Apr 3, 2018

Axios Codebook


Welcome back to Codebook. As always, please reply with tips, leaks or more terrifying green hands adrift in a sea of computer data (see below).

Suit to let researchers break website rules wins a round

Photo: Thomas M. Scheer/EyeEm via Getty Images

Anyone following Facebook’s recent woes with Cambridge Analytica might be surprised to hear that there's a civil liberties argument for swiping data from websites, even while violating their terms of service. In fact, there's a whole world of situations where that thinking could apply: bona fide academic research.

What's new: On Friday, a judge in a D.C. federal court ruled that an American Civil Liberties Union-backed case trying to guarantee researchers the ability to break sites' rules without being arrested could move forward, denying a federal motion to dismiss.

“What we’re talking about here is research in the public interest, finding out if there is discrimination,” Esha Bhandari, an ACLU attorney representing the academics, told Axios.

The details: A handful of researchers and First Look Media (which operates The Intercept and other sites) would like to use bots and create dummy accounts to test the behavior of employment and real estate websites.

  • The researchers are studying whether machine-learning algorithms on employment and real estate websites might have developed gender or racial bias. To do that, they would set up multiple similar accounts, changing only minority or gender status between them, and apply for jobs or housing.
  • That might violate the sites’ terms of service — and doing so, some courts have ruled, constitutes a violation of the Computer Fraud and Abuse Act (CFAA), the major U.S. anti-hacking law.

Why it matters: Knowing whether or not websites are biased against women and minorities is a public good. But sites aren’t always eager to help researchers reach those kinds of conclusions about them. Without courts clarifying the law (or legislators changing it), that threat could hang over researchers and their work.

Go deeper: Read the full story on Axios.com.

Never use the default password (Magento edition)

At least 1,000 websites built on the Magento platform were breached by attackers simply guessing default or common passwords. Flashpoint, the intelligence company that announced the breaches in a report released Monday, believes there are likely more breached sites it didn’t find.

Why it matters: Magento is the second most popular e-commerce platform in the top million websites. That suggests a target-rich environment. And the attackers in this campaign appear to have made thorough use of their access.

The technical details: The compromised Magento sites force visitors to run several malicious Javascript modules. One mines Monero cryptocurrency, another steals credentials and a third swipes credit card numbers.

Following outcry, Grindr stops sharing HIV status with third parties

The Grindr logo on a phone. Photo: Leon Neal/Getty images

Axios' Ina Fried reports that, following public outcry, Grindr has stopped sharing users' HIV status with its third-party vendors. From Ina:

The bottom line: Grindr may have been sharing more information than needed, but it insists the most sensitive information was encrypted and not shared with advertisers.

The vendors in question — Localytics and Apptimize — help Grindr manage its app performance and, in the case of Apptimize, test features on only a certain percentage of users.

No Cambridge Analytica: Grindr's security chief said people hear the term third parties and think that the company has been sharing information the way that Facebook user data ended up in the hands of Cambridge Analytica.

Users still unhappy: Plenty of people were unsatisfied with Grindr's explanation, pointing out that most other sites aren't trusted with someone's HIV status.

Making changes: Case said the company decided to change its policies around particularly sensitive information, including HIV status, after the user outcry.

  • Grindr also notes that, while HIV status can be a particularly sensitive issue in many parts of the world, and even in the U.S., it is an optional field on Grindr. When users do share that information, it is available publicly to anyone viewing their profile.
Malaysia to punish fake news with six-year prison sentences

Reuters reports that Prime Minister Najib Razak's government in Malaysia approved a law banning the malicious spread of false news reporting on Monday, instituting penalties of up to six years in prison and $125,000.

Why it matters: Fake news — the term used in the law — is an international concern after its starring role in the 2016 U.S. elections. This is an early post-2016 attempt to regulate a potential scourge.

Yes, but: Malaysia's free speech record is heavily criticized, and some observers view the new law as a tool for punishing dissent. United Nations special rapporteur on freedom of opinion and expression David Kaye said that the bill was being passed too quickly, without proper deliberation on consequences.

"[I] urge the Government to reconsider the bill and open it up to regular and genuine public scrutiny before taking any further steps," Kaye tweeted, hours before it passed.

Deeper dive: One of the fears of President Trump's more politicized use of the term fake news is that strongmen could view it as a green light for repression.

Odds and Ends
  • Congress is turning an eye to the security of open source software. (House Energy and Commerce Committee)
  • Accused leaker Reality Winner is subpoenaing a ton of intelligence agencies, states and private firms. Also: The White House, the National Archives and the publication Motherboard. (Politico)
  • Panera's website was leaking millions of users' contact info. (Krebs On Security)
  • CloudFlare launched, a secure domain name resolution service — the web's equivalent of a telephone operator. It joins the recently announced Quad9 (internet address in that space. (
  • Google's Chrome web browser announced a ban on cryptocurrency mining extensions. (Chromium Blog)
  • The Vatican is calling for more exorcists. (The Guardian, via Boing Boing)
  • The DOJ asks the Supreme Court to dismiss its now moot scuffle with Microsoft. (The Hill)

See you Thursday!