep 134 | 7.21.22

The Supreme Court's supreme security breach.

Transcript

Dov Lerner: VIPs need to understand how are they being mentioned on the dark web, if there are any ideological risks that they're carrying based on who they are. This is something where they really need to pay attention.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today Ben talks through a proposed expansion of video surveillance in San Francisco. I've got the story of an insurance company calling foul on a client's lack of multifactor authentication. And later in the show, Dov Lerner, security research lead at Cybersixgill, on the doxing of the Supreme Court and how things that used to be considered off-limits are now routine. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben. We got a lot to cover this week. Why don't you kick things off for us here? 

Ben Yelin: So I know I have a pro-San Francisco bias. 

Dave Bittner: (Laughter). 

Ben Yelin: I am from there. 

Dave Bittner: Right. 

Ben Yelin: It usually manifests itself only with the sports teams, but this article was too good to pass up. 

Dave Bittner: OK. 

Ben Yelin: So there has been a crime wave in San Francisco that's matched the waves in other cities. 

Dave Bittner: Yeah. 

Ben Yelin: There hasn't necessarily been a large increase in violent crime. But petty theft, property crimes, riots, looting... 

Dave Bittner: Right. 

Ben Yelin: Those things have skyrocketed in the past couple of years. 

Dave Bittner: There's that famous video that made the rounds of a guy basically looting - I think it was a CVS. Just kind of... 

Ben Yelin: Yeah - just taking stuff. 

Dave Bittner: ...Helping himself to whatever he wanted. 

Ben Yelin: And no one cared. 

Dave Bittner: Right. 

Ben Yelin: Yeah. And then there was last Thanksgiving in Union Square, where a bunch of the boutique high luxury stores are in the city. There were people just walking out of Tiffany's and Sephora with bags full of goods. 

Dave Bittner: Yeah. 

Ben Yelin: The other important context is there was a individual named Chesa Boudin who was elected as the city's district attorney, so lead prosecutor. He was elected as a reformer, so somebody who was going to reform criminal justice, was not going to pursue aggressive prosecution of nonviolent crimes. That didn't go so well for him, and he was summarily recalled last month. And he is no longer the district attorney. 

Dave Bittner: Oh. 

Ben Yelin: So there's a new district attorney appointed by the mayor. And even though everybody involved in San Francisco politics is liberal or a Democrat, the mayor is more on the conservative side on quality-of-life, property crimes issues. And she appointed an individual by the name of Brooke Jenkins to be the new district attorney and pushed through a policy that would allow the San Francisco Police Department to get a live monitor, private security camera footage from all over the city, including from residential Ring and Nest doorbells. 

Dave Bittner: OK. 

Ben Yelin: This is being considered in front of a committee of the board of supervisors. So the way the policy works now is that SFPD can access these private videos only in a situation where there's a threat of imminent risk of life or serious bodily injury. 

Dave Bittner: There's an emergency form they can fill out, right? 

Ben Yelin: Exactly. 

Dave Bittner: Yeah. 

Ben Yelin: But this policy would extend that to a lesser category of crimes - so property crimes, stealing, looting, that sort of thing. And there are thousands, if not tens of thousands of these private cameras around the city of San Francisco. It's not just outside of major retailers, you know, your Walgreens. It's also, as they mention, Nest and Ring doorbells on individual households. So there are really two pretty compelling policy arguments for and against the expansion of this policy. The argument for this policy is the best way to deter property crime is quick, fast prosecution - show that we are pursuing a strategy of deterrence. And to do that, you need all of the video footage you can possibly obtain. And the footage already exists. You just need to get your hands on it. And that's what the goal of this policy is. San Francisco is really suffering under the weight of these crimes. They've lost a lot of their residents due to both that and also probably more so due to the exorbitant cost of housing there. 

Dave Bittner: Right. 

