BreachExchange mailing list archives
Fairfax Underground website ordered to remove Fairfax High School grades
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Mon, 24 Dec 2012 09:31:22 -0600
http://www.washingtonpost.com/blogs/the-state-of-nova/post/fairfax-underground-website-ordered-to-remove-fairfax-high-school-grades/2012/12/21/0326c090-4bb0-11e2-a6a6-aabac85e8036_blog.html Fairfax Underground is an online bulletin board, not a blog, where almost anything goes. Anyone can anonymously start or join a discussion about local drug dealers, complaints about the Fairfax County police or schools, places to meet women, politics, breaking news, all manner of things of interest to Northern Virginians. It is largely uncensored, so the content can be sexist, racist, vulgar or offensive, sometimes all in one post. It wasn’t particularly surprising, then, that someone anonymously obtained and posted a file Tuesday with the detailed grades of more than 2,000 Fairfax High School students in hundreds of different courses from the 2011-12 school year. On Wednesday, the Fairfax County School Board’s lawyers sent the site’s founder and administrator, Cary Wiedemann, an e-mail requesting that he immediately take the file down. Wiedemann declined, saying he did not post the file and did not see any law which prohibited the disclosure of the grades, and that there was no personal information such as social security numbers or home addresses. He also asked if anyone could verify that it was actual, accurate school data. The school board responded by going to federal court in Alexandria Friday, requesting and obtaining a temporary restraining order against the website, ordering Wiedemann to “remove the Student Report Cards file from the fairfaxunderground.com website.” Wiedemann said he was not served with the request for the injunction, though the school’s lawyers e-mailed him a draft of it, and he was not given a chance to respond to the motion before U.S. District Judge Claude Hilton granted it Friday afternoon. The case raises some interesting issues of privacy vs. freedom of speech, but certainly lots of students and Fairfax school officials are only interested in getting those grades taken down right NOW. Wiedemann told me Friday afternoon he would comply, though he was also considering filing a motion to dissolve the order and redacting just the student names and ID numbers, but leaving the grades and teachers’ names in the file. Wiedemann, 28, then went back to his day job as a computer programmer. Some background on this case, and then a previously unpublished look at Fairfax Underground is after the jump. Someone with at least a little computer knowledge somehow obtained the file from a Fairfax High School computer, Fairfax City police believe. Sgt. Joe Johnson said at least 200 teachers and administrators had access to the 2,166-page file, and it could have been downloaded onto a thumb drive and easily whisked out of the school. Court documents indicate it was also available over the Internet, so tracking down the source of the theft could be difficult, Johnson said. “Technically, it’s stolen property,” Johnson pointed out, “and taken from the schools without their permission.” The school district’s outside lawyers, Sona Rewari and Thomas Cawley, argued that Virginia law prohibits public disclosure of grades and absences of students without consent, that the federal Family Educational Rights and Privacy Act bars disclosure of “personally identifiable student information” and federal law also prohibits unauthorized access of a protected computer. Rewari sent Wiedemann an e-mail on Wednesday afternoon, asking him to remove the file from Fairfax Underground. Wiedemann replied that he was “unsure of exactly how to proceed. Fairfax Underground has a rich history of free speech and as such the standard operating procedures are to NEVER delete any legitimate content from the forums, regardless of how mundane or childish, so long as the claims made therein are true, and it doesn’t violate one of the extremely simple rules: No spam, no complete garbage, no personal attacks, and no impersonation.” Wiedemann added that the site “takes the security and privacy of its users very seriously, and routinely removes content that was posted specifically to harass or embarass other users. The motivation for this post does not seem to be malicious, rather intellectually curious, and as such doesn’t qualify for moderation based on a personal attack.” Wiedemann asked Rewari for legal citations that would prohibit the disclosure of the grades, and that he would remove them if she provided such law. Wiedemann also posted his response on the website and asked users for their views. Rewari did not engage in a legal back-and-forth with Wiedemann. Instead, on Friday at noon, she e-mailed Wiedemann copies of the motion and order she intended to file. By 1:40 p.m., Hilton had granted the request. Wiedemann said he was interested in fighting the request, but didn’t have enough notice and also had to work. Fairfax schools spokesman John Torre e-mailed that the district was “pleased the judge agreed to our request” but declined to speak with me. Hilton’s temporary restraining order expires Jan. 4, and Wiedemann said he may try to contest it further then. In October 2010, Wiedemann faced a similar issue, after someone posted the home address of a Fairfax County police officer on the site. Fairfax police obtained a search warrant trying to determine who had made the posting. At the same time, a lawyer for a Fairfax sheriff’s deputy had subpoenaed Wiedemann to find out who had posted personal information about the deputy on the site. Neither attempt succeeded. I wrote a story about the website at the time, with background on how it started and Wiedemann’s thoughts on free speech. It was not ever published, but for those interested, here it is: - - - On the popular website Fairfax Underground, users launch discussion topics and post messages that are frequently profane, sometimes funny, routinely tasteless, and almost always… Anonymous. So that’s why it was disturbing to the site’s creator, and probably to its 50,000 unique visitors every week, when