> State Bar officials learned about the posted records on Feb. 24. As of Saturday night, all the confidential information that had been published on the website judyrecords.com — which included case numbers, file dates, information about the types of cases and their statuses, respondent and complaining witnesses names — had been removed, officials said.
> ...Full case records were not published. Officials said they don’t know whether the published information was the result of a hacking incident. Judyrecords.com is a website that aggregates nationwide court case records.
edit: The "Info" link [2] on judyrecords.com has updates related to this event. It asserts that the confidential data was available on the CA Bar's own website:
> These records were all (confidential & non-confidential) previously publicly available at https://discipline.calbar.ca.gov (now offline).
[0] https://www.latimes.com/california/story/2022-02-27/californ...
edit: would love to check, but[0]
> The State Bar Court Portal will be unavailable from February 25th to February 28th due to maintenance activities. During this time the Case Search and Court Calendar functionality will not be available.
[0] https://apps.statebarcourt.ca.gov/dockets.aspx via https://www.statebarcourt.ca.gov/Public-Records-Information
I think in the era of go in and get things, things should be "public".
Now in the search engine age and data available at your fingertips we need to entirely change our public records laws... Immediately.
edit: In fact a HN User said this with NO REPLY from the author of that Show HN: I have some records that are sealed, but show up in this database. So there are records that were once ‘public’ but are no more, but this database makes them public again.
I think that website should be taken offline immediately.
I am certain that many people in government would agree with you - they would LOVE to be able to hide what they are doing and not be held accountable for decisions they make (or don't make). We need more public disclosures, not less, imo.
>>So there are records that were once ‘public’ but are no more, but this database makes them public again.
This website didn't make them public, they just gave others a way to access them - once something is public, and in control of others, it is impossible to make them 'un-public' without violating the 1st amendment.
And most importantly, who does get access to the records? That exclusive access will give them a lot of power.
get the idea?
What are they going to do next, call Missouri's governor and ask for the playbook to follow? The humans behind the scenes at the bar are looking incredibly pathetic here.
Maybe they accept it, but just don't admit to their mistake. Seems to be a growing trend, unfortunately. Perhaps the result of a society who more and more punishes people for admitting to their mistakes, rather than rewarding them for admitting to it and learning from it.
It's very sad to me, that this seems to be getting so much more common.
Closing with "Law enforcement has been notified" doubles-down on "we published everything but maybe if we can get somebody charged for a bogus crime then we won't look so stupid."
It's the bar. Of all the organizations to respond like lawyers covering their own asses as hard as possible, you have to expect this one.
They have nothing but praise for the judyrecords owner, actually!
And they're a bunch of lawyers -- they likely know that.
The very first paragraph of the article seems to contradict that. Do you have a source that says otherwise?
Sounds like Missouri teachers SSN leak again... The website that judyrecords scraped, discipline.calbar.ca.gov, contained all of these "nonpublic" records for anyone to see.
This applies even more when the site you scraped didn't have permission to show the data in the first place. Their mistake does not rise to be your permission; if it was my data, I would have as much a claim against you as them. "The software did it" is not an excuse.
The State Bar announced today that it is taking urgent action to address a breach of confidential attorney discipline case data that it discovered on February 24. A public website that aggregates nationwide court case records was able to access and display limited case profile data on about 260,000 nonpublic State Bar attorney discipline case records, along with about 60,000 public State Bar Court case records. The site also appears to display confidential court records from other jurisdictions.
Under California Business and Professions Code 6086.1(b), all disciplinary investigations are confidential until the time that formal charges are filed, and all investigations are confidential until a formal proceeding is instituted.
The nonpublic case profile data from the State Bar appears to have been displayed on this public website in violation of this statute. It includes case number, file date, case type, case status, and respondent and complaining witness names. It does not include full case records. We do not yet know how many attorney or witness names were disclosed.
edit: If you're wondering if I'm a hardened criminal with a wake of victims left behind, the answer is no. I was 22 and got caught in the midwest with an ounce and a half of cannabis. This website, as far as I'm concerned, is displaying inaccurate information about me that could have serious negative consequences for myself.
You might want to check with a more thorough source, like a criminal background check agency.
When you renew your membership, there are a variety of addon payments you can opt into by checking boxes for these items. Then, on a later page, there are various addon payments that you have to opt out of.
Making things even trickier, these aren't pre-checked boxes, which might lead the user to realize he needs to uncheck them. Instead, there is a list of "adjustments" with a dropdown menu for each. The dropdown defaults to "none", which would lead users to think that they are not paying for an extra item. But when you click on the dropdown, you see the option to "deduct $x" if you don't want to pay the additional fee.
I've never seen a dark pattern like this anywhere else. Perhaps the folks who run the calbar website could spend less time finding ways to trick members into overpaying and more time securing private information.
I was going to joke that you're a lawyer, you should sue them, but they're not doing anything illegal, just very shady.
Does this part of the code apply to everyone, or only the folks in charge of the investigations, or in charge of safeguarding the information?
If someone is in a bar and overhears a Bar employee talking loudly about an investigation, do they have a legal duty to keep what they heard confidential?
Really?
The problem is that this would make the database entirely inaccessible unless you have access to the password. That creates quite a lot of friction in the user experience, the user would have to provide his password on every interaction (ie not just when logging in).
We're basically just discussing end-to-end encryption.
The real reason it's not done more often is that it makes a lot of things way more complicated from a development perspective. Features like "allow users to send messages to each other" that would normally be really simple to implement suddenly require a whole public key infrastructure and logic to take into account edge cases like "What if the user got a new phone or changed their password and was offline when the message was sent?", or onerous threat models like "What if the server is controlled by an attacker when I sign-in?"
Also, I'm not sure this is an actual breach. I think they accidentally published the data themselves, that's the vibe I'm getting from reading between the lines. It's like the code maybe missed checking a flag that would exclude private records from showing.
Private key cryptography would be better, maybe encrypt a private key with a password and store that along with the public?
We can't determine what their password is based on the hash alone, which is why we couldn't hash all the user data in the DB with their password and store that.
The idea behind crypto shredding is that you have a cryptographic key for each entity in your system and you use that key to encrypt all fields for a given record. When it comes time to delete that data, you simply discard the key used to encrypt it. Assuming you've used reasonably good cryptography, this data is now effectively gone.
This is useful in cases where:
* You need to support the right to be forgotten (as defined in the CCPA[2] or GDPR[3]), since all you need to do to "delete" a user's data is to delete the key used to encrypt.
* The data you need to delete exists across multiple data stores/applications/environments and ensuring consistency for the deletion across all these places is difficult. For example: You may have DB backups, long-lived caches, or 3rd party services/vendors that may have copies of this data.
* You want to discard some, but not all, of a user's data. This is important in cases you're required by law to retain specific kinds of information even after a person has required its deletion. For example, banking and finance companies are required to keep specific records about who they sent money to or performed services for.
1. https://en.wikipedia.org/wiki/Crypto-shredding
2. https://www.oag.ca.gov/privacy/ccpa
3. https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
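The crypto-shredding scheme described in the comment above, as an added Python example (not part of the original comment or any project's code): one key per (entity, category), a ciphertext copy in a backup, and a selective shred that leaves the retained category readable. The `KeyStore`, `seal` and `unseal` names and the sample records are assumptions, and the HMAC-SHA256 construction is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

class KeyStore:
    """One random key per (entity, category); deleting the key is the shred."""
    def __init__(self):
        self._keys = {}

    def key_for(self, entity, category, create=False):
        ident = (entity, category)
        if ident not in self._keys:
            if not create:
                raise KeyError(f"no key for {ident}: shredded or never issued")
            self._keys[ident] = secrets.token_bytes(32)
        return self._keys[ident]

    def shred(self, entity, category):
        self._keys.pop((entity, category), None)

def _subkey(key, label):
    # Separate encryption and MAC keys derived from the record key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, not for production.
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

def demo():
    keys, primary = KeyStore(), {}
    records = {  # constructed sample data
        ("user-17", "profile"): b"name=Jane Example; email=jane@example.test",
        ("user-17", "transactions"): b"2022-02-01 wire 250.00 to ACME",  # must be retained
    }
    for ident, value in records.items():
        primary[ident] = seal(keys.key_for(*ident, create=True), value)
    backup = dict(primary)  # a ciphertext copy the deletion job never touches
    keys.shred("user-17", "profile")  # erasure request: discard only the profile key
    readable = {}
    for (entity, category), blob in backup.items():
        try:
            readable[category] = unseal(keys.key_for(entity, category), blob)
        except KeyError:
            readable[category] = None  # ciphertext still exists but is unrecoverable
    return readable
```

Shredding only holds if the key store is kept out of the backups and caches that hold the ciphertext; a backed-up key undoes the deletion.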
That method wouldn't stop a determined 12 year old, let alone a competent attacker. Please use a properly engineered and implemented encryption instead of coming up with harebrained schemes.
Most systems will restore access for a user who forgot their password.
I don't care what the org "intended" to do. The org assumed the responsibility of providing an API and with it the responsibility of securing private data. They failed and should be held culpable.
Boeing doesn't call it a "cyberattack" when their altitude control systems fail because of poor design.
Honestly the biggest blocker for me was that I assume blurring/redacting text from a video would be tricky, but I think YouTube might have a tool that blurs moving objects relatively easily. Or I could just include screenshots...
>>>The site owner (of judyrecords) claims that the State Bar’s confidential and public case records were all previously available at a public URL. Is this true?
>>>The State Bar Court website allows the public to search for publicly available case information. The extent to which the external aggregating website was able to obtain nonpublic information that was stored in the Odyssey case management system is still being investigated.
I am inclined to believe judyrecords, until proven otherwise.
A perfect example why MORE public information is better than less.
> We do not know yet. The State Bar’s Odyssey case management system software vendor, Tyler Technologies, has been tasked with investigating what happened, taking the steps needed to rectify the breach, and ensuring something similar does not happen again. The State Bar also retained a team of IT forensics experts to assist in our investigation.
> The site owner claims that the State Bar’s confidential and public case records were all previously available at a public URL. Is this true?
> The State Bar Court website allows the public to search for publicly available case information. The extent to which the external aggregating website was able to obtain nonpublic information that was stored in the Odyssey case management system is still being investigated.
It sounds extremely likely that the state bar had a website misconfigured, and the automated systems of the aggregation site sucked down all the data it was technically (but not legally) given access to.
All of those problems are solvable, but "simply" is hardly the word I'd use to describe designing a secure end-to-end encrypted application. It's way, way more development effort than just "hash user passwords with bcrypt and don't allow access without the password", which is why it's rarely done unless E2E encryption is a major selling point of the application.
Also goes for divorces. By and large I agree with your take, but playing around with the search got me thinking that maybe we just make too much a matter of public record and that some things might just be too noisy, even if it isn’t the biggest privacy violation per se. Still mulling it over though, so I can’t say I’m committed to that position yet, feel free to talk me back.
I think the main concern is that the more powerful the actor (e.g., government is very powerful) the more important transparency is, and the more vulnerable the actor, the more important privacy is.
For example, if an Apple (picking a random company) employee complains to authorities about dangerous working conditions, that employee may be very vulnerable - Apple could blacklist them; other businesses, if they learned of the complaint, could do the same, not wanting a 'troublemaker'. And that employee may be financially vulnerable, needing the job; their privacy should be maintained if possible. But Apple and the government are both powerful and there should be transparency about the working conditions, investigation, and outcome.
You could go by legal entity, just make lawsuits involving corporations public, and lawsuits between individuals private: but while Apple might have global influence, your rich and litigious neighbor in a rural county is probably a more immediate concern to you. Also individuals can sue corporations and corporations can sue individuals.
I’m still inclined to think court records should stay public, but I’m now more interested in seeing if there’s a kind of filter we can put on what we make public than I was two weeks ago.
My own name brought up a couple tickets. In 2014 I got a cell phone ticket. There's something kind of funny seeing an all-caps official document explaining that THE PEOPLE OF THE STATE OF CALIFORNIA were all arrayed against me! :)
I was able to find almost every single other person I searched though, chose not to dig into it any further than I could confirm it was someone I actually knew, typically by birth date.
In theory, anything that went to trial would have transcripts available (unless it's sealed, like for minors). Many of these complaints could still have the transcripts available for the cases associated with them. But it's hard to tell what the alleged problem or misconduct is. I emphasize alleged because I assume the nonpublic ones were ones in which the lawyer was not found "guilty". In my state, the Bar will only investigate prosecutors if the court has already issued a statement determining prosecutorial misconduct occurred. So prosecutors get off without scrutiny most of the time.
Except of course, when "national security" is involved.
Yes, you could symmetrically encrypt the tiny portion of personal data that needs to be read solely by you without much added complexity.
However, with few exceptions (password managers, backups, personal notes, etc), the whole point of uploading data to an online service is to allow it to be shared with other people or services. Once that happens, you need all those complicated key management and security systems I just talked about. It's effectively end-to-end encryption.
Agreed 100%, a local court has been making precedents with that and...it's unnerving.
https://www.thv11.com/article/news/politics/routine-gag-orde...
Just because you can’t make something 100% perfect doesn’t mean you shouldn’t try. Locks aren’t unbreakable. Seatbelts won’t always save you. Your cloud service won’t always stay up. Yet we use and build all these things and no one has an issue with it.
And for all intents and purposes, if court records are meant to be hidden to protect someone’s future chance of success, by all means we should do what we can.
As a side note, I don't think Bar complaints should be private. People running the system should be transparent. The only reason transparency should be limited is with the name of the witness. Otherwise, how can we be sure the system is functioning correctly?
I do not think that is accurate.
How do you propose someone could stop someone from releasing a record they acquired publicly, exactly?
Seize it? Prohibit someone from saying something they found out via a public route on penalty of fine or prison?
Even in the US there are limits on free speech. A judge would weigh 1st amendment rights vs other considerations, but there are limits. Yelling fire in a theatre and all that.
new world now
* There are different levels of availability: For example, some court records could be public but not available outside the courthouse.
* Court records could be public by default, but take into account certain factors: Public interest, the power of the party, the vulnerability of the party. Criminal cases should probably be public - it is not dispute resolution (as with civil cases) but the government taking someone's freedom and/or property. The government's actions should be transparent.
And does infringe their 1st amendment rights, by the way.
And if it’s a million documents and the publisher is everyone who got a torrent done in the months before the injunction?
You do not have a 1st amendment right to post, for example, classified documents or protected intellectual property. If you post those things, even if 2,000 people posted them before you, the law can still come down on you.
There's definitely a massive "should" aspect there, however, the courts will protect you in that case. The one who got them for you, or if you committed a crime in acquiring them however...
That is a different story.
> You do not have a 1st amendment right to post, for example, classified documents or protected intellectual property. If you post those things, even if 2,000 people posted them before you, the law can still come down on you.
Did the reporters who broke the pentagon papers see court? Only the source as I recall, which seems contrary to your statement.
It isn't infeasible to see a future where this website could continue to provide the public the benefit of its existence, and also help protect the people who actually do need to have their records protected;
It sort of depends on how anarchistic the maintainers lean, and how much of an appetite courts actually have for fixing record leaks rather than blocking access to the tools or suing...
I guess you could verify a record should be in a sealed state with the file that states the sealing happened, right? I vaguely remember document IDs from the last time I touched anything related to them.
Perhaps the RIAA should be in charge of national security from now on?
Yes. https://en.wikipedia.org/wiki/New_York_Times_Co._v._United_S...
And the ruling was printing classified documents was protected, though the government is trying to reverse this ruling with the Assange case.