Ben Yelin: So it's a huge problem. It's something that has obviously caused political turmoil and is very compelling. The other side of this is law enforcement is now basically deputizing tens of thousands of individuals and businesses in San Francisco to have 24/7 eyes on the citizenry. And there's nothing stopping an aggressive investigator of accusing somebody of rioting in front of their own house or engaging in a low-level drug deal and then getting somebody's Nest or Ring footage and having basically a private eye on the streets of San Francisco at all times. So as you can imagine, this got very heated in the debate in the Rules Committee on the San Francisco Board of Supervisors. And my guess is just the way the political winds are blowing, they will be able to enact this policy. I'm not a hundred percent positive about it, but there has been a major pushback from the American Civil Liberties Union of Northern California, who's heavily involved in this effort, also entities like the Electronic Frontier Foundation. 

Ben Yelin: So it's just a really interesting window into the conflict between the need to crack down on these quality-of-life crimes that really are plaguing cities like San Francisco and having this kind of Orwellian policy of 24/7 eyes in the sky, eyes on the building that we've seen to an extent in other cities but not to the extent that we would see if this policy were adopted. 

Dave Bittner: Well, help me understand here what - the details of this policy. So does this - would this entitle the law enforcement folks to my private feed? 

Ben Yelin: If it was part of an investigation into one of these categories of lesser crimes, yes. They could obtain that feed from you via subpoena, and they would not need a warrant. So there doesn't have to be probable cause that a crime is committed. There would just have to be an allegation that something suspicious had taken place. And that's fully at the discretion of law enforcement. 

Dave Bittner: What if I said no? 

Ben Yelin: Well, then you could be held in contempt of either - if it was a judicial decision, contempt of court. If it was just the police department, there are ways that they could come after you, try to fine you or just make your life generally difficult. So it's going to be difficult not to comply. I'm sure you are going to get some people who are going to choose to not comply with this policy, if it is enacted, out of principle. 

Dave Bittner: Right. 

Ben Yelin: And that might force the police to have to go to court to enforce it and get the sheriff to come seize the footage. But there's certainly going to be an incentive structure in place to make sure that people actually comply with these requests. 

Ben Yelin: And I have to say, you know, most businesses are more concerned about property crime than they are about the people walking in front of their stores who might be the subject of unnecessary video surveillance. They have more of an incentive, if they think that this is actually going to cut down on property crimes, to comply than they would to care about a random person who just happened to be dealing drugs outside their store. So I think there's more of a chance for widespread compliance, especially in more business-friendly districts, than one might expect. 

Dave Bittner: So what's the abuse case here? What's the going-too-far with this footage? I mean, we know - all of us know if we walk down a city street, chances are there's a number of cameras that are going to be capturing us. If we go into a retail store, certainly, I would assume that I'm being watched the whole time I'm in there. So what's the abuse case where that goes too far when that footage is handed over to law enforcement? 

Ben Yelin: So the chilling effect on First Amendment associational rights is a concern here. There have been previous instances in mass surveillance schemes where there's been surveillance of protests, for example - the Black Lives Matter protests, Pride in San Francisco is obviously a big deal, so surveillance in Pride protests. 

Dave Bittner: Right. 

Ben Yelin: There's been kind of an anti-police movement among the LGBT community in San Francisco. So there might be incentive for SFPD to abuse that power. Just the potential for harassment - I mean, you could certainly blackmail somebody. If you just have the vaguest allegation that somebody is committing a crime, you could get footage from somebody's household camera that shows them doing something compromising on the street and can use it against them or can harass them with the force of a rather-large police force that can make your life extremely difficult. 

Ben Yelin: So I think the potential for abuse is certainly there with any type of regime like this. And we're just - from a constitutional perspective, we're going so far aground from our traditional understanding of the Fourth Amendment, which is if the police want to follow you and surveil you, they have to get judicial authorization. But more importantly, it's just going to be logistically difficult because you can't track and trail everybody using traditional policing methods. There simply aren't enough officers. 

Dave Bittner: Right. 

