Congressional Rep Mike Honda Sues Challenger Ro Khanna For CFAA Violation Over Access To His Donor List
from the oh-boy dept
So, the CFAA strikes again, and this time right in the heart of a Silicon Valley political fight. If you live in or around the Silicon Valley tech industry, you probably know who Ro Khanna is. He’s often been described as the “candidate for Congress that Silicon Valley prefers.” It feels like he’s been running for Congress against incumbent Rep. Mike Honda forever, but it’s really just in the past two elections. Here’s a big Bloomberg profile of him from 2013 when he first challenged Honda, losing narrowly to him in the 2014 election, despite having support from many Silicon Valley tech industry stars. This year, he’s running again, and in the primary, Khanna narrowly beat Honda, suggesting good things in the general election in November (the top two candidates in the open primary move on to the general election, regardless of party).
Khanna is known for his pro-internet views, while Honda has a reputation for not really understanding or caring very much about the internet.
And now… Honda has sued Khanna under one of the most hated laws on the internet, the CFAA (Computer Fraud & Abuse Act). As we’ve discussed for many years, the CFAA was supposed to be an “anti-hacking law” that was created by politicians who were (literally, no joke) scared by the fictional movie War Games into writing an anti-hacking law in the 1980s. The law has many, many, many problems, but the biggest one, which comes up again and again in cases, is that it has a vague standard of “unauthorized access” or “exceeding authorized access.”
Not surprisingly, that’s the issue in this case as well. In short, Brian Parvizshahi was (until Thursday night) Khanna’s campaign manager. Way back in 2012, Parvizshahi had briefly (as in, for just a few weeks) worked at Arum Group, an organization that helped Mike Honda with fundraising. After he left Arum Group, apparently no one at the company thought to turn off his access to the Dropbox where they stored all their info about donors. Now, to most people, you’d think that the issue here would be Arum Group’s bad policies. But, under the CFAA some can argue that continuing to access that file is a form of “unauthorized access.”
And that’s the central claim here in the lawsuit. Honda claims that Parvizshahi continued to access that Dropbox folder that he was given access to four years ago and which Arum Group never shut down — and thus he, and the whole Khanna campaign — violated the CFAA. You can see the full filing here.
Now, we can say that Parvizshahi continually accessing this info — especially after starting to work for Khanna — was really, really dumb. Especially since his actions were clearly viewable in Dropbox — including cases where he supposedly “edited” the files. From the lawsuit, here’s just one of many, many images:
It is worth noting, though, that some of the screenshots merely show Parvizshahi “adding” the document to his desktop, which might have happened automatically if he was syncing his Dropbox account to his computer, which is the way many people set things up.
One other sketchy thing here is that someone sent a copy of Honda’s donor list to San Jose Inside magazine in late 2015 — and apparently the file they got matched a file in the Dropbox folder that Parvizshahi had accessed.
So while it may have been dumb for him to do so, the real fault here would seem to lie with Arum Group for (1) giving Parvizshahi access on what appears to be his personal Dropbox account, rather than adding a professional account that it controlled and (2) failing to revoke his access after Parvizshahi left, and not even noticing it for years. That seems to be the really negligent move here.
But, with the way courts have been interpreting the CFAA, it does seem entirely possible (if ridiculous) that a California court could interpret this to be a CFAA violation for Parvizshahi at the very least. If that also applies to Khanna, that would seem doubly ridiculous. Either way, as far as I can tell, while Khanna has taken a position on a number of issues related to tech policy, I don’t see anything about the CFAA. Perhaps this particular episode will change that.
Filed Under: brian parvizshahi, campaigns, cfaa, donor lists, hacking, mike honda, ro khanna
Comments on “Congressional Rep Mike Honda Sues Challenger Ro Khanna For CFAA Violation Over Access To His Donor List”
Just a thought
Since they never managed to revoke his access, can he argue that he was indeed (still) authorized to the material in question? Sure, logically, since he didn’t work for them anymore it stands to logic that he *shouldn’t* have access, but he did. It’s a technical differentiation, of course, but sometimes that is how things are decided.
Re: Just a thought
It really depends on the judge. Short version: some seem to accept that exceeding “intended” rather than “actual” authorization is enough.
Yes, it does get that crazy as times.
Re: Just a thought
Since they never managed to revoke his access, can he argue that he was indeed (still) authorized to the material in question? Sure, logically, since he didn’t work for them anymore it stands to logic that he shouldn’t have access, but he did. It’s a technical differentiation, of course, but sometimes that is how things are decided.
Well, yes, that’s an argument — and similar ones have been made in the past. I think it makes sense, but courts haven’t always agreed. And that makes it a risky argument to make in court.
computers do not care about meatspace, to a computer, if you have the proper credentials, you are thus authorized to access it.
