Should GitHub Be Liable for the Capital One Hack?

Probably the dumbest questions you can ask a lawyer—particularly in the wake of a massive data breach—is, “Can I sue?” The answer is almost always, “Yes.” And what would you sue for? Answer. “A real long time.” In the aftermath of the Capital One data breach, there have already been class action lawsuits filed against the banking behemoth. That is par for the course and to be expected. We can also expect regulators such as the Federal Trade Commission to investigate, and possible lawsuits between Cap One and Amazon, or someone else. There’s another saying in the law biz: “If it moves, sue it. If it doesn’t move, move it—then sue it.”

In addition to the actions against Cap One, lawyers have filed a class action lawsuit against Microsoft subsidiary GitHub. That lawsuit alleges that Microsoft stated that [m]ore than 28 million developers already collaborate on GitHub, and it is home to more than 85 million code repositories used by people in nearly every country. From the largest corporations to the smallest startups, GitHub is the destination for developers to learn, share and work together to create software” and that, “According to the timestamp on the file containing certain Capital One customers’ breached data, the hacker posted the [stolen Capital One] data on GitHub.com on or about April 21, 2019.” The complaint alleges that GitHub did not notify customers that their data was online, and did not suspend the hacker’s GitHub account or her postings on their “Awesome Hacking” page.

Interspersed among the negligence, wiretapping and statutory violations alleged against GitHub, the class action plaintiffs have alleged that GitHub violated California’s social security privacy statute, which provides in part that a person or entity may not “publicly post or publicly display in any manner an individual’s social security number. “Publicly post” or “publicly display” means to intentionally communicate or otherwise make available to the general public.”

At the same time, on July 31 in New York, the U.S. Court of Appeals for the Second Circuit was considering a claim that Facebook violated U.S. law by providing “material support” to the terrorist group Hamas by permitting them to post and share materials and by failing to adequately filter out such communications. Plaintiffs—family members of Israeli and other citizens killed or wounded in Hamas attacks in Israel—sued Facebook for providing them a platform.

In both the GitHub and the Facebook cases, the aggrieved parties sued the platforms on which the offending behavior took place rather than suing the person or persons who engaged in the offending behavior. In both cases, the aggrieved parties asked that the platform operators—GitHub and Facebook—enforce their own Terms of Service and act “reasonably” to prevent the harmful conduct of others.

Perhaps they should. Perhaps there should be platforms out there that moderate content, that prohibit their use for anything offensive or potentially destructive. Maybe GitHub should prevent people from sharing stolen information. While we are at it, prevent sharing of copyrighted information, bits of code and hacker tools. And let’s have 8Chan block its content as well.

Under current law called Section 230 of the Communications Decency Act: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” As a practical matter, what this means is that platforms including Facebook, GitHub and, yes, 8Chan are not generally liable for what other people say and do on their platform, even if they are negligent, reckless or even if the content that they permit to remain on is otherwise actionable. While certain laws (notably intellectual property and sex trafficking laws) are exempt from this immunity, in general GitHub would have no duty to police, remove, monitor or, frankly, do anything with respect to third-party content on its site.

In this regard, you can partially blame the Wolf of Wall Street. Not the movie, the actual entity: Stratton Oakmont Investments, which in 1995 sued Prodigy (remember Prodigy?) for allowing third parties on Prodigy’s “Money Talks” website to defame the now-defunct investment company. The New York Court found that Prodigy was a publisher of the content it permitted to be disseminated on its service, and in response, Congress passed the immunity found in Section 230.

There are more practical concerns about shutting down sites such as GitHub and others. First, these sites serve many legitimate functions and permit computer programmers, researchers and security professionals to share information, code and useful data. Second, they tend to operate in public view (or semi-public view), unlike their counterparts on the Deep Dark Web, making them easier to access and to monitor. Indeed, while GitHub could likely have used automated DLP solutions to scan for formatted SSNs, as the GitHub plaintiffs assert, anyone with access to the forums on GitHub likely could have done the same. It’s much more difficult to do this on the DDW without good threat intelligence.

It seems unlikely that the lawsuit against GitHub will go very far, and it will likely be dismissed on immunity grounds. That doesn’t mean we shouldn’t still be looking for stolen records and SSNs. We should. It’s just that a lawsuit against a platform may not be the best security solution. That is, if we continue to want a free and open and relatively uncensored internet.

Featured eBook
Open Source Security: Weighing the Pros and Cons

Open Source Security: Weighing the Pros and Cons

Over the past few years, open source has grown in popularity, especially among developers using open source code in their application development efforts. Open source software offers incredible benefits to enterprises IT and development efforts. Free, available software libraries mean cost savings, easy customization, speed, agility and flexibility for development and IT teams. There are ... Read More
Security Boulevard
Mark Rasch

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 50 posts and counting.See all posts by mark