Ben Yelin: But if we're getting into this world where SFPD is going to get access to private security cameras simply for nonviolent offenses, we're so far beyond the individualized suspicion that would justify surveillance in a court of law and so far beyond this idea that simply by going out in public, you're not necessarily exposing yourself to the whims of law enforcement and their own requests. So I think it might have a chilling effect on what people choose to do outside their homes in San Francisco, knowing that they're under this constant watchful eye and knowing that some of this footage could be very easily obtained. 

Dave Bittner: How could this play out? Could - you know, if someone gets caught up in this, you know, web of surveillance, could they file suit and, you know, challenge this? 

Ben Yelin: Yeah, you could challenge it on constitutional grounds because of the plain view doctrine, where the Supreme Court has said, anything in plain view is generally fair game for law enforcement, if you're not trying to conceal anything or protect your reasonable expectation of privacy. I don't suspect that a constitutional challenge would do particularly well, given current precedence. So I would say, if you are a San Francisco resident listening to this, and that probably includes several of my own family members... 

Dave Bittner: (Laughter). 

Ben Yelin: ...But maybe a few other people - this issue has yet to be decided at the legislative level. So the Rules Committee considered this issue. They intended to vote on it, but they delayed a vote until a new hearing next week to take into consideration public comment. So because I don't think a judicial challenge would necessarily be successful. For activists out there - and I think certainly the activist groups understand this - now is the time. Get yourself in front of that committee, those particular board of supervisors - members of the board of supervisors - and make your voices heard because once the policy is instituted, it's going to be really hard to file some sort of constitutional challenge, although we will certainly see those challenges. I just don't anticipate them being very successful. 

Dave Bittner: I'm just thinking about, you know, the - you and I have talked about this notion of the privacy of one's papers, right? 

Ben Yelin: Yes. 

Dave Bittner: And so I'm thinking, like - you know, I'm just playing out in my mind. Let's say I'm someone who, you know, sits at my front window in San Francisco, and I have a notebook, and I take notes about everything that's happening out front of my door, you know, as I'm allowed to do - right? - as a... 

Ben Yelin: Right. 

Dave Bittner: ...Resident. 

Ben Yelin: You'd be a weirdo, but sure. 

Dave Bittner: Yeah, sure. But - so something bad happens, and I take detailed notes about it. And the police come and they say, hey, we want our notes. And I say, go pound sand, copper (laughter). 

Ben Yelin: Right. Come... 

Dave Bittner: Yeah. 

Ben Yelin: ...Back with a warrant. 

Dave Bittner: Right. Come back with a warrant. So wouldn't my video footage be the same thing as my notes? 

Ben Yelin: Yeah. I mean, but if you think about what, at least the Fourth Amendment says in the Constitution, it protects yourself... 

Dave Bittner: Yeah. 

Ben Yelin: ...Your home... 

Dave Bittner: Right. 

Ben Yelin: ...And your stuff - your papers and your effects. 

Dave Bittner: Yes. 

Ben Yelin: Those are the things it protects. Now, as an extension of that, it also protects the digital versions of some of those things... 

Dave Bittner: Right. 

Ben Yelin: ...Depending on the particular issue. And it's not like courts are settled on how all those things extend to the digital world. And they have - there is more of this focus on whether the person being surveilled has a reasonable expectation of privacy. 

Dave Bittner: Right. 

Ben Yelin: But yeah, there is a huge difference. Your writing is protected. That's the - what you put on paper. Papers are something clearly covered in Fourth Amendment jurisprudence. But the camera you put up that's making observations of what other people are doing in public is not subject to that same type of scrutiny. That's the way the law is written right now. So, I mean, you're right to come up with that as a hypothetical because it's very true. 

Ben Yelin: I think that's kind of the danger of allowing nearly unlimited access to people's private security doorbell cameras citywide, is you're going to end up capturing a lot of innocent activity - somebody stumbles home drunk, you know, you're drugged at 3 a.m., a - somebody gets footage of you outside of a house or a business, and you're subject to prosecution and accused of drug dealing. That's an infringement on civil liberties, and that's something that's certainly going to offend people who care deeply about this stuff. 

Dave Bittner: Yeah. 

