Does the CFAA Apply to Lenovo’s SuperFish Malware Lawsuits?

For me personally, the timeline of events surrounding the discovery of Lenovo’s SuperFish malware is ironic. Just a couple of days before it was discovered, I had a telephone call with a friend named Jon Stanley. Jon is someone I consider to be an elder statesman of the CFAA as he has been digging deep into the law for a long time — much longer than I have — and our call was basically to chat about all things CFAA-related. (to get a glimpse of what it’s like to talk to Jon, check this out)

One of the things we talked about was our favorite CFAA opinions and Jon told me his was Shaw v. Toshiba, 91 F.Supp.2d 926 (E.D. Tx. 1999). I had skimmed the high points a few years back but never really taken the time to go through it slowly and enjoy it like a snifter of brandy, so after we hung up, I pulled it up and began reading.

I immediately turned to the point that Jon and I discussed which is where the court focused on the silliness of folks trying to argue the Computer Fraud and Abuse Act is a “hacking” law – ha, the court knocked it out of the park! “[T]his Court does not see a blanket exemption for manufacturers in Title 18 U.S.C. § 1030; nor does it see the term ‘hacking’ anywhere in this statute.” Id. at 936. I love that statement — I have never seen the term “hacking” in there either and, to hear people continue referring to it that way makes me wonder if they also refer to the mail and wire fraud statute as intending to keep the crooked city slickers from taking advantage of honest country folk. (seriously, see page 1)

How does this apply to the Lenovo SuperFish Malware?

So now you’re probably wondering where I’m going with this, right? And, what it has to do with the Lenovo SuperFish malware?

Ok, did you catch the first part of that quote? The part about a “blanket exemption for manufacturers”?

The issue in Shaw was whether a computer manufacturer’s sale of laptop computers containing devices with defective microcode that erroneously caused the corruption or destruction of data without notice was a violation of the CFAA, because the instructions given by the defective microcode were an unauthorized transmission. Toshiba argued several things but, most applicable here, that “Congress never intended for the CFAA to reach manufacturers; rather, the CFAA is geared toward criminalizing computer ‘hacking.'” In other words, Toshiba argued that, because it was a manufacturer that did all of its “stuff” before the computer was shipped and sold to Shaw, its activities were not prohibited by the CFAA. The Court disagreed with Toshiba’s narrow interpretation:

Perhaps. But it seems more plausible that Congress, grappling with technology that literally changes every day, drafted a statute capable of encompassing a wide range of computer activity designed to damage computer systems–from computer hacking to time bombs to defective microcode.

Brilliant. Ultimately, the Court denied Toshiba’s Motion for Summary Judgment and allowed the case to proceed. 

 The lawsuits against Lenovo have already started to drop and will surely continue coming. While I have not read the individual complaints, I’d say it’s a safe bet there are some CFAA claims in there — and if not, maybe they should give Shaw v. Toshiba a read (and not just for pleasure).

So, here’s a little test for you: if they do bring a CFAA claim, do they have to plead the $5,000 loss? 

Hey Jon, by the way, thank you!



Shawn Tuma (@shawnetuma) is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving cyber risk and compliance, computer fraud, data breach and privacy, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes across the United States and, through the Mackrell International Law Network, around the world.

computer-crime-scene1

Will Changes to the CFAA Deter Hackers? | Norse DarkMatters

Read my latest post on Norse’s DarkMatters: Will Changes to the CFAA Deter Hackers?

 

Felony CFAA Conviction for Accessing Former Employer’s Data via Backdoor Upheld on Appeal

former employee = current data thiefAn employee, after leaving a company, is no longer authorized to continue accessing its data–regardless of what steps the company took. This is, and always has been, a no-no. But, not everyone seems to realize it.

The United States Court of Appeals for the Fourth Circuit recently affirmed a Computer Fraud and Abuse Act conviction for a man who used a backdoor into his former employer’s computer system to continue accessing data after he went to a competitor. The fact that his former employer had not changed his password did not dissuade the court.

