Bunny Bytes: Update on Aaron’s Law

The Rise and Fall (and re-Rise) of Aaron’s Law

The tragic death of Aaron Swartz (see my post Hacktivism & the CFAA for more details) spurred a swarm of criticisms of the Computer Fraud and Abuse Act and proposals for how it could be fixed. These efforts culminated in a bill that was introduced to Congress in 2013 as Aaron’s Law, which sought to do the following:

  • Narrow the scope of the CFAA to exclude breaches of terms of service, employment agreements, and other contracts.
  • Eliminate redundant provisions to reduce multiple charges for the same conduct.
  • Limit the penalties of stacked charges to avoid overly-severe punishments that are disproportionate to the crime.

Unfortunately, the bill eventually died on the floor (pardon the terminology) after two years of being stalled in committee review. Large tech companies such as Oracle reportedly lobbied against the bill because they allegedly use the CFAA to prosecute their competitors. In an interview with Forbes, Mark Jaycox, legislative analyst at the Electronic Frontier Foundation, commented:

“Some particular companies offered a fierce attack on common sense changes to the CFAA due to certain companies’ use of the CFAA not as a statute being used in civil suits to prosecute computer hacking as it was originally intended, but being used to protect trade secrets.”

Round Two

In 2015, the bill was reintroduced by Representative Zoe Lofgren of California and Senator Wyden of Oregon, and co-sponsored by Senator Rand Paul of Kentucky. Rep. Lofgren says that she hopes the bill will help “prevent what happened to Aaron from happening to other Internet users.”

Unfortunately, Aaron’s Law 2.0 still is not getting much traction, as some members of Congress believe that harsh penalties are necessary to deter hackers and other cyber-criminals.

Knock-Out?

While Aaron’s Law sits waiting in the wings, the Senate has already passed the Cybersecurity Information Sharing Act (CISA) as of October of 2015, which potentially undermines the efforts of Aaron’s Law completely. The Electronic Frontier Foundation voiced its disapproval of CISA:

CISA is fundamentally flawed. The bill’s broad immunity clauses, vague definitions, and aggressive spying powers combine to make the bill a surveillance bill in disguise. Further, the bill does not address problems from the recent highly publicized computer data breaches that were caused by unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.

In December of 2015, CISA was surreptitiously rolled into the Military Construction and Veterans Affairs and Related Agencies Appropriations Act, which passed the House and was signed into law by President Obama on December 18, 2015.

To add insult to injury, Senator Sheldon Whitehouse of Rhode Island has introduced his own amendment to CISA that would expand the CFAA by adding more penalties and would allow the Attorney General to file injunctions against suspected violators of the CFAA.

In a final effort to stop Congress from making the CFAA more draconian than it already is, the Electronic Frontier Foundation urges citizens to email their representatives and tell them to vote against Senator Whitehouse’s amendment.

 


Bunny Bytes: Predicting the 10th Circuit

There is currently a circuit split over the CFAA and the words “exceeds authorized access,” as I previously discussed in my post Employees + the CFAA = Circuit Split. When a circuit split exists, there is a high likelihood that a petition for writ of certiorari will be granted by the Supreme Court to resolve the dispute among the Federal Circuit Courts of Appeal. Looking forward in a feeble attempt to predict the future fate of the CFAA, I decided to start by figuring out which court of appeals SCOTUS tends to agree with the most in a circuit split and see which side of the CFAA chasm it stands on.

Although subject to change with the passing of Justice Scalia, Tom Cummins & Adam Aft have reported in their annual Appellate Review series that in recent court terms, SCOTUS has sided most frequently with the 10th Circuit in resolving a split. After that, they agree second most frequently with the 1st Circuit.

Interestingly, the 10th Circuit has yet to weigh in on the CFAA debate, and the 1st Circuit is on the increasingly unpopular side of the split, pulling for a broad interpretation of “exceeds authorized access” with their decision in EF Cultural Travel BV v. Explorica, Inc. (holding that using a web scraping tool to download all of the content off a competitor’s website “exceeded authorized access”).

Let us take a look at how the lower courts in the 10th Circuit have been interpreting “exceeds authorized access,” and whether the 10th Circuit has denied appeals of those decisions.

Bunny Bytes: Hacktivism & the CFAA

What is Hacktivism?

