How do we know the CFAA is a terrible law? Because even "civilians" abuse it. Or at least try to.
Back in April, the Colorado Republican Committee's (CRC) Twitter account tweeted out something a bit concerning after Ted Cruz nailed down all 34 delegates at a committee assembly in Colorado Springs.
If you can't see the tweet, it says:
We did it. #NeverTrump
The tweet was taken down minutes later and the official Twitter account explained that someone with "unauthorized access" had posted the tweet and it was not a reflection of the Colorado GOP's official stance.
This led to a brief internet wildfire, where CRC reps were interviewed by reporters about the tweet and enraged Trump supporters [also: 4chan] -- believing the fix was in -- began posting threatening messages to and about Colorado GOP leaders. So far, so internet.
The CRC took this a step further though, attempting to sue the "Doe" with allegedly "unauthorized access" for breaching the "threat to public health or safety" clause of the CFAA. The original complaint [PDF] shows the CRC is perhaps far better at electioneering than investigating.
Over the next three weeks, the CRC conducted an investigation into the origin of the tweet. CRC was able to confirm that the fraudulent tweet was sent using the Twitter for iPhone app, but was not able to determine the identity of the responsible individual.
Armed with info that anyone else could have obtained in seconds rather than weeks, the CRC decided it could mass email the perp into turning themselves in:
On April 19, 2016, the CRC sent an e-mail to all individuals who had at one point been authorized to access to the @cologop account asking that they identify themselves by 5:00pm on Wednesday, April 20, 2016 if they were responsible for the fraudulent tweet.
Unsurprisingly, this failed to uncover the perpetrator. It also made it clear that, until this point, the keepers of the official Twitter account never considered that telling formerly authorized users not to use the account is way less effective than actually revoking their access by changing the password.
The court was unimpressed with the original complaint and ordered the plaintiffs to show cause or GTFO. The amended complaint [PDF] contains much more detail, including the supposed expenses incurred as a result of the short-lived tweet. Apparently, everyone involved in the "investigation" spent "hours" determining that someone used an iPhone to send the tweet.
CRC’s internal staff spent hours communicating with its past and present thirdparty vendors to ascertain if any of their personnel accessed CRC’s Twitter account.
CRC’s internal staff also spent hours communicating to Twitter over the phone and through emails.
CRC’s officers and staff spent time responding to the press over the tweet.
Some of those hours were billable, so to speak.
At least 70 percent of Kohli’s time for the week following the assembly and convention and at least 25 percent of the following week was spent responding to the aftermath of the tweet, including making numerous phone calls and emails about CRC’s progress in identifying the anonymous tweeter, determining who had access to the @cologop Twitter account, and answering media requests. This resulted in a loss to CRC of at least 70 percent of his time for one week and 25 percent of him time for another week. Since his annual salary is $65,000, this loss totals at least $1,187.50.
Internet molehill having been sufficiently mountained, the amended complaint goes on to detail the threats received by CRC officials before trying to claim these threats were somehow induced by a tweet that, itself, was not threatening in any form.
Defendant’s conduct in sending the fraudulent tweet caused damage to CRC in the form of death threats to its officers and employees, closure of its offices, and harm to its reputation.
The threats received by the CRC, its officials, and personnel constituted a threat to public health or safety within the meaning of 18 U.S.C. § 1030(c)(4)(a)(i)(IV).
And there's the CFAA tie-in.
Even with certain deficiencies addressed, the CRC still can't assemble a claim that the court can move forward with. The judge has dismissed the complaint in its entirety, pointing out that just because certain things happened after another thing happened doesn't mean the first thing that happened (the bogus tweet/"unauthorized access") is directly responsible for statements made by a bunch of other internet denizens. (h/t Raul)
CRC argues that its Amended Complaint cures the defects addressed in the Court's Order to Show Cause, specifically: (i) it identifies time spent by its staff investigating the unauthorized access as the "loss" that it suffered under 18 U.S.C. § 1030(e)(11), (g); and (ii) that the "threat to public health or safety" required by 18 U.S.C. § 1030(c)(4)(A)(i) and (g) is satisfied by allegations that it was reasonably foreseeable that the publication of the unauthorized message would induce third parties to respond with threats of harm to CRC officers. Although the Court accepts the first proposition, it finds the second to be deficient as a matter of law.
In the Order to Show Cause, the Court previously addressed why 18 U.S.C. § 1030(g)'s "involves" language requires a plaintiff to allege that the unauthorized computer access itself poses a risk to public health or safety, and that the requirement is not satisfied by an allegation that the unauthorized access indirectly caused such a risk to emerge from another source. CRC's response cites to various cases that have used the term "caused" in discussing other provisions of the Act.
The Court finds these cases to be off-point and unpersuasive.
Fortunately, the court takes the CFAA's public health and safety clause and presents a narrow reading of it -- somewhat of a rarity in CFAA-related cases.
As discussed previously, the threat requirement might be met if the unauthorized access disables computers or deletes data essential to providing medical treatment, public utilities, or emergency response services, but not where the unauthorized access has a benign primary effect but induces others to harmful acts. For example, a user who hacks into the social media account of a classmate and encourages him or her to commit suicide might be liable for engaging in conduct posing a risk to health and safety, but a user who hacks into the same classmate's account and merely taunts the classmate for being unattractive cannot be said to have engaged in conduct threatening public health and safety even if the now-despondent classmate reacts to the taunting by committing suicide. Such example entails the user specifically employing the unauthorized access to bring about the risk to public health, and in such circumstances, the use of a predominantly criminal statute to afford civil relief might be proper. The latter example draws upon the complex, wide-ranging, and sometimes attenuated principles of tort causation, importing that sprawling and imprecise inquiry into a statute that was clearly intended to have a narrow, focused reach.
While the fallout of the bogus tweet may have been inconvenient and surrounded by threats from irate GOP members (oh, and 4chan...), the tweet itself was not threatening nor did it call for threats to be made. That one led to the other is undeniable, but it was in no way definitely foreseeable that the tweet would have this effect.
The CRC's complaint is, at best, an expensive windmill tilt, tossed into court solely for the purpose of exposing the "unauthorized" tweeter to angry CRC officials. It has nothing to do with CFAA violations -- which were apparently added to make a federal case out of the CRC's failure to address its own operational security issues until it was too late.