Did the mathematician who hacked OKCupid violate federal computer laws?

By Adam L. Penenberg, written on January 22, 2014

Kevin Poulsen over at Wired has a wonderfully entertaining story on a mathematician at UCLA who hacked OKCupid to help him find the ideal date.

Chris McKinlay, a 35-year-old PhD student, wasn't having much luck with OKCupid's famous questionnaire. Out of a pool of thousands of questions, members must answer 350 multiple-choice questions involving religion, movies, sports, etc., and anyone whose answers match 90 percent of the time is deemed a suitable match. But McKinlay found that the questions he chose to answer didn't match up well with many women in Los Angeles. As Poulsen wrote, "On a site where compatibility equals visibility, he was practically a ghost."

So he set up a dozen fake OKCupid accounts and coded a Python script that searched profiles of heterosexual and bisexual women between the ages of 25 and 45, visited their pages, and scraped their profiles "for every scrap of available information: ethnicity, height, smoker or nonsmoker, astrological sign -- 'all that crap,' he says."

Three weeks later, Poulsen wrote, McKinlay had harvested 6 million questions and answers from 20,000 women around the country. Then he grouped the women into seven categories, which he applied to members in the LA area.

I don't want to give too much detail, because you really should click over to Wired to read the article. After I tweeted the story, one of my followers who works in computer security reminded me that McKinlay may have run afoul of one of the shabbiest laws in existence: the Computer Fraud and Abuse Act (CFAA) -- the same law that federal prosecutors used to pressure Aaron Swartz.

The CFAA makes it a crime to access a computer without authorization; it is a catchall chunk of poorly conceived legislation that has been ripe for abuse. For example, there's the case of Andrew "weev" Auernheimer, who, as a member of a hacker group called "Goatse Security" in June 2010, scraped AT&T's website for the email addresses of iPad users, then shared the file with Gawker to show the porousness of the telecommunication company's security. No money changed hands. He didn't break into AT&T's computer network or cause any damage. He simply created an automated script to vacuum up information off a publicly available webpage. After being found guilty, Auernheimer was sentenced to three and a half years in prison and forced to pay $73,000 in restitution to AT&T, which had to plug the security hole.

Let's hope OKCupid has a better sense of humor than AT&T.

