Honda, Khanna Square Off in Federal Court Over CFAA Allegations of Pilfering Donor Data
A month before November's general election, the campaigns for Rep. Mike Honda, D-Calif., and his Democratic re-election challenger Ro Khanna squared off in a federal court Tuesday over allegations from Honda that his rival pilfered proprietary donor information (see 1609220059) -- which Khanna denied. In a lawsuit filed Sept. 22, Honda said Khanna, his campaign and former campaign manager violated the Computer Fraud and Abuse Act (CFAA) by illegally obtaining the information -- but several experts disagreed whether Honda's campaign is using the anti-hacking statute appropriately.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The U.S. District Court for the Northern District of California was scheduled to hold a Honda motion hearing for a preliminary injunction at our deadline. Vedant Patel, communications director for Honda's campaign, said in an interview Tuesday that it wants the Khanna campaign to "return all the data and documents that they pilfered from our Dropbox account, that they destroy any remnants that they have in their files and whatnot, and they stop using it." The campaign also alleged violation of the Economic Espionage Act.
“There’s not a shred of evidence because it’s simply not true that I or anyone in the campaign knew of or was involved in any way with accessing top proprietary confidential information," Khanna told us. He said Honda is down in polls and the lawsuit is a "Hail Mary pass" and "reeks of political gamesmanship." Khanna also said Honda is trying to distract voters from a House Ethics Committee probe of whether Honda's congressional staff improperly mingled official and campaign business. (Although both Democrats, under California law Honda and Khanna advanced to November's general election because they were the two top vote getters in a June primary in which candidates from all parties compete.)
The lawsuit involves ex-Khanna campaign manager Brian Parvizshahi, who resigned after the lawsuit was filed. In 2012, he interned briefly at the Arum Group, which was the Honda campaign's fundraising consultant until December 2014, the lawsuit said. Parvizshahi signed the firm's non-disclosure agreement saying he couldn't disseminate or discuss any confidential information with anyone outside the firm unless given permission to do so, the suit said. It said the Arum Group gave Parvizshahi access to two Dropbox folders -- one an intern folder and the other containing fundraising information for Honda's congressional campaign at the time, and when he quit that access wasn't revoked. In short, the lawsuit said Parvizshahi continued to access confidential, proprietary campaign information. Patel told us there's evidence Parvizshahi accessed documents almost 50 times and the Khanna campaign was using them inappropriately, but he said other documents beyond the donor list were accessed.
Parvizshahi's attorney, Renato Mariotti, with Thompson Coburn, told us his client didn't have a password to an Arum group server and didn't hack into one or access one, but accessed files on his own Dropbox account. "I think it’s unprecedented to charge someone with a CFAA violation for accessing data that was provided to them on their own computer in their own account," said Mariotti. "The purpose of CFAA is to prevent people from accessing other peoples’ protected computers. Accessing your own account on your own is not a CFAA violation, period." He said Parvizshahi, who joined Khanna's campaign in early 2014, resigned and hasn't access his Dropbox folder.
“For the Honda campaign to use Brian as a political football and to bring a federal lawsuit under the CFAA when there is no evidence that he actually went in to Arum Group’s systems is draconian and it’s a shame that Honda is … filing a federal lawsuit against a young staffer," said Khanna, whose campaign filed a response to Honda's suit.
“My understanding is that the accused staffer had valid credentials at the time he accessed the information, allegedly in violation of the CFAA," emailed Gabe Rottman, deputy director of the Center for Democracy and Technology's Freedom, Security and Technology Project. Politics aside, he said, that's the same issue with a password-sharing criminal case in the 9th U.S. Circuit Court of Appeals. In that case, David Nosal, who left executive search firm Korn/Ferry to start a company, had his computer access credentials revoked by the firm. A firm employee gave colleagues who were defecting with Nosal a password so they could download information from Korn/Ferry's database on Nosal's behalf. A 2-1 majority opinion said Nosal acted without authorization, but the dissenting judge said Nosal didn't violate the CFAA (see 1609130012).
“‘Without authorization’ in the CFAA has to mean bypassing some access restriction -- actual hacking," wrote Rottman. "That doesn't appear to ... be the case here, which again raises the specter of CFAA liability for harmless credential sharing." Redbranch Consulting founder Paul Rosenzweig emailed that he agreed the CFAA is "misapplied," since the campaign manager had valid access that hadn't been revoked. "Of course, the actual facts on the ground may be different," he said. "And, more broadly, I am not sure that the Nosal decision would be followed by other circuits, where a ‘subjective' test of without authorization might apply (instead of the Nosal test, which relies on objective indicia of authorization). But on the narrow question you pose, I don’t think Rep. Honda’s suit is likely to be successful.”
CFAA is "overreaching" and a "miscalibrated tool" and should be scrapped, said Santa Clara University School of Law professor Eric Goldman, but he thinks Honda's allegations "fit very well" with the current boundaries. "It's basically the kinds of situations the CFAA was designed to cover," he said. He also said there's ambiguity in the case. Since Dropbox was involved, he said it raises questions of whether the lessor or the lessee is a victim under CFAA. He questioned whether Khanna's campaign is liable for the campaign manager's acts. "There's not supposed to be a notion of contributory Computer Fraud and Abuse Act violations, that the person who violates the law is responsible. But it is not supposed to be anyone else who's responsible for them," he said. Then questions arise whether the campaign manager was acting privately or on behalf of the campaign with its knowledge, he said.
Another broad question is what's going to happen after the election, said Goldman. If Honda wins, he said, the litigation may become "superfluous." If he loses, it won't change the election outcome, but then what, he asked. "The litigation really only has a role pre-election, and since it's unlikely to resolve itself completely pre-election, I don't really know what's going to happen to it in the long run.”