PACER and CM/ECF are a Threat to National Security and Must be Urgently Overhauled

Michael Lissner

For more than a decade, we and others have been writing about the many reasons that the PACER and CM/ECF system must be overhauled. We have laid out the numerous reasons why Congress needs to pass the Open Courts Act ("OCA") so that we can finally fix the PACER Problem.

Unfortunately, today we are writing about a new reason why the OCA is so needed. Today we are writing to share the ample evidence that the continued reliance on the outdated and crumbling PACER and CM/ECF system is a risk to Americans' privacy and national security. Overhaul of the system via passage of the OCA can no longer wait.

In 2017, we became concerned about the security of the system when we discovered a frighteningly basic vulnerability in it. The vulnerability allowed the malicious owner of a website you visited to purchase content from PACER using your logged-in account. If the owner of such a website did so, they could spend your money or download your confidential sealed documents. Imagine an accused criminal luring a prosecutor onto a malicious website in order to download confidential documents from their case.

This type of vulnerability is considered "critical" because it is trivial for security auditors or adversaries to discover and exploit. In general, if you have this type of vulnerability, your whole approach to cybersecurity is suspect.

At the time we reported this vulnerability, it took the Judiciary six months to fix it. This is far too long. In the aftermath, we urged the judicial branch to centralize PACER, to make it free, and to rebuild it with modern best practices — all key components of the Open Courts Act.

Unfortunately, this advice was not taken, and it appears foreign adversaries may have now accessed sealed content in the system.

The SolarWinds Cyberattack

The first evidence that there was a problem came earlier this year, after the SolarWinds cyberattack. At that time, a group, suspected to be backed by the Russian government, penetrated into thousands of organizations around the world. One victim of this attack was the Federal Judiciary, which quickly announced they had a problem and noted that "vulnerabilities" in CM/ECF:

greatly risk compromising highly sensitive non-public documents [...] particularly sealed filings.

Although the Judiciary's announcement didn't go into detail about which sealed filings may have been accessed by a foreign adversary, we can guess. Sealed documents contain business secrets, arrest warrants and criminal indictments, the names of minors, refugee applicants, and sexual assault victims — the list goes on. Unfortunately, since the Judiciary didn't supply these details and lacks a FOIA-like public records law, the public may never know which types of documents were accessed.

In speaking with the courts around this time, we heard some frightening stories. One story involved a clerk that was working nearly around the clock to pull sealed documents from the system and print them out on paper. The implication was that they didn't know if an adversary was still in the Judiciary's network, and they felt that they had to do something to pull content offline.

Given the current state of CM/ECF, this instinct has merit: Stacks of paper cannot be hacked. But there is a better way forward. If the Open Courts Act is enacted, we can build and maintain a new, modern, and secure system for the courts. We don't have to give up decades of technological progress just to be secure, but we do need to take action.

The Judiciary's Own Analysis

The second piece of evidence that PACER/CM/ECF needs to be urgently overhauled as prescribed in the Open Courts Act, comes from an analysis of the system that the Judiciary commissioned itself and, to their credit, shared with the public. The analysis was completed by a team within the General Services Administration, who "carried out an 11-week Path Analysis" of the system.

The public version of this analysis is tweaked to remove information about the "security posture" of the system, but there are still many details in this report that are cause for concern.

Here are a few relevant quotes (emphasis added):

Decentralization and complexity are causing system instability, high maintenance costs and security risks.
Dated technology, decentralized deployments, and heavy customization are leading to [...] security and reliability risks
Many courts have developed “local mods” [...] which has created problems ranging from high cybersecurity risks to high operational costs.

From a section entitled, "High cybersecurity risks":

There is the potential for many cybersecurity vulnerabilities resulting from the way CM/ECF software is built, deployed, and maintained. Security and compliance are monumental tasks for courts and the AO’s visibility into courts’ security posture is limited due to the decentralized nature of the application.

Finally, and, tragically, in hindsight:

a headline of a successful cyberattack on CM/ECF will weaken the public’s trust in the judiciary.

If you are following this issue, the whole report is a very good read.

What to do?

Last year, before the SolarWinds hack and before the "Path Analysis" was released, the House of Representatives passed the Open Courts Act by unanimous consent. We ran out of time to get it through the Senate.

The OCA will help resolve the security problem via a few mechanisms:

  1. The OCA removes money from the system.

    By making PACER free to access, a whole class of vulnerabilities is removed. Systems that handle payments and credit cards attract attacks and have juicier data than systems that do not. Remove the money, remove the risk.

  2. The OCA opens the system.

    PACER is designed to be a public access system, but it has always been difficult and expensive to use. Because of the obscurity this difficulty creates, people regularly file private information into the system without understanding the risks.

    When the OCA is passed, it will remove these barriers to access, and filers will fully grasp how publicly-accessible federal filings have always been and will be able to respond accordingly by keeping private information properly sealed or redacted.

  3. The OCA centralizes and homogenizes the system.

    As noted above, one reason PACER is a security nightmare is that it is not one system, but hundreds. Every district, appellate, and bankruptcy court runs their own installation of PACER/CM/ECF with its own bugs, modifications, and administration. This means that when there is a vulnerability discovered or the system is under attack, innumerable servers must be upgraded by myriad staff members of the Judiciary. In our experience, this process takes months. That's far too long to leave systems vulnerable.

    Further, many installations of PACER/CM/ECF have customizations applied to them by their local administrators. It's likely nobody knows what customizations are in use, much less whether they are secure. A new system would remove these risky differences.

  4. Development of any new system would use established and secure practices.

    The current system was built before cloud computing and before the proliferation of robust open source web development platforms. As a result, it lacks the most basic security features that would come out of the box in almost any new system.

    Any new system would also use cloud computing, allowing it to withstand huge spikes in traffic and similar types of attacks.

The bi-partisan Open Courts Act calls for the creation of a new, centralized, modern and secure PACER/CM/ECF system and creates a budget-neutral approach to developing and maintaining it. Last year, it made it through the House, but not the Senate.

At the time, we didn't know that PACER and CM/ECF were a danger to our privacy and to national security, but we do now. Now that we do, Congress needs to act again. The House and Senate need to pass the Open Courts Act, and President Biden needs to sign the Act into law.

A new version of PACER and CM/ECF is no longer just good government. It's now a national security mandate.

© 2022 Free Law Project. Content licensed under a Creative Commons BY-ND international 4.0, license, except where indicated.