Turns Out The One 'Good' Change In CFAA Reform… May Actually Be Bad Too
from the ugh dept
So yesterday we broke the news about a proposed CFAA reform bill that, rather than fix the problems of the CFAA made the law much, much worse. It added computer crimes as a racketeering issue, increased sentences and made just talking about a potential CFAA violation the equivalent of having committed it. Bad stuff all around. There was one section, however, that we said was slightly good. We noted that they ever so slightly rolled back what would constitute a crime for “exceeding authorized access” listing out a few qualifications that needed to be met — including that the information obtained was valued over $5,000, that you had to be targeting private information and that the access was done in furtherance of a crime. Based on the bill as written, I had assumed that all of those elements needed to be present to qualify.
However, after talking to two different people with knowledge of the bill in question, it has been suggested that this is not the case, and that the different elements are really meant to be “or” statements. They point out that if you look elsewhere in the existing CFAA, you see the same pattern — with multiple sub-statements that don’t have an “or” but which are interpreted as being “or” statements. For example, under section (a)(2)(A), there is no “or” between that and (B), but clearly the CFAA doesn’t only apply to information that is obtained BOTH from a financial institution and a government computer at the same time. This pattern is repeated throughout the bill, such that it seems clear the bill’s clauses are connected by “or” statements, rather than “and.”
If this is true, then you could run afoul of “exceeding authorized access” for any one of those actions, rather than all three. This is bad for a variety of reasons. Beyond making it much easier to go after someone for exceeding authorized access, it actually acts as a de facto way of expanding, not contracting, that clause in the CFAA. That’s because at least a few courts have recently rejected broad interpretations of the CFAA around “exceeding authorized access,” such that the courts (in a few key circuits) have effectively cut back on broad interpretations of the bill. This new version of the CFAA would create new broad definitions for which prosecutors could use against people claiming “exceeds authorized access.”
It seems like this bill really is all bad. On top of everything else, the one area where it “rolled back” something, it may have rolled it “back” to a place which allows for more ambiguity that existing case law.
So rather than stopping bogus prosecutions like the one against Aaron Swartz, this revision of the CFAA may encourage them and create more such activity.
Filed Under: cfaa, cfaa reform, exceeds authorized access, hacking
Comments on “Turns Out The One 'Good' Change In CFAA Reform… May Actually Be Bad Too”
Is there a bill number yet?
Has it been officially introduced yet? It’s a lot simpler to give feedback to congress-critters if I can point to a bill name (or at least the sponsor).
As it’s often said it doesn’t matter if you try to polish turd, it’ll still be… turd. Shiny but just as bad. Scrap it and restart.
Why do we even let these kids meet and write law anyway. Its obvious they don’t know how to write competent constitutional law in the first place. This dis-functionality is the norm and it gets me every time, at press and political events, puffing up and looking like they are actually proud of what they’ve done/do.
Its laughable that the reforms proposed make it worse. Leave it to our congress to break something that was already badly broken. Now if the CFAA bill was abolished in its entirety that would make me proud of them for once.
Law is supposed to be clear, exact, to the point and not allowing ?interpretations? or any reading other than what was (hopefully) clearly and concisely written.
Re: Re:
Law is supposed to be clear, exact, to the point and not allowing ?interpretations? or any reading other than what was (hopefully) clearly and concisely written.
“Corruptissima re publica plurimae leges”
– Tacitus
(Translation: “The more numerous the laws, the more corrupt the government” )
The idea is to make the law as broad, vague, and overreaching as possible. That way, literally every citizen commits at least one felony per week–within the broad interpretation of the law. Then the government has a ready-made excuse to fine, imprison, and generally make life miserable for anyone it chooses to. So the government only selectively enforces the law to make examples out of anyone that challenges, threatens, or even just embarrasses it, thereby keeping the citizens in line and always firmly under control.
