Congressional Rep Mike Honda Sues Challenger Ro Khanna For CFAA Violation Over Access To His Donor List

from the oh-boy dept

Mon, Sep 26th 2016 6:33am — Mike Masnick

So, the CFAA strikes again, and this time right in the heart of a Silicon Valley political fight. If you live in or around the Silicon Valley tech industry, you probably know who Ro Khanna is. He's often been described as the "candidate for Congress that Silicon Valley prefers." It feels like he's been running for Congress against incumbent Rep. Mike Honda forever, but it's really just in the past two elections. Here's a big Bloomberg profile of him from 2013 when he first challenged Honda, losing narrowly to him in the 2014 election, despite having support from many Silicon Valley tech industry stars. This year, he's running again, and in the primary, Khanna narrowly beat Honda, suggesting good things in the general election in November (the top two candidates in the open primary move on to the general election, regardless of party).

Khanna is known for his pro-internet views, while Honda has a reputation for not really understanding or caring very much about the internet.

And now... Honda has sued Khanna under one of the most hated laws on the internet, the CFAA (Computer Fraud & Abuse Act). As we've discussed for many years, the CFAA was supposed to be an "anti-hacking law" that was created by politicians who were (literally, no joke) scared by the fictional movie War Games into writing an anti-hacking law in the 1980s. The law has many, many, many problems, but the biggest one, which comes up again and again in cases, is that it has a vague standard of "unauthorized access" or "exceeding authorized access."

Not surprisingly, that's the issue in this case as well. In short, Brian Parvizshahi was (until Thursday night) Khanna's campaign manager. Way back in 2012, Parvizshahi had briefly (as in, for just a few weeks) worked at Arum Group, an organization that helped Mike Honda with fundraising. After he left Arum Group, apparently no one at the company thought to turn off his access to the Dropbox where they stored all their info about donors. Now, to most people, you'd think that the issue here would be Arum Group's bad policies. But, under the CFAA some can argue that continuing to access that file is a form of "unauthorized access."

And that's the central claim here in the lawsuit. Honda claims that Parvizshahi continued to access that Dropbox folder that he was given access to four years ago and which Arum Group never shut down -- and thus he, and the whole Khanna campaign -- violated the CFAA. You can see the full filing here.

Now, we can say that Parvizshahi continually accessing this info -- especially after starting to work for Khanna -- was really, really dumb. Especially since his actions were clearly viewable in Dropbox -- including cases where he supposedly "edited" the files. From the lawsuit, here's just one of many, many images:

It is worth noting, though, that some of the screenshots merely show Parvizshahi "adding" the document to his desktop, which might have happened automatically if he was syncing his Dropbox account to his computer, which is the way many people set things up.

One other sketchy thing here is that someone sent a copy of Honda's donor list to San Jose Inside magazine in late 2015 -- and apparently the file they got matched a file in the Dropbox folder that Parvizshahi had accessed.

So while it may have been dumb for him to do so, the real fault here would seem to lie with Arum Group for (1) giving Parvizshahi access on what appears to be his personal Dropbox account, rather than adding a professional account that it controlled and (2) failing to revoke his access after Parvizshahi left, and not even noticing it for years. That seems to be the really negligent move here.

But, with the way courts have been interpreting the CFAA, it does seem entirely possible (if ridiculous) that a California court could interpret this to be a CFAA violation for Parvizshahi at the very least. If that also applies to Khanna, that would seem doubly ridiculous. Either way, as far as I can tell, while Khanna has taken a position on a number of issues related to tech policy, I don't see anything about the CFAA. Perhaps this particular episode will change that.

324935989-MHFC-Complaint-and-Motion-9-22-2016 (PDF)324935989-MHFC-Complaint-and-Motion-9-22-2016 (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: brian parvizshahi, campaigns, cfaa, donor lists, hacking, mike honda, ro khanna

19 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 26 Sep 2016 @ 7:19am

Just a thought
Since they never managed to revoke his access, can he argue that he was indeed (still) authorized to the material in question? Sure, logically, since he didn't work for them anymore it stands to logic that he *shouldn't* have access, but he did. It's a technical differentiation, of course, but sometimes that is how things are decided.
[ link to this | view in chronology ]
- Wyrm (profile), 26 Sep 2016 @ 9:03am
  
  Re: Just a thought
  It really depends on the judge. Short version: some seem to accept that exceeding "intended" rather than "actual" authorization is enough.
  Yes, it does get that crazy as times.
  [ link to this | view in chronology ]
- Mike Masnick (profile), 26 Sep 2016 @ 9:24am
  
  Re: Just a thought
  Since they never managed to revoke his access, can he argue that he was indeed (still) authorized to the material in question? Sure, logically, since he didn't work for them anymore it stands to logic that he *shouldn't* have access, but he did. It's a technical differentiation, of course, but sometimes that is how things are decided.
  