The district court proceeding

The United States Court of Appeals for the Fourth Circuit, on Christmas Eve 2014, handed down the unpublished opinion United States v. Steele, 2014 WL 7331679 (4th Cir. Dec. 24, 2014). In Steele, the Court upheld the jury conviction for two misdemeanor and twelve felony counts for violating the unauthorized access prong of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030(a)(2)(C).

Steele, while not establishing new law, does illustrates an important distinction in employee computer and data misuse cases: misuse by current employees versus former employees. The notorious Circuit Split involves misuse by current employees but, when it comes to former employees, the law is clear. When the employment relationship terminates, so too does the now-former employee’s authorization to access the computer system and data.

Robert Steele worked as vice president of business development and also the backup systems administrator for Platinum Solutions, Inc. His role as a systems administrator gave him access to the company’s server, which allowed him to monitor email accounts and employee passwords. Platinum was eventually sold and became SRA and Steele resigned to go work for a competitor who also provided contract IT services to government defense agencies.

For nine months after his resignation from SRA, Steele continued to log in to the company’s computer server using a “backdoor” account he had used during his employment. Using this, he accessed the server almost 80,000 times during which he proceeded to access and download documents and emails related to the company’s contract bids–bids that were competitive to his new employer and, therefore, confidential trade secrets.

A jury convicted Steele for fourteen violations of the CFAA; he received a 48 month prison sentence and was ordered to pay $50,000 in fines, $1,200 in fees, and $335,977.68 in restitution. Steele appealed.

The court of appeals opinion

Of his grounds for appeal, the most relevant is Steele’s argument that his post-termination accesses of the servers were not “without authorization.” Steele argued that because the company did not change the password to this “backdoor” account following his resignation, he continued to have authorization to use the account to access the servers. He based this argument on the Fourth Circuit’s opinion in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012).

In WEC Carolina, the Court dealt with the Circuit Split issue of a current employee using his employer’s computer system to obtain information that he then used for improper purposes and whether such use is in “excess of authorization” under § 1030(a)(2). The WEC Carolina Court adopted the narrow view which holds that § 1030(a)(2) prohibits a current employee from unlawfully accessing a protected computer but not from misusing information that he obtained while lawfully accessing the computer.

The Steele Court explained how this distinction applies to this case:

Importantly, this split focuses on employees who are authorized to access their employer’s computers but use the information they retrieve for an improper purpose. Steele’s case is distinguishable for one obvious reason: he was not an employee of SRA at the time the indictment alleges he improperly accessed the company’s server. In WEC Carolina, authorization did not hinge on employment status because that issue was not in dispute. Here, by contrast, the fact that Steele no longer worked for SRA when he accessed its server logically suggests that the authorization he enjoyed during his employment no longer existed.

* * *

Common sense aside, the evidence provides ample support for the jury’s verdict. SRA took steps to revoke Steele’s access to company information, including collecting Steele’s company-issued laptop, denying him physical access to the company’s offices, and generally terminating his main system access. And Steele himself recognized that his resignation effectively terminated any authority he had to access SRA’s server, promising in his resignation letter that he would not attempt to access the system thereafter. Just because SRA neglected to change a password on Steele’s backdoor account does not mean SRA intended for Steele to have continued access to its information.

As the Steele Court hinted, common sense or basic ethics, however one looks at it, should have been enough to tell Steele that after leaving SRA, he was no longer authorized to continue accessing its data. It wasn’t enough. Now he has 48 months to think about where he went wrong as well as how he is going to come up with nearly $400,000.


__________________________________________

Shawn Tuma is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving computer fraud, cybersecurity, privacy and intellectual property law. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes across the United States.

 

Podcast: #DtR Episode on Lines in the Sand on “Security Research”

You really need to hear this podcast where we draw lines in the sand staking out what is — and what is not — security research

The #DtR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] invited me to tag along for another episode of the Down the Security Rabbit Hole podcast.

