Should GitHub Be Liable for the Capital One Hack?
Probably the dumbest questions you can ask a lawyer—particularly in the wake of a massive data breach—is, “Can I sue?” The answer is almost always, “Yes.” And what would you sue for? Answer. “A real long time.” In the aftermath of the Capital One data breach, there have already been class action lawsuits filed against the banking behemoth. That is par for the course and to be expected. We can also expect regulators such as the Federal Trade Commission to investigate, and possible lawsuits between Cap One and Amazon, or someone else. There’s another saying in the law biz: “If it moves, sue it. If it doesn’t move, move it—then sue it.”
In addition to the actions against Cap One, lawyers have filed a class action lawsuit against Microsoft subsidiary GitHub. That lawsuit alleges that Microsoft stated that [m]ore than 28 million developers already collaborate on GitHub, and it is home to more than 85 million code repositories used by people in nearly every country. From the largest corporations to the smallest startups, GitHub is the destination for developers to learn, share and work together to create software” and that, “According to the timestamp on the file containing certain Capital One customers’ breached data, the hacker posted the [stolen Capital One] data on GitHub.com on or about April 21, 2019.” The complaint alleges that GitHub did not notify customers that their data was online, and did not suspend the hacker’s GitHub account or her postings on their “Awesome Hacking” page.
Interspersed among the negligence, wiretapping and statutory violations alleged against GitHub, the class action plaintiffs have alleged that GitHub violated California’s social security privacy statute, which provides in part that a person or entity may not “publicly post or publicly display in any manner an individual’s social security number. “Publicly post” or “publicly display” means to intentionally communicate or otherwise make available to the general public.”
At the same time, on July 31 in New York, the U.S. Court of Appeals for the Second Circuit was considering a claim that Facebook violated U.S. law by providing “material support” to the terrorist group Hamas by permitting them to post and share materials and by failing to adequately filter out such communications. Plaintiffs—family members of Israeli and other citizens killed or wounded in Hamas attacks in Israel—sued Facebook for providing them a platform.
In both the GitHub and the Facebook cases, the aggrieved parties sued the platforms on which the offending behavior took place rather than suing the person or persons who engaged in the offending behavior. In both cases, the aggrieved parties asked that the platform operators—GitHub and Facebook—enforce their own Terms of Service and act “reasonably” to prevent the harmful conduct of others.
Perhaps they should. Perhaps there should be platforms out there that moderate content, that prohibit their use for anything offensive or potentially destructive. Maybe GitHub should prevent people from sharing stolen information. While we are at it, prevent sharing of copyrighted information, bits of code and hacker tools. And let’s have 8Chan block its content as well.
Under current law called Section 230 of the Communications Decency Act: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” As a practical matter, what this means is that platforms including Facebook, GitHub and, yes, 8Chan are not generally liable for what other people say and do on their platform, even if they are negligent, reckless or even if the content that they permit to remain on is otherwise actionable. While certain laws (notably intellectual property and sex trafficking laws) are exempt from this immunity, in general GitHub would have no duty to police, remove, monitor or, frankly, do anything with respect to third-party content on its site.
In this regard, you can partially blame the Wolf of Wall Street. Not the movie, the actual entity: Stratton Oakmont Investments, which in 1995 sued Prodigy (remember Prodigy?) for allowing third parties on Prodigy’s “Money Talks” website to defame the now-defunct investment company. The New York Court found that Prodigy was a publisher of the content it permitted to be disseminated on its service, and in response, Congress passed the immunity found in Section 230.
There are more practical concerns about shutting down sites such as GitHub and others. First, these sites serve many legitimate functions and permit computer programmers, researchers and security professionals to share information, code and useful data. Second, they tend to operate in public view (or semi-public view), unlike their counterparts on the Deep Dark Web, making them easier to access and to monitor. Indeed, while GitHub could likely have used automated DLP solutions to scan for formatted SSNs, as the GitHub plaintiffs assert, anyone with access to the forums on GitHub likely could have done the same. It’s much more difficult to do this on the DDW without good threat intelligence.
It seems unlikely that the lawsuit against GitHub will go very far, and it will likely be dismissed on immunity grounds. That doesn’t mean we shouldn’t still be looking for stolen records and SSNs. We should. It’s just that a lawsuit against a platform may not be the best security solution. That is, if we continue to want a free and open and relatively uncensored internet.