Turns Out The One 'Good' Change In CFAA Reform... May Actually Be Bad Too
from the ugh dept
So yesterday we broke the news about a proposed CFAA reform bill that, rather than fix the problems of the CFAA made the law much, much worse. It added computer crimes as a racketeering issue, increased sentences and made just talking about a potential CFAA violation the equivalent of having committed it. Bad stuff all around. There was one section, however, that we said was slightly good. We noted that they ever so slightly rolled back what would constitute a crime for "exceeding authorized access" listing out a few qualifications that needed to be met -- including that the information obtained was valued over $5,000, that you had to be targeting private information and that the access was done in furtherance of a crime. Based on the bill as written, I had assumed that all of those elements needed to be present to qualify.However, after talking to two different people with knowledge of the bill in question, it has been suggested that this is not the case, and that the different elements are really meant to be "or" statements. They point out that if you look elsewhere in the existing CFAA, you see the same pattern -- with multiple sub-statements that don't have an "or" but which are interpreted as being "or" statements. For example, under section (a)(2)(A), there is no "or" between that and (B), but clearly the CFAA doesn't only apply to information that is obtained BOTH from a financial institution and a government computer at the same time. This pattern is repeated throughout the bill, such that it seems clear the bill's clauses are connected by "or" statements, rather than "and."
If this is true, then you could run afoul of "exceeding authorized access" for any one of those actions, rather than all three. This is bad for a variety of reasons. Beyond making it much easier to go after someone for exceeding authorized access, it actually acts as a de facto way of expanding, not contracting, that clause in the CFAA. That's because at least a few courts have recently rejected broad interpretations of the CFAA around "exceeding authorized access," such that the courts (in a few key circuits) have effectively cut back on broad interpretations of the bill. This new version of the CFAA would create new broad definitions for which prosecutors could use against people claiming "exceeds authorized access."
It seems like this bill really is all bad. On top of everything else, the one area where it "rolled back" something, it may have rolled it "back" to a place which allows for more ambiguity that existing case law.
So rather than stopping bogus prosecutions like the one against Aaron Swartz, this revision of the CFAA may encourage them and create more such activity.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cfaa, cfaa reform, exceeds authorized access, hacking
Reader Comments
Subscribe: RSS
View by: Time | Thread
Is there a bill number yet?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Its laughable that the reforms proposed make it worse. Leave it to our congress to break something that was already badly broken. Now if the CFAA bill was abolished in its entirety that would make me proud of them for once.
Law is supposed to be clear, exact, to the point and not allowing “interpretations” or any reading other than what was (hopefully) clearly and concisely written.
[ link to this | view in chronology ]
Re:
"Corruptissima re publica plurimae leges"
- Tacitus
(Translation: "The more numerous the laws, the more corrupt the government" )
The idea is to make the law as broad, vague, and overreaching as possible. That way, literally every citizen commits at least one felony per week--within the broad interpretation of the law. Then the government has a ready-made excuse to fine, imprison, and generally make life miserable for anyone it chooses to. So the government only selectively enforces the law to make examples out of anyone that challenges, threatens, or even just embarrasses it, thereby keeping the citizens in line and always firmly under control.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Mike there is n need to worry over a mere draft of a bill. When the draft becomes a bill to be sent through house and senate as is, that is when we need to worry. At least they are giving a lot of thought and time into this.
As far as interpretations, the original reason that some broad laws were intended to be written in broad language is so that the US Supreme Court can interpreter them.
[ link to this | view in chronology ]
Re:
There is always a need to have input at every stage. Yes the public scrutiny is increasing and that is such a wonderful thing. Its a crowded hot kitchen but we'll work out the soup recipe somehow. In this case the CFAA soup stank already and the new ingredients smell worse. Best to toss it out and replace it with nothing.
Not worrying about the early details is how bad law is gestated and not caring gives birth to law that tears apart society and culture itself. The magnifying glass under full sunlight inspection is the minimum level attention when politics and special interest groups fornicate.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Oh, so that was you "doing journalism"?
