Interpretation of the Computer Fraud and Abuse Act (CFAA), and similar laws, is often up for debate due to ambiguous terminology, such as “unauthorized access.” This issue has come up in several recent cases. Read the article, “The Arrest of a Florida Data Scientist Demonstrates a Weird Hole in Cybercrime LawLinks to an external site..”
Briefly describe the case, including how the Florida Computer Crime Law and CFAA, are central to it.
Discuss your perspective on whether the type of access Jones performed should make her guilty of unauthorized access and justify your opinion pointing to relevant components of the laws. You can also leverage the other cases presented (Briggs and Rodriguez) on both sides of this debate.
Research and present one other case of unauthorized access that presents a conundrum for current computer security laws and discuss your opinion on the case.
After reading a few of your classmate’s postings, reply to those from which you learned something new or to which you have something constructive to add. For example:
Discuss what you learned.
Ask probing questions or seek clarification.
Explain why you agree or disagree with your classmate’s main points, assertions, assumptions, or conclusions.
Suggest research strategies or specific resources on the topic.
Dante Alighieri played a critical role in the literature world through his poem Divine Comedy that was written in the 14th century. The poem contains Inferno, Purgatorio, and Paradiso. The Inferno is a description of the nine circles of torment that are found on the earth. It depicts the realms of the people that have gone against the spiritual values and who, instead, have chosen bestial appetite, violence, or fraud and malice. The nine circles of hell are limbo, lust, gluttony, greed and wrath. Others are heresy, violence, fraud, and treachery. The purpose of this paper is to examine the Dante’s Inferno in the perspective of its portrayal of God’s image and the justification of hell.
In this epic poem, God is portrayed as a super being guilty of multiple weaknesses including being egotistic, unjust, and hypocritical. Dante, in this poem, depicts God as being more human than divine by challenging God’s omnipotence. Additionally, the manner in which Dante describes Hell is in full contradiction to the morals of God as written in the Bible. When god arranges Hell to flatter Himself, He commits egotism, a sin that is common among human beings (Cheney, 2016). The weakness is depicted in Limbo and on the Gate of Hell where, for instance, God sends those who do not worship Him to Hell. This implies that failure to worship Him is a sin.
God is also depicted as lacking justice in His actions thus removing the godly image. The injustice is portrayed by the manner in which the sodomites and opportunists are treated. The opportunists are subjected to banner chasing in their lives after death followed by being stung by insects and maggots. They are known to having done neither good nor bad during their lifetimes and, therefore, justice could have demanded that they be granted a neutral punishment having lived a neutral life. The sodomites are also punished unfairly by God when Brunetto Lattini is condemned to hell despite being a good leader (Babor, T. F., McGovern, T., & Robaina, K. (2017). While he commited sodomy, God chooses to ignore all the other good deeds that Brunetto did.
Finally, God is also portrayed as being hypocritical in His actions, a sin that further diminishes His godliness and makes Him more human. A case in point is when God condemns the sin of egotism and goes ahead to commit it repeatedly. Proverbs 29:23 states that “arrogance will bring your downfall, but if you are humble, you will be respected.” When Slattery condemns Dante’s human state as being weak, doubtful, and limited, he is proving God’s hypocrisy because He is also human (Verdicchio, 2015). The actions of God in Hell as portrayed by Dante are inconsistent with the Biblical literature. Both Dante and God are prone to making mistakes, something common among human beings thus making God more human.
To wrap it up, Dante portrays God is more human since He commits the same sins that humans commit: egotism, hypocrisy, and injustice. Hell is justified as being a destination for victims of the mistakes committed by God. The Hell is presented as being a totally different place as compared to what is written about it in the Bible. As a result, reading through the text gives an image of God who is prone to the very mistakes common to humans thus ripping Him off His lofty status of divine and, instead, making Him a mere human. Whether or not Dante did it intentionally is subject to debate but one thing is clear in the poem: the misconstrued notion of God is revealed to future generations.
References
Babor, T. F., McGovern, T., & Robaina, K. (2017). Dante’s inferno: Seven deadly sins in scientific publishing and how to avoid them. Addiction Science: A Guide for the Perplexed, 267.
Cheney, L. D. G. (2016). Illustrations for Dante’s Inferno: A Comparative Study of Sandro Botticelli, Giovanni Stradano, and Federico Zuccaro. Cultural and Religious Studies, 4(8), 487.
Verdicchio, M. (2015). Irony and Desire in Dante’s” Inferno” 27. Italica, 285-297.
