> State Bar officials learned about the posted records on Feb. 24. As of Saturday night, all the confidential information that had been published on the website judyrecords.com — which included case numbers, file dates, information about the types of cases and their statuses, respondent and complaining witnesses names — had been removed, officials said.
> ...Full case records were not published. Officials said they don’t know whether the published information was the result of a hacking incident. Judyrecords.com is a website that aggregates nationwide court case records.
edit: The "Info" link [2] on judyrecords.com has updates related to this event. It asserts that the confidential data was available on the CA Bar's own website:
> These records were all (confidential & non-confidential) previously publicly available at https://discipline.calbar.ca.gov (now offline).
[0] https://www.latimes.com/california/story/2022-02-27/californ...
edit: would love to check, but [0]
> The State Bar Court Portal will be unavailable from February 25th to February 28th due to maintenance activities. During this time the Case Search and Court Calendar functionality will not be available.
[0] https://apps.statebarcourt.ca.gov/dockets.aspx via https://www.statebarcourt.ca.gov/Public-Records-Information
I think in the era of "go in and get things", things should be "public".
Now in the search engine age and data available at your fingertips we need to entirely change our public records laws... Immediately.
edit: In fact an HN user said this with NO REPLY from the author of that Show HN: I have some records that are sealed, but show up in this database. So there are records that were once ‘public’ but are no more, but this database makes them public again.
I think that website should be taken offline immediately.
I am certain that many people in government would agree with you - they would LOVE to be able to hide what they are doing and not be held accountable for decisions they make (or don't make). We need more public disclosures, not less, imo.
>>So there are records that were once ‘public’ but are no more, but this database makes them public again.
This website didn't make them public, they just gave others a way to access them - once something is public, and in control of others, it is impossible to make them 'un-public' without violating the 1st amendment.
And most importantly, who does get access to the records? That exclusive access will give them a lot of power.
get the idea?
What are they going to do next, call Missouri's governor and ask for the playbook to follow? The humans behind the scenes at the bar are looking incredibly pathetic here.
Maybe they accept it, but just don't admit to their mistake. Seems to be a growing trend, unfortunately. Perhaps the result of a society who more and more punishes people for admitting to their mistakes, rather than rewarding them for admitting to it and learning from it.
It's very sad to me, that this seems to be getting so much more common.
Closing with "Law enforcement has been notified" doubles down on "we published everything but maybe if we can get somebody charged for a bogus crime then we won't look so stupid."
It's the bar. Of all the organizations to respond like lawyers covering their own asses as hard as possible, you have to expect this one.
They have nothing but praise for the judyrecords owner, actually!
And they're a bunch of lawyers -- they likely know that.
The very first paragraph of the article seems to contradict that. Do you have a source that says otherwise?
Sounds like Missouri teachers SSN leak again... The website that judyrecords scraped, discipline.calbar.ca.gov, contained all of these "nonpublic" records for anyone to see.
This applies even more when the site you scraped didn't have permission to show the data in the first place. Their mistake does not rise to be your permission; if it was my data, I would have as much a claim against you as them. "The software did it" is not an excuse.
The State Bar announced today that it is taking urgent action to address a breach of confidential attorney discipline case data that it discovered on February 24. A public website that aggregates nationwide court case records was able to access and display limited case profile data on about 260,000 nonpublic State Bar attorney discipline case records, along with about 60,000 public State Bar Court case records. The site also appears to display confidential court records from other jurisdictions.
Under California Business and Professions Code 6086.1(b), all disciplinary investigations are confidential until the time that formal charges are filed, and all investigations are confidential until a formal proceeding is instituted.
The nonpublic case profile data from the State Bar appears to have been displayed on this public website in violation of this statute. It includes case number, file date, case type, case status, and respondent and complaining witness names. It does not include full case records. We do not yet know how many attorney or witness names were disclosed.
edit: If you're wondering if I'm a hardened criminal with a wake of victims left behind, the answer is no. I was 22 and got caught in the Midwest with an ounce and a half of cannabis. This website, as far as I'm concerned, is displaying inaccurate information about me that could have serious negative consequences for myself.
You might want to check with a more thorough source, like a criminal background check agency.
When you renew your membership, there are a variety of addon payments you can opt into by checking boxes for these items. Then, on a later page, there are various addon payments that you have to opt out of.
Making things even trickier, these aren't pre-checked boxes, which might lead the user to realize he needs to uncheck them. Instead, there is a list of "adjustments" with a dropdown menu for each. The dropdown defaults to "none", which would lead users to think that they are not paying for an extra item. But when you click on the dropdown, you see the option to "deduct $x" if you don't want to pay the additional fee.
I've never seen a dark pattern like this anywhere else. Perhaps the folks who run the calbar website could spend less time finding ways to trick members into overpaying and more time securing private information.
I was going to joke that you're a lawyer, you should sue them, but they're not doing anything illegal, just very shady.
Does this part of the code apply to everyone, or only the folks in charge of the investigations, or in charge of safeguarding the information?
If someone is in a bar and overhears a Bar employee talking loudly about an investigation, do they have a legal duty to keep what they heard confidential?
The problem is that this would make the database entirely inaccessible unless you have access to the password. That creates quite a lot of friction in the user experience; the user would have to provide his password on every interaction (i.e. not just when logging in).
We're basically just discussing end-to-end encryption.
The real reason it's not done more often is that it makes a lot of things way more complicated from a development perspective. Features like "allow users to send messages to each other" that would normally be really simple to implement suddenly require a whole public key infrastructure and logic to take into account edge cases like "What if the user got a new phone or changed their password and was offline when the message was sent?", or onerous threat models like "What if the server is controlled by an attacker when I sign in?"
Also, I'm not sure this is an actual breach. I think they accidentally published the data themselves, that's the vibe I'm getting from reading between the lines. It's like the code maybe missed checking a flag that would exclude private records from showing.
Private key cryptography would be better, maybe encrypt a private key with a password and store that along with the public?
We can't determine what their password is based on the hash alone, which is why we couldn't hash all the user data in the DB with their password and store that.
The idea behind crypto shredding is that you have a cryptographic key for each entity in your system and you use that key to encrypt all fields for a given record. When it comes time to delete that data, you simply discard the key used to encrypt it. Assuming you've used reasonably good cryptography, this data is now effectively gone.
This is useful in cases where:
* You need to support the right to be forgotten (as defined in the CCPA[2] or GDPR[3]), since all you need to do to "delete" a user's data is to delete the key used to encrypt.
* The data you need to delete exists across multiple data stores/applications/environments and ensuring consistency for the deletion across all these places is difficult. For example: You may have DB backups, long-lived caches, or 3rd party services/vendors that may have copies of this data.
* You want to discard some, but not all, of a user's data. This is important in cases where you're required by law to retain specific kinds of information even after a person has requested its deletion. For example, banking and finance companies are required to keep specific records about who they sent money to or performed services for.
1. https://en.wikipedia.org/wiki/Crypto-shredding
2. https://www.oag.ca.gov/privacy/ccpa
3. https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
That method wouldn't stop a determined 12 year old, let alone a competent attacker. Please use properly engineered and implemented encryption instead of coming up with harebrained schemes.
Most systems will restore access for a user who forgot their password.
Really?