We’ve talked a lot in the past few years about the desperate need to reform the CFAA — an absolutely horrible “anti-hacking” law that has been stretched and broadened and twisted by people over the years, such that it’s frequently used to “pile on” charges when nothing else will stick. If you want to go into a lot more detail, you can listen to the podcast we recently did about the CFAA, or listen to this wonderful podcast that Reply All did about the CFAA (where I also make a brief appearance). But one of the biggest problems with it is that it considers you to be a dangerous hacker if you access a computer/network “without authorization” or if you merely have “exceeded authorized access.” It’s that latter phrase that often causes trouble. What does it even mean? Historically, cases have been brought against employees who use their employer’s computers for non-work related things, against someone for supposedly failing to abide by MySpace’s terms of service and for downloading too many academic journals that were freely available for downloading on MIT’s campus network.
Keep that in mind as you read this Associated Press story about how Presidential candidate and current Florida Senator Marco Rubio’s “low-budget” Presidential campaign office got free internet access for a bit:
At one of the campaign’s Nevada offices, staffers tried to do their part to live up to the less is more mantra. After noticing a pizza place next to a campaign office had free wireless internet that required a password, a staffer walked over and bought two pieces of pizza and asked for the internet access code.
But the cost-cutting measure was short-lived. After about three weeks, the pizza place caught on and asked the Rubio team to stop.
It’s not at all difficult to see how that could be “exceeding authorized access” under the statute. After all, it’s pretty clear that the intent of the access is for customers while they’re in the restaurant. That seems to be confirmed by the fact that the pizza place asked the Rubio campaign to knock it off once it discovered what was going on. Now, for it to be a felony, there needs to be $5,000 worth of damage — but considering that in another recent case, the DOJ turned a single news article defacement (that lasted just 40 minutes) into a supposed $929,977 in damages, I’m sure some creative math can make the use of the WiFi into something greater than $5,000. You just need to argue that the congestion on the WiFi likely turned off customers who may not ever come back, and the value of those losses exceeds $5,000.
Now, Rubio hasn’t really been involved at all in the debate over the CFAA and reforming it. The only official “policy” line he has even closely related to it on his campaign issues page suggests he’d favor making the CFAA punishments even worse: “Use American power to respond harshly to international cyber attacks on American citizens, businesses, and governments.” Of course, that’s focused on foreign attacks, so may not apply directly.
Either way, this seems like something an enterprising political reporter might want to ask the Rubio campaign, seeing as they themselves may have potentially committed a felony under the current CFAA.