by Ancapistani 1990 days ago
If I’m understanding what happened correctly, the archivists here exploited a vulnerability to create numerous administrator accounts on the system, bypassing Parler’s security (as trivial as that was), and used those accounts to access private information from all individuals on the platform.

My question is this: are the people who originally exploited this, created the image, and the users who downloaded it to collect the data going to be subject to federal charges? It seems obvious that they broke the DMCA in using the exploit and the FCAA in collecting and publishing the data acquired.

If so, and the data were obtained through criminal means, is it even admissible in a criminal case?

Full disclosure - I have/had a verified Parler account, dating long before the Capitol stuff. I tend to join pretty much all the new social network stuff to claim my name and so I know what I’m talking about when I discuss it elsewhere. I don’t think I ever posted a “Parley”, and if memory serves the only PMs I sent were asking a friend about LED headlight options for my wife’s vehicle. I’m not concerned about that conversation leaking, but it will amuse me to see if it’s in the collected dataset.

3 comments

IANAL, but... I expect the hackers to be subject to federal crimes.

As I discussed elsewhere: opening mail addressed to someone else is a federal crime, because mail has an expectation of privacy. It doesn't matter how easy it is to open an envelope, all that legally matters is the assumed intent.

If one party clearly wanted a message to be private, it is illegal to open that message.

------

In contrast, a Postcard has no expectation of privacy. And therefore, it is perfectly legal to read a postcard.

Were these posts private? I've never been on Parler so I have no idea, but I'm not reading anything that suggests they were direct messages or "private" accounts making the posts.
They were marked "deleted".

Which means the privacy question is a bit ambiguous. They were public at one point, but at the time they were leaked out, they had a deleted flag and clearly were meant to be private.

IANAL, but I'd expect it to be illegal to grab data marked "deleted". If you were a few hours earlier and archived them before they were deleted, that probably would be legal.

If I walk up to someone's house and say, "Hey can I have a copy of the seventh book in the third drawer of your nightstand" (e.g. `/api/books/03/07`), and you say "Sure here you go", it seems like it should be hard to argue that you have any expectation of privacy (for things that you are giving out freely) -- even if that book was something like your diary. HTTP codes for denying access exist specifically for this reason.

Of course, the iteration of accounts that Weev was convicted of was nearly exactly this, so we know that this doesn't always hold true, but it really is baffling why.

> IANAL, but... I expect the hackers to be subject to federal crimes.

Only if they’re in the USA based on their IP address or online testimony.

If you're accessing a public API, you're not a hacker.
A lot of web-infrastructure is public API these days. If someone misconfigures their S3 instances and allows the public to access it... accessing internal S3 data (despite being from a public API) is considered hacking IIRC.

The law doesn't care about how easy or hard it is to perform the hack. All it cares is about intent.

> the archivists here exploited a vulnerability to create numerous administrator accounts on the system

I don't see any suggestion that they had elevated accounts or access. They directly hit Parler's public backend server that powers the apps and website, asked it for as many posts as they could, and archived them. The backend did not require authentication to do this, and the posts were identified by auto-incrementing IDs, so it was trivial to scrape essentially all posts from 1 - n.

If we had GDPR I think individual posters could probably sue the archivists? I'm not sure. Otherwise this is essentially webscraping, which doesn't seem to have been successfully prosecuted much [0].

[0] https://en.wikipedia.org/wiki/Web_scraping#Legal_issues

> My question is this: are the people who originally exploited this, created the image, and the users who downloaded it to collect the data going to be subject to federal charges?

Realistically the FBI won't be eager to file charges to protect a company seen as a Biden opponent.
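
Added example, not part of the thread and not Parler's code: the API behaviour described in the comments above (no authentication, auto-incrementing IDs, posts only flagged "deleted") next to a handler that closes each of those gaps. All names, the in-memory store and the choice to answer 404 for deleted posts are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Post:
    author: str
    body: str
    deleted: bool = False   # soft-delete flag, as described in the thread

def new_post_id() -> str:
    # 128 bits from the OS CSPRNG: knowing one ID says nothing about the next.
    return secrets.token_urlsafe(16)

def get_post_weak(posts_by_seq: dict, seq_id: int):
    """Pattern the thread describes: no caller check, counter IDs,
    and the deleted flag is never consulted before responding."""
    post = posts_by_seq.get(seq_id)
    return (200, post.body) if post else (404, None)

def get_post_hardened(posts: dict, post_id: str, session_user):
    """Authenticate first, then refuse soft-deleted rows."""
    if session_user is None:
        return 401, None              # explicit denial for anonymous callers
    post = posts.get(post_id)
    if post is None or post.deleted:
        return 404, None              # do not confirm a deleted post exists
    return 200, post.body

def demo():
    # Constructed sample data; hypothetical users and posts.
    weak = {1: Post("alice", "hello"), 2: Post("bob", "removed", deleted=True)}
    # With counter IDs, every stored row is served, deleted ones included.
    weak_statuses = [get_post_weak(weak, i)[0] for i in range(1, 4)]
    ids = {"live": new_post_id(), "gone": new_post_id()}
    strong = {ids["live"]: Post("alice", "hello"),
              ids["gone"]: Post("bob", "removed", deleted=True)}
    return weak_statuses, ids, strong

if __name__ == "__main__":
    statuses, ids, strong = demo()
    print("weak endpoint:", statuses)
    print("anonymous:", get_post_hardened(strong, ids["live"], None))
    print("logged in, live post:", get_post_hardened(strong, ids["live"], "carol"))
    print("logged in, deleted post:", get_post_hardened(strong, ids["gone"], "carol"))
```

Random IDs only remove the ability to guess neighbouring records; the authentication and deleted-flag checks are what actually decide whether a row is returned.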