When does “Private Investigators hack Michigan computers, No violations noted” become a story?

Submitted by Blue Kool Aid on November 3rd, 2023 at 1:48 AM

Now that the only clear violation is the potential “master of disguise” appearance at Central Michigan, when does the hacking of Michigan’s computers by private investigators become a real story?

Breaching confidential computer systems seems like a much bigger NCAA violation than legally stealing signs or showing up on somebody’s sideline to scout. Where is Pete Thamel on this scoop?

KSmooth

November 3rd, 2023 at 1:51 AM ^

Not to mention the possibility that someone could have easily used the breach to steal our signals -- not just watch and analyze, but download the damned playbook.

Tunneler

November 3rd, 2023 at 1:59 AM ^

Now is the time for all good men to come to the aid of their university. What we need to do is make a statement. And that statement is: Maybe something Harbaugh would say when he is feeling like he is on top of the world. Something like: "A bad workman always blames his tools". Or possibly, "A diamond with a flaw is better than a common stone that is perfect". Anyway, I think Harbaugh should just be himself and know that he's on top of the world. And know that he has the entire fan base behind him.

J. Redux

November 3rd, 2023 at 2:07 AM ^

when does the hacking of Michigan’s computers by private investigators, become a real story

Never, because there's very little chance that this happened.

The information was almost certainly provided / sold by one of Stalions's associates to the PI firm in question.  This is how investigative work is done in the real world, as opposed to what you might see on television.

Private investigators who don't follow the law end up in jail; and hackers who are capable of an intrusion into a major university's computer system don't work as PIs.

J. Redux

November 3rd, 2023 at 2:32 AM ^

As far as the law is concerned, yes.

Any potential harm would be a tort -- a civil wrong, not a criminal one.  Essentially, you're talking about breach of contract.  The police do not arrest people for breach of contract; the aggrieved party files a lawsuit.

There are some exceptions within the realm of trade secrets, but (a) these would not fit the definition of trade secrets and (b) whistleblower laws would likely shield the leaker even if they were.

J. Redux

November 3rd, 2023 at 4:10 AM ^

OK, I'll bite.  Which part was egregious?

Surely you're not suggesting that a breach of contract would be a crime.  I don't see how recordings made of opponents' signals could be classified as trade secrets.  Perhaps you're suggesting that whistleblower laws wouldn't apply, and I'll grant that it's a gray area given that the conduct being disclosed didn't violate the law (merely the NCAA bylaws -- maybe), but I imagine prosecutorial discretion would mean that no charges were brought for this anyway.

So, you must be objecting to my first statement, saying that the person could sell something that they obtained from Stalions without his explicit permission.  Let's take a closer look at that.

The law rarely makes a distinction between selling a thing and giving that thing away for free, but there are certainly cases where it does.  Let's start by looking at whether or not Bob Leaker, Connor's erstwhile trusted companion, could give the materials from a shared drive away.

The relevant federal statute would appear to be the Computer Fraud and Abuse Act.  I'm not going to dig into Michigan law to see if there might be state crimes involved, so if that's your beef, say so and I'll delete the post.  (I'd be surprised, as computer crimes are so frequently interstate or international in nature, but I guess it's possible).  But, the matter comes down to whether or not Bob Leaker was authorized to access the files in the first place.  Merely granting him an account on the system does not authorize him to access files; however, if the files were either (a) his to begin with or (b) intermingled with others, and where collaboration was expected or encouraged, then the answer would be yes -- he'd be authorized to access the file.

If authorized to access the file, is he authorized to make a copy of it?  The phrase "exceeding authorized access" is not defined in the statute.  However, most reasonable people would believe that if they have access to a shared drive and if they are authorized to read files from it, they're further authorized to copy those files, absent a specific notice to the contrary.  (Furthermore, it's not clear to me whether or not such a notice would be enforceable).

At this point, giving the file away would no longer be subject to the CFAA.  The original act was authorized; subsequent acts should not then become illegal simply because the file was once on a shared computer. At this point, you're back into the realm of trade secrets -- and I'm still not buying that these are trade secrets.

So, that gets back to the question of whether or not these materials could be sold.  The CFAA does not cover motive; if it was legal to access the file, I don't see much of a case for saying it's illegal to sell it under the CFAA.  That is, if my analysis is correct that it's legal to give it away, the CFAA does not appear to prohibit selling it.  Videotaped recordings of a public performance do not appear to fall under the Copyright Act, so I don't see a violation there.

What am I missing here?

