Fairfax Underground website ordered to remove Fairfax High School grades

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.washingtonpost.com/blogs/the-state-of-nova/post/fairfax-underground-website-ordered-to-remove-fairfax-high-school-grades/2012/12/21/0326c090-4bb0-11e2-a6a6-aabac85e8036_blog.html

Fairfax Underground is an online bulletin board, not a blog, where
almost anything goes. Anyone can anonymously start or join a
discussion about local drug dealers, complaints about the Fairfax
County police or schools, places to meet women, politics, breaking
news, all manner of things of interest to Northern Virginians. It is
largely uncensored, so the content can be sexist, racist, vulgar or
offensive, sometimes all in one post.

It wasn’t particularly surprising, then, that someone anonymously
obtained and posted a file Tuesday with the detailed grades of more
than 2,000 Fairfax High School students in hundreds of different
courses from the 2011-12 school year. On Wednesday, the Fairfax County
School Board’s lawyers sent the site’s founder and administrator, Cary
Wiedemann, an e-mail requesting that he immediately take the file
down. Wiedemann declined, saying he did not post the file and did not
see any law which prohibited the disclosure of the grades, and that
there was no personal information such as social security numbers or
home addresses. He also asked if anyone could verify that it was
actual, accurate school data.

The school board responded by going to federal court in Alexandria
Friday, requesting and obtaining a temporary restraining order against
the website, ordering Wiedemann to “remove the Student Report Cards
file from the fairfaxunderground.com website.” Wiedemann said he was
not served with the request for the injunction, though the school’s
lawyers e-mailed him a draft of it, and he was not given a chance to
respond to the motion before U.S. District Judge Claude Hilton granted
it Friday afternoon.

The case raises some interesting issues of privacy vs. freedom of
speech, but certainly lots of students and Fairfax school officials
are only interested in getting those grades taken down right NOW.
Wiedemann told me Friday afternoon he would comply, though he was also
considering filing a motion to dissolve the order and redacting just
the student names and ID numbers, but leaving the grades and teachers’
names in the file.

Wiedemann, 28, then went back to his day job as a computer programmer.
Some background on this case, and then a previously unpublished look
at Fairfax Underground is after the jump.

Someone with at least a little computer knowledge somehow obtained the
file from a Fairfax High School computer, Fairfax City police believe.
Sgt. Joe Johnson said at least 200 teachers and administrators had
access to the 2,166-page file, and it could have been downloaded onto
a thumb drive and easily whisked out of the school. Court documents
indicate it was also available over the Internet, so tracking down the
source of the theft could be difficult, Johnson said.

“Technically, it’s stolen property,” Johnson pointed out, “and taken
from the schools without their permission.”

The school district’s outside lawyers, Sona Rewari and Thomas Cawley,
argued that Virginia law prohibits public disclosure of grades and
absences of students without consent, that the federal Family
Educational Rights and Privacy Act bars disclosure of “personally
identifiable student information” and federal law also prohibits
unauthorized access of a protected computer.

Rewari sent Wiedemann an e-mail on Wednesday afternoon, asking him to
remove the file from Fairfax Underground. Wiedemann replied that he
was “unsure of exactly how to proceed. Fairfax Underground has a rich
history of free speech and as such the standard operating procedures
are to NEVER delete any legitimate content from the forums, regardless
of how mundane or childish, so long as the claims made therein are
true, and it doesn’t violate one of the extremely simple rules: No
spam, no complete garbage, no personal attacks, and no impersonation.”

Wiedemann added that the site “takes the security and privacy of its
users very seriously, and routinely removes content that was posted
specifically to harass or embarass other users. The motivation for
this post does not seem to be malicious, rather intellectually
curious, and as such doesn’t qualify for moderation based on a
personal attack.”

Wiedemann asked Rewari for legal citations that would prohibit the
disclosure of the grades, and that he would remove them if she
provided such law. Wiedemann also posted his response on the website
and asked users for their views.

Rewari did not engage in a legal back-and-forth with Wiedemann.
Instead, on Friday at noon, she e-mailed Wiedemann copies of the
motion and order she intended to file. By 1:40 p.m., Hilton had
granted the request. Wiedemann said he was interested in fighting the
request, but didn’t have enough notice and also had to work.

Fairfax schools spokesman John Torre e-mailed that the district was
“pleased the judge agreed to our request” but declined to speak with
me.

Hilton’s temporary restraining order expires Jan. 4, and Wiedemann
said he may try to contest it further then.

In October 2010, Wiedemann faced a similar issue, after someone posted
the home address of a Fairfax County police officer on the site.
Fairfax police obtained a search warrant trying to determine who had
made the posting. At the same time, a lawyer for a Fairfax sheriff’s
deputy had subpoenaed Wiedemann to find out who had posted personal
information about the deputy on the site. Neither attempt succeeded.

I wrote a story about the website at the time, with background on how
it started and Wiedemann’s thoughts on free speech. It was not ever
published, but for those interested, here it is:

- - -

On the popular website Fairfax Underground, users launch discussion
topics and post messages that are frequently profane, sometimes funny,
routinely tasteless, and almost always…

Anonymous.

