November 27, 2020

Senate File Pilfering Report Released

The report of a preliminary investigation into the Senate file pilfering has been released (in two parts) by Senate Sergeant-at-Arms Bill Pickle.

The report mostly confirms what was reported previously: many files on the shared server were unprotected, so that anybody who knew how could get them; a clerk working for the Republican staff, under the direction of a senior Republican staffer, accessed more than 4,000 of the Democrats’ files; and some of the juiciest files were leaked to the press, probably by the aforementioned Republican staffer.

The report also contradicts some claims made previously. It is clear from the report that the availability of the files was not widely known. The report also shows that the people making the accesses worked to cover their tracks, both during and after the time when the accesses occurred. It also appears that the Republican staff member who oversaw the accesses made false statements to the investigators.

I wrote before that it wasn’t clear whether the accesses violated the Computer Fraud and Abuse Act (CFAA). The key question in applying the CFAA to these facts was whether the staffers were “entitled to” access the particular files they downloaded; and the answer to that question depends on the rules and practices of the Senate.

The issue still isn’t clear-cut, but the facts recounted in the report tend to tip the balance toward violation of the CFAA. The accessors’ efforts to cover their tracks, both during and after the accesses, are revealing. And the report tells how the clerk, on initially discovering the files were accessible, took a pile of printed-out opposition files to one of his supervisors, who shredded the files and “admonished [the clerk] not to use the … documents”. These facts, plus the apparent false statements made to the investigators, tend to support the argument that the clerk and the staffer knew that the accesses were improper.

The report makes no recommendation for or against a referral of the CFAA matter to the Justice Department. That decision is in the hands of the Senators.

Comments

  1. Having just finished my dissertation on the Computer Fraud and Abuse Act, I would take issue with your comment that the CFAA analysis should focus on whether or not the staffers had authorized access to view the files in question. That may be a part of the analysis but it is only a part.

    Perhaps the more crucial issue is how the parties, the “principal” that granted the authorization for the staffers to initially enter the network, felt about the subsequent actions of their “agents”.

    Below is a quote from the Morris case (United States of America, Appellee, v. Robert Tappan Morris, Defendant-Appellant. 928 F.2nd 504 (2nd Cir), cert denied, 502 U.S. 817 (1991)), the first, and still, perhaps, the most important of the CFAA appellate level opinions. This case created the “intended functions” test. Morris, who claimed he had authorization to access the networks he was subsequently charged with causing damage to, concluded that this initial authorization meant he could not later be charged with “unauthorized access”. The court rejected this defense noting that:

    “a computer user, with authorized access to a computer and its programs, was without authorization when he used the programs in an unauthorized way”

    Does the party that granted the authorization in the first place think the staffers’ access meant that the staffers used the program in a manner it was not intended to be used? I think we have to ask, among others, Sen. Hatch.

    The courts confirmed the Morris “intended function” test in the CFAA case Shurgard (Shurgard Storage Centers, Inc., v. Safeguard Self Storage, Inc., Defendant 119 F.Supp. 2d 1121 (W.D. Wash. 2000)). Here the court declared that the moment an agent commits a serious breach contrary to their principal’s interest they cease to be an agent (and therefore, cease to have access rights) anymore. See the court’s language below:

    Therefore, following the rationale of the Galindo holding, Plaintiff argued that “its [Shurgard’s] former employees were not its [Shurgard’s] agents when they accessed the computers to send trade secrets to defendant”.
    The Galindo court, in turn, had relied on the Restatement (Second) of Agency which states:

    Unless otherwise agreed, the authority of an agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal. [emphasis added]

    Restatement (Second) of Agency § 112 (1958). Therefore, the Court held, Leland lost his “authorization” to access plaintiff’s data when [he] allegedly obtained and sent the proprietary information to the defendant via email.

    So, were the staffers acting in a manner that went against their principal’s interest? Again, I leave that to the Senators.