The ambiguity of “unauthorized access” in computer crime laws like the Computer Fraud and Abuse Act (CFAA) is a central and ongoing legal debate. Let’s delve into the Rebekah Jones case, analyze the implications, and examine other relevant cases.
The Rebekah Jones Case and its Centrality to Computer Crime Law
Rebekah Jones was a data scientist for the Florida Department of Health (FDOH) who helped create and manage Florida’s COVID-19 dashboard. She was fired in May 2020 after publicly alleging that the state was manipulating COVID-19 data to suppress case numbers.
In November 2020, someone accessed an FDOH emergency response system called ReadyOP and sent an unauthorized text message to about 1,750 people, stating: “It’s time to speak up before another 17,000 people are dead. You know this is wrong. You don’t have to be part of this. Be a hero.” Law enforcement traced the message to an IP address linked to Jones’s home, and she was subsequently arrested and charged with illegally accessing a Florida state computer under the Florida Computer Crime Law.
The ambiguity of “unauthorized access” in computer crime laws like the Computer Fraud and Abuse Act (CFAA) is a central and ongoing legal debate. Let’s delve into the Rebekah Jones case, analyze the implications, and examine other relevant cases.
The Rebekah Jones Case and its Centrality to Computer Crime Law
Rebekah Jones was a data scientist for the Florida Department of Health (FDOH) who helped create and manage Florida’s COVID-19 dashboard. She was fired in May 2020 after publicly alleging that the state was manipulating COVID-19 data to suppress case numbers.
In November 2020, someone accessed an FDOH emergency response system called ReadyOP and sent an unauthorized text message to about 1,750 people, stating: “It’s time to speak up before another 17,000 people are dead. You know this is wrong. You don’t have to be part of this. Be a hero.” Law enforcement traced the message to an IP address linked to Jones’s home, and she was subsequently arrested and charged with illegally accessing a Florida state computer under the Florida Computer Crime Law.
The core of the legal debate here, and why the Florida Computer Crime Law (which is closely related to the CFAA) is central, revolves around the interpretation of “unauthorized access.” The article highlights that the username and password for the ReadyOP system were reportedly printed in a publicly accessible operations manual on the FDOH website for relevant staff. Jones, as a former employee, had previously been authorized to use these credentials. The state’s argument hinged on the idea that her authorization was revoked upon her termination, even if the technical means of access (the password) remained the same and easily accessible.
The case thus spotlights the “weird hole” in cybercrime law: does “unauthorized access” refer strictly to breaking through technical barriers (like hacking a system without knowing the password), or does it extend to using authorized credentials for an unauthorized purpose or after authorization has been formally revoked (even if technical access wasn’t removed)? This is precisely the ambiguity that the CFAA and similar state laws grapple with.
My Perspective on Jones’s Access and Guilt
In my opinion, if Rebekah Jones did indeed send the message using credentials she had been given as an employee, but after her employment and authorization had been formally revoked, then she should be considered guilty of unauthorized access under a reasonable interpretation of the law.
Here’s my justification, pointing to relevant components of the laws and leveraging other cases:
- “Exceeds Authorized Access” vs. “Without Authorization”: The CFAA and similar laws often distinguish between “accessing a computer without authorization” (like an external hacker) and “exceeding authorized access” (someone with initial permission who then goes beyond their permitted scope or purpose). The Florida Computer Crime Law, specifically Florida Statutes Section 815.06, criminalizes access with “knowledge that such access is unauthorized or the manner of use exceeds authorization.”
- The Intent of the System Owner (Organizational Policy): While Jones may not have engaged in “hacking” in the traditional sense of technical circumvention, the authorization to access a system ultimately rests with the system owner (in this case, the FDOH). When an employee is terminated, their authorization to use company resources, including computer systems, is generally revoked. The argument is that continued access, even with a valid password, is “without authorization” because the permission from the owner has been withdrawn.
- The Van Buren v. United States Precedent: This Supreme Court case (2021) narrowed the interpretation of “exceeds authorized access” under the CFAA. The Court held that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him.” This ruling specifically rejected the “purpose-based” interpretation, meaning that merely using authorized access for an improper purpose is not, by itself, a CFAA violation if the areas accessed were within one’s permission.
- Application to Jones: Van Buren might seem to favor Jones initially if her argument is that she still had permission to access the system itself because the password worked. However, the Van Buren case focused on “exceeds authorized access” for current employees using data for an improper purpose. Jones was a former employee. If her overall access to the system was terminated, then any subsequent login, even with old credentials, could fall under the “without authorization” clause, rather than “exceeds authorized access.” The “without authorization” prong typically covers those who were never given permission or whose permission has been explicitly revoked.