  Well, yes, that's an argument -- and similar ones have been made in the past. I think it makes sense, but courts haven't always agreed. And that makes it a risky argument to make in court.
  [ link to this | view in chronology ]
Ryunosuke (profile), 26 Sep 2016 @ 7:20am

computers do not care about meatspace, to a computer, if you have the proper credentials, you are thus authorized to access it.
[ link to this | view in chronology ]
Ninja (profile), 26 Sep 2016 @ 7:29am

Technically he can say it was automated synchronization and good luck to the plaintiff to prove it was not. Considering we still consider people innocent until proven guilty. Of course some things seem to have changed.
[ link to this | view in chronology ]
- Anonymous Coward, 26 Sep 2016 @ 8:08am
  
  Re:
  This is a civil lawsuit. There is no "innocent until proven guilty". It goes by preponderance of the evidence, not proof beyond a reasonable doubt.
  
  "Technically he can say it was automated synchronization and good luck to the plaintiff to prove it was not."
  
  He can say that. But if he says that under oath (and he almost certainly will be deposed) then, if it's a lie, he's committing perjury, and now he's potentially facing jail time. If he WAS the one who leaked the list to the paper, how sure is he that it can't be traced back to him if the paper and/or email providers are subpoenaed?
  [ link to this | view in chronology ]
  - Ninja (profile), 26 Sep 2016 @ 12:49pm
    
    Re: Re:
    Hmmm. Civil? But can't the CFAA put you in jail? Correct me if I'm wrong but when jail is involved you get into the criminal realm, no?
    [ link to this | view in chronology ]
- That One Guy (profile), 26 Sep 2016 @ 1:08pm
  
  Re:
  Considering we still consider people innocent until proven guilty.
  
  Aiming to take top spot in Funniest Comment already are we?
  [ link to this | view in chronology ]
TripMN, 26 Sep 2016 @ 7:45am

Of course this begs the question of "Who else have they forgot to cut off access to?" especially for the docs leaked to the press. If they forgot about one guy from 4 years ago, there has got to be others as well.
[ link to this | view in chronology ]
- Rammarg, 27 Sep 2016 @ 4:32pm
  
  Re: TripMN's remark
  "Begging the question" is a logical fallacy. No doubt you
  meant "raises the question".
  [ link to this | view in chronology ]
Anonymous Coward, 26 Sep 2016 @ 7:51am

Another point not brought up in this write-up: Arum Group was no longer working with Honda's campaign and hadn't been for several years. So not only did Parvizshahi still have access to the files when he should not have so did the Arum Group. Immediately upon severing their contract with Honda's campaign the Arum Group should have deleted the voter information files and rescinded all access.
[ link to this | view in chronology ]
Anonymous Coward, 26 Sep 2016 @ 7:56am

Trust
One thing I find interesting is that the lawsuit alleges things like loss of trust of the donors. Sorry, but that loss of trust is actually deserved if you don't secure your donor's private emails, regardless of whether the defendants actually accessed the list. They didn't notice that the former intern still had access when they switched to the new election cycle - you'd think they'd review their authorized access list at least that often. They didn't even notice his continued access when the paper published a leaked copy of the donor list three and a half years after that intern quit the campaign.

Another thing I find interesting is that, at the time they discovered the breach, they apparently felt the need to notify at least five different consulting companies that were apparently already working for them. Do congressional campaigns normally have that many? But maybe that's one reason why they never noticed. Too many people in the campaign, many of which don't even directly work for the campaign. And maybe that's why they didn't do more diligence when the leak came - too many people they didn't really know had access to the list anyway.
[ link to this | view in chronology ]
Nerddowell, 26 Sep 2016 @ 8:22am

Of course it's the Arum Group's responsibility. But it's also Parvizshahi's responsibility. Saying it's not is like saying that two years ago you lent a key to someone who was once a friend, and forgot to get it back, and then you had a falling out. But you just discovered that he's been letting himself into your house and making lunch for himself when you're away.

