Turns Out The One 'Good' Change In CFAA Reform... May Actually Be Bad Too
from the ugh dept
However, after talking to two different people with knowledge of the bill in question, it has been suggested that this is not the case, and that the different elements are really meant to be "or" statements. They point out that if you look elsewhere in the existing CFAA, you see the same pattern -- with multiple sub-statements that don't have an "or" but which are interpreted as being "or" statements. For example, under section (a)(2)(A), there is no "or" between that and (B), but clearly the CFAA doesn't only apply to information that is obtained BOTH from a financial institution and a government computer at the same time. This pattern is repeated throughout the bill, such that it seems clear the bill's clauses are connected by "or" statements, rather than "and."
If this is true, then you could run afoul of "exceeding authorized access" for any one of those actions, rather than all three. This is bad for a variety of reasons. Beyond making it much easier to go after someone for exceeding authorized access, it actually acts as a de facto way of expanding, not contracting, that clause in the CFAA. That's because at least a few courts have recently rejected broad interpretations of the CFAA around "exceeding authorized access," such that the courts (in a few key circuits) have effectively cut back on broad interpretations of the bill. This new version of the CFAA would create new broad definitions for which prosecutors could use against people claiming "exceeds authorized access."
It seems like this bill really is all bad. On top of everything else, the one area where it "rolled back" something, it may have rolled it "back" to a place which allows for more ambiguity that existing case law.
So rather than stopping bogus prosecutions like the one against Aaron Swartz, this revision of the CFAA may encourage them and create more such activity.