Federal Courts Sound The Alarm Against RECAP; Worried About PACER Profits

from the and-that's-how-it-goes dept

Mon, Aug 24th 2009 1:50pm — Mike Masnick

We've been excited to see what would happen with the RECAP Firefox extension, which is being used to help free up public domain court documents that have been locked up behind the PACER paywall. However, there were also questions about how the folks who run and/or benefit from PACER would react. We now have at least part of the answer: bogus scare tactics. Paul Alan Levy alerts us to the fact that the Federal Court system, which profits from PACER, has started sending out scare notices to try to keep lawyers from using RECAP:

The court would like to make CM/ECF filers aware of certain security concerns relating to a software application or "plug-in" called RECAP, which was designed to enable the sharing of court documents on the Internet.

Once a user loads RECAP, documents that he or she subsequently accesses via PACER are automatically sent to a public Internet repository. Other RECAP/PACER users are then able to see whether documents are available from the Internet repository. At this time, RECAP does not appear to provide users with access to restricted or sealed documents.

Please be aware that RECAP is "open-source" software, which means it can be freely obtained by anyone with Internet access and could possibly be modified for benign or malicious purposes. This raises the possibility that the software could be used for facilitating unauthorized access to restricted or sealed documents. Accordingly, CM/ECF filers are reminded to be diligent about their computer security and document redaction practices to ensure that documents and sensitive information are not inadvertently shared or compromised.

The court and the Administrative Office of the U.S. Courts will continue to analyze the implications of RECAP or related-software and advise you of any ongoing or further concerns.

I especially like the "scare quotes" around "open-source." Of course, I'm not quite sure why the fact that the extension is open source makes it any more vulnerable to being "modified for benign or malicious purposes." Either way, looks like the Federal Courts don't like competition eating away at their PACER profits.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: legal documents, pacer, public domain, recap

41 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

senshikaze (profile), 24 Aug 2009 @ 1:55pm

Open source is teh evil
as a user of open source software, and a (bad) developer, I take exception at that. But then again, its a capitalistic society. TANSTAAFL is ingrained in the psyche.
[ link to this | view in chronology ]
- :Lobo Santo (profile), 24 Aug 2009 @ 2:02pm
  
  Re: Open source is teh evil
  Hey! We have those exact letterd stitched into our flag! (Here on the moon.)
  [ link to this | view in chronology ]
- Anonymous Coward, 24 Aug 2009 @ 2:23pm
  
  Re: Open source is teh evil
  A capitalistic society implies that the federal courts do nothing in terms of laws or precedent to interfere with Recap. If they do that's not capitalism, it's closer to communism or tyranny.
  [ link to this | view in chronology ]
  - senshikaze (profile), 24 Aug 2009 @ 2:25pm
    
    Re: Re: Open source is teh evil
    oh, no i meant the distrust for anything "free"
    [ link to this | view in chronology ]
Anonymous Coward, 24 Aug 2009 @ 2:09pm

Ed Felten's Team of Mavericks
Scare quotes around open-source?

Of course. You see, the plugin was developed by the real simpleton team surrounding Ed Felten. And, to make matters worse, those guys are always researching Government Transparency, finding vulnerabilities with DRM, voting machines and hard drive encryption, commenting on the three-strikes laws.

Those Ed Felten followers... They are such a nefarious group of people. How dare they think this way!

http://www.techdirt.com/search.php?q=Ed+Felten
[ link to this | view in chronology ]
PrometheeFeu (profile), 24 Aug 2009 @ 2:16pm

Apparently, someone believes that open-source means anyone can modify the software and replace the currently distributed version. That is simply not accurate. Almost all open source projects have a person or a group of people in charge of vetting modifications to the software. Now, there is nothing stopping somebody from making changes and distribution their version on their own website, but as long as you get the software from the official project website, you will only get the vetted versions. And guess what? The people that vet and develop are no more and no less liable than a normal corporation that would develop bad software. I trust open source projects that are well maintained because unlike closed source software, there is a guy out there reviewing the code who does not have an incentive to sell the product to me. Let's imagine the software tester at Microsoft finds out Windows is buggy... Who does he report it to? You? Or the guy whose interest it is that you buy the software. Conflict of interest anyone?
[ link to this | view in chronology ]
- Anonymous Coward, 24 Aug 2009 @ 2:25pm
  
