In December 2018 and January 2019, the Supreme Court held conferences on two petitions that asked it to answer the same question: how bad does a hack have to be for a victim to sue?
FCA US LLC, et al., Petitioners v. Brian Flynn, et al.
The first case in question is FCA US LLC, et al., Petitioners v. Brian Flynn, et al. The petition was filed September 26, 2018, but the case came about on July 21, 2015, after Wired published an article by Andy Greenberg that included a video demonstrating the Jeep Cherokee's vulnerability. The author is shown driving normally down a highway in the Jeep Cherokee when the hackers that Wired hired decide to turn the AC on, display a picture on the dashboard's digital screen, turn on music and turn it up extremely loud, and, most notably, kill the car's engine entirely. An 18-wheeler barrels past, honking at the dangerously slow vehicle, which only makes Greenberg more uneasy about the situation. There is nothing the driver can do to change it, no matter how much he fiddles with the dials, and his panic is clear to see as he begs the hackers to turn the engine back on while they laugh in the safety of an entirely different location. They were able to do this through a feature in the Jeep called Uconnect, a computer in the dashboard display (called the head unit) that has an internet connection. This was a huge issue for Chrysler to deal with. Despite the company sending USB drives with a fix to 1.4 million owners of the vehicles, people were still very wary; they pointed to the cars being “excessively vulnerable” and sought compensation for the risk. There was no evidence of the vulnerability being exploited maliciously, and Chrysler leaned heavily on that point in its petition.
Zappos.com, Inc. v. Stevens.
The second case is Zappos.com, Inc. v. Stevens. It stems from a malicious breach of the database of the online retail service Zappos.com in January 2012. The database contained sensitive information on more than 24 million Zappos customers, including names, account numbers, contact information (i.e., email addresses and billing addresses), and possibly credit card information. Again, the company found nothing indicating that the information had been used in tactics such as impersonation, but the customers claim they experienced otherwise, saying the information was used to hack into their other accounts.
The Conclusion of the Petitions
Each case's petition was ultimately denied. The Chrysler petition was denied at the first conference on January 4, 2019, while consideration of the Zappos petition was dragged out across two conferences before finally being denied on March 27, 2019.
There are several central questions that both cases bring up, the first being: what exactly is the relationship between obtaining information from a hack and actually using it? Neither company found evidence of the vulnerabilities being used in a way that compromised any user's safety or confidentiality, so could we judge these cases on the premise that there was a vulnerability in the first place? The issue is that nothing in cyber security is 100% safe from being breached, so anything that is released will have vulnerabilities that can be exposed. But is that a problem unless the vulnerability is discovered and used maliciously? Then we have to wonder about the victims: is it just to have a court decide whether a victim has suffered enough to do something about their losses? It becomes a never-ending cycle of ethical and practical questions about these topics, about what should be put in place to resolve the gray area, and about whether anything could get rid of gray areas at all. This emphasizes the difficulty that comes with cyber security as a whole: the subjectivity and uncertainty of so much of it. The word “concrete” comes up often in the official case documents, but very little in cyber security can be wholly defined as concrete, especially since it is intangible and, from a monetary standpoint, you cannot put numbers on the damages the way you can with a car crash or a fire.
What I Think
My main thoughts are first how lucky it is that these cases did not end up going to the Supreme Court, on behalf of big companies and my personal ethical beliefs. The companies are fortunate because the court could have easily swayed far more in favor of the masses that are being put at risk in so many ways because of security vulnerabilities; when the lines of damages are more defined, they will likely end up having to throw millions of dollars at settlements. But the companies are the ones who would be losing the least out of most of these situations, as they always do, so I’m much more on the side of the masses as someone who would have my information stolen from a database which may be protected by old white men who are using computers that are over half my age (I am 19, for reference). Users should not have to fear their private information being accessed by those without clearance, especially with some of the questions that are in background checks and such regarding extremely personal matters. I am fully aware that this is not a perfect world and that asking for privacy online is like putting a flyer of information on a wall and begging nobody to look at it, but it’s still really terrible that that’s how things are… Sometimes. But the thing is that I cannot even fathom any pity for companies with the amount of money and power they have. I feel the people who owned Jeep Cherokees were very justified in their concern and request for compensation because they are wondering about “what if” situations, but there is nothing that cannot be hacked, so I understand why the request is unreasonable from a security standpoint, so it is very hard. Overall, I just feel that something run by the government (the Supreme Court) cannot be the one defining how much damage is enough.
The word “enough” alone feels like a default invalidation of the victims of the situations in question, and with cyberspace being a forever-changing beast that, realistically, cannot be quantified, it is a catch-22 of sorts. There is no one solution we can come to for it, so for now I think it is best to deal with things on a case-by-case basis.
All information and quotes came from the following sources.
Written by Faith Cronister on September 29, 2019