Rhode Island Attorney General Pushing For A State-Level CFAA That Will Turn Researchers, Whistleblowers Into Criminals
from the 'unauthorized-access'-isn't-always-a-bad-thing... dept
We recently wrote about the Rhode Island attorney general's "cybercrime" bill -- a legislative proposal that seeks to address cyberbullying, revenge porn, etc. with a bunch of broadly -- and poorly -- written clauses. Two negative comments written months apart could be viewed as "cyber-harassment" under the law, separating it from the sustained pattern of abuse that one normally considers "harassment."
In addition, the proposed law would criminalize "non-consensual communications." If the sender does not obtain the recipient's permission to send a message, it's a criminal act if the recipient finds the message to be distressing -- which could mean anything from emailing explicit threats to posting a negative comment on someone's Facebook page.
But that's not Attorney General Peter F. Kilmartin's only bad idea. It appears he's behind another legislative proposal -- one that would amend the state's computer crime laws into something more closely resembling the catastrophic federal equivalent: the CFAA.
Here's the worst part of the suggested amendments:
Whoever intentionally and without authorization or in excess of one's authorization, directly or indirectly accesses a computer, computer program, computer system, or computer network with the intent to either view, obtain, copy, print or download any confidential information contained in or stored on such computer, computer program, computer system, or computer network, shall be guilty of a felony and shall be subject to the penalties set forth in §11-52-5.
This would make the following Google search illegal:
filetype:pdf site:*.gov "law enforcement use only"
Anything deemed "confidential information" -- if accessed by people not "authorized" to do so -- falls under the protection of this legislation, even if it can be accessed by any member of the public without actually "breaking into" a company/government/etc. server.
The definition of "confidential information" makes the legislation even more problematic.
"Confidential Information" means data that is protected from disclosure on a computer, computer program, computer system or computer network and that the computer, computer program, computer system or computer network does not transmit or disclose unless initiated by the owner of such computer, computer program, computer system or computer network.
Something accessible by a Google search is not "protected from disclosure" by any stretch of the imagination. But this phrase, "unless initiated by the owner of such computer…," makes it illegal to obtain documents not otherwise protected. Uploading a sensitive document to a public-facing website crawled by Google is stupid and the person doing the uploading should take any "unauthorized access" as a learning experience. But under the law, it could successfully be argued that the uploading of a document to a publicly-accessible website is not the same thing as "initiating transmission."
The proposal makes several exemptions for service providers, software manufacturers and (no kidding) advertisers, so that their trawling of confidential information in the course of their businesses won't be viewed as criminal acts. But what it doesn't do is carve out an exception for security researchers, who often access confidential information during the course of their work.
In this form, the legislation is dangerous. It will criminalize security research and punish citizens for the stupidity of others. On top of that, the law would pretty much turn every whistleblower into a criminal by treating the access of confidential information as a crime, no matter what the circumstances are. Running it through an editing process involving politicians surrounded by "cyberwar" hype is unlikely to improve it.
Filed Under: cfaa, computer crimes, peter kilmartin, research, rhode island
Reader Comments
[ link to this | view in thread ]
keep forgetting laws are only for us...
I thought we were supposed to be in control here?
And people wonder why I keep telling them that THEY ARE THE PROBLEM!
If we "citizens" kicked assholes like this out of office the problem WOULD BE SOLVED!
[ link to this | view in thread ]
All this tells me is democracy and the nation itself is a sinking ship. Until money is removed from politics, it's not going to get better.
[ link to this | view in thread ]
So don't punish the little-brain who can't be bothered to make sure confidential information stays, you know...confidential.
Punish the person who finds it.
Makes you wonder if he's considered that given there's a penalty for notifying them that their secrets aren't really secrets, the only other alternative would be to anonymously publicize the secret instead...just so they know that they need to do something about their now-less-than-secret secret.
I mean, it'd be irresponsible to just leave it there unprotected, right?
[ link to this | view in thread ]
Why else create a catch all law that could be used to silence people who might bring to light his bad acts while in office.
If he proposes such an overly broad restrictive law, he is scared of people finding out the dirty secrets he is hiding, he is acting contrary to the law to enable it so it must be a doozy.
After all, if they have nothing to hide why be afraid?
[ link to this | view in thread ]
Subtle as a sledgehammer
Carving out an exception for advertisers of all groups makes it very clear that this has nothing to do with 'protecting personal information', and everything to do with cracking down on those that might expose wrongdoing or weak security on the part of large companies or government agencies, while not so incidentally making whistleblowing a lot riskier.
It's all about serving politicians and those that own them and has nothing to do with protecting the public.
[ link to this | view in thread ]
owner of the software must give permission
[ link to this | view in thread ]
Another way to read that last part
Another way of reading that is that if the computer transmits the data when someone other than the owner merely requests it, the data fails the bolded part of the paragraph and because of that is not considered "confidential information".
[ link to this | view in thread ]
Let's use it in our favor
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
How about we send more than 1?
As a collective we survive or perish as one. The petty squabbling we do for these farce parties has effectively kept us busy and blind!
History has proven that humans are stupid pack animals. It's pretty much true that we cannot govern ourselves because every time we try, it is self destructive.
There is not enough space here to point out all the problems but you can rest assured one of the major problems is when someone just decides that the other side is nothing but evil no matter what.
Every philosophy humans have birthed has good & evil elements to it. The trick is taking the best from all of them and leaving their dirty parts right there in the dirt!
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Let's use it in our favor
[ link to this | view in thread ]
Re: Re: Re:
You could have thousands of lily white candidates start their new jobs as public servants and it is simply a matter of time before they are corrupted, coerced into doing things they would not otherwise be doing. How do you stop that? Replace them every term? That is hardly a solution.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
And
Maybe I'm reading this wrong, but it seems the Google search example falls down because data is not confidential unless it's both protected from disclosure and not disclosed by the computer owner. Since the former condition is not met, anything publicly available would not be covered by this statute. Not that I think it's a good law or anything.
[ link to this | view in thread ]
It's purely a run into the Political scene.
Daniel Ellsberg with Anthony Russo did their part, so Nixon couldn't just have either of them killed, right?
From there it moves on over the dozens and dozens, decade after decade, until we get to our most famous whistle-blowing duo... Chelsea Manning and Edward Snowden. Does a short-sighted Rhode Island Attorney believe he will actually make any individual with enough determination, and enough exasperation and outrage, think twice about righting some very wrong wrongs in the future?
Attorney General Peter F. Kilmartin believes he is / has the answer when there have been numerous attempts at getting to the answer for years - including a number of amendments to The Espionage Act. Kilmartin should also re-read the Military Whistleblower Protection Act. AG Kilmartin is playing fast and loose with his entry into politics.
[ link to this | view in thread ]