Will Rhode Island Double Down on the CFAA's Faults?
Legislators in Rhode Island have advanced a dangerous bill that would duplicate and exacerbate the faults of the federal Computer Fraud and Abuse Act (CFAA). Four organizations joined EFF this week in signing a letter and supporting memo to state legislators explaining the bill's faults and why it should not pass.
In addition to threatening innocent activities like security research, whistleblowing in the public interest, and anyone who violates a corporate Terms of Service (TOS) agreement to access confidential information, the bill would place enormous power in the hands of prosecutors, impose steep criminal penalties without even requiring an intent to obtain financial gain, and compound the problematic vagueness of terms in existing Rhode Island state law.
Security research could earn you a prison sentence if this bill passes.
Rhode Island House Bill 7406 Substitute A, and companion Senate Bill 2584, would create a new offense of "unauthorized access to confidential information" under the state's existing computer crime statute. According to the bill's proponents, it aims to punish and deter the commercially motivated theft of trade secrets.
Yet under the proposal, severe legal penalties would threaten any number of activities well beyond the theft of trade secrets for commercial gain.
Among the bill's many fault's, the first and foremost is its duplication of existing laws which already address this issue by criminalizing "intentional access" to computer information. There has been no independent showing that previously enacted laws have proven inadequate to protect confidential data.
Moreover, the proposed new crimes would not require prosecutors to prove that a defendant intentionally aimed to steal or monetize commercial secrets. Instead, they would apply to anyone who intends to "view...copy, or download" information that turns out to be confidential, including academic researchers, security researchers, or corporate whistleblowers who act in the public interest. The bill's overbroad state-of-mind provisions threaten innocent activity.
Two sets of terms within the proposed law are especially overbroad.
For instance, it criminalizes anyone who accesses information "without authority," which sweeps broadly and could encompass anyone who violates a corporate Terms of Service ("TOS") agreement. But violations of TOS agreements are ubiquitous, often harmless, and rendering them subject to criminal penalties would unnecessarily restrain the way innocent people use online services.
In addition, the term "access" under Rhode Island state law has been defined to include "approach and communicate with," in sharp contrast to a more traditional definition that would require actually "gaining access to" data that is meaningfully protected. It makes no sense for a computer crime bill to threaten anyone who merely "communicate[s] with" a data source, whatever their intention.
Similarly, the bill protects any data that is "protected by disclosure," without requiring that those protections be effective or meaningful. Under the bill's proposed terms, an Internet user could risk a felony charge by simply accessing an otherwise public link that had not been published. Data so priceless that its owners take no active steps to secure it should not be deemed so sensitive that people who do access it should face criminal penalties.
A more sensible way to define unauthorized access would be to limit the scope of a proposed criminal act to include only efforts to intentionally circumvent effective code-based restrictions on access. This is important to protect people whose innocent actions would place them at legal risk under the bill's current definitions.
This is especially important because the proposed penalties are severe: violations of the proposed Rhode Island law would carry a five year prison term, potentially "stackable" with violations of a substantially similar existing law for a total of 10 years.
Should the law force a security researcher working to protect user privacy to risk being ordered to serve a 10 year prison sentence? Of course not.
We hope that the Rhode Island state House rejects the bill despite the Judiciary Committee's approval, and that the Senate rejects the proposal as it deserves.