Rhode Island Attorney General Pushing For A State-Level CFAA That Will Turn Researchers, Whistleblowers Into Criminals
from the 'unauthorized-access'-isn't-always-a-bad-thing... dept
We recently wrote about the Rhode Island attorney general's "cybercrime" bill -- a legislative proposal that seeks to address cyberbullying, revenge porn, etc. with a bunch of broadly -- and poorly -- written clauses. Two negative comments written months apart could be viewed as "cyber-harassment" under the law, separating it from the sustained pattern of abuse that one normally considers "harassment."
In addition, the proposed law would criminalize "non-consensual communications." If the sender does not obtain the recipient's permission to send a message, it's a criminal act if the recipient finds the message to be distressing -- which could mean anything from emailing explicit threats to posting a negative comment on someone's Facebook page.
But that's not Attorney General Peter F. Kilmartin's only bad idea. It appears he's behind another legislative proposal -- one that would amend the state's computer crime laws into something more closely resembling the catastrophic federal equivalent: the CFAA.
Here's the worst part of the suggested amendments:
Whoever intentionally and without authorization or in excess of one's authorization, directly or indirectly accesses a computer, computer program, computer system, or computer network with the intent to either view, obtain, copy, print or download any confidential information contained in or stored on such computer, computer program, computer system, or computer network, shall be guilty of a felony and shall be subject to the penalties set forth in §11-52-5.
This would make the following Google search illegal:
filetype:pdf site:*.gov "law enforcement use only"
Anything deemed "confidential information" -- if accessed by people not "authorized" to do so -- falls under the protection of this legislation, even if it can be accessed by any member of the public without actually "breaking into" a company/government/etc. server.
The definition of "confidential information" makes the legislation even more problematic.
"Confidential Information" means data that is protected from disclosure on a computer, computer program, computer system or computer network and that the computer, computer program, computer system or computer network does not transmit or disclose unless initiated by the owner of such computer, computer program, computer system or computer network.
Something accessible by a Google search is not "protected from disclosure" by any stretch of the imagination. But this phrase, "unless initiated by the owner of such computer…," makes it illegal to obtain documents not otherwise protected. Uploading a sensitive document to a public-facing website crawled by Google is stupid and the person doing the uploading should take any "unauthorized access" as a learning experience. But under the law, it could successfully be argued that the uploading of a document to a publicly-accessible website is not the same thing as "initiating transmission."
The proposal makes several exemptions for service providers, software manufacturers and (no kidding) advertisers, so that their trawling of confidential information in the course of their businesses won't be viewed as criminal acts. But what it doesn't do is carve out an exception for security researchers, who often access confidential information during the course of their work.
In this form, the legislation is dangerous. It will criminalize security research and punish citizens for the stupidity of others. On top of that, the law would pretty much turn every whistleblower into a criminal by treating the access of confidential information as a crime, no matter what the circumstances are. Running it through an editing process involving politicians surrounded by "cyberwar" hype is unlikely to improve it.