Enlarge / Rep. Mike Honda (pictured here) sued his challenger, Ro Khanna, “Ro for Congress,” and Brian Parvizshahi, Khanna’s former campaign manager, on Thursday.Bill Clark / Getty Images News
reader comments 16
Share this story
Mike Honda, the congressman who represents a large portion of Silicon Valley, has sued his political opponent, Ro Khanna, under a federal anti-hacking law known as the Computer Fraud and Abuse Act.
Khanna, a former Department of Commerce official, is trying to unseat Honda in the upcoming November 2016 election. Honda, who has been a member of the House of Representatives for 15 years, previously defeated Khanna in a tight race in 2014.
The lawsuit claims that Brian Parvizshahi, who was Khanna’s campaign manager until Thursday evening, worked as an intern for a Honda campaign fundraising firm, Arum Group, for just a few weeks in the summer of 2012. However, when Parvizshahi left Arum Group, his access to a Dropbox account that included data on thousands of donors was not revoked.
Later, after he began working for the Khanna campaign in 2015, Parvizshahi allegedly contacted many Honda donors one at a time to ask them to consider supporting Khanna instead.
“This involves a violation of privacy of our supporters.
They entrusted our campaign with this information,” Honda campaign lawyer Gautam Dutta told Ars. “We consider it a cyberattack. You basically have your political opponent obtaining and using your confidential information, obtained through the Internet in an illegal manner.”
Even after the contract with Arum Group ended in December 2014, the Honda campaign didn’t notice that anything was amiss until May 2016.
According to Dutta, that’s when Dropbox sent an e-mail notification about file access that the current fundraiser could not understand.
“He went to our former fundraiser about this, and she made the discovery that Mr. Parvizshahi still had access to that account, and she immediately revoked it,” Dutta said.
CFAA strikes again
In addition to Parvizshahi, Khanna and the “Ro for Congress” campaign were named in the suit as defendants. Khanna and his campaign were officially served with the lawsuit Thursday night at a campaign event in Fremont, California.
Parvizshahi resigned from his position on Thursday evening and has yet to be served with the lawsuit. He has not responded to Ars’ requests for comment.
The Khanna campaign did not immediately respond to Ars’ requests for comment, but Khanna spokesman Hari Sevugan provided a statement to the Los Angeles Times. He wrote:
By filing this lawsuit with six weeks to go and down in the polls, [Parvizshahi] believes Mike Honda is trying to distract voters from the ongoing ethics investigation into how he sold special governmental access to his VIP donors after accepting $3 million in PAC contributions.
And Brian will not let Mike Honda use him to distract voters from the need for real change.
The criminal portions of the Computer Fraud and Abuse Act have drawn scrutiny in recent years, as they have been the vehicle for numerous high-profile prosecutions, including that of Matthew Keys.
The CFAA is the same law that was used to prosecute activist Aaron Swartz, which ultimately resulted in his suicide.
It is the same law that President Barack Obama has said he would like Congress to expand to encompass broader reach and longer prison sentences.
After Swartz’s death, some lawmakers proposed Aaron’s Law, a Congressional bill that would aim to rein in some of the expansions of the CFAA, but it has languished in Congress.
The CFAA also has a civil portion, which is nearly identical to the criminal section.
It allows anyone to bring a lawsuit.
Ahmed Ghappour, a law professor at San Francisco’s University of California, Hastings, said that the Honda campaign has a strong case. He told Ars:
Under 9th Circuit law, Parvizshahi’s access to the files was arguably “unauthorized” for two reasons.
First, Honda’s termination of Arum Group effectively rescinded any previous grant of permission to Arum Group employees to access the dropbox files.
Second, Arum Group’s termination of Parvizshahi (or his voluntary departure, as may be the case) likely had the effect of rescinding permission to access Arum Group’s client files, past or present.
Professor Ghappour pointed to a notable civil CFAA decision at the 9th Circuit Court of Appeals from 2009, LVRC Holdings v.
In Brekka, the 9th Circuit held that a person uses a computer without authorization “when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” This opens up liability in the post-employment context.
Courts in the Northern District of California have found that the employer doesn’t need to revoke the employee’s access credentials for there to be unauthorized access post termination. Under this interpretation, termination is sufficient to provide notice.
Beyond the civil liability, Parvizshahi could still face criminal prosecution.
“This is a very serious matter, and we would urge the federal authorities to look into it,” Dutta added.