Did A Former National Parks Employee Violate The CFAA By Tweeting About Climate Change?
from the the-tweets-heard-round-the-world dept
As you may have heard, over the past few days, there's been a lot of talk about various US government Twitter feeds "going rogue" in what many believe is an attempt at a bit of civil disobedience following gag orders being sent from the White House to various federal departments and agencies, with a particular ban on social media. Soon after that came out, the Twitter feed of the famed Badlands National Park in South Dakota started tweeting about climate change:
Those tweets have since been deleted, but they certainly caused quite a stir, and there's even what claims to be a private rogue National Parks Service Twitter feed that won't be silenced at @AltNatPartSer. That's apparently inspired other government employees to set up similar "rogue" Twitter accounts. As I write this, there are about two dozen such accounts on this list, with some personal favorites being the @Alt_FDA, the @RogueNASA and @AltFedCyberz. Now, it's important to state that there's no direct proof that these are actually run by federal employees, but the whole thing is fascinating to watch.
But, that alone doesn't necessarily make it worthy of a Techdirt post (yes, there's a possible Streisand Effect angle on all of this, but it remains to be seen how strong that really is). What caught my eye, however, was how the National Park Service eventually explained those original Badlands tweets, telling BuzzFeed that they were done by an ex-employee who had retained his password, but wasn't authorized to tweet from the account:
National Parks says the @BadlandsNPS climate tweets were deleted because a former employee "compromised" the account https://t.co/4YF1sMJaYa pic.twitter.com/F3fl5f6gnP
— BuzzFeed News (@BuzzFeedNews) January 25, 2017
Now, the exact wording of that statement also made my ears perk up, because "not currently authorized to use the park's account" could have pretty serious legal consequences. As reporter Matt Pearce unfortunately, but correctly, points out, this could be interpreted, by some, to be a violation of the CFAA.
Oy. Under CFAA, that could be interpreted as criminal hacking, yes? https://t.co/XwJa9B7MDP
— Matt Pearce (@mattdpearce) January 25, 2017
You remember the CFAA, of course. That's the "anti-hacking" Computer Fraud and Abuse Act, which has an unfortunately long history of being twisted and questionably interpreted to mean that just about anything people don't like that you do on a computer is potentially a violation. In particular, many cases have focused specifically on what constitutes "without authorization" or "exceeds authorized access" under the law. The fact that the NPS directly claims that this person was "not currently authorized" certainly could be seen to trip the "without authorization" or "exceeds authorized access" lines.
Of course, the CFAA has different sections -- and most of the cases we talk about tend to focus on 1030(a)(4) which covers accessing information whose value is over $5,000. It's difficult to see how one could twist the Badlands tweets as being about accessing information valued at more than $5,000, but there is also 1030(a)(3), which one would hope also would not apply... but where you could see an overzealous DOJ try to make it stick. That's the section that says it's a violation of the CFAA to access a computer that "is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States."
Now, it's pretty clear that the intent here is to go after someone who hacks into a system and somehow interferes with the government making use of that computer (and, remember, the entire reason we have a CFAA is because some clueless politicians -- including Ronald Reagan -- freaked out about the very, very fictional movie War Games). But, given how the DOJ has stretched the interpretation of the CFAA in the past, would it be possible for them to try to claim that by making unauthorized access to a Twitter account, and tweeting those tweets, it was using a computer that "is used by the Government" and the "conduct affects that use by or for the Government of the United States" and that the access was "without authorization"? It... seems unfortunately possible.
So far, the administration doesn't seem too concerned about this... but just the fact that this is even possible is yet another reminder of just how ridiculous the CFAA is, and how it is in desperate need of serious reform.