[ link to this | view in chronology ]
Re:
Apparently not since he couldn't even read the bill correctly. A journalist/person-who-does-journalism would have done the research first and then written the article. FUD-packers like Mike can't be bothered with such silly things as basic research.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Everyone seems to agree on this point: Aaron committed suicide. Aaron killed Aaron, not anyone else. Whatever else the prosecution may have done, killing him and "making it look like an accident" isn't something the prosecutors have been accused of, even by the whacked-out conspiracy theorists. (At least, not that I've seen.)
Isn't that supposed to be regarded as de facto evidence that the guy was mentally unstable? People get prosecuted unfairly all the time, and most of them do not kill themselves over it. Did I miss a memo somewhere? Is there an official double standard in place where that only applies if the mentally unstable person in question is not a celebrity who advocates a cause that you support?
If we want to fix bad laws, why not just fix them for the sake of fixing bad laws? Isn't that a worthy goal in itself?
[ link to this | view in chronology ]
Re:
We have a lot of laws that get created as a reaction to something (Megan's Law, etc), and this is a new thing to react to.
It doesn't matter, really, WHY he killed himself. CFAA is largely a "bad law," and really should be fixed. The main argument is that our laws shouldn't make felons of otherwise honest people (not necessarily talking about Swartz here).
There's an interesting book on the subject: Three Felonies a Day (http://www.threefeloniesaday.com/)
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
If you lost someone who you admired to stupidity or evil, wouldn't you do everything you could to redress things? Probably not, because that requires empathy, a soul and a beating heart...
[ link to this | view in chronology ]
The point here...
But the rub in copyright is that this mercantilist attitude has already hit a massive extreme in terms of their control. What they learned quickly was that DNS is a no-no in terms of breaking the internet and how it would operate on a massive scale while still not preventing piracy.
This takes away that layer but they're bound to continue to pursue these options. In this, we see the dirtiest word in politics... "Compromise"
With compromise, the US became a Constitution. We allowed slavery (ie cheap labor) while professing that "all men are created equal".
The US allowed copyright monopolies on certain items. Now the system is a corporate maximalist's dream job in destroying basic human rights by allowing corporations to snoop into your private life just to see if you paid for a movie.
We've allowed an aristocratic republic to form over the democratic ideals we enjoyed for more than 2 centuries. And now, corporations want to reinstitute the very same type of monarchy that the American Revolution was fought against... Kind of sad that we've lost our democracy while corporations continue to push politicians away from what the public wants.
[ link to this | view in chronology ]
Re: The point here...
What? You don't think EFF, CDT, PK and all of the other groups claiming to represent the public interest are doing anything?
[ link to this | view in chronology ]
Re: Re: The point here...
[ link to this | view in chronology ]
Re: Re: Re: The point here...
[ link to this | view in chronology ]
Re: Re: Re: Re: The point here...
Nope. Congressional approval is at 9% because people know that Congress doesn't represent them or their interests. Of they did, you would have more discussions and debate about these issues and more laws to protect the public, not criminalize them.
" there are a number of so-called, public interest groups raising many of the same issues Masnick and others are sniveling about. "
Those same public interests that are shut out of discussions on copyright because you want more maximalism? Ok...
" Don't come here crying about your view not being heard, it is. "
And I'll make sure that Aaron's law is passed over what you want. Get used to it.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: The point here...
Nope. Congressional approval is at 9% because people know that Congress doesn't represent them or their interests. Of they did, you would have more discussions and debate about these issues and more laws to protect the public, not criminalize them.
Whose fault is that? Do you vote? Do you campaign for your candidate? Do you donate money to your candidate's campaign? Do you run for office yourself? Have you ever visited your representative's district office? Written a letter? Made a phone call?
" there are a number of so-called, public interest groups raising many of the same issues Masnick and others are sniveling about. "
Those same public interests that are shut out of discussions on copyright because you want more maximalism? Ok...
What are you talking about? They're all over the Hill. They're in Congressional offices every day.
" Don't come here crying about your view not being heard, it is. "
And I'll make sure that Aaron's law is passed over what you want. Get used to it.
Be sure to let me know how that works out for you. As near as I can tell, you don't do shit; other than snivel into the Techdirt echo chamber.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: The point here...
The truth is that the game is already over, and you never set foot on the field.
http://www.politico.com/story/2013/02/activist-aaron-swartz-death-aarons-law-87332.html
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: The point here...
