When is Sourcing Candidates Online Actually Hacking?

The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, adopted in 1984, makes it a crime to “intentionally access[] a computer without authorization or [exceed] authorized access, and thereby [obtain] … information from any protected computer.” 18 U.S.C. § 1030(a)(2). A “protected computer” is any computer connected to the internet. See 18 U.S.C. § 1030(e)(2) (2006).

In past presentations, I’ve discussed sourcing methods including robots, spiders and URL manipulation, suggesting there are sometimes high risks for recruiters who use these methods. The courts interpret the CFAA on a case-by-case basis to determine when “accessing a protected computer” is considered “hacking.” The problem is, many lawyers and computer experts say the CFAA is outdated and over-broad in scope. In some cases, prosecutors go after minor uses of the Internet, like downloading lists or sharing information by email.

Sourcers need to pay attention to an important case pending in the US Court of Appeals (Third Circuit) regarding the use of automation to manipulate URLs and scrape email addresses. The highly controversial ruling tells us that under the CFAA, just because a website is publicly accessible and does not require a password, it does not always mean you have permission to access it and use or collect the information you find.

US v. AUERNHEIMER, Criminal No. 11-cr-470 (SDW) (D.N.Y. Nov. 6, 2012)

In 2010, Andrew Auernheimer (a.k.a. Weev) found a security flaw in an AT&T server that allowed him to collect 114,000 email addresses belonging to iPad 3G users. Auernheimer and a fellow “hacker” created a tool to manipulate URLs and flood an AT&T website with made-up iPad IDs. When it correctly guessed an ID, the email address of the owner was displayed and the tool scraped the information from the site. Only e-mail addresses were obtained – names/passwords were not collected and no accounts were actually accessed. Auernheimer turned over the scraped information to the gossip site Gawker, which posted some partially redacted addresses, prompting an FBI investigation. He was indicted in January 2011 and ultimately found guilty of (1) conspiracy to access a computer without authorization under the CFAA; and (2) fraud in connection with personal information, 18 U.S.C. § 1028(a)(7).

On March 19, 2013, he was sentenced to 41 months in prison followed by three years of supervised release. The court ordered him to pay $73,167 in restitution. Although an appeal has been filed, Auernheimer is currently serving out his sentence in federal prison.

Automation May Be the Fatal Flaw

There is one thing that all of the recent cases involving the CFAA have in common: the defendants used some sort of unauthorized tool to exploit a website and pull out information in bulk. Most of them wrote their own script, but there are plenty of Firefox extensions that allow people with very little technical knowledge to do the same things. One tool presented at SourceCon in Fall 2011 is actually fully capable of doing the same thing the tool created by Auernheimer did when he collected iPad emails – no coding required.

As those of you who have used tools like this know, most of them allow you to set “click speed” or “download rate.” This is because the makers of these tools know that it is highly unlikely that a person typing in a URL to visit one website at a time and glean information is going to be caught by the server they are exploring. Don’t let this fool you – know what your tools are doing, and if it involves a guess and check brute-force attack, exceeds usage limits where they exist, spoofs URLs or in any other way “circumvents a technological barrier” to collect information, you may be subject to criminal prosecution under the CFAA.

Terms of Service/Use for Job boards and Social Media Sites

For private networks that require an account to access pages, the definition of “hacking” sometimes hinges on the terms and conditions of service. Dice.com, for example, does not allow the use of “any robot, spider, site search/retrieval application, or other manual or automatic device or process to retrieve, index, ‘data mine,’ or in any way reproduce or circumvent the navigational structure or presentation of the Site or its contents.” In other words, if you are using a method other than the search and navigation methods provided by Dice to navigate the site, Dice considers it “hacking.” Dice.com tracks the username, IP address and all activity during the session. Actions in violation of this Code of Conduct may be cause for civil and/or criminal liability under the CFAA.


Facebook also restricts the use of automation to crawl or explore the site unless you are using an application with the express permission to do so. However, Facebook’s “Statement of Rights and Responsibilities” does not seem to include language restricting URL manipulation. This is because users can’t access information they would not otherwise have access to without an authentication token (like the special permissions provided when you authorize an App). For example, all of the information provided in the Graph Search is ultimately either public or accessible to the logged-in user. It is also available via the API with a standard developer access token. Facebook even shows us how to “hack the graph” here.