  Re:
  What I would be concerned about is that anyone can pretend to be RECAP and they can put fake data on the RECAP databses pretending it came from PACER, and there are malicious people who would do such a thing (heck, Techdirt recently got hacked even).
  [ link to this | view in chronology ]
  - Noah, 24 Aug 2009 @ 2:39pm
    
    Re: Re:
    Yes, but as (almost) everyone learned back in middle school, one source is not enough! I look at RECAP as a good place to start, but I wouldn't bet my life on it.
    [ link to this | view in chronology ]
  - Rich Kulawiec, 24 Aug 2009 @ 2:46pm
    
    Re: Re:
    1. Given the abysmal track security track record of federal, state and local government agencies, I would be far more concerned about fake data on PACER itself.
    2. How do we know that this hasn't already happened?
    [ link to this | view in chronology ]
  - Anonymous Coward, 24 Aug 2009 @ 5:37pm
    
    Re: Re:
    heck, Techdirt recently got hacked even
    
    And you think such a thing couldn't possible happen to PACER? I've got news for you.
    [ link to this | view in chronology ]
Kazi, 24 Aug 2009 @ 2:23pm

Actually, they are just concerned about this:

-------------------------------
(https://www.recapthelaw.org/2009/08/20/a-note-on-recaps-c ommitment-to-privacy/)
We’re confident that RECAP maintains the security model set up by the courts, and that it will never upload documents while a user is logged into CM/ECF. The code is open source, so anyone with concerns is welcome to inspect it for themselves. We’d like to work with the judiciary in the coming weeks to ensure they understand how RECAP protects privacy and security, and to incorporate any further enhancements they might suggest. In the meantime, users can continue using RECAP with the knowledge that it’s designed with privacy as our top priority.

Update: A final reason users should be comfortable with using RECAP is that the extension’s operation is extremely transparent. The little “R” icon in the lower-right-hand corner of every browser window turns blue when RECAP is enabled (which should only happen when you’re logged into PACER) and grey when it’s disabled (which should happen when you’re logged into CM/ECF). We don’t think you’ll ever see a blue icon when you’re browsing CM/ECF, but if you do, you should immediately disable recap and let us know about it so we can investigate the problem. In addition, RECAP notifies you about every document it uploads (unless you choose to turn this feature off). Again, you should never see an upload notification while you’re on an CM/ECF page, but if you do you can contact us and we’ll delete that document from our database. So you don’t have to take our word for it when we say RECAP won’t upload CM/ECF documents, you can monitor what it’s doing and verify for yourself.
-------------------------------

So you might be sensationalizing the news a bit here and the "scare quotes" are not really scare quotes but to identify the name of the program ...
[ link to this | view in chronology ]
- Ryan, 24 Aug 2009 @ 2:37pm
  
  Re:
  Concerned about what? That excerpt just reinforces the argument that RECAP is as safe as anything else. Additionally, the quotes from the federal "court" release are around "open-source", not "RECAP".
  
  Heh, see what I did there? I put quotes around "court" for no reason, as if to imply that they are something less than an actual court.
  [ link to this | view in chronology ]
Fred McTaker (profile), 24 Aug 2009 @ 2:49pm

Executables can always be altered
The worry that executables can be altered by nefarious third parties isn't limited to open source applications at all. Plenty of trojans/malware come in the form of altered proprietary (no public source access whatsoever) executables and drivers. This is where the whole term "trojan" came from - short for Trojan Horse, where in this case the horse is made of an application you know and love instead of wood, like Windows drivers or notepad.exe. That's why the open source community advocates cryptographic signing ALL applications, open source or otherwise, so that you can independently confirm that the source and binaries came from a trusted provider. So giving a warning, about confirming that applications came from a trusted source, isn't bad on its own. The assumption that such precautions should only apply to open source applications is complete FUD-mongering.
[ link to this | view in chronology ]
- Anonymous Coward, 24 Aug 2009 @ 3:05pm
  
  Re: Executables can always be altered
  Is the information on Pacer digitally signed by a governmental private key? I highly doubt it.
  [ link to this | view in chronology ]
  - ..., 24 Aug 2009 @ 6:38pm
    
    Re: Re: Executables can always be altered
    "Is the information on Pacer digitally signed by a governmental private key? I highly doubt it."
    