Re: Re: Re:
it shows how scared the government is of the people, that it has to now introduce amendments that make a law so much worse than it already was, and also shows the lengths the government will go to to try to prevent those it is so scared of from making any sort of inroads for changing laws for the better and disposing of that government. basically, the USA has become a dictatorship, run by those that are equal to the governments of communist countries, that do whatever it takes to keep the people subdued. when the government doesn’t have the decency, the balls, to face up to and admit to the implementation of outrageous steps that led to the unlawful death of a citizen, then responds by making that process so much easier and more likely to occur again, it makes me fear what the hell it will do next!!
I still see most of the revisions as good. The only action from the FTC towards consumer fraud was fines. This makes it a little less caveat emptor for anyone looking for legitimate services. The funny thing is that most of these new revisions to the CFAA were written by the Judiciary Oversight Committee who practically grilled Eric Holder over the case of Aaron Swartz. B esides, this is only a draft so far and is still being worked on before it gets passed to the House and Senate. It should also be noted that the President has the power to strike out bits of it too before he signs it…but then the bill has to be sent back for approval by congress.
Mike there is n need to worry over a mere draft of a bill. When the draft becomes a bill to be sent through house and senate as is, that is when we need to worry. At least they are giving a lot of thought and time into this.
As far as interpretations, the original reason that some broad laws were intended to be written in broad language is so that the US Supreme Court can interpreter them.
Re: Re:
?Relax and go back to sleep.? is not the lullaby I want to hear.
There is always a need to have input at every stage. Yes the public scrutiny is increasing and that is such a wonderful thing. Its a crowded hot kitchen but we’ll work out the soup recipe somehow. In this case the CFAA soup stank already and the new ingredients smell worse. Best to toss it out and replace it with nothing.
Not worrying about the early details is how bad law is gestated and not caring gives birth to law that tears apart society and culture itself. The magnifying glass under full sunlight inspection is the minimum level attention when politics and special interest groups fornicate.
Re: Re: Re:
Oh I only will worry about the details when they are finalized. This is only a rough draft of the bill is all I am saying 🙂
So yesterday we broke the news about a proposed CFAA reform bill that, rather than fix the problems of the CFAA made the law much, much worse.
Oh, so that was you “doing journalism”?
Re: Re:
Oh, so that was you “doing journalism”?
Apparently not since he couldn’t even read the bill correctly. A journalist/person-who-does-journalism would have done the research first and then written the article. FUD-packers like Mike can’t be bothered with such silly things as basic research.
Re: Re: Re:
Shut up, troll.
Re: Re: Re:
I love how the common them among the trolls in the original article was that these provisions obviously meant all of the other analysis was FUD. So he goes out and addresses that claim directly with some additional research and the trolls come back and still scream FUD.
Re: Re: Re: Re:
Fair enough. Are you more comfortable with the term, “baseless fear-mongering”?
Could someone please explain why the name of Aaron Swartz keeps being invoked as a reason to fix all this stuff? (Please note, I’m not saying that it doesn’t need to be fixed.) Everyone keeps going on about how Aaron killed himself over his prosecution in the MIT case, and so therefore we need to fix things.
Everyone seems to agree on this point: Aaron committed suicide. Aaron killed Aaron, not anyone else. Whatever else the prosecution may have done, killing him and “making it look like an accident” isn’t something the prosecutors have been accused of, even by the whacked-out conspiracy theorists. (At least, not that I’ve seen.)
Isn’t that supposed to be regarded as de facto evidence that the guy was mentally unstable? People get prosecuted unfairly all the time, and most of them do not kill themselves over it. Did I miss a memo somewhere? Is there an official double standard in place where that only applies if the mentally unstable person in question is not a celebrity who advocates a cause that you support?
If we want to fix bad laws, why not just fix them for the sake of fixing bad laws? Isn’t that a worthy goal in itself?
Re: Re:
It’s because the CFAA is what was being used to prosecute him, bringing that particular law into the limelight.
We have a lot of laws that get created as a reaction to something (Megan’s Law, etc), and this is a new thing to react to.