Ben Yelin: And there're so many different types of cameras. So I've - and I focused a little bit - because it's the most controversial, I focused on the Ring and the other doorbell cameras. But there are box cameras, dome cameras, bullet cameras... 

Dave Bittner: Right. 

Ben Yelin: ...IP cameras, day/night cameras, wide dynamic cameras. So they're everywhere, man. 

Dave Bittner: (Laughter). 

Ben Yelin: I mean... 

Dave Bittner: Right. 

Ben Yelin: ...There are very few spots in the city that you would be safe from surveillance if this policy were to get enacted. And that's why it's faced such prominent opposition... 

Dave Bittner: Wow. 

Ben Yelin: ...Among the populace in San Francisco. 

Dave Bittner: All right. We'll keep an eye on that one. Time will tell, for sure. My story this week comes from the folks over at Insurance Journal. They cover the insurance market. It's an article written by Chad Hemenway, and it's titled, "Travelers Wants Out of Contract with Insured that Allegedly Misrepresented MFA Use." So let me walk you through this 'cause I think it's interesting. So Travelers Insurance Company, you know, big-time, big-name insurance company... 

Ben Yelin: Seen their commercials. Yep. 

Dave Bittner: Yep. Yep. So they wrote up a cybersecurity policy for a company in Illinois. The company name is International Control Services, or ICS. And as part of this policy, Travelers had them fill out a form. And part of that form said, do you use multifactor authentication? And the organization ICS said, absolutely. Yes. We do. So time passes. ICS gets hit by a number of different, you know, cyberattacks, including a ransomware attack back in December of 2020. And when they go to make their claim with Travelers, Travelers does their due diligence and discovers that the company actually was not using multifactor authentication in the ways that they had sworn to when they applied for their insurance policy. They had a signed letter from the CEO of the company saying that they use MFA for administrative and privileged access, but that turned out to not be the case. So now Travelers is going to the court. And evidently this is - according to this article, this is the first case of its kind. Travelers is going to the court to say, hey, we want this insurance policy null and void. We want to rescind the policy and declare that we have no duty to indemnify or defend ICS for any claim, basically because they were dishonest in their application. What do you make of this, Ben? 

Ben Yelin: Would everyone hate me if I took Travelers Insurance side? - 'cause that's kind of where I'm leaning here. 

Dave Bittner: Me too (laughter). 

Ben Yelin: So... 

Dave Bittner: I mean, you feel bad for the little guy who got hit by ransomware. But I'm thinking, like, if I - if Travelers came to me and said, hey, you know, we want to insure your building. Do you have sprinklers and fire extinguishers or fire escapes? And I said, absolutely. And then the building burns down. 

Ben Yelin: With no sprinklers that deploy, yeah. 

Dave Bittner: There's no sprinklers, no fire escapes, right? Well, is this the same sort of thing? 

Ben Yelin: It is. I mean, you can't lie when you are applying for insurance because there are very specific ways that they evaluate your level of risk, and that determines the policy that's going to get covered. 

Dave Bittner: Right. 

Ben Yelin: So I think multifactor authentication is the security measure that's taken to protect information security - just as a sprinkler system protects you from fire, just as every other risk mitigation method that businesses and households take is factored into an insurance policy. 

Dave Bittner: Right. 

Ben Yelin: I'm frankly kind of surprised that this seems to be one of the first cases where we're seeing an insurance company try to null and void a particular policy because of a misrepresentation about multifactor authentication. But from a legal perspective, this seems like a pretty significant material breach of contract that should allow Travelers Insurance to get out of that agreement. The lesson here is you just cannot lie about having multifactor authentication if you don't actually have it... 

Dave Bittner: Yeah. 

Ben Yelin: ...In a meaningful way. And I think - I can't really figure out a way to differentiate that between the hypothetical that you just presented. How is that any different than saying you have a sprinkler system, and the fire happens, and no sprinkler system exists? 

Dave Bittner: Yeah. 

Ben Yelin: That is a material misrepresentation on your insurance application. That's a no-no. And that is a way for your insurance company to say, yeah, we're not covering that. 