My assertion that this would be a tort stems from the point of view that Stalions presumably did not authorize giving the file away.  But that's not a computer crime, except under the most expansive reading possible of the CFAA in which all files ever obtained from a shared system would be forever tainted, which would lead to rather nonsensical outcomes, such as it possibly being a crime to provide the uploaded file directly but not a crime to provide a videotaped or streamed presentation of that file.

----

I'll take it one step further: Bob Leaker might have provided his own files -- the ones he'd recorded himself (not covered under CFAA, possibly covered under a tort), along with a printout of the directory contents.  Metadata and data generally have the same protection under the law; however, even in a system where you are unable to access the data, you're frequently allowed to access metadata such as filenames, dates, and sizes.  You could get a pretty good idea of exactly what was in the file from just that information, without even seeing it.

The main point of my response was that it's silly for people to sit around expecting the FBI to knock on Ryan Day's door and arrest him for corporate espionage.  I stand by that.

4th phase

November 3rd, 2023 at 9:11 AM ^

I think your end point is what happened. The PI was able to figure out who actually went to the game through the venmos and stadium security footage, then asked Bob Leaker to send the videos they took from the stands. Since the leaker took the videos himself, he can give them to the PI.

I think the sloppy reporting has severely muddied the waters. As in Bob Leaker tells the PI, "I was told to upload the videos to this link." So then that becomes "Stalions had a drive with an unprotected link" and after a game of telephone that gets reported as "Stalions had a drive that other coaches had access to." I've seen nothing that states that this drive was on any University of Michigan IT system (I mean they are looking at his personal laptop and phone) or that any coaches actually accessed the drive.

I Like Burgers

November 3rd, 2023 at 10:41 AM ^

Right. In all likelihood, Stalions had something like a Dropbox folder that his scouts could upload to.  One of the questions is did others on the staff have access to that folder.  If they did, then it becomes real hard to explain that they didn't know that Stalions was having others shoot cell phone videos from opposing stadiums because you'd be able to clearly see hundreds of cell phone video clips in there.

Ernis

November 3rd, 2023 at 10:20 AM ^

"The relevant federal statute would appear to be the Computer Fraud and Abuse Act."

Yes, breaches of contract --including contracts people click through without reading most of the time-- can be criminal in this context and have been prosecuted as such. A recent SCOTUS ruling dialed this back but the entire crux of whether a TOS violation or use which exceeds authorized access is a crime vs. civil matter hinges on the internal definitions and policies of the authorizing entity. So, to the next point:

"If authorized to access the file, is he authorized to make a copy of it?" Not necessarily. It would depend on the university's acceptable use policy and procedure. If they distinguish authorization to access vs. authorization to disseminate, then granting one does not necessarily imply the other. If they specifically restrict disseminating sensitive information which may be damaging to the university, for example, then the "exceeds authorized access" clause of the CFAA could be invoked. More likely it would be limited to a civil matter as a matter of institutional will and appetite, I would think, but the CFAA language leaves the door open. It also depends on how the university treats uses of shadow IT such as, presumably, the Google Drive in question, and whether such systems which were deployed without internal IT authorization or oversight but are used for university business are still included in the scope of their acceptable use, access authorization, data security, etc. policies.

Also, to my knowledge, whistleblower protections apply to persons acting in good faith. If someone simply sold this information, or disclosed it because they were disgruntled about, hypothetically, Stalions not reimbursing them fully for parking at one of these games, then they would have an uphill battle to demonstrate that they were acting in good faith as a whistleblower.

The biggest question, as I see it, is how these contracted videographers will be considered in this case: was the university exercising direct agency over their actions, or were they third parties? If they were not accountable to the university's policies, procedures, and standards (such as those around data use and security) and only bound by the terms of their contract, that puts a lot more of the accountability on Stalions but could be good for the university overall since they could make a solid case that these were not staff/affiliates and thus no violation may have even occurred.

Long story short, exactly how this parses out depends on a lot, but to be entirely dismissive of the possibilities that a criminal act may have been committed indicates 1) a lack of appreciation re: how broadly the CFAA defines computer crimes and 2) a lack of appreciation re: how much PIs tiptoe on the edge of rules and often stray just over the side.

J. Redux

November 3rd, 2023 at 11:19 AM ^

If Stalions stored the files on a university drive, then the school's acceptable use policy would come into effect, sure.  I think we've all assumed that he used a shared drive (Google / Apple / Dropbox / etc.) just because of the difficulty of getting random third parties upload permission to a server administered by the UM IT department. :)  In that case, the University's terms of service wouldn't apply, and the CFAA would only come into play if users exceeded the access that Stalions authorized.  Even a single comment like "check out what Gary Goodguy did" could be enough to provide Bob Leaker with download authorization.

