Student’s Law Journal Article Examines Legal Issues of “Google Dorking”

03/14/2023

Star Kashman ’23 examined the legality of an advanced search tactic commonly referred to as “Google Dorking,” and found that cybersecurity law does not explicitly address the technique, which can be used for legitimate purposes such as research, but can also be used to commit criminal acts, including cyberterrorism, industrial espionage, identity theft, and cyberstalking. 

Her article, titled “Google Dorking or Legal Hacking: From the CIA Compromise to Your Cameras at Home, We Are Not as Safe as We Think,” was published last month in the Washington Journal of Law Technology & Arts.

Below is an excerpt from the introduction of the paper, followed by a section that appears later and examines whether Google Dorking is legal.

Introduction

Although over half of the world has been utilizing the Google Search engine since 2019, hardly any of these individuals have ever even heard of the term “Google Dorking.” There is a vast difference between conducting a regular Google Search and a Google Dork. An average Google search does not yield the most accurate, unbiased, or useful results. Results are organized within a “filter bubble” based on Google's determination of how relevant each result is based on an algorithm of over 210 miscellaneous factors, our computer data, and paid sponsored content pushing products and political ideologies. Internet users are often oblivious to the power that search engines hold with the distribution of knowledge and sole discretion on what is made available to [their] users.

Thankfully, there is a method of searching and bypassing these filters to receive untainted, unedited, and unbiased results called “Google Dorking”  (aka “Google Hacking”, “Search Engine Hacking”, or “Google Scanning”), which is the act of utilizing advanced search queries (“Google Dorks”) to specify the exact results one is seeking while avoiding Google’s filters.

Google Dorking can be a benefit to Google users for numerous reasons. Aside from the perks of avoiding propaganda, advertisements, and search engine optimization (SEO), Google Dorking has been used to protect against cyber theft and data security breaches. In addition, Dorking is a common tool utilized by “White Hat Hackers” who are ethical legal hackers hired to seek out vulnerabilities in computer systems for the purpose of mending gaps in security before malicious hackers exploit them. Journalists and good faith researchers also utilize Google Dorks to obtain more accurate search results, and average Google users can make use of Dorking to yield enhanced results.

However, not all Google Dorking is conducted for legitimate reasons. Unfortunately, hackers and cybercriminals have also made use of Google Dorking to find sensitive personal information and online vulnerabilities. Countless data, files, and webpage content that data owners do not intend to be displayed publicly can be found via Google Dorking. “That information can be used for any number of illegal activities, including cyberterrorism, industrial espionage, identity theft, and cyberstalking.” There are countless incidents where individuals have their private data and files displayed online without even being aware of it. Additionally, Google Dorkers gaining more accurate search results may unintentionally stumble upon sensitive data, leaving them one click away from committing a cybercrime.

II. Is Google Dorking Legal?

The main issue this article addresses is also the most searched question on Google regarding Google Dorking: “Is Google Dorking legal?” To find out, we must first discuss the most significant federal law in the war against hacking: the Computer Fraud and Abuse Act (CFAA).

The Computer Fraud and Abuse Act (CFAA)  

The federal law that governs most computer crimes, including hacking, is the CFAA. Title 18 § 1030 states that “whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer52... shall be punished”53 §1030(a)(2)(C) by fine or imprisonment.54,55

The CFAA was enacted in 1986 as an amendment to the first federal computer fraud law to address hacking. Over time, this rule has expanded to encompass new technological advances and has redefined old terms stated within the statute to better fit evolving issues in cybercrime. The CFAA was originally intended to protect computers belonging to the United States government and financial institutions.57  However, the scope of the CFAA has expanded to shift the term of “protected computer” to effectively cover “any computer connected to the internet… including servers, computers that manage network resources and provide data to other computers.”58 

This statute remains a broad and vague provision that allows for an enormous amount of legal gray area, inconsistent application of the law, diminished understanding of what is legal, and lack of confidence from the public that justice will be served when they are victims of cybercrimes.59 The CFAA states, “evidence mounts that existing criminal laws are insufficient to address the problem of computer crime.”60 This insufficiency remains true despite multiple revisions made on this vague, overbroad, and unclear statute. Technology is one of the most rapidly evolving fields, and the law is falling behind.