Also joining us for this episode were Chris John Riley (@ChrisJohnRiley) and Kevin Johnson (@SecureIdeasllc).

You can click here to see a list of the topics we covered in this episode or just jump straight into the podcast.

Let us know what you think by tagging your comments with #DtR on Twitter!

Podcast: DtR NewsCast of Hot Cyber Security Topics

I had the pleasure of joining the DtR Gang for another podcast on Down the Security Rabbit Hole and, as usual with this bunch, it was more fun than anything — but I learned a lot as well. Let me just tell you, these guys are the best around at what they do and they’re really great people on top of that!

This episode had the usual suspects of Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst), though James was riding passenger in a car and could only participate through IM. Also joining as a guest along with me was was  Philip Beyer (@pjbeyer).

Go check out the podcast and let us know what you think — use hashtag #DtR on Twitter!

Thank you Raf, James, Michael and Phil — this was a lot of fun!

Podcast: CFAA, Shellshock and Cyber Security Research — What the Heck Do We Want?

Today I had a blast doing a podcast on the CFAA, Shellshock, and cyber security research with Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst) — in fact, we had so much fun that I suspect Raf had quite a time trying to edit it!

The starting point for our discussion was a recent article written by security researcher and blogger Robert Graham (@ErrataRob) titled Do shellshock scans violate CFAA?

As I mentioned on the show, when I first saw Robert’s article, I viewed it with skepticism. However, after actually reading it (yeah, I know — makes sense, right?), I found the article to be very well written, sound on the principles and issues of the CFAA — in my view, Robert did a great job of framing some key issues in the debate that definitely needs to happen.

From the article, our discussion expanded to a general discussion of the Computer Fraud and Abuse Act, its confusion as to application to “security research,” and whether it is even possible for Congress to “fix” the CFAA.

I do not think Congress is able to “fix” the CFAA right now for many reasons. However, I believe we pointed out some additional issues that must be taken into consideration during the public debate in determining what we as a society really value and want on these issues. Until “we the people” can figure that out, I see no way for Congress to “fix” this law which means the Common Law method is what we are left with.

Anyway, this post is just skimming the surface — Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Thank you Raf, James and Michael — this was a lot of fun!

No, the CFAA Does Not Require Taking Actions to Prevent the Hacking of Others

For all of the things the CFAA may (or may not) require, it does not require taking actions to prevent the hacking of others. We are not (yet) the guardians of the hacking universe!

In a factually interesting case that offers a great read on attorney professionalism, the United States Court of Appeals for the Seventh Circuit has confirmed that the Computer Fraud and Abuse Act (CFAA), 18 USC § 1030, does not require taking actions to prevent others from hacking into websites — even when the allegation is being made of internet service providers (ISP) that allegedly failed to take actions to prevent the hacking of their users websites.

In Lightspeed Media Corp. v. Smith, 761 F.3d 699 (7th Cir. 2014), the court addressed an appeal brought after the district court granted a motion to dismiss all claims, including the Computer Fraud and Abuse Act claim, which the court said was frivolous:

Lightspeed’s suit against the ISPs was premised on the notion that because the ISPs challenged appellants’ subpoena of the personally identifiable information of Smith’s 6,600 “co-conspirators,” they somehow became part of a purported plot to steal Lightspeed’s content. If there was any conceivable merit in that theory, then perhaps fees would have been inappropriate. But there was not.

Count I alleged that the ISPs violated the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §§ 1030 and 1030(g), by failing to prevent hacking. The only alleged assistance to hackers, however, was the challenge to the subpoena. As expansive as the CFAA is, see Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 MINN. L. REV. 1561, 1563-65 (2010), this is a frivolous charge.

The Plaintiff’s original allegations are set forth below:

We are not guardians of the hacking universe!

We are not guardians of the hacking universe!

(link to Lightspeed’s full First Amended Complaint)

For all of the criticism of the expansiveness and unpredictability of the CFAA, and much of it is well deserved, we can now be confident that it does not impose a duty to take steps to prevent the hacking of others — and thank God!