Dave Bittner: (Laughter) Right. Right. 

Ben Yelin: So, yeah, I mean, for all the obvious cyber hygiene reasons, make sure that your organization has multifactor authentication. But if you don't, don't lie about it on your insurance application. 

Dave Bittner: Yeah. And I'm trying to imagine - you know, the folks at ICS - I'm just, you know, trying to give them as much benefit of a doubt as possible here, where, you know, they're going through. They're getting their cyber insurance. You know, the boss says, hey, Ben, you know, go get us some cyber insurance. And you go out and you get this - you know, it's your job. 

Ben Yelin: Right. 

Dave Bittner: And so you engage with the insurance company, and you have to fill out this form, right? And it says, do you use MFA? And you're like, oh, man, well, they're not going to give us the insurance if I say no here. You know what? I'm going to put that on my to-do list, right? So, you know, you tell the lie, but in all effort, you're intending to put MFA into place, you Know? But... 

Ben Yelin: And you just don't do it? 

Dave Bittner: ...You just don't get to - you just - well, you know, times are tough, Ben. And you're busy, and you just don't get around to it. And in the meantime, the ransomware attack happens. I guess you rolls the dice, and you takes your chances, right? I mean, that's the risk that they took here, according to, you know, what they're alleging in this article. And I don't see any way they're going to win here. It just seems pretty open and shut to me. 

Ben Yelin: It seems pretty open and shut to me, too. Yeah. I mean, no matter what their intentions were, the insurance policy that they've purchased is based on a mutual understanding... 

Dave Bittner: Right. 

Ben Yelin: ...Of the facts that existed at the time. And what ICS is representing is that they had robust multifactor authentication. And that was false when it was attested to... 

Dave Bittner: Yeah. 

Ben Yelin: ...Meaning that's a material misrepresentation. Contract law 101 - I'm not an expert in insurance, but that's a pretty significant, obvious breach. And so no matter what your intentions were, even if you were saying, OK, well, I'll say I have this in anticipation that we're going to set it up over the next couple of months. You really can't screw around with that in an insurance application. 

Dave Bittner: Yeah. 

Ben Yelin: Because every policy is so individualized to the risks inherent in that business that the insurance company is going to nab you for it. 

Dave Bittner: I also - I mean, it's interesting to me, too, how - and I think rightly so - the insurance companies are now providing the incentives for organizations to set their security right. 

Ben Yelin: Right. 

Dave Bittner: And in the same way that, you know, if I get a homeowner's insurance policy on my house or an insurance policy on my place of business, chances are somebody's going to come out and do even just a casual inspection, right?.. 

Ben Yelin: Right. 

Dave Bittner: To say yes, you actually have smoke alarms. Yes, you actually - you know, the firewall goes all the way up to the peak of the roof, you know, all these types of things they're going to do. I wonder if an organization like Travelers, as these sorts of things happen, are going to say, OK, we can't just rely on this form anymore. 

Ben Yelin: Let me see it. Yeah. 

Dave Bittner: Yeah. Prove it. Right? 

Ben Yelin: I mean, look, let's take a different example - life insurance. I have a life insurance policy. You know, as a relatively young person in my 30s in pretty good health... 

Dave Bittner: Yeah. 

Ben Yelin: ...I can get a great rate. 

Dave Bittner: Right. 

Ben Yelin: But there are things that would increase my risk level. And certainly that's something that the insurance company is going to want to know about. So they asked me a bunch of questions about my medical history... 

Dave Bittner: Yeah. 

Ben Yelin: ...About various metrics... 

Dave Bittner: Yeah (laughter). 

Ben Yelin: They could trust me, or they could do what they actually did, which is have somebody come over to my house and give me a blood test. 

Dave Bittner: Yes (laughter). See, that's where I was going... 

Ben Yelin: Yeah. 

Dave Bittner: ...'Cause I wasn't sure if you were in that zone yet because I am absolutely in that zone yet, having a few years on you. You know, they don't take anything for granted. If you say something, they're coming over, and they're taking blood (laughter). 