the Fairfax County police obtained a search warrant for the site’s records on one of its anonymous users. The person had posted the home address of a Fairfax police officer, which can be a felony in Virginia if it’s done “with the intent to coerce, intimidate or harass.” The police obtained a search warrant on Sept. 29 for “godaddy.com,” and several days later, the police received 76 pages of documents, court records show. But the search was worthless. Godaddy.com doesn’t have any information about the website’s users, it only deals out domain names, said Cary Wiedemann, the founder and operator of Fairfax Underground. The actual server with information about the users is owned by Wiedemann, and the police haven’t asked him about it in this case, though they have worked with him in the past. “I’m perturbed and concerned why they would take such an approach,” said Wiedemann, 26, a computer programmer and longtime Fairfax resident. “They should have at least come to me and let me say ‘no.’” Fairfax police said they had no interest in invading the privacy of the site’s users, which often include officers as well as police critics, but they had a legitimate interest in investigating a crime. The investigation was conducted by the police internal affairs unit, Officer Bud Walker said, which was “trying to find out who [the user] was because [the user] had potentially committed a crime. That was the focus of the investigation, not the allegations that were made in the thread.” [The allegations, perhaps unsurprisingly for Fairfax Underground, concerned drugs, prostitution and immigration violations.] Walker added, “As long as someone does not commit a crime, they don’t need to worry about their anonymity being taken away.” He said police had not determined who the user was, and that the investigation was closed. Matt Zimmerman, a staff attorney for the Electronic Frontier Foundation in San Francisco, credited the Fairfax police with narrowly tailoring their request to one user, rather than all of Fairfax Underground, and with presenting specific evidence of a possible crime to a magistrate. But, he added, “There is a certain creepiness factor to it, certainly, when you have police using police powers to go after people who criticize them.” He noted that simply posting a police officer’s address is not definitive evidence of intent to harass or intimidate, and that obtaining a search warrant from a civilian magistrate, rather than a judge, can be a way to circumvent jurists with better knowledge of First Amendment law. Zimmerman also said that godaddy.com did not have a strong reputation for standing up for its users in such situations. Wiedemann said the company did not notify him that they had received the warrant, or that they had promptly turned over their recrods. In the days before everyone had their own website, online message boards were a popular way for people to communicate on the Internet, and they still exist in many forms. On Fairfax Underground, anyone can start a topic, read a thread or post a message without having to register. The topics range from people trying to find the best sports bar, to discussing the latest crime news, to disrespecting a rival high school, with plenty of police and politician bashing as well. Recently launched topics include “Best rapper in Fairfax,” “Stabbing in Rose Hill,” and “Any Companies in NoVA that DO NOT do a Drug Test?”, posted by the user “pothead.” Proceed at your own peril. Wiedemann acknowledges that much of what is posted is frivolous or offensive. “Even though some posts are horrible, or racist,” Wiedemann said, “I generally tolerate it, so long as it originates from Fairfax County.” And he fiercely defends his right to maintain the site and protect its users’ privacy. “When someone’s at their computer in their home,” Wiedemann said, “they have a reasonable expectation of privacy.” Wiedemann launched Fairfax Underground in 2005, after he had collected about three years worth of publicly available arrest data from the Fairfax police and converted it into a searchable data base. He wanted to create a site that was a resource for Fairfax residents, with the data base as its initial content. The site has no advertising, and Wiedemann said he makes no money from it. But he wants it to last for 50 years, and he said user anonymity is key to that. “The more information that comes out, the better the community will be,” Wiedemann said. “We as a civilization will always gain by knowledge of what our neighbors are up to.” Fairfax police, from street officers to top-level commanders, monitor the site closely, partly as a way to monitor the public temperature on hot-button issues. Sometimes the police even post photos or information about suspects or missing property they are seeking, in hopes of getting helpful tips. And the police have asked Wiedemann in the past for help, which he says he has provided, so long as it didn’t require providing anyone’s personal information. He will redact or moderate posts when asked, and when it’s appropriate, he said. But Fairfax police have not asked him to remove the officer’s address in this instance. As Wiedemann spoke, he was waiting outside a Fairfax courtroom, having been subpoenaed to testify in a case involving a Fairfax sheriff’s deputy, whose personal information had been posted on the site. The sheriff’s office asked him to redact it, and he did, but the deputy’s lawyer wanted to know who posted it. On the witness stand, Wiedemann said he had the poster’s IP address, but told the judge he’d rather not produce it unless ordered. Fairfax Circuit Court Judge Jonathan C. Thacher said the information wasn’t relevant to the case, and let Wiedemann go. _______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://datalossdb.org/mailing_list Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) Risk Based Security equips organizations with security intelligence, risk management services and on-demand security solutions to establish customized risk-based programs to address information security and compliance challenges.
Current thread:
- Fairfax Underground website ordered to remove Fairfax High School grades Erica Absetz (Dec 24)