freelawproject / pacer-issues

A place to discuss and track issues and improvements with PACER

Add 2FA. Insist on it for all filings. #35

Open mlissner opened 4 years ago

mlissner commented 4 years ago

Describe the solution you'd like

Two-factor authentication greatly enhances the security of any system that uses it.

johnhawkinson commented 4 years ago

Two-factor authentication systems greatly increase the annoyance and frustration of systems that use them. That's especially true in an environment like CMECF where password-sharing is actually encouraged and standard (because paralegals have to file on behalf of their attorneys). And especially true where the technological comfort level of many users is quite low.

I would also argue that it doesn't "increase the security" of the system; it does something more narrow: it strengthens the confidence in the identity of the authenticated user.

But authentication in CMECF is…not the keys-to-the-kingdom that it is in so many other kinds of electronic systems. There's not a rampant problem of forging filings under other users' names (and, indeed, one could just mail a paper filing to the court under somebody else's name). Although it is rarely the case, in a handful of cases there are access-restrictions that are authorized by CMECF authentication (FRCP 5.2c social-security and immigration cases). These are so rare that they don't make a good basis for policymaking.

A proposal to allow opt-in 2FA would be a lot more reasonable. But it's very hard for me to see the case for mandatory ("insist on it") 2FA.

Counter: The fact of rampant password-sharing is, of course, a reason to encourage 2FA also. But it needs to be 2FA that works with multiple users with the same password, or some authentication delegation mechanism that works across multiple people.

mlissner commented 4 years ago

I can't help but think of the following and the trouble one could cause:

  1. User lists are published by courts during the transition to NextGen

  2. Password re-use is rampant

  3. Some sealed documents have international impacts if revealed

  4. The names of litigators in those cases are public

Is it unreasonable to think that a nation state would go after sealed filings of national importance? 2FA would fix that.

I'm not sure that all filers should need 2FA; I think @kmayer might be the right person to advocate for that (this was his issue), but I think I will advocate that anybody with access to sealed or otherwise redacted info in PACER should be using 2FA.

At a bare minimum, it should be available.

johnhawkinson commented 4 years ago

> Is it unreasonable to think that a nation state would go after sealed filings of national importance?

I don't think that sealed documents in CMECF are generally available to case participants, even in the few jurisdictions that allow uploading of sealed documents. So…if my understanding is correct (and it may not be! Or it may differ from instance to instance), then…yes, it is unreasonable :)

> 2FA would fix that.

Well, I think that nation-state adversaries probably have other vectors and CMECF isn't even the easiest one, so, "for some values of 'fix'."