Ben Yelin: They are taking your blood. 

Dave Bittner: Right. right. 

Ben Yelin: They suck your blood. 

Dave Bittner: Right - the vampires. 

Ben Yelin: They're the vampires of the industry. 

Dave Bittner: (Laughter) Yeah. 

Ben Yelin: Yeah. I mean, I think that they're doing their due diligence... 

Dave Bittner: Right. Right. 

Ben Yelin: ...'Cause there's a huge risk if I'm somebody who has diabetes or, you know, high cholesterol. That's something that's going to increase my actuarial risk... 

Dave Bittner: Yeah. 

Ben Yelin: ...Just as somebody who didn't have multifactor authentication. 

Dave Bittner: Right. 

Ben Yelin: So, yeah, it's incumbent upon the insurance company to check. But there are certain things that you do just put on forms that aren't checked. And there is kind of a level of trust. 

Dave Bittner: Yeah. 

Ben Yelin: You know, if I said that I was a nonsmoker and I was a pack-a-day kind of guy, you know, there wouldn't be somebody watching over me 24/7 to see whether I smoke cigarettes or not. 

Dave Bittner: Right. 

Ben Yelin: But if, you know, I was caught misrepresenting that and somebody realized that I was smoking and drinking and doing all sorts of terrible vices unto my body... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Then that's going to catch up with me. And the insurance policy is - you know, might be rescinded in that context. 

Dave Bittner: Yeah. All right. Well, we will have a link to that story in the show notes. We would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's caveat@thecyberwire.com. 

Dave Bittner: All right, Ben, I recently had the pleasure of speaking with Dov Lerner. He is a security research lead at an organization called Cybersixgill. And we were talking about some things that he and his colleagues have been tracking, specifically the recent doxxing of the U.S. Supreme Court after the overturning of the Roe v. Wade decision. We saw this happen here. And part of our conversation focuses on things that used to be considered off limits seems are now routine. Here's my conversation with Dov Lerner. 

Dov Lerner: The dark web - what we look on in the dark web is generally financially motivated cybercrime - right? - meaning majority of dark web actors are on the dark web to make money. But we also see ideologically motivated cybercrime, right? - the hacktivism. One of the things that we see in hacktivism is doxxing. Someone will out the details of someone else, an adversary, a rival. It began in the gaming world, right? So it was that one gamer felt that another gamer cheated or did something wrong or slighted them in some way, and so they would out their opponent's details. 

Dov Lerner: Now, a colleague of mine, actually - I'm not going to take credit for this - a colleague of mine came across a post on Telegram saying that there was credit card information for Supreme Court justices floating around the dark web. So my colleague passed that to me, and I did some searching, and I found the original post. And that was a wow moment because, again, something that began as a way for one gamer to get back against another turned into a political statement against the highest court in the land. So that was, again, a very big wow moment. And then when I continued researching, I found that this was not the only alleged dox of the Supreme Court justices. I found several other ones. And just to clarify, this is the justices that voted to overturn Roe v. Wade, minus Chief Justice Roberts. He did not appear in any of the doxxes. But the other justices that voted that way did appear on the doxxes. 

Dave Bittner: Yeah, I mean, it is really fascinating here. Can you give us some insights? I mean, is it typical for a high-profile person to have additional protection of things like their credit card details? 

Dov Lerner: Yeah. So I am skeptical, to be honest, if that was actually their real credit card details. That would suggest a level of access to them that requires, you know, hacking, breaking into their phone or computer or something, right? That's - again, I'm skeptical if that data is real. What I do think is real with much higher confidence because, you know, this is information that should be out there, but is not necessarily easy to find - there was information about their siblings, their spouses, their personal email addresses, phone numbers, physical addresses, family members, vehicle make and model - a lot of other information that seemed legitimate, right? That information, I think, is much more likely to be real information. And that's something that, you know, someone could have done a lot of sleuthing. They might have looked through public records and statements. Because these are government officials, they need to file all sorts of public paperwork and everything. So someone dug very deep. 

