CFAA Beacon Bill

Representatives Tom Graves (R-GA) and Kyrsten Sinema (D-AZ) have introduced a bill to amend the Computer Fraud and Abuse Act. The bill, titled the “Active Cyber Defense Certainty Act,” would allow the defensive use of “beaconing” technology (see H.R. 4036). A “beacon” is a program that causes traffic to leave a network at regular intervals. Beacons are frequently employed by malware to signal to the malware’s proprietor that a network has been compromised so that it can be accessed or connected to a botnet. H.R. 4036 would allow the defensive use of malware to beacon information that could identify an attacker. It would immunize this activity from criminal CFAA culpability, but not from civil liability. It would require notification to the FBI National Cyber Investigative Joint Task Force before using a defensive beacon and would establish a voluntary pilot program through which the FBI would approve specific tools prior to notification.

There is some good reason for relaxing the CFAA in defensive contexts, but the requirement of prior FBI authorization seems highly problematic to me.  Essentially, this amounts to the cyber-deputization of private entities, which raises privacy and oversight concerns.


Microsoft and the Law of the Cloud: to the Supreme Court

Last year I wrote about Microsoft’s Stored Communications Act litigation. The dispute has now worked its way up to the Supreme Court. Andrew Keane Woods offers a good primer on the case on the Lawfare Blog. I generally agree with Andrew’s take: (1) the extraterritoriality issues do not seem to raise major sovereignty concerns; and (2) it is not really a “privacy” case. It’s also interesting, as Andrew notes, that Silicon Valley seems uncertain about how to approach this dispute. But here’s where I might go a bit further than Andrew: the extraterritoriality issues do not raise major sovereignty concerns unless you think the cloud is really something different. The Supreme Court continues to make Internet-exceptionalist noises, such as Justice Kennedy’s ode to the Net in the Packingham case last year:

While we now may be coming to the realization that the Cyber Age is a revolution of historic proportions, we cannot appreciate yet its full dimensions and vast potential to alter how we think, express ourselves, and define who we want to be. The forces and directions of the Internet are so new, so protean, and so far reaching that courts must be conscious that what they say today might be obsolete tomorrow.

Packingham v. North Carolina, 137 S. Ct. 1730, 1736 (2017).  The cloud, of course, is just a marketing term for storing stuff and running apps on the Internet.  In my view, the Court should avoid rhapsodizing about the cloud or the Internet in the Stored Communications Act context, apply ordinary principles of extraterritoriality to find that Microsoft was required to produce the records in this case, and leave further tinkering with the statutory framework to Congress.