    Does what you posted refute anything in the Fred McTaker post?
    Or are you implying that the WARNING was a fake put there by nefarious users.
    [ link to this | view in chronology ]
    - Anonymous Coward, 24 Aug 2009 @ 7:05pm
      
      Re: Re: Re: Executables can always be altered
      Fred McTaker said
      
      "That's why the open source community advocates cryptographic signing ALL applications, open source or otherwise, so that you can independently confirm that the source and binaries came from a trusted provider."
      
      But how do you know the information on RECAP came from Pacer and not someone posing as RECAP pretending the data came from PACER?
      [ link to this | view in chronology ]
      - Anonymous Coward, 24 Aug 2009 @ 7:58pm
        
        Re: Re: Re: Re: Executables can always be altered
        "But how do you know the information on RECAP came from Pacer and not someone posing as RECAP pretending the data came from PACER?"
        
        That's a problem that only the courts can solve... by signing the documents in the first place. There has been a push to get them to do this, but they have been resistant.
        [ link to this | view in chronology ]
      - ..., 24 Aug 2009 @ 8:25pm
        
        Re: Re: Re: Re: Executables can always be altered
        "But how do you know the information on RECAP came from Pacer and not someone posing as RECAP pretending the data came from PACER?"
        
        You are asking a valid question, however it is unrelated to the post to which you responded.
        [ link to this | view in chronology ]
      - Anonymous Coward, 25 Aug 2009 @ 10:46am
        
        Re: Re: Re: Re: Executables can always be altered
        But how do you know the information on RECAP came from Pacer and not someone posing as RECAP pretending the data came from PACER?
        
        But how do you know the information on PACER came from Pacer and not someone posing as PACER pretending the data came from PACER?
        [ link to this | view in chronology ]
        
        Anonymous Coward, 2 Nov 2010 @ 6:07pm
        
        Re: Re: Re: Re: Re: Executables can always be altered
        The likelihood that someone will get in the middle of each interaction between the PACER server and each user and go unnoticed while changing tons of info is far less than the likelihood that someone posing as PACER will send RECAP invalid information.
        [ link to this | view in chronology ]
Matt (profile), 24 Aug 2009 @ 2:55pm

Legitimate concerns?
It is possible that the court system has some legit concerns. Going to CM/ECF and PACER is scary, in part because some documents get (appropriately) sealed or even stricken entirely _after_ filing. With paper, it was unlikely that a doc that should have been sealed would be released to broad distribution before that happened. With PACER, it is less unlikely. With RECAP, it is still less unlikely. This can be a huge concern in circuits, like the 9th, that are unforgiving about the loss of privilege in the face of inadvertent disclosure. Add to that the concern that a dumb or ill-informed lawyer could install a trojan RECAP.

A law partner I knew had a standing requirement that his secretary power on his computer before he got to the office every day. This was not just a show of power - he did not know where to find the button. And lawyers routinely violate their firms' software installation policies. The court system is right to be concerned that mere lawyers may not understand all of the implications of installing new software.
[ link to this | view in chronology ]
- Anonymous Coward, 24 Aug 2009 @ 5:45pm
  
  Re: Legitimate concerns?
  A law partner I knew had a standing requirement that his secretary power on his computer before he got to the office every day. This was not just a show of power - he did not know where to find the button.
  
  Now let me get this straight, you're claiming that he could use a computer, yet he couldn't press a power button? Uh huh, sure. I bet he made her turn on his office lights too because he was too dumb to operate the light switch, huh?
  [ link to this | view in chronology ]
- ..., 24 Aug 2009 @ 6:41pm
  
  Re: Legitimate concerns?
  "because some documents get (appropriately) sealed or even stricken entirely _after_ filing"
  
  pandora's box, cat out of the bag, etc
  [ link to this | view in chronology ]
Anonymous Coward, 24 Aug 2009 @ 3:04pm

I wouldn't be difficult for someone to take this plugin, tack on some extra code, and turn it into a keylogger or similar. It also wouldn't be difficult to have it log and forward all your https accesses to a third party.

People think it is safe, but honestly, it is easy to put a modified versions of this open source tool online and get people to use it.
[ link to this | view in chronology ]
- william (profile), 24 Aug 2009 @ 3:41pm
  
  Re:
  Valid points.
  
  However, if you are dumb enough to NOT download the OFFICIAL plug-in, from the OFFICIAL WEBSITE but from this random pop-up you see while you were surfing those _____ sites...
  
  Then you probably deserve it.
  
