by Danielle Bringard, Associate Survey & Symposium Editor

 

I don’t know about you, but my heart skipped several beats after reading the first wave of news detailing the Heartbleed Security Hack.  I changed all of my passwords on various sites only to find if I had changed them before that particular web operation had updated its software I would have to change my passwords again.  Now, I find, by checking the security of a website I may be violating the law?

Heartbleed is not a virus, but a software defect.[1]  It affects OpenSSL software which is used for encryption.[2]  OpenSSL is an open source software, meaning anyone can access the code, review it, and make changes to it.[3]  So what happens when Heartbleed is exploited?  Essentially it allows a hacker to retrieve memory which may contain usernames, passwords, keys, credit card numbers, social security numbers or other useful information.[4]  Each time the hacker access the system it he or she can gain access to more information.[5]  This is a serious problem as many people now do much of their banking and shopping on the internet.

 So before you change your passwords it might be a good idea to check to see if the website is still vulnerable.  If the website hasn’t patched its software then changing your password will do you no good.  McAfee released a free tool to help consumers determine if the website they visit is safe or not.[6]  That tool can be accessed at http://tif.mcafee.com/heartbleedtest

 STOP!  Before you click that link and test a website you have in mind, you should know that some technology experts are worried that doing so could break the law.[7]  These naysayers cite the United States Computer Fraud and Abuse Act.[8]  Software that checks a website to see if it has patched the Heartbleed actually accesses that sites security certificate, which may or may not fall under the purview of 18 U.S.C. §1030.  Since everyone across the globe is experiencing the effects of Heartbleed, and it may take some time before all websites have patched their software[9], I doubt the U.S. government would prosecute a citizen simply seeking to ensure their person information remained protected or taking any proactive steps to do so.

As always, safety first. 

[1] James Lyne, How Heartbleed Happened the NSA and Proof Heartbleed Can Do Real Damage, Forbes (Mar. 14, 2014, 9:27 AM), available at http://www.forbes.com/sites/jameslyne/2014/04/14/how-heartbleed-happened-the-nsa-and-proof-heartbleed-can-do-real-damage/.

[2] Id.

[3] Id. 

[4] James Lyne, Heartbeat Heartbleed Bug Breaks Worldwide Internet Security Again (And Yahoo), Forbes (Mar. 8, 2014, 11:39 PM), available at http://www.forbes.com/sites/jameslyne/2014/04/08/heartbeat-heartbleed-bug-breaks-worldwide-internet-security-again-and-yahoo/; Craig Timberg, Heartbleed Bug Puts the Chaotic Nature of the Internet Under the Magnifying Glass, Wash. Post (April 9, 2014), available at http://www.washingtonpost.com/business/technology/heartbleed-bug-puts-the-chaotic-nature-of-the-internet-under-the-magnifying-glass/2014/04/09/00f7064c-c00b-11e3-bcec-b71ee10e9bc3_story.html.

[5] Lyne, Heartbeat Heartbleed supra note 4. 

[6] Robert Siciliano, Heartbleed: Free Tool to Check If That Site is Safe, Huffington Post (Mar. 12, 2014, 10:35 AM), available at http://www.huffingtonpost.com/robert-siciliano/heartbleed-free-tool-to-c_b_5137993.html.

[7] Anthony M. Freed, Running Heartbleed Health Checks May Be Illegal, TripWire (April 11, 2014), available at http://www.tripwire.com/state-of-security/top-security-stories/running-heartbleed-health-checks-may-be-illegal/; Michael Santarcangelo, How You Need To Respond To Heartbleed, and How You Can Explain It To Others, CSOnline (April 11, 2014, 12:27 PM), available at http://www.tripwire.com/state-of-security/top-security-stories/running-heartbleed-health-checks-may-be-illegal/.

 [8] John Leyden, It May Be Illegal to Run Heartbleed Checks, The Register (April 11, 2014), available at http://www.theregister.co.uk/2014/04/11/heartbleed_health_checking_services_may_be_illegal/; supra note 7.

[9] Brian Fung, Heartbleed is About to Get Worse, and Will Slow the Internet to a Crawl, Wash. Post (April 14, 2014, 2:54 PM), available at http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/14/heartbleed-is-about-to-get-worse-and-it-will-slow-the-internet-to-a-crawl/.