Hacktivism is exactly what it sounds like: Activism via Computer Hacking. Hacktivists express their disdain for social or political issues in a number of ways, some more harmful than others. One of the most well-known hacktivist groups of the twenty-first century is Anonymous, a self-identified legion of faceless hackers who band together through online networks to launch various cyber attacks, with no specific centralized political or social goal. Another popular hacktivist of the moment is Alexandra Elbakyan, a graduate student and scientific researcher from Kazakhstan. Alexandra has made more than 50 million stolen scientific research articles available on her website, Sci-Hub. Despite recurring injunctions against the website, Alexandra has found ways to keep the project going. Her hacktivist goal is “to remove all barriers in the way of science” by “provid[ing] mass & public access to research papers.” Alexandra’s efforts sound hauntingly similar to those of another hacktivist whose name is frequently associated with the CFAA: Aaron Swartz.

Who was Aaron Swartz?

Aaron Swartz was a gifted computer programmer who made several contributions to the modern Internet experience, including his work to help create RSS and the popular website Reddit. Aaron was also an outspoken activist, openly rallying against political issues such as the proposed Stop Online Piracy Act (SOPA), and was passionate about open access to all scholarship. Unfortunately, Aaron committed suicide on January 11, 2013, at the age of 26. Although no suicide note was found, his death occurred amidst felony charges from the U.S. Attorney after Swartz had downloaded 4.8 million articles from JSTOR, the academic online journal database, utilizing the MIT network.

Bunny Bytes: The Case Against (a)(2)(C)

The Computer Fraud and Abuse Act is a necessary evil.


Why? Because it is necessary to punish individuals who maliciously use computer systems to exploit, harass, and torment others (such as hijacking your computer’s built-in camera, infecting your smartphone with malware, or phishing credit card information from popular retail stores). Although some mock the origin of the CFAA, saying that it was spurred by an overreaction to the 1983 movie WarGames with Matthew Broderick, the unfortunate reality is that computer crimes are on the rise.

So why is the CFAA evil?

The CFAA is just a sum of its parts, and it contains one part that is particularly sinister: section (a)(2)(C). The broad scope of this section has the potential to be abused by prosecutors by criminalizing otherwise innocuous behavior that does not cause loss or harm. 18 U.S.C. 1030 (a)(2)(C) reads:

“Whoever—intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—information from any protected computer.”

What constitutes a “protected computer” is incredibly broad, as defined in section (e)(2)(B) as any computer “which is used in or affecting interstate or foreign commerce or communication.” The federal courts have determined that under this definition, any computer with a “connection to the internet” qualifies as a protected computer.

The part of (a)(2)(C) that broadens the scope of liability the most is “exceeds authorized access,” because courts and scholars do not agree on what all this encompasses. The broadest and most heavily debated meaning of “exceeds authorized access” would include using an authorized account in a way that violates the contractual user agreement. An example of this would be a Google employee who used his access privileges at work to spy on the internet activities of underage teenagers. This particular case is a great illustration of the kind of computer abuse that deserves to be deterred and punished.

However, under the same theory of CFAA liability from contract violation, you may be prosecuted for violating any terms of services on any website. Let’s look at one such example…


Bunny Bytes: Meanwhile, in Florida…

The broad scope of the CFAA is continuously being challenged within the legal community for ascribing criminal liability to otherwise harmless activities with computers and on the Internet. But why isn’t anyone complaining about the even broader state-level computer crime statutes?

Let’s take a moment to talk about Domanik Green. About a year ago, fourteen-year-old Domanik sat down at a computer in his middle school in Florida, and with a generic administrative password that was commonly known throughout the school, he changed his teacher’s computer wallpaper to a picture of two men kissing. This childish and immature prank, which Domanik surely thought was funny at the time, resulted in a felony charge under Florida’s Computer-Related Crimes statute. The language of the statute provides felony liability for anyone who:

815.06 (2)(a) Accesses or causes to be accessed any computer, computer system, computer network, or electronic device with knowledge that such access is unauthorized.

The statute does not require the offender to actually do anything to the computer system, and mere unauthorized access is enough to be a punishable offense. Surely most people appreciate the absurdity of an eighth-grader being arrested and charged with a criminal felony for playing a stupid prank that did not result in any injury, loss, or harm.

