Rhode Island Attorney General Pushing For A State-Level CFAA That Will Turn Researchers, Whistleblowers Into Criminals

from the 'unauthorized-access'-isn't-always-a-bad-thing... dept

We recently wrote about the Rhode Island attorney general's "cybercrime" bill -- a legislative proposal that seeks to address cyberbullying, revenge porn, etc. with a bunch of broadly -- and poorly -- written clauses. Two negative comments written months apart could be viewed as "cyber-harassment" under the law, separating it from the sustained pattern of abuse that one normally considers "harassment."

In addition, the proposed law would criminalize "non-consensual communications." If the sender does not obtain the recipient's permission to send a message, it's a criminal act if the recipient finds the message to be distressing -- which could mean anything from emailing explicit threats to posting a negative comment on someone's Facebook page.

But that's not Attorney General Peter F. Kilmartin's only bad idea. It appears he's behind another legislative proposal -- one that would amend the state's computer crime laws into something more closely resembling the catastrophic federal equivalent: the CFAA.

Here's the worst part of the suggested amendments:

Whoever intentionally and without authorization or in excess of one's authorization, directly or indirectly accesses a computer, computer program, computer system, or computer network with the intent to either view, obtain, copy, print or download any confidential information contained in or stored on such computer, computer program, computer system, or computer network, shall be guilty of a felony and shall be subject to the penalties set forth in §11-52-5.
This would make the following Google search illegal:
filetype:pdf site:*.gov "law enforcement use only"
Anything deemed "confidential information" -- if accessed by people not "authorized" to do so -- falls under the protection of this legislation, even if it can be accessed by any member of the public without actually "breaking into" a company/government/etc. server.

The definition of "confidential information" makes the legislation even more problematic.
"Confidential Information" means data that is protected from disclosure on a computer, computer program, computer system or computer network and that the computer, computer program, computer system or computer network does not transmit or disclose unless initiated by the owner of such computer, computer program, computer system or computer network.
Something accessible by a Google search is not "protected from disclosure" by any stretch of the imagination. But this phrase, "unless initiated by the owner of such computer…," makes it illegal to obtain documents not otherwise protected. Uploading a sensitive document to a public-facing website crawled by Google is stupid and the person doing the uploading should take any "unauthorized access" as a learning experience. But under the law, it could successfully be argued that the uploading of a document to a publicly-accessible website is not the same thing as "initiating transmission."

The proposal makes several exemptions for service providers, software manufacturers and (no kidding) advertisers, so that their trawling of confidential information in the course of their businesses won't be viewed as criminal acts. But what it doesn't do is carve out an exception for security researchers, who often access confidential information during the course of their work.

In this form, the legislation is dangerous. It will criminalize security research and punish citizens for the stupidity of others. On top of that, the law would pretty much turn every whistleblower into a criminal by treating the access of confidential information as a crime, no matter what the circumstances are. Running it through an editing process involving politicians surrounded by "cyberwar" hype is unlikely to improve it.

Filed Under: cfaa, computer crimes, peter kilmartin, research, rhode island


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Violynne (profile), 27 Apr 2016 @ 12:28pm

    To err is human. To really muck things up, enter the politician.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Apr 2016 @ 12:55pm

    So this means a lot of fuckers in government will be going to jail without those warrants right?

    keep forgetting laws are only for us...

    I thought we were supposed to be in control here?

    And people wonder why I keep tell them that THEY ARE THE PROBLEM!

    If we "citizens" kicked assholes like this out of office the problem WOULD BE SOLVED!

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Apr 2016 @ 6:01pm

      Re:

      Replace a jerk with an angel ... how does it take for the shitheads to turn said angel into one of their own?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 27 Apr 2016 @ 6:25pm

        Re: Re:

        Well if you think attempting to fix the problem with one angel of course it is likely to fail, but the journey of a 100,000 steps gets started on the first one, and of course...

        How about we send more than 1?

        As a collective we survive or perish as one. The petty squabbling we do for these farce parties has effectively kept us busy and blind!

        History has proven that humans are stupid pack animals. It's pretty much true that we cannot govern ourselves because every time we try, it is self destructive.

        There is not enough space here to point out all the problems but you can rest assured one of the major problems is when someone just decides that the other side is nothing but evil no matter what.

        Every philosophy humans have birthed have good & evil elements to them. The trick is taking the best from all of them and leaving their dirty parts right there in the dirt!

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 28 Apr 2016 @ 5:20am

          Re: Re: Re:

          Point being - corruption and coercion are synonymous with those who influence politics, not necessarily the candidates.

          You could have thousands of lily white candidates start their new jobs as public servants and it is simply a matter of time before they are corrupted, coerced into doing things they would not otherwise be doing. How do you stop that? Replace them every term? That is hardly a solution.

          reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Apr 2016 @ 12:59pm

    When politicians and government officials attempt to block researchers, whistle blowers, and journalists, it's a sign they have something to hide. Most likely corruption at high levels. Since their activities can't stand the light of day, better to hide it by making exposure illegal.

    All this tells me is democracy and the nation itself is a sinking ship. Until money is removed from politics, it's not going to get better.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Apr 2016 @ 1:00pm

    Anything deemed "confidential information" -- if accessed by people not "authorized" to do so -- falls under the protection of this legislation, even if it can be accessed by any member of the public without actually "breaking into" a company/government/etc. server.

    So don't punish the little-brain who can't be bothered to make sure confidential information stays, you know...confidential.

    Punish the person who finds it.

    Makes you wonder if he's considered that given there's a penalty for notifying them that their secrets aren't really secrets, the only other alternative would be to anonymously publicize the secret instead...just so they know that they need to do something about their now-less-than-secret secret.

    I mean, it'd be irresponsible to just leave it there unprotected, right?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Apr 2016 @ 4:36pm

      Re:

      Punish the person who finds it.
      Messengers have always been a sad lot of rogues and ne'er-do-wells. They are undeniably, objectively, and empirically nothing but a bunch of bastards.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 Apr 2016 @ 5:25am

      Re:

      Everyone should put a "confidential information" sticker on their cell phone.

      reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 27 Apr 2016 @ 1:07pm

    Attorney General Peter F. Kilmartin, has something to hide.
    Why else create a catch all law that could be used to silence people who might bring to light his bad acts while in office.

    If he proposes such an overly broad restrictive law, he is scared of people finding out the dirty secrets he is hiding, he is acting contrary to the law to enable it so it must be a dozy.

    After all, if they have nothing to hide why be afraid?

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 27 Apr 2016 @ 1:11pm

    Subtle as a sledgehammer

    The proposal makes several exemptions for service providers, software manufacturers and (no kidding) advertisers, so that their trawling of confidential information in the course of their businesses won't be viewed as criminal acts. But what it doesn't do is carve out an exception for security researchers, who often access confidential information during the course of their work.

    Carving out an exception for advertisers of all groups makes it very clear that this has nothing to do with 'protecting personal information', and everything to do with cracking down on those that might expose wrongdoing or weak security on the part of large companies or government agencies, while not so incidentally making whistleblowing a lot riskier.

    It's all about serving politicians and those that own them and has nothing to do with protecting the public.

    reply to this | link to this | view in chronology ]

  • identicon
    todd andersen, 27 Apr 2016 @ 1:37pm

    owner of the software must give permission

    Given that most all software is not sold, rather is licensed, it would follow that the State of Rhode Island would need Microsoft's permission (assuming the document was created in Word, Office, etc), and Adobe's permission if the document was in .pdf format as Microsoft only holds a license to Acrobat before it could access it's own data. Even if Rhode Island obtained blanket permissions from all the software owners to look at their own data. It may be that the state would need specific permissions to allow members of the public to access the data (eg pay my traffic ticket online).

    reply to this | link to this | view in chronology ]

  • icon
    TKnarr (profile), 27 Apr 2016 @ 1:48pm

    Another way to read that last part

    "Confidential Information" means data that is protected from disclosure on a computer, computer program, computer system or computer network and that the computer, computer program, computer system or computer network does not transmit or disclose unless initiated by the owner of such computer, computer program, computer system or computer network.


    Another way of reading that is that if the computer transmits the data when someone other than the owner merely requests it, the data fails the bolded part of the paragraph and because of that is not considered "confidential information".

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Apr 2016 @ 2:30pm

    this is the mindset of so many people of power in the USA. they cannot wait to make a name for themselves even if it means changing the country into the Western equivalent of China or N.Korea! instead of this sort of crap, why not come up with some ideas that will actually protect the people rather than doing whatever possible to aid the government turn even more into an arse hole administration that wants nothing except as many people locked up for as long as possible even though they have done nothing except alert the people to what is going on!!!!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Apr 2016 @ 2:51pm

    Let's use it in our favor

    Criminalize "non-consensual communications" could be used by people receiving layoff notices. Talk about distressing.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Apr 2016 @ 4:24pm

    Who needs encryption when they can just make stupid laws like this, that'll keep everyone safe won't it??

    reply to this | link to this | view in chronology ]

  • identicon
    Whatever, 27 Apr 2016 @ 5:32pm

    Yes! YES!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Apr 2016 @ 8:58pm

    A tyrant by any other name

    reply to this | link to this | view in chronology ]

  • icon
    nasch (profile), 28 Apr 2016 @ 9:43am

    And

    "Confidential Information" means data that is protected from disclosure on a computer, computer program, computer system or computer network and that the computer, computer program, computer system or computer network does not transmit or disclose unless initiated by the owner of such computer, computer program, computer system or computer network.

    Maybe I'm reading this wrong, but it seems the google search example falls down because data is not confidential unless it's both protected from disclosure and not disclosed by the computer owner. Since the former condition is not met, anything publicly available would not be covered by this statute. Not that I think it's a good law or anything.

    reply to this | link to this | view in chronology ]

  • icon
    Monday (profile), 28 Apr 2016 @ 10:31am

    It's purely a run into the Political scene.

    Herbert Yardley's book discussing 'The Black Chamber' effectively put a stop to that in 1931, didn't he? Even though they (The Black Chamber) ceased to be in 1929. The Espionage Act of 1917 was amended blah blah blah. Yardley even got an honourable mention from the NSA.

    Daniel Ellsberg with Anthony Russo did their part, so Nixon couldn't just have either of them killed, right?

    From there it moves on over the dozens and dozens, decade after decade, until we get to our most famous whistle-blowing duo... Chelsea Manning and Edward Snowden. Does a short-sighted Rhode Island Attorney believe he will actually make any individual with enough determination, and enough exasperation and outrage, think twice about righting some very wrong wrongs in the future?

    Attorney General Peter F. Kilmartin believes he is / has the answer when there has been numerous attempts at getting to the answer for years - including a number of amendments to The Espionage Act. Kilmartin should also re-read the Military Whistleblower Protection Act. AG Kilmartin is playing fast and loose with his entry into politics.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.