1. Google Dorking Under the Computer Fraud and Abuse Act   

Upon reviewing the federal law that regulates hacking and computer crimes, the question arises of whether Google Dorking is legal. To analyze this, we must first define whether the activity of Google Dorking is considered hacking. The CFAA fails to directly address search engine hacking and falls short of properly regulating all of the various issues in hacking. Today, along with technology becoming more prevalent, the methods of hacking are expanding as well:61 “Although the CFAA states that hacking is intentionally accessing a computer without authorization or exceeding the authorization… there are now additional ways for individuals who are not trained hackers, to access and obtain information that they are not supposed to access.”62 This quote refers to acts like Google Dorking, which does not fit into the definition of “hacking” under the CFAA because accessing public information through Dorking does not require exceeding authorized access or accessing something without authorization.

Although Google Dorking would not be considered “hacking” under the CFAA according to its language, it is important to note how commonly it is referred to as an act of hacking in government documents and publications. The Office of Intelligence and Analysis and FBI stated that Google Dorking is “also known as ‘Google Hacking,’” and many contributors to Dorking have utilized these terms interchangeably as well. Johnny Long himself, the creator of Google Dorking, released books titled ‘Google Hacking for Penetration Testers.’ The public, cybersecurity community, and creators of Google Dorking all view the act as some form of hacking.

Google Dorking would not be considered “hacking” under the CFAA’s language, but the question remains as to whether it is treated as legal in court: “Although it may seem intimidating, Google Dorking is not an illegal activity.”66 Per the CFAA, access to publicly available information is legal, despite public and cyber opinion regarding Dorking. The cases in which courts treat Google Dorking as illegal usually involve another statute or part of the CFAA, not just Dorking itself. Each of the cybercriminals noted above was charged for wrongdoing after Dorking, such as selling personal information, stealing, or hacking SCADA systems or webcams. Thus, Google Dorking as a standalone act remains legal, but it could still facilitate crime resulting in criminal prosecution.


52 18 U.S.C. § 1030(a)(2)(C) 
53 hiQ Labs, Inc. v. LinkedIn Corp., 273 F. Supp. 3d 1099 (N.D. Cal. 2017), aff'd and remanded, 938 F.3d 985 (9th Cir. 2019), cert. granted, judgment vacated, 210 L. Ed. 2d 902, 141 S. Ct. 2752 (2021), and aff'd, 31 F.4th 1180 (9th Cir. 2022). 
54 Order RE: Plaintiffs’ Motion for Preliminary Injunction, Universal City Studios Prods. LLLP v. TickBox TV LLC, (C.D. Cal. Jan. 30, 2018) No. CV 17-7496-MWF (ASx), 2018 WL 1568698, at *9. 
55 18 U.S.C. § 1030 (2013) (Proquest through Pub. L. No. 99-474). 
56 Computer Fraud and Abuse Act (CFAA), NACDL - NATIONAL ASSOCIATION OF CRIMINAL DEFENSE LAWYERS, (last visited Sept. 20, 2022). 
57 Id. 
58 hiQ Labs, Inc., 273 F. Supp. 3d at 1099. 
59 Universal City Studios Productions LLLP, 2018 WL 1568698, at *9. 
60 Computer Fraud and Abuse Act of 1986, S. Rep. No. 99-432, at 2, as reprinted in 1986 U.S.C.C.A.N. 2479, 2479. 
61 Universal City Studios Productions LLLP, 2018 WL 1568698, at *9. 
62 Id. 
64 Id. 
66 Lance Vaughn, What Is Google Dorking, RUETIR (Oct. 3, 2022)