Civics: Why It Matters Whether Hashed Passwords Are Personal Information Under U.S. Law

Erin Jane Illman, Steven Snyder:

The reason the classification of hashed values is critically important is that whether or not the information permits access to an online account can be determinative of whether it is personal information for the purposes of some breach notification statutes, as well as the private right of action in CPRA. This argument has already been advanced in California, in Atkinson v. Minted, Inc., 3:20-cv-03869-JS (N.D. Cal. June 2020) (see First Amended Complaint at Par. 13 “Because passwords that are merely ‘hashed’ and ‘salted’ are not encrypted, they ‘can be accessed and used even while […] redacted with different levels of utility based on how much manipulating of the data is done to protect privacy.’ [Citation omitted]. Therefore, at a minimum, the PII disclosed in the Data Breach included user passwords that would permit sophisticated hackers like the Shiny Hunters to access to an online account.”) Understanding the implications of these hacks and the potential impact on litigation requires a bit of technical understanding of hashing and why it is used.

A “hash” of a password is the result of a hashing function applied to the password, and it is used to avoid storing a password in plain text while also allowing a quick and easy evaluation of credentials for a site. The hashing function takes the password and scrambles it up with a large number of simple rote operations with the intent to make it impossible to determine the password from the hash even if the hashing function used is known. As an example, consider a simple computer model of a pool table with a perfectly uniform friction surface, the balls racked precisely at one spot on one end and the cue ball placed precisely on the spot at the other. Only a few inputs, such as the angle and force of the cue stick hitting the cue ball, and a few hard-coded laws of physics will determine the final position of all the balls after they come to rest after a new break. However, even if the laws of physics are simple to apply and mechanical, the complexity of the interaction of all the balls means that it would be impossible to discern the input values by looking at the result — in this case the final position of all the balls. For non-trivial inputs where the balls moved significantly, the resulting position of the balls would give absolutely no information about the inputs, even for someone well versed in the laws of physics. Another feature of this example is that when given a precise set of final positions and inputs that purportedly generate them, it would be trivial to confirm by plugging in the inputs and running the model.
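As an added illustration (this is not part of the Illman and Snyder excerpt and is not code from any party to the Minted case), the Python below shows the two properties the pool-table analogy describes, irreversibility and cheap verification, next to the property the litigation turns on: an attacker holding a leaked salt and hash can still run the known hashing function over candidate passwords and recover weak ones, and the only thing a stronger scheme changes is the cost of each guess. The wordlist, passwords, salt and iteration count are constructed for the demonstration and are not taken from any real breach.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Constructed inputs for the demonstration (not from any real breach or wordlist).
WORDLIST = ["letmein", "password", "123456", "qwerty", "Summer2020!", "correct horse battery"]
ITERATIONS = 100_000  # assumed work factor; production deployments use more


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """One pass of salted SHA-256. Irreversible, but each guess costs only one hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the same idea iterated so that each guess is expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password: str) -> tuple[bytes, bytes]:
    """What a site stores instead of the password: a random salt and the slow hash."""
    salt = os.urandom(16)
    return salt, slow_salted_hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check: rerun the function on the claimed password and compare in constant time."""
    return hmac.compare_digest(slow_salted_hash(password, salt), stored)


def crack(stored: bytes, salt: bytes, hash_fn, wordlist) -> tuple[str | None, int, float]:
    """Offline guessing against a leaked (salt, hash) pair.

    Nothing is 'decrypted': the attacker runs the known hash function over
    candidate passwords until one matches. Returns (password or None, guesses, seconds).
    """
    start = time.perf_counter()
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(hash_fn(candidate, salt), stored):
            return candidate, guesses, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def compare_schemes(password: str, wordlist=WORDLIST) -> dict:
    """Crack the same password under both schemes; report guesses and seconds per guess."""
    salt = os.urandom(16)
    results = {}
    for name, fn in (("sha256", fast_salted_hash), ("pbkdf2", slow_salted_hash)):
        found, guesses, secs = crack(fn(password, salt), salt, fn, wordlist)
        results[name] = {"found": found, "guesses": guesses, "secs_per_guess": secs / guesses}
    return results


if __name__ == "__main__":
    salt, stored = enroll("qwerty")
    print("login with right password:", verify("qwerty", salt, stored))
    print("login with wrong password:", verify("qwertz", salt, stored))
    for scheme, r in compare_schemes("qwerty").items():
        print(f"{scheme:7s} recovered={r['found']!r} after {r['guesses']} guesses, "
              f"{r['secs_per_guess'] * 1e6:.0f} us/guess")
```

Both schemes give up the password after the same number of guesses; the salt only prevents one precomputed table from serving every user, and the iteration count only multiplies the per-guess cost. Whether a leaked hash "permits access" therefore depends on how guessable the password was and how much work the site's hashing function makes the attacker do per candidate, which is the question a court would have to weigh in a case like the one quoted above.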