Yes to all. Your stunt with SOPA made me want to get involved with politics and ensure people like you won't be in charge of what our government does.
" They're in Congressional offices every day."
Right, but why aren't they allowed onto the same policy circles as the industries that should be regulated?
Oh, right... You don't want them to be... Fancy that.
" As near as I can tell, you don't do shit; other than snivel into the Techdirt echo chamber."
Heh, I don't spend all day on TD and there is plenty to do that ensures you won't win. But keep trying the derisive tactics. I'm sure those will work eventually.
" The truth is that the game is already over, and you never set foot on the field."
Nah, that game isn't over until the public wins. Game on.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: The point here...
Really? You ran for office? Which one?
" They're in Congressional offices every day."
Right, but why aren't they allowed onto the same policy circles as the industries that should be regulated?
Oh, right... You don't want them to be... Fancy that.
They see the same Congressional staffers, the same members, the same committee lawyers as everyone else. Who do you think they can't see?
Once again, you don't know what you are talking about.
" The truth is that the game is already over, and you never set foot on the field."
Nah, that game isn't over until the public wins. Game on.
I don't know why you are so sure that the majority holds your opinion. Judging from the collective yawn from Congress; they don't. You may want to ponder that fact. Even your Patron Saint, Darryl Issa says this thing is going nowhere. At least it can be said that he actually does know what he is talking about.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: The point here...
A local office. You wouldn't have heard about it.
" They see the same Congressional staffers, the same members, the same committee lawyers as everyone else. Who do you think they can't see?"
Seeing people isn't write the same as money having a heavy influence on theirvvote. You should know that.
" Even your Patron Saint, Darryl Issa says this thing is going nowhere."
Hahaha! Issa protecting the US? Man, that's funny... Stay tuned, you might see the reason you'll fail a second time...
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: The point here...
You talked about access not money, remember:
Right, but why aren't they allowed onto the same policy circles as the industries that should be regulated?
Oh, right... You don't want them to be... Fancy that.
We'll see where it goes. But Aaron's Law won't move this Congress.
[ link to this | view in chronology ]
There's no real question that this list is disjunctive, not conjunctive. No advanced legal knowledge is required, just reading comprehension, albeit of a complicated sentence. Your interpretation yesterday was wrong. No big deal, but how about just a mea culpa, and move on. No need to treat the issue as a matter for "expert" interpretation.
[ link to this | view in chronology ]
Re:
Don't hold your breath. Masnick is seldom right, but never in doubt.
[ link to this | view in chronology ]
Re:
Statutory construction is not Mike's strong suit. Nor is getting things right in general.
[ link to this | view in chronology ]
Re:
"No big deal, but how about just a mea culpa, and move on."
What function, exactly, do you think this article you're commenting on was meant to serve if not that? Assume bad faith on every part except your own then bitch at people when they call you out on yours. Classic.
[ link to this | view in chronology ]
Re: Re:
Yup. That's the most amusing part in all of this. The same people now attacking me for getting this wrong (and, yes, I got this wrong) not only got it wrong themselves, but used that wrongness to claim I was wrong in my analysis.
Now when it turns out that my overall analysis was even MORE accurate than originally guessed, rather than admit that they were totally wrong, they attack me for the original misinterpretation.
Funny that.
What function, exactly, do you think this article you're commenting on was meant to serve if not that?
Exactly. I corrected the error. Some people will never be satisfied.
[ link to this | view in chronology ]
Re: Re: Re:
My criticism of your follow up was that you leave the impression that this particular point of statutory construction is nuanced, and requires the help of Prof Kerr or his ilk to interpret. And I think that feeds into the idea that everything in the statute is infinitely malleable, and a matter of opinion, rather than subject to rules that nonlawuers can understand just like lawyers. You weren't saying that, of course, but your framing of the issue reinforces that idea, which was unfortunate. As I said, the misreading was no big deal.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Acronym Usage
[ link to this | view in chronology ]
Proposed Drafts
[ link to this | view in chronology ]
Re: Proposed Drafts
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Important facts about CFAA that TechDirt should also consider
I have been researching 18 USC 1030 for over one year. I hold an AAS degree in Data Processing, 1983.