  It's basic Internet 101 really.
  [ link to this | view in chronology ]
- Anonymous Coward, 24 Aug 2009 @ 6:43pm
  
  Re:
  This could happen - open or closed, does not matter.
  [ link to this | view in chronology ]
- Ben Zayb, 25 Aug 2009 @ 5:10am
  
  Re:
  "I wouldn't be difficult for someone to take this plugin, tack on some extra code, and turn it into a keylogger or similar."
  
  For you to say that it wouldn't be difficult, I assume you are able to do this sort of thing. So do it.
  
  "It also wouldn't be difficult to have it log and forward all your https accesses to a third party."
  
  And after getting the thing to do all this, let's see you get us to install that filthy mod- from the official site, no less.
  
  "People think it is safe, but honestly, it is easy to put a modified versions of this open source tool online and get people to use it."
  
  Can't do it? Then don't say it. FUD for the Gods!
  [ link to this | view in chronology ]
duane (profile), 24 Aug 2009 @ 3:43pm

with you on all but one point...
"Either way, looks like the Federal Courts don't like competition eating away at their PACER profits."

The Federal Court System doesn't actually call the shots with PACER and the monies it generates. Congress determines what PACER charges and what money, if any, the Federal Courts get from PACER. This is actually true for all the money the Federal Court System gets. So, PACER could generate a kabillion dollars and it wouldn't make much difference. Congresspeople would just direct it some place else and cut their budget again...
[ link to this | view in chronology ]
- Anonymous Coward, 24 Aug 2009 @ 5:10pm
  
  Re: with you on all but one point...
  That's not true. Congress delegated the authority to charge fees to the Courts.
  
  http://pacer.uscourts.gov/faq.html#GP8
  
  In fact, there is increasing evidence that the Courts have begun to use PACER as a profit center to support costs other than Electronic Public Access.
  
  http://www.nextgov.com/nextgov/ng_20090819_1886.php
  
  You *might* be able to argue that Congress didn't appropriate funds to pay for PACER, but of course the Courts haven't asked for it. Congress, on the other hand, explicitly told the Courts in 2002 that they should move to no-fee access.
  [ link to this | view in chronology ]
  - Anonymous Coward, 24 Aug 2009 @ 7:24pm
    
    Re: Re: with you on all but one point...
    Actually if you read more about the entire system you'll note that Congress actually directed the Courts to charge for the services. Later, with one hand they passed the e-gov act and directed things to be free, but with the other they still directed there to be charges for this sort of stuff. Typical government maneuvering. Also, the Court system doesn't set its own budget, Congress does. Congress gives money to the Court system. Whatever money the courts make it goes into a fund that then Congress has to give back to it. If there is such a concern about the Courts raking in the dough, surely the fact that they have to give it all up for someone else to decide what to do with it might temper that concern. I can assure you the Court's budget is nothing but lean -- less than two tenths of the entire budget or about 6.2 billion dollars for all the federal court systems. Finally, the "other" costs is sort of a loose definition. As the monies are going to improve electronic documentation and things of that nature. Seen one way, the monies are being used not for their original intent. Seen another, they are. Welcome to public administration.
    [ link to this | view in chronology ]
    - Anonymous Coward, 24 Aug 2009 @ 7:37pm
      
      Re: Re: Re: with you on all but one point...
      The government tries to configure the laws in such a way as to extract as much money as possible away from you. If you work with that assumption lots of things make a lot more sense. It's not about "where the money goes, who gets it, what it's going to fund" it's about extracting as much money as possible away from you.
      
      Where it goes, what it funds, what is the purpose of some law that was passed under noble pretexts; all of that could just be a bunch of smoke and mirrors to confuse you. The assumption you want to make is that the laws are configured to extract as much money away from you as possible and you want to see how well that assumption explains the laws in place. Test every law with that assumption and see how well it explains them. This includes laws to ban things, like banning competing products to reduce competition (because less competition extracts more money away from you) under health and safety or environmental pretexts. It includes laws to ban software under the pretexts of security or national security (ie: peer to peer software maybe?).
      [ link to this | view in chronology ]
    - Anonymous Coward, 24 Aug 2009 @ 7:50pm
      
      Re: Re: Re: with you on all but one point...
      You are correct that at the inception of PACER, Congress directed the Courts to charge in order to support the system. The E-Government Act revised this language to say that the courts may only charge to the extent necessary, and clearly stated Congress' concern with the fact that the Courts were charging more than the cost of disseminating the information. They also made clear their intent that the Courts move toward a free system. This is quite clear.
      
