It just became a little cheaper and a little easier to access public court filings through PACER (the Public Access to Court Electronic Records), thanks to RECAP, an open-source Firefox plug-in designed to create a free secondary archive of PACER materials.

Court filings contained in PACER are public documents, and are, in theory, open to the public. But, in the past, the fact that these materials were either maintained in individual courthouses or, once digitized, were behind password-protected log-ins and per-page charges generally prevented them from being widely disseminated. Open society advocates have long criticized PACER for charging the public itemized fees to access public court filings, arguing that this pay-as-you-go system effectively removes public filings from the public domain and discourages a fully transparent legal system.

Princeton University's Center for Information Technology Policy, with assistance from Harvard University's Berkman Center for Internet and Society, unleashed the latest salvo against PACER in the form of RECAP (“PACER” spelled backwards, not by coincidence). RECAP is a free open-source software plug-in for the popular Firefox web browser that automatically uploads all PACER documents a user is viewing onto a growing archive maintained by the non-profit group Internet Archive. When the next RECAP user attempts to view a PACER document that has already been archived, the RECAP plug-in automatically uploads the copy to prevent that user from paying for those materials. This system essentially allows users of PACER to slowly create a secondary archive of these public documents that can be accessed for free.

I have previously discussed the controversy surrounding PACER's security failings and pricing. After the jump, my colleague Aaron Wright and I discuss whether the RECAP plug-in magnifies or minimizes PACER's security problems and risks of identity theft, the pushback RECAP has received from courts, and RECAP's creators' response to criticism about the plug-in's security and privacy safeguards.

The RECAP plug-in may answer critics' complaints about PACER's pricing scheme; however, the plug-in may potentially mimic the serious security failings of PACER -- while raising both unique security problems of its own, on one hand, and on the other hand mapping out a potential roadmap for PACER to effectively screen out sensitive personal information in court filings.

As Ramzi Ajami wrote earlier, the PACER system is littered with filings containing very sensitive information about individuals, including Social Security numbers. While various court rules require that this information be redacted, that obligation is placed firmly and solely on the filer and is not subject to any additional screening. Therefore, if a filer forgets or refuses to redact certain sensitive information, that information may appear in the public system.

The RECAP plug-in poses an obvious risk of creating a more freely-accessible archive of materials that mirrors PACER’s mistakes and contains documents containing very sensitive personally-identifiable information. However, RECAP also poses the unique risk of creating an “outdated” secondary archive of non-redacted PACER documents that are later redacted in PACER, but that have already been copied and archived by RECAP in non-redacted form.

RECAP’s creators acknowledge these privacy concerns in their Privacy and Security FAQs, and have instituted what appear to be promising safeguards, including a scanning program that identifies and excludes any documents with Social Security numbers:

" * At our request, the Internet Archive has disallowed search engine indexing of the documents we submit. (This may be changed in the future if we develop better ways of addressing privacy concerns.)

* The RECAP servers automatically scan all submitted documents for Social Security numbers before they are uploaded to the Internet Archive. Any document in which we detect such information is automatically suppressed.

* We’re relying on RECAP users to report privacy problems. Please email us if you find a document in the repository that contains inappropriate personal information. Your feedback will not only allow us to suppress the document you found; it will also help us improve our automated filters so that fewer problem documents slip through in the future.

However, aside from Social Security numbers, the FAQs do not address whether RECAP screens documents for other sensitive information that must also be redacted from court filings, and that individually or collectively may also pose a serious risk of identity theft, including taxpayer identification numbers, financial account numbers, and full dates of birth.

While it remains unclear whether the creators of RECAP will implement further safeguards to address filings containing sensitive information aside from Social Security numbers, the plug-in’s creators have extended an invitation to courts and the public to submit suggestions to enhance the program’s overall security.

Courts, at least, appear to have rejected that offer, and have so far signaled serious skepticism about the plug-in. Over the past two weeks, various courts have posted bulletins warning filers from using RECAP pending further review of the plug-in, claiming that the open-source software format renders RECAP vulnerable to malicious users who can modify the plug-in for improper uses, and also warning that RECAP may upload filers’ materials (available to attorneys through the EMF log-in) that are not publicly available on PACER. (See, for example, bulletins here and here.) The creators of RECAP responded by clarifying that RECAP only downloads and copies documents through the public PACER portal (and not attorneys’ EMF system), and reiterated that “users can continue using RECAP with the knowledge that it’s designed with privacy as our top priority.”

Whether courts will actually engage in a meaningful dialogue with RECAP's creators to strengthen the program’s security protocol, or whether RECAP’s screening protocol for sensitive information may actually provide a roadmap to strengthen PACER’s own security failings, remains to be seen.

Links: