Colorado Republican Committee Tries To Use CFAA To Get Even With A Bogus Tweeter, Fails Completely

from the the-law-even-little-people-can-(attempt-to)-abuse dept

How do we know the CFAA is a terrible law? Because even "civilians" abuse it. Or at least try to.

Back in April, the Colorado Republican Committee's (CRC) Twitter account tweeted out something a bit concerning after Ted Cruz nailed down all 34 delegates at a committee assembly in Colorado Springs.

If you can't see the tweet, it says:

We did it. #NeverTrump

The tweet was taken down minutes later and the official Twitter account explained that someone with "unauthorized access" had posted the tweet and it was not a reflection of the Colorado GOP's official stance.

This led to a brief internet wildfire, where CRC reps were interviewed by reporters about the tweet and enraged Trump supporters [also: 4chan] -- believing the fix was in -- began posting threatening messages to and about Colorado GOP leaders. So far, so internet.

The CRC took this a step further though, attempting to sue the "Doe" with allegedly "unauthorized access" for breaching the "threat to public health or safety" clause of the CFAA. The original complaint [PDF] shows the CRC is perhaps far better at electioneering than investigating.

Over the next three weeks, the CRC conducted an investigation into the origin of the tweet. CRC was able to confirm that the fraudulent tweet was sent using the Twitter for iPhone app, but was not able to determine the identity of the responsible individual.

Um. (Source.)

Armed with info that anyone else could have obtained in seconds rather than weeks, the CRC decided it could mass email the perp into turning themselves in:

On April 19, 2016, the CRC sent an e-mail to all individuals who had at one point been authorized to access to the @cologop account asking that they identify themselves by 5:00pm on Wednesday, April 20, 2016 if they were responsible for the fraudulent tweet.

Unsurprisingly, this failed to uncover the perpetrator. It also made it clear that, until this point, the keepers of the official Twitter account never considered that telling formerly authorized users not to use the account is way less effective than actually revoking their access by changing the password.

The court was unimpressed with the original complaint and ordered the plaintiffs to show cause or GTFO. The amended complaint [PDF] contains much more detail, including the supposed expenses incurred as a result of the short-lived tweet. Apparently, everyone involved in the "investigation" spent "hours" determining that someone used an iPhone to send the tweet.

CRC’s internal staff spent hours communicating with its past and present thirdparty vendors to ascertain if any of their personnel accessed CRC’s Twitter account.

CRC’s internal staff also spent hours communicating to Twitter over the phone and through emails.

CRC’s officers and staff spent time responding to the press over the tweet.

Some of those hours were billable, so to speak.

At least 70 percent of Kohli’s time for the week following the assembly and convention and at least 25 percent of the following week was spent responding to the aftermath of the tweet, including making numerous phone calls and emails about CRC’s progress in identifying the anonymous tweeter, determining who had access to the @cologop Twitter account, and answering media requests. This resulted in a loss to CRC of at least 70 percent of his time for one week and 25 percent of him time for another week. Since his annual salary is $65,000, this loss totals at least $1,187.50.

Internet molehill having been sufficiently mountained, the amended complaint goes on to detail the threats received by CRC officials before trying to claim these threats were somehow induced by a tweet that, itself, was not threatening in any form.

Defendant’s conduct in sending the fraudulent tweet caused damage to CRC in the form of death threats to its officers and employees, closure of its offices, and harm to its reputation.

The threats received by the CRC, its officials, and personnel constituted a threat to public health or safety within the meaning of 18 U.S.C. § 1030(c)(4)(a)(i)(IV).

And there's the CFAA tie-in.

Even with certain deficiencies addressed, the CRC still can't assemble a claim that the court can move forward with. The judge has dismissed the complaint in its entirety, pointing out that just because certain things happened after another thing happened doesn't mean the first thing that happened (the bogus tweet/"unauthorized access") is directly responsible for statements made by a bunch of other internet denizens. (h/t Raul)

CRC argues that its Amended Complaint cures the defects addressed in the Court's Order to Show Cause, specifically: (i) it identifies time spent by its staff investigating the unauthorized access as the "loss" that it suffered under 18 U.S.C. § 1030(e)(11), (g); and (ii) that the "threat to public health or safety" required by 18 U.S.C. § 1030(c)(4)(A)(i) and (g) is satisfied by allegations that it was reasonably foreseeable that the publication of the unauthorized message would induce third parties to respond with threats of harm to CRC officers. Although the Court accepts the first proposition, it finds the second to be deficient as a matter of law.

In the Order to Show Cause, the Court previously addressed why 18 U.S.C. § 1030(g)'s "involves" language requires a plaintiff to allege that the unauthorized computer access itself poses a risk to public health or safety, and that the requirement is not satisfied by an allegation that the unauthorized access indirectly caused such a risk to emerge from another source. CRC's response cites to various cases that have used the term "caused" in discussing other provisions of the Act.

The Court finds these cases to be off-point and unpersuasive.

Fortunately, the court takes the CFAA's public health and safety clause and presents a narrow reading of it -- somewhat of a rarity in CFAA-related cases.

As discussed previously, the threat requirement might be met if the unauthorized access disables computers or deletes data essential to providing medical treatment, public utilities, or emergency response services, but not where the unauthorized access has a benign primary effect but induces others to harmful acts. For example, a user who hacks into the social media account of a classmate and encourages him or her to commit suicide might be liable for engaging in conduct posing a risk to health and safety, but a user who hacks into the same classmate's account and merely taunts the classmate for being unattractive cannot be said to have engaged in conduct threatening public health and safety even if the now-despondent classmate reacts to the taunting by committing suicide. Such example entails the user specifically employing the unauthorized access to bring about the risk to public health, and in such circumstances, the use of a predominantly criminal statute to afford civil relief might be proper. The latter example draws upon the complex, wide-ranging, and sometimes attenuated principles of tort causation, importing that sprawling and imprecise inquiry into a statute that was clearly intended to have a narrow, focused reach.

While the fallout of the bogus tweet may have been inconvenient and surrounded by threats from irate GOP members (oh, and 4chan...), the tweet itself was not threatening nor did it call for threats to be made. That one led to the other is undeniable, but it was in no way definitely foreseeable that the tweet would have this effect.

The CRC's complaint is, at best, an expensive windmill tilt, tossed into court solely for the purpose of exposing the "unauthorized" tweeter to angry CRC officials. It has nothing to do with CFAA violations -- which were apparently added to make a federal case out of the CRC's failure to address its own operational security issues until it was too late.


Filed Under: cfaa, cfaa abuse, colorado, gop, tweets
Companies: twitter


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Ninja (profile), 27 Jul 2016 @ 9:55am

    Obviously it's the work of Vladminions or Putiminions in Russia. Time to start a cyberwar against Russia. Beware of their cyber bears with gatling guns.

    reply to this | link to this | view in chronology ]

    • icon
      orbitalinsertion (profile), 27 Jul 2016 @ 10:06am

      Re:

      We should also extend our territorial intarnets 200 cybermiles off the cybercoast.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Jul 2016 @ 10:16am

      Re:

      Can we bargain down to russian 4chan users and call it a day?

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Jul 2016 @ 6:04pm

      Re:

      You recall stuxnet right? You don't think we've been in cyberwar with Russia this whole time? It was released that we bug our own allies we trust, and you think we haven't been in cyberwar with Russia this whole time. That's adorable

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Jul 2016 @ 10:20am

    We're the death treats real or just perceived to be true threats?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Jul 2016 @ 10:26am

    Doesn't make sense

    Even if the court did agree that they had a valid case, what would happen? After all, they didn't have the faintest idea as to who actually sent out the tweet. So what could the court do?

    Seems to me that they just wasted a lot of their own time plus the courts' time for no useful purpose.

    reply to this | link to this | view in chronology ]

  • identicon
    kallethen, 27 Jul 2016 @ 10:33am

    Meanwhile, the cynic in me questions just how "fraudulent" the tweet actually was...

    reply to this | link to this | view in chronology ]

  • icon
    Padpaw (profile), 27 Jul 2016 @ 5:28pm

    reminds me of the whole costs 5 dollars to change a lightbulb, but since our managers like to be paid for doing noting we are adding an administrative cost of 20k to the bill.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.