      You are not correct about the money going into a fund that Congress has to give back. The money goes into the Judiciary Information Technology Fund that the Courts control and have the discretion to spend from without fiscal year limitation. Programs other than PACER are paid for out of this fund, and monies other than PACER fees are deposited into it... but it is all within the Judiciary and decided by them.
      
      You are partially correct that Congress sets the Judiciary's budget. In reality, the Courts propose a budget that is submitted to the President and must be passed along to Congress *without change* (a special condition they fought for), then Congress and the Judiciary debate whether the requests are reasonable, and once the funds are allocated the Judiciary makes the finer-grained decisions. You might feel that the Courts do not have a strong enough position in this process, but it's the same process that all branches of government go through (that's why they call it the "power of the purse").
      
      The reality is that the Courts have not asked for money to pay for PACER, and they appear to actually be making a profit off of the service. The path of least resistance is the status quo. Unfortunately, this may not be the best thing for the public.
      [ link to this | view in chronology ]
      - Anonymous Coward, 25 Aug 2009 @ 8:56pm
        
        Re: Re: Re: Re: with you on all but one point...
        I do have to wonder if by receiving more funds than needed to run the PACER system, and then utilizing these additional funds for purposes other than running the PACER system, the judiciary may unwittingly be at the cusp of violating the longstanding doctrine and rule of law that excess funds may not be used for the augmentation of appropriated funds, the so-called "unauthorized augmentation of appropriated funds"? All such excess funds are by law required to be transferred to the US General Fund.
        
        Am I perhaps unaware of the judiciary having been given some form of a statutory exemption from the doctrine?
        [ link to this | view in chronology ]
Mechwarrior, 24 Aug 2009 @ 4:45pm

The dreaded OPENSOURCE! >:(
[ link to this | view in chronology ]
Dan, 24 Aug 2009 @ 6:30pm

Yeh right
Yes "open source" software, unlike the proprietary software supplied with government "approved and sanctioned" voting machines. The court would never make an unfounded or defamatory claim, would they?
[ link to this | view in chronology ]
Prometheus, 24 Aug 2009 @ 6:46pm

Be afraid - be very afraid
[ link to this | view in chronology ]
orbitalinsertion (profile), 24 Aug 2009 @ 7:17pm

We have apparently missed the clue-train again.
...access and could possibly be modified for benign or malicious purposes. This raises the possibility that the software could be used for facilitating unauthorized access to restricted or sealed documents.

How? RECAP does not access PACER. Someone would have to post the "restricted or sealed" documents after accessing them in the PACER fashion, which would require no code (and no RECAP FF extension) whatsoever. This doesn't make sense, and simply calls to attention how clueless the judiciary is.

The Feds might have some legitimate concerns or warnings, but they were too stupid to voice those. (Simply rephrasing their statement minus the OSS or RECAP comments would have worked, as would have simply questioning the guarantee of provenance.)
[ link to this | view in chronology ]
Ben Zayb, 25 Aug 2009 @ 5:04am

As If
"Please be aware that RECAP is "open-source" software, which means it can be freely obtained by anyone with Internet access and could possibly be modified for benign or malicious purposes."

ROTFL!!! As if "closed-source" software couldn't be modified for malicious purposes. Whoever said this must have never heard of Windows and botnets.
[ link to this | view in chronology ]
ranon, 25 Aug 2009 @ 1:47pm

Everybody need not sign up to RECAP
Everybody need not sign up to RECAP. All that is required is for one person to upload a document and it will be available to all.

Also, you are not going to get sign up's for RECAP just for uploading. A person installs the application initially to download documents. Then when he gets sufficiently comfortable with the application, and it is useful, he will start uploading documents.

At that point, you will not have computer nitwits operating the system, and they can ensure that they take required security measures.
[ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2009 @ 7:16pm

Is one able to access the RECAP database without having a PACER subscription?
[ link to this | view in chronology ]
Pacer Federal Docket Already Free, 2 Oct 2009 @ 8:31am

Free Pacer Dockets
Pacer dockets have been free for a while. Just go to http://www.freecourtdockets.com. Lots of ads, but in 1 minute without a Pacer account anyone can get a free Pacer docket.
[ link to this | view in chronology ]