Technically he can say it was automated synchronization and good luck to the plaintiff to prove it was not. Considering we still consider people innocent until proven guilty. Of course some things seem to have changed.
Re: Re:
This is a civil lawsuit. There is no “innocent until proven guilty”. It goes by preponderance of the evidence, not proof beyond a reasonable doubt.
“Technically he can say it was automated synchronization and good luck to the plaintiff to prove it was not.”
He can say that. But if he says that under oath (and he almost certainly will be deposed) then, if it’s a lie, he’s committing perjury, and now he’s potentially facing jail time. If he WAS the one who leaked the list to the paper, how sure is he that it can’t be traced back to him if the paper and/or email providers are subpoenaed?
Re: Re: Re:
Hmmm. Civil? But can’t the CFAA put you in jail? Correct me if I’m wrong but when jail is involved you get into the criminal realm, no?
Re: Re:
Considering we still consider people innocent until proven guilty.
Aiming to take top spot in Funniest Comment already are we?
Of course this begs the question of “Who else have they forgot to cut off access to?” especially for the docs leaked to the press. If they forgot about one guy from 4 years ago, there has got to be others as well.
Re: TripMN's remark
“Begging the question” is a logical fallacy. No doubt you
meant “raises the question”.
Another point not brought up in this write-up: Arum Group was no longer working with Honda’s campaign and hadn’t been for several years. So not only did Parvizshahi still have access to the files when he should not have so did the Arum Group. Immediately upon severing their contract with Honda’s campaign the Arum Group should have deleted the voter information files and rescinded all access.
Trust
One thing I find interesting is that the lawsuit alleges things like loss of trust of the donors. Sorry, but that loss of trust is actually deserved if you don’t secure your donor’s private emails, regardless of whether the defendants actually accessed the list. They didn’t notice that the former intern still had access when they switched to the new election cycle – you’d think they’d review their authorized access list at least that often. They didn’t even notice his continued access when the paper published a leaked copy of the donor list three and a half years after that intern quit the campaign.
Another thing I find interesting is that, at the time they discovered the breach, they apparently felt the need to notify at least five different consulting companies that were apparently already working for them. Do congressional campaigns normally have that many? But maybe that’s one reason why they never noticed. Too many people in the campaign, many of which don’t even directly work for the campaign. And maybe that’s why they didn’t do more diligence when the leak came – too many people they didn’t really know had access to the list anyway.
Of course it’s the Arum Group’s responsibility. But it’s also Parvizshahi’s responsibility. Saying it’s not is like saying that two years ago you lent a key to someone who was once a friend, and forgot to get it back, and then you had a falling out. But you just discovered that he’s been letting himself into your house and making lunch for himself when you’re away.
Even if it was an automatic sync, Parvizshani would have known.
Now, whether Khanna has any culpability is another matter. You’d have to show that he knew, or should have known. Did he think Parvizshani was just a genius at coming up with leads to people with money, or did he hire Parvizshani in the first place knowing that he had Honda’s donor list?
Request For Judicial Notice
At the very bottom of the 240 page PDF, beginning on page 238 in that PDF, plaintiff Mike Honda For Congress requests judicial notice of three items. The first two items are from the Federal Election Commission (FEC). The third item is described as—
This third item is said to be “relevant” as follows—
In the absence, though, of any evidence that the purported “Brian Parvizshahi’s LinkedIn profile” was created or controlled by defendant Brian Parvizshahi, I don’t think a court should rely on that for the truth of anything contained in the profile.
Re: Request For Judicial Notice
Just for convenience, the Sep 20, 2016 Beckendorf declaration (doc 5-19) begins at p.59 within the 240 page pdf. See especially ¶ 8 and footnote 1, both on p.2 (p.60 in pdf) of the Beckendorf declaration.
Exhibit 2 (doc 5-21) attached to that declaration follows the cover sheet on p.71 in the pdf.
Re: Request For Judicial Notice
Also for convenience—
FRE Rule 201. Judicial Notice of Adjudicative Facts
Re: Re: Request For Judicial Notice
And further for convenience, with reference to pp.2-3 (pp.239-40 in PDF) of plaintiff’s request for judicial notice—
Voting Record
According to GovTrackUS, Honda did vote yes on the Amash Amendment, but also yes on CISA and when it was consolidated into the omnibus bill of 2015; though the “internet bill of rights” page on Ro Khanna’s website sounds promising.
Beckendorf to Podesta
This https://wikileaks.org/podesta-emails/emailid/4170
It is a Wikileak of a Podesta email, Mike Honda campaign manager on Ro Khanna