So that’s why it was disturbing to the site’s creator, and probably to
its 50,000 unique visitors every week, when the Fairfax County police
obtained a search warrant for the site’s records on one of its
anonymous users. The person had posted the home address of a Fairfax
police officer, which can be a felony in Virginia if it’s done “with
the intent to coerce, intimidate or harass.”

The police obtained a search warrant on Sept. 29 for “godaddy.com,”
and several days later, the police received 76 pages of documents,
court records show.

But the search was worthless. Godaddy.com doesn’t have any information
about the website’s users, it only deals out domain names, said Cary
Wiedemann, the founder and operator of Fairfax Underground. The actual
server with information about the users is owned by Wiedemann, and the
police haven’t asked him about it in this case, though they have
worked with him in the past.

“I’m perturbed and concerned why they would take such an approach,”
said Wiedemann, 26, a computer programmer and longtime Fairfax
resident. “They should have at least come to me and let me say ‘no.’”

Fairfax police said they had no interest in invading the privacy of
the site’s users, which often include officers as well as police
critics, but they had a legitimate interest in investigating a crime.

The investigation was conducted by the police internal affairs unit,
Officer Bud Walker said, which was “trying to find out who [the user]
was because [the user] had potentially committed a crime. That was the
focus of the investigation, not the allegations that were made in the
thread.”

[The allegations, perhaps unsurprisingly for Fairfax Underground,
concerned drugs, prostitution and immigration violations.]

Walker added, “As long as someone does not commit a crime, they don’t
need to worry about their anonymity being taken away.” He said police
had not determined who the user was, and that the investigation was
closed.

Matt Zimmerman, a staff attorney for the Electronic Frontier
Foundation in San Francisco, credited the Fairfax police with narrowly
tailoring their request to one user, rather than all of Fairfax
Underground, and with presenting specific evidence of a possible crime
to a magistrate.

But, he added, “There is a certain creepiness factor to it, certainly,
when you have police using police powers to go after people who
criticize them.” He noted that simply posting a police officer’s
address is not definitive evidence of intent to harass or intimidate,
and that obtaining a search warrant from a civilian magistrate, rather
than a judge, can be a way to circumvent jurists with better knowledge
of First Amendment law.

Zimmerman also said that godaddy.com did not have a strong reputation
for standing up for its users in such situations. Wiedemann said the
company did not notify him that they had received the warrant, or that
they had promptly turned over their recrods.

In the days before everyone had their own website, online message
boards were a popular way for people to communicate on the Internet,
and they still exist in many forms. On Fairfax Underground, anyone can
start a topic, read a thread or post a message without having to
register. The topics range from people trying to find the best sports
bar, to discussing the latest crime news, to disrespecting a rival
high school, with plenty of police and politician bashing as well.
Recently launched topics include “Best rapper in Fairfax,” “Stabbing
in Rose Hill,” and “Any Companies in NoVA that DO NOT do a Drug
Test?”, posted by the user “pothead.”

Proceed at your own peril.

Wiedemann acknowledges that much of what is posted is frivolous or
offensive. “Even though some posts are horrible, or racist,” Wiedemann
said, “I generally tolerate it, so long as it originates from Fairfax
County.”
And he fiercely defends his right to maintain the site and protect its
users’ privacy.

“When someone’s at their computer in their home,” Wiedemann said,
“they have a reasonable expectation of privacy.”

Wiedemann launched Fairfax Underground in 2005, after he had collected
about three years worth of publicly available arrest data from the
Fairfax police and converted it into a searchable data base. He wanted
to create a site that was a resource for Fairfax residents, with the
data base as its initial content.

The site has no advertising, and Wiedemann said he makes no money from
it. But he wants it to last for 50 years, and he said user anonymity
is key to that.

“The more information that comes out, the better the community will
be,” Wiedemann said. “We as a civilization will always gain by
knowledge of what our neighbors are up to.”

Fairfax police, from street officers to top-level commanders, monitor
the site closely, partly as a way to monitor the public temperature on
hot-button issues. Sometimes the police even post photos or
information about suspects or missing property they are seeking, in
hopes of getting helpful tips.

And the police have asked Wiedemann in the past for help, which he
says he has provided, so long as it didn’t require providing anyone’s
personal information. He will redact or moderate posts when asked, and
when it’s appropriate, he said.

But Fairfax police have not asked him to remove the officer’s address
in this instance.

As Wiedemann spoke, he was waiting outside a Fairfax courtroom, having
been subpoenaed to testify in a case involving a Fairfax sheriff’s
deputy, whose personal information had been posted on the site. The
sheriff’s office asked him to redact it, and he did, but the deputy’s
lawyer wanted to know who posted it.

On the witness stand, Wiedemann said he had the poster’s IP address,
but told the judge he’d rather not produce it unless ordered. Fairfax
Circuit Court Judge Jonathan C. Thacher said the information wasn’t
relevant to the case, and let Wiedemann go.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.