June 25, 2018

Was the Senate File Pilfering Criminal?

Some people have argued that the Senate file pilfering could not have violated the law, because the files were reportedly on a shared network drive that was not password-protected. (See, for instance, Jack Shafer’s Slate article.) Assuming those facts, were the accesses unlawful?

Here’s the relevant wording from the Computer Fraud and Abuse Act (18 U.S.C. 1030):

Whoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any department or agency of the United States … shall be punished as provided in subsection (c) …

[T]he term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter

To my non-lawyer’s eye, this looks like a judgment call. It seems not to matter that the files were on a shared server or that the staffers may have been entitled to access other files on that server.

The key issue is whether the staffers were “entitled to” access the particular files in question. And this issue, to me at least, doesn’t look clear-cut. The fact that it was easy to access the files isn’t dispositive – “entitled to access” is not the same as “able to access”. (An “able to access” exception would render the provision vacuous – a violation would require someone to access information that they are unable to access.)

The lack of password protection cuts in favor of an entitlement to access, if failure to protect the files is taken to indicate a decision not to protect them, or at least an indifference to whether they were protected. But if the perpetrators knew that the failure to use password protection was a mistake, that would cut against entitlement. The rules and practices of the Senate seem relevant too, but I don’t know much about them.

The bottom line is that unsupported claims that the accesses were obviously lawful, or obviously unlawful, should be taken with a large grain of salt. I’d love to hear the opinion of a lawyer experienced with the CFAA.

(Disclaimer: This post is only about whether the accesses were lawful. Even if lawful, they appear unethical.)

Comments

  1. This event reminds me of the historical equivalent (somewhat equivalent) where John Quincy Adams would sit “napping” in his chair on the floor of the old House room, and because of the architecture, he could hear the opposition planning (whispering) their moves. Unethical, but not technically illegal then either.

    I would say the accessing of the files is somewhat comparable to a door without a good lock, or an unused lock. We all have locks and are so used to having locked doors everywhere, that if a person left their backdoor unlocked, and then something was taken, because it was easy, would we blame the person who left the door unlocked, or the person who walked in and stole the item?

  2. mary: “would we blame the person who left the door unlocked, or the person who walked in and stole the item?” We will put the blame on the person who left the door unlocked. We will punish the person who walked in and stole the item.

  3. Where’s the EFF’s planned tutorial on encryption when you need it? It could have a section about securing files on such a network…

  4. Linkage

    I’m running to catch a plane, so I’m taking the lazy blogger’s way out. Read: Steven Berlin Johnson and Jack Balkin (here and here) on whether the Internet is destroying democracy. Ed Felten on why Republican Senate file-snoopers may …

  5. There is another set of words in the statute you refer to, however, which suggest that the statute may not be applicable in this situation.

    The language of the statute you quote seems to apply to information from “any department or agency of the United States”. The question, therefore, is whether the Senate Judiciary Committee is “[a] department or agency of the United States” within the meaning of the statute.

    Usually, such language applies to the Executive branch and its departments [e.g. Department of Justice, Department of Defense, State Department etc.] or the regulatory agencies [e.g., SEC, FCC, FTC] not the Legislative branch [i.e. Congress].

    It would seem to me, therefore, that on its face, the statute you refer to is not applicable in the situation where it is a computer of the Legislative branch that has been accessed without authorization and that any remedy sought may need to be found in the rules and regulations promulgated by the Legislative branch for the conducting of its business.

    Derek

  6. Actually, the law has definitions:

    the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;

    (7)

    the term “department of the United States” means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5;

    ________

    The real key is who has authority to access the materials, and who has authority to grant authorized access…

  7. Skinny,

    Unfortunately, in the law, words often have very specific meanings, particularly when it comes to the allocation of power between the separate branches of government in our federal system.

    The Constitution set up a system of separation of powers and each branch [executive, legislative and judiciary] is extremely protective of its own power and does all it can to preserve it from encroachment by one of the other branches.

    The law was written to cover “departments and agencies of the United States” which, as I said, usually applies to the Executive branch and its departments [e.g. Department of Justice, Department of Defense, State Department etc.] or the regulatory agencies [e.g., SEC, FCC, FTC.] not the Legislative branch [i.e. Congress]. Out of curiosity, what are the agencies and departments of the legislative branch [Congress, in this instance] to which the law would apply? There are none.

    While it may seem “irrelevant” to you as to who or what the language applies to and while 8 out of 10 sensible people may agree that the Senate Judiciary Committee is covered by the language, I believe that 8 out of 10 sensible people would be wrong in this instance. Sometimes, as Dickens’ Mr. McCawber said, “The law is a ass.” You are free to think that in this case, as I am, too, but we should not let our desire to get the “bad guys” blind us to whether or not a particular law applies to them in a particular situation that offends us.

    Derek

  8. Isn’t there a broader provision of the Computer Fraud and Abuse Act that protects any “federally protected computer”? Wouldn’t that provision cover even this situation?

    As for the language “exceeding authorized access” — there’s a good argument that this language cannot merely be whether the access was password protected or encrypted. Don’t confuse “authorized access” with the more subtle “technical measure” language of the DMCA. Authorized access is granted by regulations, license, congressional rules, statute or custom. It is not based on a technical measure, although a technical measure can be good evidence of whether authorized access was exceeded.

    Just as you don’t need a fence around your property to sue for trespassing, and just like you don’t have to keep every file cabinet under lock and key for opposing counsel to know that they are not authorized to access your confidential office files, this situation is the very heart of unauthorized access.

    (begin rant)
    My worry is that given the propensity of this administration for surveillance at the UN before the Iraq war, and by congressional republicans for the last year in the Senate, one is left to wonder how broadly the administration is reading their Patriot Act powers over … say … the Democratic candidates for president.
    (end rant)

  9. Pretty much everybody has access to your web server. Pretty much nobody has access to your database server (except as authorised via the web server). Anyone who is able to access the data through a defect in the web server (or its security settings) is still *hacking* into the web server. The issue boils down to *can* vs *may*.

  10. Staffer In Senate File Pilfering To Resign

    Senate staffer Miguel Miranda will resign in the wake of the recent scandal over unauthorized accesses to the opposition’s computer files, according to Alexander Bolton’s story in The Hill. Miranda is the highest-ranking person who has been accused pub…

  11. Senate File Pilfering Report Released

    The report of a preliminary investigation into the Senate file pilfering has been released (in two parts) by Senate Sergeant-at-Arms Bill Pickle. The report mostly confirms what was reported previously: many files on the shared server were unprotected,…