One Facebook user was recently sent a cease and desist letter for scraping public phone numbers using the API. Facebook has a White Hat Bounty program that allows users to submit security flaws and bugs, but it requires you to follow the “terms of service” and offers test accounts to demonstrate vulnerabilities. Facebook recently refused a bounty to one user after he exposed an issue that allowed him to post to other people’s walls. They told him it was not an issue, so he used the security hole to post a status update as Mark Zuckerberg. Based on these recent situations, it seems that when it comes to Facebook “hacks” you should ask the security team if it’s something they are aware you can do – if it is a known “feature” and not a bug, then feel free to search as allowed by the “terms of service.”

Should I be worried as a Sourcer?

Have you ever edited a URL to see information you would not normally be able to access via standard navigation? Have you ever used any type of automation to take advantage of a search result “goldmine” and harvested personal information off the web? More importantly, are you exploiting a security hole while collecting the information? Did you circumvent any technology barriers or engage in a “brute-force attack” – guessing possible URLs or email addresses via automation until you got a hit?

For the first time, it is becoming very clear that some of the tools and tricks used by the industry’s leading sourcers could very well be considered “hacking” under the CFAA.

DISCLAIMER: This article and any links provided are for general informational purposes only and should not be construed as professional or legal advice. Receipt of these materials does not create an attorney-client relationship nor is it a solicitation or advertisement to provide legal services. The views expressed in this article may be outdated or repealed by current law. Do not act upon this information without seeking professional counsel in the appropriate jurisdiction.


Nicole Greenberg, Esq. serves as a principal consultant and chief legal advisor at STA Worldwide, a global professional services firm specializing in IT staffing, project management, and consulting services. A licensed Illinois attorney and member of the American Bar Association, she has over a decade of experience in talent acquisition and recruiting strategy.

Recognized as “the world’s only lawyer with a focus on sourcing,” she is a highly sought after public speaker, presenting on compliance, sourcing, and technology topics to industry audiences around the world, and her writing on these subjects has been recently featured by top publications like SourceCon, Recruiting Daily, and HRExaminer.

A lifelong native of Chicago, she is a graduate of Lake Forest College and received her Juris Doctor from the John Marshall Law School.


10 Comments on “When is Sourcing Candidates Online Actually Hacking?”

    1. The video discusses tracking of user activity. Are you interested in potential privacy issues or something else?

      1. Yes, specifically how this would apply to the users’ privacy when providers also collect this data, at times in an egregious manner, like a fangate or use policy?

  1. Nicole, your article was very thought provoking and interesting. It seems to emphasize how society and technology both continue to evolve, although not necessarily at the same pace and in the same direction. I also liked the examples you cited, which helped clarify some of the issues. These issues continue to suggest that we’re on a “journey” without a definitive “destination.” Regarding the Auernheimer case which you cited, while I’m clearly not an expert on the issues, unless there were other unmentioned facts, as stated it appears that there was no “malicious intent” here. I know that “intent” is often not a major consideration in legal issues where laws have been broken, yet from what is shown, and with the assumption that the ramifications may have been unclear, the sentence appears to be harsh. The questions you provoke also involve issues surrounding the “currency” of the CFAA (have there been updates since it was formed in 1984, since technology and its uses have evolved exponentially since then), and whether there is sufficient clarity to prevent an interpretation culture. Thank you.

    1. Thanks for the comments Harvey! There are a number of facts including IRC logs and Auernheimer’s reputation as a well-known internet troll that may have contributed – check out some of the embedded links for more info. There have been amendments since 1984, but the biggest change currently pending is “Aaron’s Law” – maybe that will be the topic of another post!

  2. This is wonderful commentary and thought provoking questioning. I hope to see some robust discussion around this issue – scary as it seems to address I find the more people talk about these things (scary topics) the more understood they become!

  3. Nicole, this law was written before the days of the Internet and browser and barely when the IBM PC first came out. It is like following road usage laws that were written in the carriage horse days on current freeways.

    The CFAA as it reads makes every researcher who uses a browser and collects data as being a hacker of sorts.

    On strict interpretation all search engines including Google, Bing, Yahoo that crawl sites and every information aggregator is violating this law at some point.

    Is there an organization or effort that is behind changing this law? Is the Aaron’s Law you alluded to in the comments a replacement of this law?