Bunny Bytes: Employees + the CFAA = Circuit Split

In December of 2015, the Second Circuit joined the dispute over whether an employee can be sued under the Computer Fraud and Abuse Act (CFAA) when they use their employer’s computer system in a way that is outside the scope of employment. With the Second Circuit weighing in, seven of the twelve Federal Courts of Appeals have taken up a position in the fight, with four courts on one side of the split and three in opposition. And while the Second Circuit’s interpretation of the disputed part of the CFAA appears sound, the disturbing facts surrounding the case may cause further polarization.

What’s the problem?

The CFAA can be used to prosecute anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U.S. Code § 1030(a)(2). Under this provision of the statute, several employers have sued their former employees for misappropriating certain information for personal benefit, such as trade secrets or customer contacts. Even though the employee may have had authorized access at the time when they extracted the information, employers argue that authorized access is exceeded when the use of that information falls outside the scope of employment. In other words, the employee may have authorized access for work purposes, but they exceed that authorization when they abuse that access.

Using the CFAA to prosecute former employees in this way makes sense when an employee is surreptitiously collecting confidential information from their current employer with the intent of quitting that job to go work for a competitor. This sort of misappropriation may result in substantial profit loss for the former employer.

However, the same liberal interpretation of the CFAA would also potentially criminalize employees who casually misuse a company computer for personal reasons that are outside the scope of their employment, such as to check their personal email, use social media platforms, or even pay their bills online. The contention among the Circuit courts is whether to employ a broad or narrow interpretation of “exceeding authorized access.”


Bunny Bytes: The CFAA & Trade Secret Litigation— “Undercutting Employee Mobility: The Computer Fraud and Abuse Act in the Trade Secret Context”

The following is a synopsis of Undercutting Employee Mobility: The Computer Fraud and Abuse Act in the Trade Secret Context by Glenn Schieck.

When “rogue employees” misappropriate trade secrets via computer before leaving to work for a competitor, the victim company currently has the option to pursue civil actions against the employee under either the state’s trade secret statute or the CFAA. Glenn Schieck’s article argues that this “reliance on the CFAA threatens to undercut policy considerations of trade secret law.”

The problem is that the CFAA does not account for competitive markets where employees move freely between companies with an accepted risk of some knowledge being compromised, whereas trade secret law does. This article proposes that the CFAA should be amended “to adopt some limited substantive elements of trade secret law” to avoid companies potentially abusing the statute to circumvent trade secret law when it does not accommodate their means.

Schieck explains how the CFAA came to be used in lieu of trade secret litigation after it was drastically amended in 1996 to include all “protected computer[s],” whereas the CFAA was previously limited to protecting computers of “federal interest.” With this amendment, companies found it easier to bring a claim under the CFAA rather than state trade secret law because the latter requires the plaintiff to show that a trade secret exists, there were reasonable efforts to keep that information ‘secret,’ and that there was wrongful appropriation of the information. In contrast, the CFAA only requires that the plaintiff show wrongful appropriation. In addition to lowering the bar for pleading requirements, the CFAA provides federal jurisdiction, unlike state trade secret law, which allows for certain elements of relief that state level jurisdiction may not provide. The CFAA also may allow some plaintiffs to enforce non-compete clauses in states where they would otherwise be unenforceable. Finally, supplemental jurisdiction enables a plaintiff to bring both CFAA and trade secret claims in tandem, occasionally resulting in double recovery for damages.

Schieck’s article proposes legislative amendments to the CFAA to narrow certain interpretations of the statute to avoid the aforementioned contentions with trade secret law. The main issue raised is the CFAA’s broad use of the word “authorization,” which creates liability when an individual’s use of a computer system is either “without authorization or exceeds authorized access.” For now, liability is created when an authorized user of a computer system breaches a written computer use policy, such as an agency agreement between an employer and employee. Schieck supports proposed reform to the CFAA to include an additional barrier to define a breach, such as a physical barrier or possibly a confidentiality/non-compete agreement. He further suggests the addition of a “reasonable efforts” provision that would prevent frivolous claims from being brought over the appropriation of information that is not confidential. With these proposed amendments, Schieck believes that the CFAA could be better managed to avoid subverting the policy goals of trade secret law.

Glenn Schieck is a 2014 JD graduate of Brooklyn Law School and is currently an Associate at Harter Secrest & Emery LLP in Rochester, New York.