Dave Bittner: Now, were the people who were offering this information up - was it - did it appear as though they're looking to make a profit on this, or are they just out there sort of for the chilling effect of putting all this information in one place? 

Dov Lerner: Yeah. No, all the information was there. There was no payment necessary. Anyone now can access it. And it's there. And these actors - some of them remained anonymous, but the three actors that posted doxxes that were named actors - right? - as an actor, you can be anonymous on this site, or you can be named. And the actors that were named were all relatively new actors. So these were not actors that really had long reputations or anything. So yeah, I mean, it seems like they did it, you know, for political reasons - not just for fun - and, you know, for opposition to the case. Yeah. I mean, they posted it on the very basic level. Doxxing is intimidating. It's an invasion of privacy. It makes someone feel uncomfortable that their information is out there, and their spouse and their siblings and all of that. And I really hope not, but it's also - you know, it could be a call to action, where they're saying, I'm putting this out there, and someone else do something with it. And they - I truly hope that this does not, you know, encourage any further intimidation or violence or threatened violence, but the person that posted it might have wanted that. 

Dave Bittner: Yeah. It also strikes me that, you know, obviously you have the folks who are opposed to the overturning of Roe v. Wade who could take action on this. But also, I suppose there's the possibility that, you know, foreign actors could just be looking to kind of stir the pot. 

Dov Lerner: For sure. You know, once - again, it took a high level of sleuthing to put all of this together. You know, it's not something that a typical person would necessarily want to do or be able to do. And, yeah, once this is out there, then anyone can now access it. And this is not data - you know, this isn't a password that can be changed. Siblings' names are siblings' names, and addresses are addresses. These are things that are real people, you know, with real implications. 

Dave Bittner: Yeah. It also strikes me that this is really a - I don't know - a shifting of - I suppose norms might be a way to say it - you know, that there simply aren't things that used to be out-of-bounds anymore. 

Dov Lerner: Yeah. You know, as someone who very much cares deeply about civility in American political discourse and horrified by any sort of political violence, this is a step further, you know, in the wrong direction. This is something where, you know, again, someone can act on it. And, as I said, it's frightening that something took that leap from the gaming world of, you know, two gamers in a rivalry to, you know, going against the Supreme Court justices. And this one is clearly an actor with political tendencies on the left wing, but, you know, someone on the right wing can do this as well, right? There's no limitation to who can do this - from which political angle. 

Dave Bittner: You know, part - you know, your expertise, with you and your colleagues taking a look at things going on on the dark web - to what degree could someone purchase this sort of service? If I, you know, had it in mind to dox someone, could I hire someone to - with expertise to do that for me? 

Dov Lerner: Yes, you can. There are doxxing services on the dark web, and you can hire someone to dox someone, and they'll post it and everything, and they'll put together as much as they can. 

Dave Bittner: And how are prices set for something like that? 

Dov Lerner: I don't know. I don't know if prices are necessarily listed. It might depend on who the person is or whatever. I haven't - I don't know off the top of my head what the prices are. 

Dave Bittner: Yeah. So I suppose it's the typical supply and demand and how much risk someone would be taking to take something on like this. 

Dov Lerner: For sure. If it's just a bit of Googling, without any intrusion into the network or, you know, that person's devices, then it's going to be less than if it involves some sort of hacking or social engineering. 

Dave Bittner: I mean, do you suppose that this is the kind of thing that could lead to more attention on the dark web itself or, you know, a crackdown on these sorts of activities? This strikes me as the kind of thing that'll get the attention of people in power. 

Dov Lerner: So you asked previously, what does the typical person have to fear with the dark web? The typical person doesn't, you know, have to fear much beyond just stay safe; keep strong passwords; make sure that you're protected. However, VIPs are a completely different story, right? If you're a VIP, if you are the head of a company or a political figure or a media figure, someone who is well known and therefore has some sort of reason to be targeted, then it's a very, very different - it's a different ball game, different rules. And VIPs need to be monitoring their name or the organizations that need to protect them, whether it's enterprise or politics, whatever it is - media - VIPs need to understand how are they being mentioned on the dark web, if there are any ideological risks that they're carrying based on who they are. This is something where they really need to pay attention. 

