Rhode Island Attorney General Pushing For A State-Level CFAA That Will Turn Researchers, Whistleblowers Into Criminals
from the 'unauthorized-access'-isn't-always-a-bad-thing... dept
We recently wrote about the Rhode Island attorney general’s “cybercrime” bill — a legislative proposal that seeks to address cyberbullying, revenge porn, etc. with a bunch of broadly — and poorly — written clauses. Two negative comments written months apart could be viewed as “cyber-harassment” under the law, separating it from the sustained pattern of abuse that one normally considers “harassment.”
In addition, the proposed law would criminalize “non-consensual communications.” If the sender does not obtain the recipient’s permission to send a message, it’s a criminal act if the recipient finds the message to be distressing — which could mean anything from emailing explicit threats to posting a negative comment on someone’s Facebook page.
But that’s not Attorney General Peter F. Kilmartin’s only bad idea. It appears he’s behind another legislative proposal — one that would amend the state’s computer crime laws into something more closely resembling the catastrophic federal equivalent: the CFAA.
Here’s the worst part of the suggested amendments:
Whoever intentionally and without authorization or in excess of one’s authorization, directly or indirectly accesses a computer, computer program, computer system, or computer network with the intent to either view, obtain, copy, print or download any confidential information contained in or stored on such computer, computer program, computer system, or computer network, shall be guilty of a felony and shall be subject to the penalties set forth in §11-52-5.
This would make the following Google search illegal:
filetype:pdf site:*.gov “law enforcement use only”
Anything deemed “confidential information” — if accessed by people not “authorized” to do so — falls under the protection of this legislation, even if it can be accessed by any member of the public without actually “breaking into” a company/government/etc. server.
The definition of “confidential information” makes the legislation even more problematic.
“Confidential Information” means data that is protected from disclosure on a computer, computer program, computer system or computer network and that the computer, computer program, computer system or computer network does not transmit or disclose unless initiated by the owner of such computer, computer program, computer system or computer network.
Something accessible by a Google search is not “protected from disclosure” by any stretch of the imagination. But this phrase, “unless initiated by the owner of such computer…,” makes it illegal to obtain documents not otherwise protected. Uploading a sensitive document to a public-facing website crawled by Google is stupid and the person doing the uploading should take any “unauthorized access” as a learning experience. But under the law, it could successfully be argued that the uploading of a document to a publicly-accessible website is not the same thing as “initiating transmission.”
The proposal makes several exemptions for service providers, software manufacturers and (no kidding) advertisers, so that their trawling of confidential information in the course of their businesses won’t be viewed as criminal acts. But what it doesn’t do is carve out an exception for security researchers, who often access confidential information during the course of their work.
In this form, the legislation is dangerous. It will criminalize security research and punish citizens for the stupidity of others. On top of that, the law would pretty much turn every whistleblower into a criminal by treating the access of confidential information as a crime, no matter what the circumstances are. Running it through an editing process involving politicians surrounded by “cyberwar” hype is unlikely to improve it.
Filed Under: cfaa, computer crimes, peter kilmartin, research, rhode island
Comments on “Rhode Island Attorney General Pushing For A State-Level CFAA That Will Turn Researchers, Whistleblowers Into Criminals”
To err is human. To really muck things up, enter the politician.
So this means a lot of fuckers in government will be going to jail without those warrants right?
keep forgetting laws are only for us…
I thought we were supposed to be in control here?
And people wonder why I keep tell them that THEY ARE THE PROBLEM!
If we “citizens” kicked assholes like this out of office the problem WOULD BE SOLVED!
Re: Re:
Replace a jerk with an angel … how does it take for the shitheads to turn said angel into one of their own?
Re: Re: Re:
Well if you think attempting to fix the problem with one angel of course it is likely to fail, but the journey of a 100,000 steps gets started on the first one, and of course…
How about we send more than 1?
As a collective we survive or perish as one. The petty squabbling we do for these farce parties has effectively kept us busy and blind!
History has proven that humans are stupid pack animals. It’s pretty much true that we cannot govern ourselves because every time we try, it is self destructive.
There is not enough space here to point out all the problems but you can rest assured one of the major problems is when someone just decides that the other side is nothing but evil no matter what.
Every philosophy humans have birthed have good & evil elements to them. The trick is taking the best from all of them and leaving their dirty parts right there in the dirt!
Re: Re: Re: Re:
Point being – corruption and coercion are synonymous with those who influence politics, not necessarily the candidates.
You could have thousands of lily white candidates start their new jobs as public servants and it is simply a matter of time before they are corrupted, coerced into doing things they would not otherwise be doing. How do you stop that? Replace them every term? That is hardly a solution.
When politicians and government officials attempt to block researchers, whistle blowers, and journalists, it’s a sign they have something to hide. Most likely corruption at high levels. Since their activities can’t stand the light of day, better to hide it by making exposure illegal.
