Rhode Island Attorney General Pushing For A State-Level CFAA That Will Turn Researchers, Whistleblowers Into Criminals

from the 'unauthorized-access'-isn't-always-a-bad-thing... dept

We recently wrote about the Rhode Island attorney general's "cybercrime" bill -- a legislative proposal that seeks to address cyberbullying, revenge porn, etc. with a bunch of broadly -- and poorly -- written clauses. Two negative comments written months apart could be viewed as "cyber-harassment" under the law, separating it from the sustained pattern of abuse that one normally considers "harassment."

In addition, the proposed law would criminalize "non-consensual communications." If the sender does not obtain the recipient's permission to send a message, it's a criminal act if the recipient finds the message to be distressing -- which could mean anything from emailing explicit threats to posting a negative comment on someone's Facebook page.

But that's not Attorney General Peter F. Kilmartin's only bad idea. It appears he's behind another legislative proposal -- one that would amend the state's computer crime laws into something more closely resembling the catastrophic federal equivalent: the CFAA.

Here's the worst part of the suggested amendments:

Whoever intentionally and without authorization or in excess of one's authorization, directly or indirectly accesses a computer, computer program, computer system, or computer network with the intent to either view, obtain, copy, print or download any confidential information contained in or stored on such computer, computer program, computer system, or computer network, shall be guilty of a felony and shall be subject to the penalties set forth in §11-52-5.

This would make the following Google search illegal:

filetype:pdf site:*.gov "law enforcement use only"

Anything deemed "confidential information" -- if accessed by people not "authorized" to do so -- falls under the protection of this legislation, even if it can be accessed by any member of the public without actually "breaking into" a company/government/etc. server.

The definition of "confidential information" makes the legislation even more problematic.

"Confidential Information" means data that is protected from disclosure on a computer, computer program, computer system or computer network and that the computer, computer program, computer system or computer network does not transmit or disclose unless initiated by the owner of such computer, computer program, computer system or computer network.

Something accessible by a Google search is not "protected from disclosure" by any stretch of the imagination. But this phrase, "unless initiated by the owner of such computer…," makes it illegal to obtain documents not otherwise protected. Uploading a sensitive document to a public-facing website crawled by Google is stupid and the person doing the uploading should take any "unauthorized access" as a learning experience. But under the law, it could successfully be argued that the uploading of a document to a publicly-accessible website is not the same thing as "initiating transmission."

The proposal makes several exemptions for service providers, software manufacturers and (no kidding) advertisers, so that their trawling of confidential information in the course of their businesses won't be viewed as criminal acts. But what it doesn't do is carve out an exception for security researchers, who often access confidential information during the course of their work.

In this form, the legislation is dangerous. It will criminalize security research and punish citizens for the stupidity of others. On top of that, the law would pretty much turn every whistleblower into a criminal by treating the access of confidential information as a crime, no matter what the circumstances are. Running it through an editing process involving politicians surrounded by "cyberwar" hype is unlikely to improve it.

Filed Under: cfaa, computer crimes, peter kilmartin, research, rhode island

Rhode Island Attorney General Pushes Yet Another Terrible Cybercrime Bill

from the narrowly-written-legislation-is-a-criminal's-best-friend-(apparently) dept

In what appears to be an annual tradition in Rhode Island politics, legislators (and the state Attorney General) are pinging the First Amendment to see if any new loopholes have developed since the end of the last legislative session. And, of course, it's being done to save the cyberchildren from internet nastiness. (via Overlawyered)

Social media posts, sexually explicit or otherwise, that cause someone's online embarrassment or insult, would become crimes under a set of bills being advanced by Rhode Island Attorney General Peter F. Kilmartin.

Supposedly, the target is cyber-harassment. But the bill's wording is far, far, far too broad.

Unlike current state "cyber-stalking" laws, which require police to prove a pattern of harassing behavior, someone could be prosecuted under the new Kilmartin bill for a single post if at least two others pile on with "separate non-continuous acts of unconsented contact" with the victim. The original post would have to be made with the intent to cause emotional distress and be expected to cause distress in a "reasonable person."

Note the "unconsented contact." Rather than limiting itself to the non-consensual posts of an explicit nature (itself problematic without extensive exceptions), the bill would apparently require messengers to ask permission before delivering any message that might be construed as offensive.

A person shall not post a message to any other person, through the use of any medium of communication, including the Internet or a computer, computer program, computer system, or computer network, or other electronic medium of communication, without the intended recipient's consent, if all of the following apply:

(1) The person knows or has reason to know that posting the message could cause two (2) or more separate non-continuous acts of unconsented contact with the recipient;

(2) Posting the message is intended to cause conduct that would make the intended recipient feel terrorized, frightened, intimidated, threatened, harassed, or molested;

(3) Conduct arising from posting the message would cause a reasonable person to suffer emotional distress and to feel terrorized, frightened, intimidated, threatened, harassed, or molested; and

(4) Conduct arising from posting the message causes the intended recipient to suffer emotional distress and to feel terrorized, frightened, intimidated, threatened, harassed, or molested.

So, having to obtain permission to send messages someone might take the wrong way is Kilmartin's hamfisted way of dealing with online harassment. This changes social media interactions from "I don't want you to get mad, but... " to "I don't want you to press charges, but…" with $1000 and up to a year in jail awaiting the person who fails to receive the go-ahead to send something distressing.

The 'two or more separate non-continuous acts" language is there to close the loophole in the anti-cyberstalking law -- something that has apparently bothered the AG ever since that badly-written law was abused by law enforcement.

There also seems to be some extraterritorial action built into the legislative proposal.

A person may be prosecuted in this state for violating or attempting to violate this section only if one of the following applies:

(1) The person posts the message while in this state;
(2) Conduct arising from posting the message occurs in this state;
(3) The intended recipient is present in this state at the time the offense or any element of the offense occurs; or
(4) The person posting the message knows that the intended recipient resides in this state.

Note that only one of these needs to apply for charge to be brought, so out-of-state residents who may not even know of the law's existence can be prosecuted for violating it.

And then there's the whole "unconsented contact" wording, which makes simple existence practically impossible if one were so inclined to take the legislation at its word(s).

Unconsented contact includes any of the following:

(i) Following or appearing within sight of the victim;
(ii) Approaching or confronting the intended recipient in a public place or on private property;
(iii) Appearing at the intended recipient’s workplace or residence;
(iv) Entering onto or remaining on property owned, leased, or occupied by the intended recipient;
(v) Contacting the intended recipient by telephone;
(vi) Sending mail, or electronic communications to the intended recipient through the use of any medium, including the Internet, a computer, computer program, computer system, or computer network; or
(vii) Placing an object on, or delivering or having delivered an object on, property owned, leased, or occupied by the intended recipient

It's a restraining order, but without the in-writing, signed-by-the-court, legally-binding paperwork! All anyone must do is "express" their desire to be left alone and everything else following that violates the law. This remains true even if the person takes steps to avoid contact ("appearing within sight") or triggers the Grover Cleveland Clause ("two non-consecutive occasions").

The ACLU of Rhode Island is opposing the bill, just like it has during past attempts to push this through. One would hope cooler (and more Constitutional) heads will prevail during the legislative process, but cooler heads are often in short supply when issues like "cybercrime" are discussed.

Filed Under: attorney general, cybercrime, emotional distress, first amendment, harassment, peter kilmartin, rhode island