Turns Out The One 'Good' Change In CFAA Reform… May Actually Be Bad Too
from the ugh dept
So yesterday we broke the news about a proposed CFAA reform bill that, rather than fix the problems of the CFAA, made the law much, much worse. It added computer crimes as a racketeering issue, increased sentences and made just talking about a potential CFAA violation the equivalent of having committed it. Bad stuff all around. There was one section, however, that we said was slightly good. We noted that they ever so slightly rolled back what would constitute a crime for “exceeding authorized access,” listing out a few qualifications that needed to be met — including that the information obtained was valued over $5,000, that you had to be targeting private information and that the access was done in furtherance of a crime. Based on the bill as written, I had assumed that all of those elements needed to be present to qualify.
However, after talking to two different people with knowledge of the bill in question, it has been suggested that this is not the case, and that the different elements are really meant to be “or” statements. They point out that if you look elsewhere in the existing CFAA, you see the same pattern — with multiple sub-statements that don’t have an “or” but which are interpreted as being “or” statements. For example, under section (a)(2)(A), there is no “or” between that and (B), but clearly the CFAA doesn’t only apply to information that is obtained BOTH from a financial institution and a government computer at the same time. This pattern is repeated throughout the bill, such that it seems clear the bill’s clauses are connected by “or” statements, rather than “and.”
If this is true, then you could run afoul of “exceeding authorized access” for any one of those actions, rather than all three. This is bad for a variety of reasons. Beyond making it much easier to go after someone for exceeding authorized access, it actually acts as a de facto way of expanding, not contracting, that clause in the CFAA. That’s because at least a few courts have recently rejected broad interpretations of the CFAA around “exceeding authorized access,” such that the courts (in a few key circuits) have effectively cut back on broad interpretations of the bill. This new version of the CFAA would create new broad definitions that prosecutors could use against people when claiming they “exceeded authorized access.”
It seems like this bill really is all bad. On top of everything else, in the one area where it “rolled back” something, it may have rolled it “back” to a place which allows for more ambiguity than existing case law.
So rather than stopping bogus prosecutions like the one against Aaron Swartz, this revision of the CFAA may encourage them and create more such activity.