Even if it was an automatic sync, Parvizshani would have known.

Now, whether Khanna has any culpability is another matter. You'd have to show that he knew, or should have known. Did he think Parvizshani was just a genius at coming up with leads to people with money, or did he hire Parvizshani in the first place knowing that he had Honda's donor list?
[ link to this | view in chronology ]
Anonymous Coward, 26 Sep 2016 @ 8:39am

Request For Judicial Notice
At the very bottom of the 240 page PDF, beginning on page 238 in that PDF, plaintiff Mike Honda For Congress requests judicial notice of three items. The first two items are from the Federal Election Commission (FEC). The third item is described as—
3. LinkedIn profile of Brian Parvizshahi, attached as Exhibit 2 to the accompanying Declaration of Michael Beckendorf (downloaded from http://www.linkedin.com/in/brianparvi (last visited Sept. 17, 2016).
This third item is said to be “relevant” as follows—
Brian Parvizshahi’s LinkedIn profile is relevant, for it shows that Mr. Parvizshahi (1) was already employed by Defendant Ro for Congress, Inc. when he repeatedly accessed Mike Honda for Congress’ confidential, proprietary data, (2) was working as Ro for Congress, Inc.’s Data Director when he repeatedly accessed Mike Honda for Congress’ confidential, proprietary data, and (3) was promoted to Campaign Manager and was working as Campaign Manager for Ro for Congress, Inc. when he repeatedly accessed Mike Honda for Congress’ confidential, proprietary data.
In the absence, though, of any evidence that the purported “Brian Parvizshahi’s LinkedIn profile” was created or controlled by defendant Brian Parvizshahi, I don't think a court should rely on that for the truth of anything contained in the profile.
[ link to this | view in chronology ]
- Anonymous Coward, 26 Sep 2016 @ 9:00am
  
  Re: Request For Judicial Notice
  attached as Exhibit 2 to the accompanying Declaration of Michael Beckendorf
  Just for convenience, the Sep 20, 2016 Beckendorf declaration (doc 5-19) begins at p.59 within the 240 page pdf. See especially ¶ 8 and footnote 1, both on p.2 (p.60 in pdf) of the Beckendorf declaration.
  
  Exhibit 2 (doc 5-21) attached to that declaration follows the cover sheet on p.71 in the pdf.
  [ link to this | view in chronology ]
- Anonymous Coward, 26 Sep 2016 @ 9:54am
  
  Re: Request For Judicial Notice
  judicial notice
  Also for convenience—
  FRE Rule 201. Judicial Notice of Adjudicative Facts
  (a) . . .
  (b) Kinds of Facts That May Be Judicially Noticed. The court may judicially notice a fact that is not subject to reasonable dispute because it:
  (1) is generally known within the trial court’s territorial jurisdiction; or
  
  (2) can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned.
  (c) . . .
  . . .
  [ link to this | view in chronology ]
  - Anonymous Coward, 26 Sep 2016 @ 10:32am
    
    Re: Re: Request For Judicial Notice
    FRE Rule 201
    And further for convenience, with reference to pp.2-3 (pp.239-40 in PDF) of plaintiff's request for judicial notice—
    • US v Ritchie (9th Cir. 2003)
    • Colonial Penn Ins v Coil (4th Cir. 1989)
    • US ex rel Robinson Rancheria Citizens Council v Borneo (9th Cir. 1992)
    [ link to this | view in chronology ]
Anonymous Coward, 27 Sep 2016 @ 12:43pm

Voting Record
According to GovTrackUS, Honda did vote yes on the Amash Amendment, but also yes on CISA and when it was consolidated into the omnibus bill of 2015; though the "internet bill of rights" page on Ro Khanna's website sounds promising.
[ link to this | view in chronology ]
blah, 15 Oct 2016 @ 12:23am

Beckendorf to Podesta
This https://wikileaks.org/podesta-emails/emailid/4170

It is a Wikileak of a Podesta email, Mike Honda campaign manager on Ro Khanna
[ link to this | view in chronology ]