All this tells me is democracy and the nation itself is a sinking ship. Until money is removed from politics, it’s not going to get better.
Anything deemed “confidential information” — if accessed by people not “authorized” to do so — falls under the protection of this legislation, even if it can be accessed by any member of the public without actually “breaking into” a company/government/etc. server.
So don’t punish the little-brain who can’t be bothered to make sure confidential information stays, you know…confidential.
Punish the person who finds it.
Makes you wonder if he’s considered that given there’s a penalty for notifying them that their secrets aren’t really secrets, the only other alternative would be to anonymously publicize the secret instead…just so they know that they need to do something about their now-less-than-secret secret.
I mean, it’d be irresponsible to just leave it there unprotected, right?
Re: Re:
Messengers have always been a sad lot of rogues and ne’er-do-wells. They are undeniably, objectively, and empirically nothing but a bunch of bastards.
Re: Re: Re:
Rulers are an even sadder lot, they cannot stand reality and so shoot anybody who breaks their delusions.
Re: Re:
Everyone should put a “confidential information” sticker on their cell phone.
Attorney General Peter F. Kilmartin, has something to hide.
Why else create a catch all law that could be used to silence people who might bring to light his bad acts while in office.
If he proposes such an overly broad restrictive law, he is scared of people finding out the dirty secrets he is hiding, he is acting contrary to the law to enable it so it must be a dozy.
After all, if they have nothing to hide why be afraid?
Subtle as a sledgehammer
The proposal makes several exemptions for service providers, software manufacturers and (no kidding) advertisers, so that their trawling of confidential information in the course of their businesses won’t be viewed as criminal acts. But what it doesn’t do is carve out an exception for security researchers, who often access confidential information during the course of their work.
Carving out an exception for advertisers of all groups makes it very clear that this has nothing to do with ‘protecting personal information’, and everything to do with cracking down on those that might expose wrongdoing or weak security on the part of large companies or government agencies, while not so incidentally making whistleblowing a lot riskier.
It’s all about serving politicians and those that own them and has nothing to do with protecting the public.
owner of the software must give permission
Given that most all software is not sold, rather is licensed, it would follow that the State of Rhode Island would need Microsoft’s permission (assuming the document was created in Word, Office, etc), and Adobe’s permission if the document was in .pdf format as Microsoft only holds a license to Acrobat before it could access it’s own data. Even if Rhode Island obtained blanket permissions from all the software owners to look at their own data. It may be that the state would need specific permissions to allow members of the public to access the data (eg pay my traffic ticket online).
Another way to read that last part
Another way of reading that is that if the computer transmits the data when someone other than the owner merely requests it, the data fails the bolded part of the paragraph and because of that is not considered “confidential information”.
this is the mindset of so many people of power in the USA. they cannot wait to make a name for themselves even if it means changing the country into the Western equivalent of China or N.Korea! instead of this sort of crap, why not come up with some ideas that will actually protect the people rather than doing whatever possible to aid the government turn even more into an arse hole administration that wants nothing except as many people locked up for as long as possible even though they have done nothing except alert the people to what is going on!!!!
Let's use it in our favor
Criminalize “non-consensual communications” could be used by people receiving layoff notices. Talk about distressing.
Re: Let's use it in our favor
It would outlaw spam. Oh, hang on, there’s an exception for advertisers…
Who needs encryption when they can just make stupid laws like this, that’ll keep everyone safe won’t it??
Yes! YES!
A tyrant by any other name
And
“Confidential Information” means data that is protected from disclosure on a computer, computer program, computer system or computer network and that the computer, computer program, computer system or computer network does not transmit or disclose unless initiated by the owner of such computer, computer program, computer system or computer network.
Maybe I’m reading this wrong, but it seems the google search example falls down because data is not confidential unless it’s both protected from disclosure and not disclosed by the computer owner. Since the former condition is not met, anything publicly available would not be covered by this statute. Not that I think it’s a good law or anything.
It's purely a run into the Political scene.
Herbert Yardley’s book discussing ‘The Black Chamber’ effectively put a stop to that in 1931, didn’t he? Even though they (The Black Chamber) ceased to be in 1929. The Espionage Act of 1917 was amended blah blah blah. Yardley even got an honourable mention from the NSA.
Daniel Ellsberg with Anthony Russo did their part, so Nixon couldn’t just have either of them killed, right?
From there it moves on over the dozens and dozens, decade after decade, until we get to our most famous whistle-blowing duo… Chelsea Manning and Edward Snowden. Does a short-sighted Rhode Island Attorney believe he will actually make any individual with enough determination, and enough exasperation and outrage, think twice about righting some very wrong wrongs in the future?
Attorney General Peter F. Kilmartin believes he is / has the answer when there has been numerous attempts at getting to the answer for years – including a number of amendments to The Espionage Act. Kilmartin should also re-read the Military Whistleblower Protection Act. AG Kilmartin is playing fast and loose with his entry into politics.