The following is a guest post by Tom Lee, former chief technology officer for the Sunlight Foundation.


When hackers are able to steal your money, it’s usually safe to call that a website’s least appealing feature. Astonishingly, that’s not true of PACER—the Public Access to Court Electronic Records system, run by the Administrative Office of the Courts—which charges for downloads of federal essential court records. In its case, hackability comes second to the bad and perhaps even illegal deal that it offers the public.

The exploit is real, mind you. The good people of the Free Law Project uncovered it months ago as part of their work to democratize legal information. Now that PACER has patched the vulnerability, FLP has disclosed the gory details.

The problem revolves around a cross-site request forgery attack. When you connect to a website, it’s normally able to store small amounts of data called “cookies” on your computer. Any time your browser makes a request to that site, it will send those cookies, along with the request. Sites can tell if a request comes from a logged-in user by examining the request for unique cookie values that were set after a successful authentication attempt and comparing those values to copies stored in the site’s database.

Code running on a different malicious website that you visit can’t look at the cookies of other websites. But it can make requests to other websites, and those requests will carry the other sites’ cookies. If those cookies identify a logged-in user, the malicious site can make invisible requests that trigger real actions on that user’s behalf on the target site.

There are standard ways to detect and defend against this, but PACER hadn’t used them. Although there is no proof that it happened, a malicious site could have made requests on behalf of logged-in users, downloading documents and racking up fees.

That’s bad. But it’s not the worst thing about PACER—that would be the fees themselves. PACER makes some kinds of documents free, but for many others, it charges 10 cents per page. Barring some truly incredible technical mistakes, that number is vastly more than the cost of serving a page of content. And it has remained at that level for many years, despite advancing technology and falling bandwidth and storage costs.

Legal actions often involve huge page counts, which means that PACER fees add up. And they render some kinds of research and scholarly work totally impractical.

Even worse, those fees might be illegal. The Administrative Office of the Courts is barred by the E-Government Act of 2002 from charging more for PACER than it costs to maintain the system. But there is evidence that AO is not in compliance with the law. In 2014, PACER collected $145 million in fees. Five years earlier, it had been projected to cost $30 million per year to maintain. Many suspect that PACER fees are being used to subsidize other line items in the agency’s budget.

A class-action lawsuit is underway that aims to untangle all of this; if you used PACER between 2010 and 2016, you might be a part of it. But even if you’re not, you can still help to democratize the system’s information. Since the government doesn’t hold copyright over PACER records, there’s nothing stopping you from sharing them with the world after you pay your 10 cents per page. The RECAP project is run by the Free Law Project and Princeton University’s CITP program, and provides browser extensions that automate and centralize this process. It will let you download records from the RECAP archive when they’re available, or contribute newly purchased PACER records to the archive automatically when they’re not.

PACER doesn’t charge for balances less than $15 per quarter, so if you’re feeling civic-minded, why not download RECAP, make a PACER account and liberate some court records for the public good? Now that they’ve patched their vulnerability, it might even be safe to do so.


Image by fizkes