It doesn’t matter, really, WHY he killed himself. CFAA is largely a “bad law,” and really should be fixed. The main argument is that our laws shouldn’t make felons of otherwise honest people (not necessarily talking about Swartz here).
There’s an interesting book on the subject: Three Felonies a Day (http://www.threefeloniesaday.com/)
Re: Re:
This is all part of Masnick’s shameless exploitation of Swartz unfortunate death. You are 100% correct, but I guess it’s easier to advance his agenda using Swartz tragedy than on the merits. Simply pitiful.
Re: Re: Re:
Nowhere near as shameful as the fact that due to bad laws and worse lawmakers, Swartz was pushed into a position where that became a viable option for him.
If you lost someone who you admired to stupidity or evil, wouldn’t you do everything you could to redress things? Probably not, because that requires empathy, a soul and a beating heart…
The point here...
So we know the “trick” here is to create a massive bill that has everything that the industries want with no dialogue from the public. Make it so that it’s so unbearable that the bill with what they really want is the one that gets passed.
But the rub in copyright is that this mercantilist attitude has already hit a massive extreme in terms of their control. What they learned quickly was that DNS is a no-no in terms of breaking the internet and how it would operate on a massive scale while still not preventing piracy.
This takes away that layer but they’re bound to continue to pursue these options. In this, we see the dirtiest word in politics… “Compromise”
With compromise, the US became a Constitution. We allowed slavery (ie cheap labor) while professing that “all men are created equal”.
The US allowed copyright monopolies on certain items. Now the system is a corporate maximalist’s dream job in destroying basic human rights by allowing corporations to snoop into your private life just to see if you paid for a movie.
We’ve allowed an aristocratic republic to form over the democratic ideals we enjoyed for more than 2 centuries. And now, corporations want to reinstitute the very same type of monarchy that the American Revolution was fought against… Kind of sad that we’ve lost our democracy while corporations continue to push politicians away from what the public wants.
Re: The point here...
So we know the “trick” here is to create a massive bill that has everything that the industries want with no dialogue from the public.
What? You don’t think EFF, CDT, PK and all of the other groups claiming to represent the public interest are doing anything?
Re: Re: The point here...
Did you miss how the movie and music industry want these people to not protect their access to culture and information?
Re: Re: Re: The point here...
Why are you pretending the public has no voice. In addition to having an elected official representing them, there are a number of so-called, public interest groups raising many of the same issues Masnick and others are sniveling about. Don’t come here crying about your view not being heard, it is. You just do not like that it’s not going to end the way you want. Get used to it.
Re: Re: Re:2 The point here...
” addition to having an elected official representing them,”
Nope. Congressional approval is at 9% because people know that Congress doesn’t represent them or their interests. Of they did, you would have more discussions and debate about these issues and more laws to protect the public, not criminalize them.
” there are a number of so-called, public interest groups raising many of the same issues Masnick and others are sniveling about.?”
Those same public interests that are shut out of discussions on copyright because you want more maximalism? Ok…
” Don’t come here crying about your view not being heard, it is.?”
And I’ll make sure that Aaron’s law is passed over what you want. Get used to it.
Re: Re: Re:3 The point here...
” addition to having an elected official representing them,”
Nope. Congressional approval is at 9% because people know that Congress doesn’t represent them or their interests. Of they did, you would have more discussions and debate about these issues and more laws to protect the public, not criminalize them.
Whose fault is that? Do you vote? Do you campaign for your candidate? Do you donate money to your candidate’s campaign? Do you run for office yourself? Have you ever visited your representative’s district office? Written a letter? Made a phone call?
” there are a number of so-called, public interest groups raising many of the same issues Masnick and others are sniveling about. “
Those same public interests that are shut out of discussions on copyright because you want more maximalism? Ok…
What are you talking about? They’re all over the Hill. They’re in Congressional offices every day.
” Don’t come here crying about your view not being heard, it is. “
And I’ll make sure that Aaron’s law is passed over what you want. Get used to it.