Dave Bittner: Ben, what do you think? 

Ben Yelin: Yeah. I mean, this is a serious problem. It was interesting for him to go through the history of it. It started as something that was rather niche to the video game industry. 

Dave Bittner: Right. 

Ben Yelin: But we've started to see instances where this has very serious consequences on the people that are affected. It's happened to people who are public officials, as the example with the Supreme Court justices. And it's happened to private individuals who say the wrong thing online and then have an army of trolls who come try and find them based on their address, any publicly available information. 

Dave Bittner: Right. 

Ben Yelin: And it really is a scourge. 

Dave Bittner: We saw, you know, election officials, you know, volunteers being harassed with this sort of thing. 

Ben Yelin: Right. Right. And that's obviously very wrong. You know, whether you have sympathy for the specific Supreme Court justices is, I think, besides the point. Going to anybody's private home based on leaked information online presents a certain level of risk. And just presenting that information online introduces a level of risk, 'cause as we saw, I mean, there was a crazed person who was intending to kill Justice Kavanaugh... 

Dave Bittner: Right. 

Ben Yelin: ...And was arrested before he got to his house. So even if you think your protest is going to be peaceful, having the information out there is inherently dangerous. So I just think the interview made that point. It was well taken. And it's certainly a present danger in our current environment. 

Dave Bittner: But how much of this is just - you know, we've seen, certainly through the last - well, through the previous presidential administration - during the Trump years - we saw a lot of jettisoning of norms. And I think a lot of us learned that there were things that we'd taken for granted that were not policy... 

Ben Yelin: Right. 

Dave Bittner: ...That were just courtesy. 

Ben Yelin: Right. 

Dave Bittner: And if people are going to throw courtesy out the window, which I think this is an example of - I don't know that there's anything illegal about demonstrating outside of someone's home, right? 

Ben Yelin: In some states, there is. 

Dave Bittner: OK. 

Ben Yelin: I mean, there was a - I know locally here in Maryland, there's an ordinance in Montgomery County against protesting outside the homes of public officials. And there has been a letter from the - I mean, maybe it's the state police asking the county to enforce it... 

Dave Bittner: OK. 

Ben Yelin: ...Enforce that law. So it does exist somewhere. 

Dave Bittner: Yeah. 

Ben Yelin: But generally, you do have a First Amendment right, as long as, you know, you're not violating any time, place and manner restriction. 

Dave Bittner: Right. 

Ben Yelin: But, yeah, as you say, it's a thing that was just not done. And we're now in an era where when norms are thrown out the window, that's just - that's not just the norms that you disfavored. 

Dave Bittner: Yeah. 

Ben Yelin: It's also the norms that kept us as a civil society. And that's the risk, of something like this happening. 

Dave Bittner: I suppose the flipside of that argument would be that if things get serious enough, it's no longer time to be polite. 

Ben Yelin: Right. I mean, yeah, I think that - the real solution is, if this is something that is actually a societal problem, then you have to codify it into policy. Now, some of that is going to be possible. Some of it is not going to be possible because of the structure of our Constitution. But I think just expecting everybody to follow norms in an era where we're so polarized and so angry certainly presents its level of risk. 

Dave Bittner: Yeah. Go protest at the Supreme Court. Leave them - leave their kids alone. 

Ben Yelin: Yeah. Now, in fairness, I will say, they put up a giant fence in front of the Supreme Court... 

Dave Bittner: Right. 

Ben Yelin: ...So they're not exactly helping in that regard. 

Dave Bittner: Right. 

Ben Yelin: But, yes, protest outside the fence. Exactly. 

Dave Bittner: Yeah. Yeah. All right. Well, our thanks to Dov Lerner again. He's a security research lead at Cybersixgill. We do appreciate him taking the time for us. 

Dave Bittner: And that is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.