Few whistleblowers are motivated entirely by a sense of public duty; you're right that it would paint them in a bad light, but I suspect there'd be little zeal for a prosecution anyway.  It's just not a bad look to prosecute people for divulging information about rule-breaking.

I pretty much only take issue with your word "often" in the last paragraph -- I definitely agree that PIs tiptoe on the edge of the rules, but I don't think they "often" cross the line.  It's just too dangerous to cross the line when you have as many enemies as the typical PI does.  But I think we can agree to disagree on this one point; I appreciate the thoughtful analysis.

Ernis

November 3rd, 2023 at 11:38 AM ^

All fair points, but this one is incorrect: "In that case, the University's terms of service wouldn't apply, and the CFAA would only come into play if users exceeded the access that Stalions authorized."

It depends. If the university has a policy which states something like, "Any use of third-party SaaS or cloud-based systems for official university business or to store data related to job functions is covered under and expected to be secured consistent with enterprise data security & access authorization requirements" then it would be covered. Not sure if that exists at UM - there are dozens of ways to handle BYOD and shadow IT. On the other hand, if there is a policy which states something like, "Any use of third-party SaaS or cloud-based systems for official university business or to store data related to job functions is prohibited and any requests for such use must be approved by IT Security" then all the accountability gets heaped on Stalions for creating the security breach in the first place.

UMForLife

November 3rd, 2023 at 12:27 PM ^

You have some good insights into the law but there are a lot of assumptions. For example, the Google Drive or shared file or Dropbox account can be owned by UM. It doesn't have to be a drive owned by UM. In that case, it could be a violation to access it even if one of the users shared it. We just don't know what kind of drive CS used, UM policy, who paid for what account etc. Without that, it is a guess.

mackbru

November 3rd, 2023 at 11:46 AM ^

I'd say a likely scenario is that a PI didn't break into the system (because that's patently illegal and would expose the PI to prosecution); more likely, someone in CS's little circle printed out something and showed it to the PI, or simply had access and showed his screen to the PI. It's not that complicated, frankly.

Wendyk5

November 3rd, 2023 at 8:55 AM ^

If the NCAA is the governing body of the sport, as well as the compliance body, they can't allow schools to essentially go rogue and conduct their own biased investigations. If, in fact, OSU did hire the PI firm that found this info, we got a big problem in college football. Wealthy schools will use this to their competitive advantage. It's a very bad precedent to set and will be the end of college football as we know it. 

pescadero

November 3rd, 2023 at 9:49 AM ^

"If the NCAA is the governing body of the sport, as well as the compliance body, they can't allow schools to essentially go rogue and conduct their own biased investigations. "

Of course they can.

They shouldn't, and it might ruin college football... but they can do that if they want.

 

Ernis

November 3rd, 2023 at 10:38 AM ^

This is a very good and understated point. It's especially concerning regarding the recent posturing of B1G coaches, ADs, and potentially the commish himself. If the precedent is set that a school with a big enough money cannon can hire a PI to dig up some hazy but highly suggestive dirt, feed it to the media to gin up a frenzy, and result in sanctions from the conference before any formal allegations are even levied -- it's uncertain at this point if a violation even occurred-- then holy hell that is a terrible precedent. If that's how it goes, my only hope is that M escalates the pettiness a hundred-fold with full-blown blitzkriegs of sketchy PI muckrakers and media assault... won't be holding my breath, though...

BlueTimesTwo

November 3rd, 2023 at 11:37 AM ^

Because the NCAA is supposed to be unbiased in their investigation.  That is, the name of the school being investigated shouldn't impact the outcome.  We know that is not the case, but it is the myth that the system is built upon.  But if Ohio State is behind this whole thing (which seems likely) then their goal is to discredit and take Michigan down, by any means necessary.  Which in itself is far more likely to lead to more unethical behaviors.  The guys with the torches and pitchforks are not likely conducting an unbiased and legitimate investigation.  It would be like paying prosecutors bounties for each case they win.

BlueTimesTwo

November 3rd, 2023 at 11:30 AM ^

Ooh, I like the cost angle, especially since the whole rationale against in-person scouting was the cost and the disadvantage for smaller schools.  Someone needs to mount a PR campaign, complete with dozens of unnamed coaches who believe that this violates the coaching code of ethics, is "unprecedented," etc.