Be sure to let me know how that works out for you. As near as I can tell, you don’t do shit; other than snivel into the Techdirt echo chamber.
Re: Re: Re:3 The point here...
And I’ll make sure that Aaron’s law is passed over what you want. Get used to it.
The truth is that the game is already over, and you never set foot on the field.
http://www.politico.com/story/2013/02/activist-aaron-swartz-death-aarons-law-87332.html
Re: Re: Re:4 The point here...
” Whose fault is that? Do you vote? Do you campaign for your candidate? Do you donate money to your candidate’s campaign? Do you run for office yourself? Have you ever visited your representative’s district office? Written a letter? Made a phone call?”
Yes to all. Your stunt with SOPA made me want to get involved with politics and ensure people like you won’t be in charge of what our government does.
” They’re in Congressional offices every day.”
Right, but why aren’t they allowed onto the same policy circles as the industries that should be regulated?
Oh, right… You don’t want them to be… Fancy that.
” As near as I can tell,?you?don’t do shit; other than snivel into the Techdirt echo chamber.”
Heh, I don’t spend all day on TD and there is plenty to do that ensures you won’t win. But keep trying the derisive tactics. I’m sure those will work eventually.
” The truth is that the game is already over, and you never set foot on the field.”
Nah, that game isn’t over until the public wins. Game on.
Re: Re: Re:5 The point here...
Yes to all. Your stunt with SOPA made me want to get involved with politics and ensure people like you won’t be in charge of what our government does.
Really? You ran for office? Which one?
” They’re in Congressional offices every day.”
Right, but why aren’t they allowed onto the same policy circles as the industries that should be regulated?
Oh, right… You don’t want them to be… Fancy that.
They see the same Congressional staffers, the same members, the same committee lawyers as everyone else. Who do you think they can’t see?
Once again, you don’t know what you are talking about.
” The truth is that the game is already over, and you never set foot on the field.”
Nah, that game isn’t over until the public wins. Game on.
I don’t know why you are so sure that the majority holds your opinion. Judging from the collective yawn from Congress; they don’t. You may want to ponder that fact. Even your Patron Saint, Darryl Issa says this thing is going nowhere. At least it can be said that he actually does know what he is talking about.
Re: Re: Re:6 The point here...
” Really? You ran for office? Which one?”
A local office. You wouldn’t have heard about it.
” They see the same Congressional staffers, the same members, the same committee lawyers as everyone else. Who do you think they can’t see?”
Seeing people isn’t write the same as money having a heavy influence on theirvvote. You should know that.
” Even your Patron Saint, Darryl Issa says this thing is going nowhere.”
Hahaha! Issa protecting the US? Man, that’s funny… Stay tuned, you might see the reason you’ll fail a second time…
Re: Re: Re:7 The point here...
Well, I commend you for running. I’m a bit surprised this is the first I’ve heard of it. I’d have thought you’d have used TD as a bit of a launchpad.
You talked about access not money, remember:
Right, but why aren’t they allowed onto the same policy circles as the industries that should be regulated?
Oh, right… You don’t want them to be… Fancy that.
We’ll see where it goes. But Aaron’s Law won’t move this Congress.
Mike – you’re writing as though there’s some doubt as to the language of the bill, and interpreting it somehow requires the aid of people with special knowledge of the CFAA. But that proposal you cited to is actually pretty clear: it’s a list of several things, separated by semicolons, with an “or” before the last item in the list.
There’s no real question that this list is disjunctive, not conjunctive. No advanced legal knowledge is required, just reading comprehension, albeit of a complicated sentence. Your interpretation yesterday was wrong. No big deal, but how about just a mea culpa, and move on. No need to treat the issue as a matter for “expert” interpretation.
Re: Re:
Your interpretation yesterday was wrong. No big deal, but how about just a mea culpa, and move on. No need to treat the issue as a matter for “expert” interpretation.
Don’t hold your breath. Masnick is seldom right, but never in doubt.