- The United States v. Nosal (9th Circuit) Cases: These cases offer a contrast. In Nosal II, the court held that a former employee who directed others to use a current employee’s password to access his former employer’s system acted “without authorization.” This emphasizes that when authorization is revoked, subsequent access, even through indirect means or shared credentials, can be unauthorized.
- Application to Jones: While Jones didn’t use someone else’s active credentials in the same way, the Nosal cases support the idea that revocation of permission makes subsequent access unauthorized, regardless of technical difficulty.
- Florida’s Rodriguez v. State: This specific Florida case, cited by legal analyses of Florida’s Computer Crime Law, stated that “someone who accesses a computer network while acting in the scope of their lawful employment cannot be found guilty under the statute.” However, it also clarifies that if the access itself was not lawful, or occurred outside the scope of employment/authorization, the statute can apply. Jones was explicitly not in the scope of lawful employment.
The crucial distinction lies in whether Jones’s permission to access the system at all was revoked, not just whether her purpose was improper. If her employment termination unequivocally meant an end to her authorized access, then her subsequent login, even with a known password, constitutes “without authorization.” The state’s failure to revoke credentials is a security lapse, but it doesn’t necessarily grant a former employee perpetual authorization.
Another Conundrum: The Case of United States v. Lori Drew
One case that presented a significant conundrum for current computer security laws, specifically the CFAA, is United States v. Lori Drew (2008-2009).
Brief Description: Lori Drew, an adult mother, created a fake MySpace profile, posing as a teenage boy named “Josh Evans,” to cyberbully a 13-year-old neighbor, Megan Meier. Megan had been friends with Drew’s daughter and had reportedly fallen out. After online exchanges between “Josh” and Megan, “Josh” sent a message to Megan stating that “the world would be a better place without you.” Megan tragically committed suicide shortly thereafter.
The Conundrum: Drew was prosecuted under the CFAA, specifically for “accessing a computer without authorization or exceeding authorized access.” The prosecution argued that by creating a fake profile and violating MySpace’s Terms of Service (TOS) (which prohibited false identities and harassment), Drew had “exceeded authorized access” to MySpace’s computers.
My Opinion on the Case: This case presents a massive conundrum and highlights the overbreadth issue of the CFAA. In my opinion, Lori Drew should NOT have been found guilty under the CFAA.
- CFAA’s Original Intent: The CFAA was primarily designed to combat malicious hacking, espionage, and computer fraud – activities that undermine the security and integrity of computer systems. It was not intended to be a broad “internet policing” tool for enforcing website Terms of Service.
- Terms of Service as Criminal Law: The prosecution’s argument essentially elevates a website’s TOS into a criminal statute. If violating a TOS constitutes “unauthorized access,” then millions of people could be prosecuted under the CFAA for commonplace online activities, such as:
- Using a fake name on social media.
- Sharing an account password (e.g., Netflix, despite Nosal II pushing against this, it’s still a real-world behavior).
- Scraping data from a website, even if publicly available, if the TOS prohibits it.
- Lying about age during sign-up.
- Automating tasks on a website that the TOS disallows.
- The Van Buren Impact: The Supreme Court’s ruling in Van Buren v. United States (2021) has largely, though not entirely, resolved the Drew-like conundrum by rejecting the “purpose-based” interpretation of “exceeds authorized access.” Van Buren emphasized that “exceeds authorized access” means accessing files or information that are off-limits to them, not merely using authorized access for an improper purpose that violates a policy or TOS. While Van Buren was decided long after Drew, its reasoning underscores the fundamental flaws in using the CFAA to criminalize TOS violations.
- Alternative Legal Avenues: While Lori Drew’s actions were morally reprehensible and tragically led to a child’s death, the CFAA was the wrong legal tool. Laws related to cyberbullying, harassment, stalking, or even child endangerment (where applicable) would have been more appropriate for addressing the specific harm caused, rather than stretching a hacking statute to cover TOS violations.
The Lori Drew case exemplifies the dangers of broadly interpreting “unauthorized access” to encompass violations of private contractual agreements (like TOS), potentially criminalizing vast swathes of everyday internet behavior and creating a “trap for the unwary.” The Van Buren decision, while not directly overturning Drew, significantly undermined the legal theory upon which Drew‘s conviction rested, pushing the interpretation of the CFAA back towards its original intent: preventing unauthorized intrusion into computer systems, rather than policing internal use policies or TOS.
