Turns Out The One 'Good' Change In CFAA Reform... May Actually Be Bad Too

from the ugh dept

So yesterday we broke the news about a proposed CFAA reform bill that, rather than fix the problems of the CFAA, made the law much, much worse. It added computer crimes as a racketeering issue, increased sentences and made just talking about a potential CFAA violation the equivalent of having committed it. Bad stuff all around. There was one section, however, that we said was good. We noted that they ever so slightly rolled back what would constitute a crime for "exceeding authorized access," listing out a few qualifications that needed to be met -- including that the information obtained was valued over $5,000, that you had to be targeting private information and that the access was done in furtherance of a crime. Based on the bill as written, I had assumed that all of those elements needed to be present to qualify.

However, after talking to two different people with knowledge of the bill in question, it has been suggested that this is not the case, and that the different elements are really meant to be "or" statements. They point out that if you look elsewhere in the existing CFAA, you see the same pattern -- with multiple sub-statements that don't have an "or" but which are interpreted as being "or" statements. For example, under section (a)(2)(A), there is no "or" between that and (B), but clearly the CFAA doesn't only apply to information that is obtained BOTH from a financial institution and a government computer at the same time. This pattern is repeated throughout the bill, such that it seems clear the bill's clauses are connected by "or" statements, rather than "and."

If this is true, then you could run afoul of "exceeding authorized access" for any of those actions, rather than all three. This is bad for a variety of reasons. Beyond making it much easier to go after someone for exceeding authorized access, it actually acts as a de facto way of expanding, not contracting, that clause in the CFAA.

That's because at least a few courts have recently broad interpretations of the CFAA around "exceeding authorized access," such that the courts (in a few key circuits) have effectively cut back on broad interpretations of the bill. This new version of the CFAA would for which prosecutors could use against people claiming "exceeds authorized access."

It seems like this bill really is. On top of everything else, in the one area where it "rolled back" something, it may have rolled it "back" to a place which allows for more ambiguity than existing case law.

So rather than stopping bogus prosecutions like the one against Aaron Swartz, this revision of the CFAA may and create more such activity.

Filed Under: cfaa, cfaa reform, exceeds authorized access, hacking