While I believe the issues raised by TechDirt are important, I also believe there is a broader picture that may not be considered here, which is, when ADMINISTRATORS (Those having authority) are allowed to manipulate protected computers in order to further fraud on the largest scale imagineable.
Case in point for a serious forum study: I allege that the mortgage housing crisis was ultimately caused by violators of 18 USC 1030, who conspired under 18 1030(b), to abuse authority under 1030(a)(4) and all subparagraphs of 1030(a)(5), by threatening damage to data integrity under 1030 (a)(7)(A), with intent to ultimately extort therefrom under 1030 (a)(7)(C).
I could restate the above intent in numerous ways, but the gist is, masses of underqualified purchasers were granted entry into our national mortgage system by administrators prior to 2008, at all levels, primarily to accelerate loan originations for rapid front-end profit, and without regard to the impairment to data integrity of our property values that could result over the long-term. Now, the abuse continues where administrators ensure that the massive losses to equity are forced upon the unwitting majority of all home owners perpetually. In short, the frauduent process now also self-authorizes the refusal of banks/lenders to reduce the extortive balance owed to the current decimated values for most purchasers, which forces all losses described under 1030 (e)(11) to be placed upon anyone who owns real estate property.
I ask for your assistance here, to help ensure that any revisions to 18 1030 do NOT have an unintended effect of exempting those administrators who may authorize license to sabotage our most vital systems, as we now face with the painful damage and purposefully slow recovery to our mortgage system that was/is "authorized" by those adminstrators in apparent violation of 18 1030. Please investigate further, because the greatest value of 18 1030 that I can see is to prevent, not encourage, abuse by ADMINISTRATORS above all others. I'm not sure if the proposed revisions would authorize such destructive intent or not, because I've only just learned of it myself.
We must ensure the integrity our major systems used in interstate commerce are protected, not corrupted by administrators of same. So, can we work together to fully protect citizens in all areas of computer fraud? Because the issues here seem far deeper than what we might be looking for on the surface. I hope this helps.
[ link to this | view in chronology ]
Important facts about CFAA that TechDirt should also consider
I have been researching 18 USC 1030 for over one year. I hold an AAS degree in Data Processing, 1983.
While I believe the issues raised by TechDirt are important, I also believe there is a broader picture that may not be considered here, which is, when ADMINISTRATORS (Those having authority) are allowed to manipulate protected computers in order to further fraud on the largest scale imagineable.
Case in point for a serious forum study: I allege that the mortgage housing crisis was ultimately caused by violators of 18 USC 1030, who conspired under 18 1030(b), to abuse authority under 1030(a)(4) and all subparagraphs of 1030(a)(5), by threatening damage to data integrity under 1030 (a)(7)(A), with intent to ultimately extort therefrom under 1030 (a)(7)(C).
I could restate the above intent in numerous ways, but the gist is, masses of underqualified purchasers were granted entry into our national mortgage system by administrators prior to 2008, at all levels, primarily to accelerate loan originations for rapid front-end profit, and without regard to the impairment to data integrity of our property values that could result over the long-term. Now, the abuse continues where administrators ensure that the massive losses to equity are forced upon the unwitting majority of all home owners perpetually. In short, the frauduent process now also self-authorizes the refusal of banks/lenders to reduce the extortive balance owed to the current decimated values for most purchasers, which forces all losses described under 1030 (e)(11) to be placed upon anyone who owns real estate property.
I ask for your assistance here, to help ensure that any revisions to 18 1030 do NOT have an unintended effect of exempting those administrators who may authorize license to sabotage our most vital systems, as we now face with the painful damage and purposefully slow recovery to our mortgage system that was/is "authorized" by those adminstrators in apparent violation of 18 1030. Please investigate further, because the greatest value of 18 1030 that I can see is to prevent, not encourage, abuse by ADMINISTRATORS above all others. I'm not sure if the proposed revisions would authorize such destructive intent or not, because I've only just learned of it myself.
We must ensure the integrity our major systems used in interstate commerce are protected, not corrupted by administrators of same. So, can we work together to fully protect citizens in all areas of computer fraud? Because the issues here seem far deeper than what we might be looking for on the surface. I hope this helps.
[ link to this | view in chronology ]