Rhode Island May Expand Computer Crime Enforcement
Internet freedom advocates sounded the alarm over a computer-crime bill in Rhode Island that they said dangerously expands upon the Computer Fraud and Abuse Act (CFAA). The legislation prohibits unauthorized access to someone else’s computer, computer system or network with intent to view, save or copy confidential information. The Rhode Island House plans a floor vote Tuesday. Opponents say the bill is too vaguely worded and could penalize innocent activity by researchers and whistleblowers. A less-criticized Washington state law that also prohibits unauthorized access into computers took effect Thursday.
The Rhode Island House was scheduled to vote Thursday on H-7406 Substitute A, but postponed the roll call until Tuesday. A Senate version (SB-2584) is pending before the Judiciary Committee. The Rhode Island measure “is overbroad and threatens innocent activity,” while attempting to tackle an issue -- computer fraud -- for which laws already exist, said Electronic Frontier Foundation Director-Grassroots Advocacy Shahid Buttar in an interview last week. State Rep. Robert Craven, the bill’s sponsor and Democratic chairman of the House Municipal Government Committee, didn’t comment.
“It’s solving a non-problem and creating some very real problems,” said Buttar. Whistleblower activity that could be criminalized by the bill isn’t just innocent, it’s in the public interest, he said. The vagueness of the bill’s language raises red flags, and it expands on the federal CFAA, a law that's “already constitutionally vague and overbroad,” he said.
The Rhode Island bill largely duplicates the CFAA, and the federal law is “overbroad, vague, and carries disproportionate penalties,” agreed Ross Schulman, senior policy counsel for New America’s Open Technology Institute (OTI). “We should be carefully evaluating what changes need to be made to the federal law, not creating state laws in its image.” The irony is that CFAA-like laws harm cybersecurity, he said. “By criminalizing -- with severe penalties -- the act of discovering security vulnerabilities, even if the researcher attempts to notify the proper software maintainers, we drastically disincentivize a group of scientists who are trying to protect us all.”
The CFAA itself unfairly targeted innocent activity, with sad consequences, EFF and other public interest groups said in a joint letter May 25 to the sponsors of the Rhode Island legislation. “Most infamously, it was the crime that Internet activist Aaron Swartz was charged with after he accessed MIT’s computer network to download academic papers distributed by a subscription service. Potentially facing decades in prison, he tragically committed suicide before his trial.” Penalties resulting from the Rhode Island legislation are overly severe, the public interest groups added in a supporting memo. Violators could get five-year prison terms, and it might even be 10 years if the violator also is convicted of breaking an existing state law banning unauthorized access to computers, they said. Access Now, the Bill of Rights Defense Committee, Center for Democracy & Technology, EFF and OTI signed the opposition letter.
Most states have laws to combat computer crime, but they don't present issues as severe as the Rhode Island legislation, Buttar said. Recent measures in other jurisdictions include a computer-crimes law in Washington state that took effect Thursday, and a Michigan bill pending in a Senate committee that could give life sentences to people who hack into vehicles (see 1604290053).
Signed into law in April by Gov. Jay Inslee (D), the Washington law bans unauthorized and intentional access to a computer system or electronic database, as well as cyberattacks, spoofing, data theft and data tampering. But it's worded more carefully than the Rhode Island bill, said Buttar. “For instance, the definition of ‘without authorization’ in the [Washington] law addresses some of the concerns we raised with the Rhode Island bill.” The law says: “‘Without authorization’ means to knowingly circumvent technological access barriers to a data system in order to obtain information without the express or implied permission of the owner, where such technological access measures are specifically designed to exclude or prevent unauthorized individuals from obtaining such information, but does not include white hat security research or circumventing a technological measure that does not effectively control access to a computer.”
The Rhode Island definition doesn't include such explicit exemptions. It says “a person is ‘without authority’ when: (A) he or she has no right or permission of the owner to use a computer, or, he or she uses a computer in a manner exceeding his or her right or permission or (B) he or she uses an Internet service e-mail system offered by a Rhode Island based Internet service provider in contravention of the authority granted by or in violation of the policies set by the Internet service provider.” Buttar said: “All that is to say that from a standpoint of Internet security or public interest transparency, the Rhode Island bill raises more concerns than others that have preceded it.”
“Rather than focusing narrowly on actual malicious hacking, it includes expansive definitions that give prosecutors excessive and unnecessary discretion,” emailed Gabe Rottman, CDT deputy director-Freedom, Security and Technology Project. “That could sweep in legitimate security research, whistleblowers and others who haven't actually hacked anything. It also leads to one of the issues with the federal CFAA, charge ‘stacking,’ where authorities are able to threaten draconian penalties to force plea agreements.” The Washington state law also may suffer from excessive penalties, and the Michigan bill “likewise could threaten legitimate security research,” he said. “And both are redundant of the already overly broad federal CFAA.”