Hacker News
State Bar of California addresses breach of confidential data (ca.gov)
209 points by borepop on Feb 28, 2022 | 96 comments



According to this LA Times [0] story, the records were apparently found on judyrecords.com, a project recently discussed in a Show HN [1]

> State Bar officials learned about the posted records on Feb. 24. As of Saturday night, all the confidential information that had been published on the website judyrecords.com — which included case numbers, file dates, information about the types of cases and their statuses, respondent and complaining witnesses names — had been removed, officials said.

> ...Full case records were not published. Officials said they don’t know whether the published information was the result of a hacking incident. Judyrecords.com is a website that aggregates nationwide court case records.

edit: The "Info" link [2] on judyrecords.com has updates related to this event. It asserts that the confidential data was available on the CA Bar's own website:

> These records were all (confidential & non-confidential) previously publicly available at https://discipline.calbar.ca.gov (now offline).

[0] https://www.latimes.com/california/story/2022-02-27/californ...

[1] https://news.ycombinator.com/item?id=30399881

[2] https://www.judyrecords.com/info


Let me guess... judyrecords.com collected these by iterating over some chronological id that didn't properly check if someone has read rights.

edit: would love to check, but[0]

> The State Bar Court Portal will be unavailable from February 25th to February 28th due to maintenance activities. During this time the Case Search and Court Calendar functionality will not be available.

[0] https://apps.statebarcourt.ca.gov/dockets.aspx via https://www.statebarcourt.ca.gov/Public-Records-Information


I thought something was off about that site. It doesn't seem fair or legal to just publish that data like that.

I think in the era of "go in and get things", things should be "public".

Now in the search engine age and data available at your fingertips we need to entirely change our public records laws... Immediately.

edit: In fact a HN User said this with NO REPLY from the author of that Show HN: I have some records that are sealed, but show up in this database. So there are records that were once ‘public’ but are no more, but this database makes them public again.

I think that website should be taken offline immediately.


>> we need to entirely change our public records laws... Immediately.

I am certain that many people in government would agree with you - they would LOVE to be able to hide what they are doing and not be held accountable for decisions they make (or don't make). We need more public disclosures, not less, imo.

>>So there are records that were once ‘public’ but are no more, but this database makes them public again.

This website didn't make them public, they just gave others a way to access them - once something is public, and in control of others, it is impossible to make them 'un-public' without violating the 1st amendment.


> I am certain that many people in government would agree with you - they would LOVE to be able to hide what they are doing and not be held accountable for decisions they make (or don't make). We need more public disclosures, not less, imo.

Agreed 100%, a local court has been making precedents with that and...it's unnerving.

https://www.thv11.com/article/news/politics/routine-gag-orde...


What's the point of sealed records then? How would that be managed? We should let citizens have some privacy right?


If they were sealed, they shouldn't be made public until they become unsealed (if ever) - but if they were public at some point, they are for all intents and purposes public forever. Very hard to make something private, after it has been out in the public.


Plenty of things become super hard to find after no one cares about it anymore. High profile cases aren’t like that but most things are not high profile.

Just because you can’t make something 100% perfect doesn’t mean you shouldn’t try. Locks aren’t unbreakable. Seatbelts won’t always save you. Your cloud service won’t always stay up. Yet we use and build all these things and no one has an issue with it.

And for all intents and purposes, if court records are meant to be hidden to protect someone’s future chance of success, by all means we should do what we can.


I don't think the discussion is about sealed records. I think the main point here is that the state needs to adequately seal the record.

As a side note, I don't think Bar complaints should be private. People running the system should be transparent. The only reason transparency should be limited is with the name of the witness. Otherwise, how can we be sure the system is functioning correctly?


> once something is public, and in control of others, it is impossible to make them 'un-public' without violating the 1st amendment.

I do not think that is accurate.


Can you be more specific?

How do you propose someone could stop someone from releasing a record they acquired publicly, exactly?

Seize it? Prohibit someone from saying something they found out via a public route on penalty of fine or prison?


Um, yes? Courts can issue injunctions to stop people from publishing material they have. If they breach the injunction they can go to jail, or have some other penalties imposed.

Even in the US there are limits on free speech. A judge would weigh 1st amendment rights vs other considerations, but there are limits. Yelling fire in a theatre and all that.


Which works if it is 1 document, or one publisher, so someone can do the paperwork and a judge can handle it.

And does infringe their 1st amendment rights, by the way.

And if it’s a million documents and the publisher is everyone who got a torrent done in the months before the injunction?


No one is talking about the reality of removing a million sources from the internet. We’re talking about the legal consequences and 1st amendment rights of individuals.

You do not have a 1st amendment right to post, for example, classified documents or protected intellectual property. If you post those things, even if 2,000 people posted them before you, the law can still come down on you.


You absolutely do have a right to post classified documents if you come across them, but have not attained a security clearance.

There's definitely a massive "should" aspect there, however, the courts will protect you in that case. The one who got them for you, or if you committed a crime in acquiring them however...

That is a different story.


Oddly, classified documents that could theoretically harm real people are legal to share with others but don’t you dare try to share the latest Beyonce track or there will be hell to pay.

Perhaps the RIAA should be in charge of national security from now on?


> No one is talking about the reality of removing a million sources from the internet. We’re talking about the legal consequences and 1st amendment rights of individuals.

> You do not have a 1st amendment right to post, for example, classified documents or protected intellectual property. If you post those things, even if 2,000 people posted them before you, the law can still come down on you.

Did the reporters who broke the pentagon papers see court? Only the source as I recall, which seems contrary to your statement.


>Did the reporters who broke the pentagon papers see court?

Yes. https://en.wikipedia.org/wiki/New_York_Times_Co._v._United_S...

And the ruling was printing classified documents was protected, though the government is trying to reverse this ruling with the Assange case.


As I understand it, the government is not trying to reverse this ruling with the Assange case. The government posits that Assange helped in the acquisition of the documents, which is separate from their dissemination, IIRC.


Assange faces 18 charges, one of them has anything to do with his allegedly helping acquire documents. The others are violations of the Espionage Act for receiving and publishing documents. So until they drop all other charges, any "acquisition" he may have done is secondary to their attempt to outlaw publishing.


oooh, while reading this thread, it crossed my mind that, well, if this website knows where it got the data from, then it could provide that info to the end-user, so they could actually have the source removed.

It isn't infeasible to see a future where this website could continue to provide the public the benefit of its existence, and also help protect the people who actually do need to have their records protected;

It sort of depends on how anarchistic the maintainers lean, and how much of an appetite courts actually have for fixing record leaks rather than blocking access to the tools or suing...

I guess you could verify a record should be in a sealed state with the file that states the sealing happened, right? I vaguely remember document IDs from the last time I touched anything related to them.


We aren’t talking about any of those things - we’re specifically talking about public records however.


Without transparency, including public records, how do we hold the powerful accountable? Court records are public to prevent secret government courts from abusing people (among other reasons). How do we operate a democracy, which depends on citizens controlling their country?

And most importantly, who does get access to the records? That exclusive access will give them a lot of power.


Something that stuck out to me about that website is that we really do publish a lot. If you ever had a speeding ticket, that’s a matter of public record now. If you ever had a parking violation, that’s a matter of public record. I mean to be honest, if you just have a car, I can probably find you on that website if I know your name.

Also goes for divorces. By and large I agree with your take, but playing around with the search got me thinking that maybe we just make too much a matter of public record and that some things might just be too noisy, even if it isn’t the biggest privacy violation per se. Still mulling it over though, so I can’t say I’m committed to that position yet, feel free to talk me back.


I agree there are limits; there are no absolutes in anything. We don't have absolute free speech: you can't slander, commit fraud, conspire to commit a crime, incite a deadly stampede, etc.

I think the main concern is that the more powerful the actor (e.g., government is very powerful) the more important transparency is, and the more vulnerable the actor, the more important privacy is.

For example, if an Apple (picking a random company) employee complains to authorities about dangerous working conditions, that employee may be very vulnerable - Apple could blacklist them; other businesses, if they learned of the complaint, could do the same, not wanting a 'troublemaker'. And that employee may be financially vulnerable, needing the job; their privacy should be maintained if possible. But Apple and the government are both powerful and there should be transparency about the working conditions, investigation, and outcome.


So what’s the limiting principle you would use? That’s the problem. I no more care about Apple’s speeding violations than I do Joe Schmo’s, but I probably do care about whether Joe here has a criminal history if I’m interviewing him, and the nature of that history.

You could go by legal entity, just make lawsuits involving corporations public, and lawsuits between individuals private: but while Apple might have global influence, your rich and litigious neighbor in a rural county is probably a more immediate concern to you. Also individuals can sue corporations and corporations can sue individuals.

I’m still inclined to think court records should stay public, but I’m now more interested in seeing if there’s a kind of filter we can put on what we make public than I was two weeks ago.


Two thoughts:

* There are different levels of availability: For example, some court records could be public but not available outside the courthouse.

* Court records could be public by default, but take into account certain factors: Public interest, the power of the party, the vulnerability of the party. Criminal cases should probably be public - it is not dispute resolution (as with civil cases) but the government taking someone's freedom and/or property. The government's actions should be transparent.


I think I’m with you on the first one, but I think on point two you have too many heuristics that themselves would have to be litigated and eat into court time.


With your same example though, now this employee is listed in a bunch of Apple lawsuits and will be unable to ever get a job again because of this kind of search engine.


That was part of my point: The vulnerable person has more need of privacy.


I have owned a car in NY, FL, and CA, have been married, and have received parking violations in all 3 of those states, and my very unique name is not present at all on that website.


I think their coverage is still spotty. I'm in California, and searched some names I know. The results came from some counties, but nothing from others. Notably I never saw anything from Los Angeles County, but tons of results from San Bernardino County.

My own name brought up a couple tickets. In 2014 I got a cell phone ticket. There's something kind of funny seeing an all-caps official document explaining that THE PEOPLE OF THE STATE OF CALIFORNIA were all arrayed against me! :)


there are at least six adults in the USA with my same first and last name, who are professionals and middle-aged .. one of the others died of a drug overdose, and looks a bit like me!

new world now


Fair. I did search out myself and several others I know. Didn’t find myself, but did find out that there’s a guy with a very similar name to me (different middle name) that likes to live dangerously in the same State but in several different counties racking up speeding violations like there’s no tomorrow.

I was able to find almost every single other person I searched though, chose not to dig into it any further than I could confirm it was someone I actually knew, typically by birth date.


AFAIK, a parking ticket would be written against a car/license plate. Obviously that can be attached to a registration if the ticket is unpaid but it's not clear to me that a record of the violation would necessarily have the name attached in the record.


It's possible to be both not public enough to ruin people's lives and public enough for journalists or concerned individuals to find. In New Zealand, voter registration details are, by law, available to look at but not to copy. Anyone can walk in to a public library anonymously and rifle through the book but the book is chained to the desk and you're not allowed to photocopy it or take photos. Also, it's only present in the local libraries near where the voters live.


One thing to note, judicial and Bar complaints are generally not considered court records.

In theory, anything that went to trial would have transcripts available (unless it's sealed, like for minors). Many of these complaints could still have the transcripts available for the cases associated with them. But it's hard to tell what the alleged problem or misconduct is. I emphasize alleged because I assume the nonpublic ones were ones in which the lawyer was not found "guilty". In my state, the Bar will only investigate prosecutors if the court has already issued a statement determining prosecutorial misconduct occurred. So prosecutors get off without scrutiny most of the time.


>Court records are public to prevent secret government courts from abusing people

Except of course, when "national security" is involved.


please recall a basic motivation for the formation of the United States of America, versus the Kingdom of Britain under George III. In the legal system of Britain, all Crown records are SECRET unless cleared. Under the Federal Laws of the USA, all Federal records are PUBLIC unless classified.

get the idea?


Blame the state governments for publishing those records in the first place. Everyone knows that once information is published on the internet there is really no “undo” button. If judyrecords goes down another, perhaps less scrupulous, operator will release another similar site.


It's the first reply.


Why is it so impossible for these people/organizations to accept that they made a mistake and own up to it? The entire response by the State Bar of California is nothing but a deflection of blame that rests solely on themselves and their chosen vendor(s).

What are they going to do next, call Missouri's governor and ask for the playbook to follow? The humans behind the scenes at the bar are looking incredibly pathetic here.


> Why is it so impossible for these people/organizations to accept that they made a mistake and own up to it?

Maybe they accept it, but just don't admit to their mistake. Seems to be a growing trend, unfortunately. Perhaps the result of a society who more and more punishes people for admitting to their mistakes, rather than rewarding them for admitting to it and learning from it.

It's very sad to me, that this seems to be getting so much more common.


Agreed.

Closing with "Law enforcement has been notified" doubles-down on "we published everything but maybe if we can get somebody charged for a bogus crime then we won't look so stupid."


>Why is it so impossible for these people/organizations to accept that they made a mistake and own up to it?

It's the bar. Of all the organizations to respond like lawyers covering their own asses as hard as possible, you have to expect this one.


They did, see the update: https://www.calbar.ca.gov/About-Us/News/Data-Breach-Updates

They have nothing but praise for the judyrecords owner, actually!


There may be liability attached. But this reads more like "a lot of data that we assumed to be private, and legally must be kept private appeared on a website. Here's everything we know and the steps we have taken." Essentially what happens when there's a screw up and lawyers get consulted about how to disclose it.


My sense is that with any written record (especially publicly posted records), an admission of guilt can later be used as evidence in court. That is, if the bar needs to defend itself in court later, admitting guilt now would make that a lot harder.

And they're a bunch of lawyers -- they likely know that.


They are lawyers. "Pathetic" is the after-shave they use. "Liability" is the nickname for the kid they secretly loathe. "Blame" is a verb.


Doesn't sound like a breach to me - sounds like the state bar association inadvertently gave out the information, and now they are looking for someone to blame - someone else that is.


It wasn’t a breach. Those records were publicly available. It’s a shame the site’s operator complied with the takedown request. Unfortunately that’s what happens when you use a US hosting provider and domain. In the interest of transparency, site operator should consider migrating the site to a provider outside of US jurisdiction and/or making torrents of the record data that can’t be simply taken down.


It's still a breach if an org misconfigures an API, allowing more records to be available than was intended.


Mens rea is honestly a mistake.

I don't care what the org "intended" to do. The org assumed the responsibility of providing an API and with it the responsibility of securing private data. They failed and should be held culpable.

Boeing doesn't call it a "cyberattack" when their altitude control systems fail because of poor design.


>Those records were publicly available.

The very first paragraph of the article seems to contradict that. Do you have a source that says otherwise?


According to the Bar website:

>>>The site owner (of judyrecords) claims that the State Bar’s confidential and public case records were all previously available at a public URL. Is this true?

>>>The State Bar Court website allows the public to search for publicly available case information. The extent to which the external aggregating website was able to obtain nonpublic information that was stored in the Odyssey case management system is still being investigated.

I am inclined to believe judyrecords, until proven otherwise.


It’s pretty gross that they won’t admit they made a mistake and instead choose to mislead the public using deceptive language.


Yep, not unlike the other recent story where someone scraped a website and ended up pulling in SSN's and other personal information that was on the page, but not visible (but in the html) - and then the government threatened to prosecute the person who reported the problem.

A perfect example why MORE public information is better than less.


Well, it’s the CA state bar - it’s the den for all the lawyers in a juggernaut state. Misdirection through deceptive - sorry persuasive - language is literally what a goodly number of them do every day for a living.


> Was this a hack? And how did this happen?

> We do not know yet. The State Bar’s Odyssey case management system software vendor, Tyler Technologies, has been tasked with investigating what happened, taking the steps needed to rectify the breach, and ensuring something similar does not happen again. The State Bar also retained a team of IT forensics experts to assist in our investigation.

> The site owner claims that the State Bar’s confidential and public case records were all previously available at a public URL. Is this true?

> The State Bar Court website allows the public to search for publicly available case information. The extent to which the external aggregating website was able to obtain nonpublic information that was stored in the Odyssey case management system is still being investigated.

It sounds extremely likely that the state bar had a website misconfigured, and the automated systems of the aggregation site sucked down all the data it was technically (but not legally) given access to.

https://www.calbar.ca.gov/About-Us/News/Data-Breach-Updates


> We apologize to anyone who is affected by the website’s unlawful display of nonpublic data

Sounds like Missouri teachers SSN leak again... The website that judyrecords scraped, discipline.calbar.ca.gov, contained all of these "nonpublic" records for anyone to see.


It can be legal for you to scrape something yet very illegal to reproduce it.

This applies even more when the site you scraped didn't have permission to show the data in the first place. Their mistake does not rise to be your permission; if it was my data, I would have as much a claim against you as them. "The software did it" is not an excuse.


The software didn't do it, indeed. The custodians of the data who allowed private data to be made public did it.


I'm assuming the owner of this site has permission to reproduce court documents from each source, generally these types of documents are public record and can be reposted. It sounds like whoever configured this portal where the public can view documents misconfigured it and allowed for private documents to be shown, without any indication that they were supposed to be private.


Apparently the State Bar has been breaking the law.

The State Bar announced today that it is taking urgent action to address a breach of confidential attorney discipline case data that it discovered on February 24. A public website that aggregates nationwide court case records was able to access and display limited case profile data on about 260,000 nonpublic State Bar attorney discipline case records, along with about 60,000 public State Bar Court case records. The site also appears to display confidential court records from other jurisdictions.

Under California Business and Professions Code 6086.1(b), all disciplinary investigations are confidential until the time that formal charges are filed, and all investigations are confidential until a formal proceeding is instituted.

The nonpublic case profile data from the State Bar appears to have been displayed on this public website in violation of this statute. It includes case number, file date, case type, case status, and respondent and complaining witness names. It does not include full case records. We do not yet know how many attorney or witness names were disclosed.


Is displaying those records in public the violation of the statute? Or was it merely allowing the documents out of their control? Such that.. now they're out, does the website actually have any obligation to follow the "Business and Professions Code?"


I used judyrecords to check myself after it was posted here. I had a charge from over a decade ago listed as a felony that had been reduced to a misdemeanor. The state system shows as a misdemeanor. I paid good money to an attorney for a misdemeanor. I'm not sure why judyrecords shows it as a felony, and it has me wondering about the effectiveness of my legal defense.

edit: If you're wondering if I'm a hardened criminal with a wake of victims left behind, the answer is no. I was 22 and got caught in the midwest with an ounce and a half of cannabis. This website, as far as I'm concerned, is displaying inaccurate information about me that that could have serious negative consequences for myself.


Just spitballing, it's just a dump of records. They might have records for your arrest, arraignment, charge, plead, whatever (not sure what's in your state). When I was looking through it, it didn't seem like a comprehensive or organized set of documents by case.

You might want to check with a more thorough source, like a criminal background check agency.


On a related note, the California Bar website employs dark patterns that mislead members into paying inflated annual dues.

When you renew your membership, there are a variety of addon payments you can opt into by checking boxes for these items. Then, on a later page, there are various addon payments that you have to opt out of.

Making things even trickier, these aren't pre-checked boxes, which might lead the user to realize he needs to uncheck them. Instead, there is a list of "adjustments" with a dropdown menu for each. The dropdown defaults to "none", which would lead users to think that they are not paying for an extra item. But when you click on the dropdown, you see the option to "deduct $x" if you don't want to pay the additional fee.

I've never seen a dark pattern like this anywhere else. Perhaps the folks who run the calbar website could spend less time finding ways to trick members into overpaying and more time securing private information.


I noticed this too while trying to renew my bar dues. It's so devious. It degrades the whole profession when the gatekeeper is obviously trying to scam you.


And it's been this way for at least two years. This isn't an innocent fleeting mistake.


It's a sad day when you realise most things are like this.


I've seen similar, but it's rare because it is such a dark pattern, and on a more high-profile site that nail would get hammered down pretty quickly.

I was going to joke that you're a lawyer, you should sue them, but they're not doing anything illegal, just very shady.


I actually made a screen recording and thought about writing up a blog post. But it seemed like the overlap between [people who care about law/lawyers] and [people who care about dark patterns] was too small to warrant much effort. I considered sending it to Above The Law, and I'm open to other suggestions if anyone has any!


I think the theory is that you should try, as you are now by writing that post here.. but make your own efforts and costs very minimal (also as you have done).. maximize the possibility that a random, individual person may find it, who cares (this is a great place for that).. leave breadcrumbs that can lead an interested party to valid actionable information; and lastly, limit exposure to yourself for retaliation if it is that sort of situation..


OK, I'm writing something up and will share a draft with ATL, LegalEagle, and anyone else that folks here recommend!

Honestly the biggest blocker for me was that I assume blurring/redacting text from a video would be tricky, but I think YouTube might have a tool that blurs moving objects relatively easily. Or I could just include screenshots...


LegalEagle has a way of making even the driest of law topics interesting and accessible. Do you think he’s the right messenger for that kind of content?


I'd never heard of LegalEagle, but upon looking him up I see that we graduated from the same law school, one year apart. Perhaps I'll reach out! Thanks for the pointer.


"Under California Business and Professions Code 6086.1(b), all disciplinary investigations are confidential until the time that formal charges are filed, and all investigations are confidential until a formal proceeding is instituted."

Does this part of the code apply to everyone, or only the folks in charge of the investigations, or in charge of safeguarding the information?

If someone is in a bar and overhears a Bar employee talking loudly about an investigation, do they have a legal duty to keep what they heard confidential?


No. Once confidential information is leaked, it is no longer confidential. The person who leaked the data can be in trouble. But the person who received it isn't... Assuming they didn't break any laws receiving it. In your particular example, the Bar employee shouldn't have been talking about confidential stuff in public, where it can be overheard. There is no expectation of privacy in a bar, so the eavesdropper is most likely in the clear.


This is probably a stupid question to those who work with these concepts often: can all the user data in the DB be hashed with the user's password so that nothing is gained from a breach? Is this mostly a CPU resource problem or would JWT architecture preclude that from working? (I haven't built auth systems for several years)


You could encrypt it with the user’s password instead (rather than hashing it). This is also the approach taken by e.g. password managers, they use your password as a seed for encrypting all your data.

The problem is that this would make the database entirely inaccessible unless you have access to the password. That creates quite a lot of friction in the user experience, the user would have to provide his password on every interaction (ie not just when logging in).


Users wouldn't need to provide their password on every interaction; just when logging in. The browser could save a derived decryption key in a cookie or local storage and use that to persist the session.

We're basically just discussing end-to-end encryption.

The real reason it's not done more often is that it makes a lot of things way more complicated from a development perspective. Features like "allow users to send messages to each other" that would normally be really simple to implement suddenly require a whole public key infrastructure and logic to take into account edge cases like "What if the user got a new phone or changed their password and was offline when the message was sent?", or onerous threat models like "What if the server is controlled by an attacker when I sign in?"


Not exactly following. Couldn't DMs simply not be E2E encrypted while maintaining encryption for personal info?


End to end encrypted with what key? What if the user changed their password? What if they got a new phone? What if the server is only pretending the user got a new phone to trick you into leaking your messages?

All of those problems are solvable, but "simply" is hardly the word I'd use to describe designing a secure end-to-end encrypted application. It's way, way more development effort than just "hash user passwords with bcrypt and don't allow access without the password", which is why it's rarely done unless E2E encryption is a major selling point of the application.


Sorry, still not following. I wrote not E2E encrypted. I'm struggling to understand why messages that are not E2E encrypted would require key management.


Sorry, misread.

Yes, you could symmetrically encrypt the tiny portion of personal data that needs to be read solely by you without much added complexity.

However, with few exceptions (password managers, backups, personal notes, etc), the whole point of uploading data to an online service is to allow it to be shared with other people or services. Once that happens, you need all those complicated key management and security systems I just talked about. It's effectively end-to-end encryption.


The data is read by more than one person, so this likely wouldn't work.

Also, I'm not sure this is an actual breach. I think they accidentally published the data themselves, that's the vibe I'm getting from reading between the lines. It's like the code maybe missed checking a flag that would exclude private records from showing.


That would seem to only work if the user would only be interested in records created by themselves or that were explicitly shared with them. When sharing, both users' passwords would have to be stored somewhere, either that or the raw content so that it could be re-encrypted.

Private key cryptography would be better, maybe encrypt a private key with a password and store that along with the public?


The reason we can store and use password hashes is because the user provides their password every time they login. So we hash the password they provided at login and compare that to the hash that was stored.

We can't determine what their password is based on the hash alone, which is why we couldn't hash all the user data in the DB with their password and store that.


There's a concept similar to what you're describing called crypto-shredding[1]. Hashing isn't a good way to ensure the confidentiality of data--just the authenticity--you really want to prefer a solid cryptographic algorithm if your goal is to ensure data remains confidential.

The idea behind crypto shredding is that you have a cryptographic key for each entity in your system and you use that key to encrypt all fields for a given record. When it comes time to delete that data, you simply discard the key used to encrypt it. Assuming you've used reasonably good cryptography, this data is now effectively gone.

This is useful in cases where:

* You need to support the right to be forgotten (as defined in the CCPA[2] or GDPR[3]), since all you need to do to "delete" a user's data is to delete the key used to encrypt.

* The data you need to delete exists across multiple data stores/applications/environments and ensuring consistency for the deletion across all these places is difficult. For example: You may have DB backups, long-lived caches, or 3rd party services/vendors that may have copies of this data.

* You want to discard some, but not all, of a user's data. This is important in cases where you're required by law to retain specific kinds of information even after a person has required its deletion. For example, banking and finance companies are required to keep specific records about who they sent money to or performed services for.

1. https://en.wikipedia.org/wiki/Crypto-shredding

2. https://www.oag.ca.gov/privacy/ccpa

3. https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
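The per-entity key scheme described in the comment above, as an added example written for this page (it is not the commenter's code and not taken from any project): a key table in Go where the only "delete" is dropping a key, with AES-256-GCM rows that survive in backups but become unreadable, and one key per (user, category) so that the third bullet's partial retention works too. The key IDs, field names and sample values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrShredded: the key for this data was discarded, so its ciphertext is just noise.
var ErrShredded = errors.New("key discarded: data is unrecoverable")

// KeyTable maps a key ID (one per user, or per user and data category) to an AES-256 key.
// Deleting here is the only step that must reach every copy of a row: backups, caches
// and vendor copies of the ciphertext all become unreadable at once.
type KeyTable map[string][]byte

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // an unusable CSPRNG is fatal, not a recoverable error
	}
	return b
}
func (kt KeyTable) aead(keyID string) (cipher.AEAD, error) {
	key, ok := kt[keyID]
	if !ok {
		return nil, ErrShredded
	}
	block, _ := aes.NewCipher(key) // a 32-byte key is always valid
	return cipher.NewGCM(block)
}

// Encrypt seals one field under keyID (minting the key on first use); keyID and field
// are bound as associated data so a row cannot be replayed under another user or field.
func (kt KeyTable) Encrypt(keyID, field string, plaintext []byte) []byte {
	if _, ok := kt[keyID]; !ok {
		kt[keyID] = randBytes(32)
	}
	g, _ := kt.aead(keyID)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, []byte(keyID+":"+field))
}

// Decrypt opens a row; once the key is shredded it fails with ErrShredded.
func (kt KeyTable) Decrypt(keyID, field string, blob []byte) ([]byte, error) {
	g, err := kt.aead(keyID)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, errors.Join(err, errors.New("missing key or malformed row"))
	}
	n := g.NonceSize()
	return g.Open(nil, blob[:n], blob[n:], []byte(keyID+":"+field))
}

// Shred discards the key; every row encrypted under it, wherever copied, is now gone.
func (kt KeyTable) Shred(keyID string) { delete(kt, keyID) }
```

Shredding "user42:pii" leaves the ledger rows under "user42:ledger" readable, which is the retention case from the last bullet; the key table itself is the thing to back up carefully, since losing it is a deletion.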


Hashing would make the content irretrievable; something like XORing with the password would make the password recoverable if you know the content.


XORing with the password sounds just splendid :D Caesar is asking for his cipher back.

That method wouldn't stop a determined 12 year old, let alone a competent attacker. Please use a properly engineered and implemented encryption instead of coming up with harebrained schemes.


Right, which is why you would never XOR in this manner, and would hash instead. You don't want the password or content retrievable that easily.


Most systems store data to which more than one user needs access.

Most systems will restore access for a user who forgot their password.


Surprised this site isn't managed by CDT (https://cdt.ca.gov/)


> We take our obligations to protect confidential data with the utmost seriousness

Really?



