Editorial: The Courts Should Improve The Security of PACER and CM/ECF
Posted on August 8, 2017
Readers, as many of you know, the federal courts make documents available to the public online via the PACER system, and litigants can file documents electronically via the CM/ECF system. Each court has its own website for these purposes. I have an interest in online security, so I decided to run a couple of federal courts’ CM/ECF websites through a standard online tool to check their security, and more specifically, their use of TLS (the successor to SSL, the technology that puts the little padlock in your browser’s address bar).
Here’s how you can do what I did: visit Qualys SSL Labs, click on “Test Your Server,” and then enter “https://ecf.ca1.uscourts.gov,” which is the URL for the First Circuit’s PACER and CM/ECF systems. You have to wait about two minutes, but then you get your result, in a handy letter-grade format:
Yikes! That looks pretty bad. What’s going on? There are several significant problems, but I’ll just highlight two:
- The site does not support TLS version 1.2, the current version. Prior versions have known security flaws.
- Worse, the site is vulnerable to an attack that can lead to decryption of encrypted communication.
Now, you may say, “who cares about this? Court documents are public anyway, so why should we worry about encryption?” I can think of two reasons. First, each lawyer has a CM/ECF username and password, and under applicable local rules in some courts at least, signing in with your username and password is the equivalent of signing a document for purposes of FRCP 11. So it’s important that the username and password be kept secret. Second, at least in newer versions of CM/ECF, you can submit sealed documents via the computer instead of in hard copy. Sealed documents are sealed because they contain confidential information—sometimes very highly confidential information such as valuable trade secrets. It would be worth an unscrupulous person’s while to intercept CM/ECF filings if they contain valuable trade secrets, yes?
I can say pretty authoritatively that there’s no good excuse for the apparently poor security on court websites. Why? With a couple of hours and an IT budget of $0, I managed to do much better here on Letters Blogatory:
There may be some policy reasons that the government couldn’t do quite as well. For instance, it may want to maintain access for really old browsers, and so there may have to be some tradeoffs. Also, it’s important to remember that good TLS configuration is not the be-all and end-all of security. No doubt the government is doing other security-related things behind the scenes. Still, the courts can and should do better.