Re: Re:
Mike – you’re writing as though there’s some doubt as to the language of the bill, and interpreting it somehow requires the aid of people with special knowledge of the CFAA. But that proposal you cited to is actually pretty clear: it’s a list of several things, separated by semicolons, with an “or” before the last item in the list.
Statutory construction is not Mike’s strong suit. Nor is getting things right in general.
Re: Re:
If it’s so clear why were the trolls in the thread insisting the previous analysis of the provisions was all FUD because obviously you had to meet all the conditions first?
“No big deal, but how about just a mea culpa, and move on.”
What function, exactly, do you think this article you’re commenting on was meant to serve if not that? Assume bad faith on every part except your own then bitch at people when they call you out on yours. Classic.
Re: Re: Re:
If it’s so clear why were the trolls in the thread insisting the previous analysis of the provisions was all FUD because obviously you had to meet all the conditions first?
Yup. That’s the most amusing part in all of this. The same people now attacking me for getting this wrong (and, yes, I got this wrong) not only got it wrong themselves, but used that wrongness to claim I was wrong in my analysis.
Now when it turns out that my overall analysis was even MORE accurate than originally guessed, rather than admit that they were totally wrong, they attack me for the original misinterpretation.
Funny that.
What function, exactly, do you think this article you’re commenting on was meant to serve if not that?
Exactly. I corrected the error. Some people will never be satisfied.
Re: Re: Re: Re:
Mike, I’m the AC who was quoted, and I never suggested, as troll or otherwise, that the language was conjunctive. Say you original post, and actually thought to myself, mile’s being too sanguine about that passage, I should respond when I get to a keyboard.
My criticism of your follow up was that you leave the impression that this particular point of statutory construction is nuanced, and requires the help of Prof Kerr or his ilk to interpret. And I think that feeds into the idea that everything in the statute is infinitely malleable, and a matter of opinion, rather than subject to rules that nonlawuers can understand just like lawyers. You weren’t saying that, of course, but your framing of the issue reinforces that idea, which was unfortunate. As I said, the misreading was no big deal.
Re: Re: Re:
The problem I mentioned above is that Mile wasn’t just coming out and saying “I was mistaken” or “I misread that bit.” It’s completely understandable how he would – it’s a long passage, and he’s busy. But his follow up post leaves the impression that there’s some legitimate debate about how that passage would be applied, or what it means. There isn’t. There may have been trolls insisting there was a different meaning, but they are – as you say– trolls.
Re: Re: Re:
The problem I mentioned above is that Mile wasn’t just coming out and saying “I was mistaken” or “I misread that bit.” It’s completely understandable how he would – it’s a long passage, and he’s busy. But his follow up post leaves the impression that there’s some legitimate debate about how that passage would be applied, or what it means. There isn’t. There may have been trolls insisting there was a different meaning, but they are – as you say– trolls.
Acronym Usage
Please expand each acronym when first used, such as the “Computer Fraud & Abuse Act (CFAA)”. Old hat to many of you I’m sure, but those of us just in from the front page of Google News tend to need them framed. Thx.
Proposed Drafts
the two proposed drafts of a new CFAA bill lead to two different outcomes (depending on what is adopted). but with this latest abomination, a clever poliitician could suggest that the compromise, between the drafts is to do nothing and let the current CFAA law stand. Another fine job done.
Re: Proposed Drafts
Now you know why the US is in such a financial mess………
If this passes, go to a political meeting with some of the asshats who supported this and walk around looking at your medical records on a laptop. When one of them looks at the screen, have them charged with accessing your personal information without authorization.
Important facts about CFAA that TechDirt should also consider
Greetings Forum,
I have been researching 18 USC 1030 for over one year. I hold an AAS degree in Data Processing, 1983.
While I believe the issues raised by TechDirt are important, I also believe there is a broader picture that may not be considered here, which is, when ADMINISTRATORS (Those having authority) are allowed to manipulate protected computers in order to further fraud on the largest scale imagineable.
Case in point for a serious forum study: I allege that the mortgage housing crisis was ultimately caused by violators of 18 USC 1030, who conspired under 18 1030(b), to abuse authority under 1030(a)(4) and all subparagraphs of 1030(a)(5), by threatening damage to data integrity under 1030 (a)(7)(A), with intent to ultimately extort therefrom under 1030 (a)(7)(C).
I could restate the above intent in numerous ways, but the gist is, masses of underqualified purchasers were granted entry into our national mortgage system by administrators prior to 2008, at all levels, primarily to accelerate loan originations for rapid front-end profit, and without regard to the impairment to data integrity of our property values that could result over the long-term. Now, the abuse continues where administrators ensure that the massive losses to equity are forced upon the unwitting majority of all home owners perpetually. In short, the frauduent process now also self-authorizes the refusal of banks/lenders to reduce the extortive balance owed to the current decimated values for most purchasers, which forces all losses described under 1030 (e)(11) to be placed upon anyone who owns real estate property.
I ask for your assistance here, to help ensure that any revisions to 18 1030 do NOT have an unintended effect of exempting those administrators who may authorize license to sabotage our most vital systems, as we now face with the painful damage and purposefully slow recovery to our mortgage system that was/is “authorized” by those adminstrators in apparent violation of 18 1030. Please investigate further, because the greatest value of 18 1030 that I can see is to prevent, not encourage, abuse by ADMINISTRATORS above all others. I’m not sure if the proposed revisions would authorize such destructive intent or not, because I’ve only just learned of it myself.
We must ensure the integrity our major systems used in interstate commerce are protected, not corrupted by administrators of same. So, can we work together to fully protect citizens in all areas of computer fraud? Because the issues here seem far deeper than what we might be looking for on the surface. I hope this helps.
Important facts about CFAA that TechDirt should also consider
Greetings Forum,
I have been researching 18 USC 1030 for over one year. I hold an AAS degree in Data Processing, 1983.
While I believe the issues raised by TechDirt are important, I also believe there is a broader picture that may not be considered here, which is, when ADMINISTRATORS (Those having authority) are allowed to manipulate protected computers in order to further fraud on the largest scale imagineable.
Case in point for a serious forum study: I allege that the mortgage housing crisis was ultimately caused by violators of 18 USC 1030, who conspired under 18 1030(b), to abuse authority under 1030(a)(4) and all subparagraphs of 1030(a)(5), by threatening damage to data integrity under 1030 (a)(7)(A), with intent to ultimately extort therefrom under 1030 (a)(7)(C).
I could restate the above intent in numerous ways, but the gist is, masses of underqualified purchasers were granted entry into our national mortgage system by administrators prior to 2008, at all levels, primarily to accelerate loan originations for rapid front-end profit, and without regard to the impairment to data integrity of our property values that could result over the long-term. Now, the abuse continues where administrators ensure that the massive losses to equity are forced upon the unwitting majority of all home owners perpetually. In short, the frauduent process now also self-authorizes the refusal of banks/lenders to reduce the extortive balance owed to the current decimated values for most purchasers, which forces all losses described under 1030 (e)(11) to be placed upon anyone who owns real estate property.
I ask for your assistance here, to help ensure that any revisions to 18 1030 do NOT have an unintended effect of exempting those administrators who may authorize license to sabotage our most vital systems, as we now face with the painful damage and purposefully slow recovery to our mortgage system that was/is “authorized” by those adminstrators in apparent violation of 18 1030. Please investigate further, because the greatest value of 18 1030 that I can see is to prevent, not encourage, abuse by ADMINISTRATORS above all others. I’m not sure if the proposed revisions would authorize such destructive intent or not, because I’ve only just learned of it myself.
We must ensure the integrity our major systems used in interstate commerce are protected, not corrupted by administrators of same. So, can we work together to fully protect citizens in all areas of computer fraud? Because the issues here seem far deeper than what we might be looking for on the surface. I hope this helps.