After applauding Judge Paul Gardephe’s bold grant of the Rule 29 motion to Cannibal Cop Gilberto Valle (who shall, in perpetuity, be called “Cannibal Cop,” regardless of anything else), the question was raised whether the good news overshadowed the bad news in the case, that Judge Gardephe upheld his conviction for illegally accessing police computers to check out his fantasy victims.
Count Two alleges a violation of the Computer Fraud and Abuse Act (the “CFAA” or the “Act”). The CFAA, 18 U.S.C. § 1030, imposes criminal liability on anyone who
intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any department or agency of the United States; …
18 U.S.C. § 1030(a)(2)(B). Under the CFAA, ”’exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter[.]” 18 U.S.C. § 1030(e)(6).
EFF’s curmudgeon overlord, Jim Tyre, asked me whether I was concerned about this, given that I failed to make any mention of it at all in my earlier post. Others were, he said, and wondered why I was not.
A very good question, given that there is a deep concern over the use of the CFAA to criminalize the conduct of a person who has authority to access a computer and its databases, but does so in a way or for a purpose that wasn’t intended. Who says what’s intended? What distinguishes the guy who plays a game on a company computer when the boss gave him the password to make money? Aaron Swartz, for crying out loud.
Valle accessed NCIC, the National Crime Information Center database, which is a clearinghouse of “crime data,” from his NYPD computer. Valle argued that since he was authorized to access NCIC, his use of it could not constitute a crime.
According to Valle, Section 1030(a)(2)(B) “only reaches defendants who obtain information, generally by hacking or stealing passwords, that they have no right to access for any purpose.” (Id.) Because Valle was authorized to access and use the OFM pursuant to his duties as an NYPD officer, he argues that he cannot be held criminally liable under Section 1030(a)(2)(B) for his improper query concerning Hartigan.
This, indeed, has been the argument made in limitation of accusations of CFAA charges. Judge Gardephe upheld the conviction based on the plain language of the statute:
Here, Valle’s conduct falls squarely within the plain language of Section 1030(a)(2)(B). Although Valle – as an NYPD officer – was authorized to access the OFM system and thereby perform queries of the associated databases, including the NCIC database, he was not authorized to input a query regarding Hartigan’s name, because he had no valid law enforcement reason to do so. Valle’s conduct fits the definition of “exceeds authorized access”: he “access[ ed] a computer with authorization and … user d] such access to obtain … information in the computer that [he was] … not entitled … to obtain …. ” See 18 U.S.C. § 1030(e)(6).
This, indeed, should give rise to some concern, as this “plain language” is the same shallow interpretation that allows the employer, the database owner, to create a crime for the rest of the world by asserting post hoc how far it allows users to go. Just ask Weev, the hobbit.
So why no rant? When the access is by a government employee to a government computer, to highly regulated private information, subject to express departmental policies that access is available only for legitimate law enforcement purposes, then there is a factual distinction. NCIC and associated law enforcement databases are different, in other words.
Notably, Judge Gardephe’s finding included this language:
…because he had no valid law enforcement reason to do so.
Reliance on the plain language of the CFAA is certainly problematic, as its plain language fails to address the very issue raised by Valle’s defense, as well as raised in the plethora of other CFAA exceeding access cases, and demands a more sophisticated analysis to distinguish between claiming, “well, yeah, he had the password, but we never wanted him to go there,” and what Valle did.
So while the rationale for upholding Valle’s conviction for exceeding access falls short of expectations for a fully conceived justification, the case presented unique circumstances because it involved a police officer accessing databases that are inherently limited to legitimate law enforcement purposes. It’s a factual distinction more than a legal one.
And as reflected in footnote 64, and most (though not all) caselaw cited by the Court, the reliance on previous decisions involved the use of government computers by people for non-governmental purposes. While the line grows increasingly fuzzy as the discussion in the decision goes on, Judge Gardephe ends up here:
What matters is that Valle was not authorized to access the OFM system to perform a query regarding Hartigan’s name because his employer – the NYPD – had restricted his access to the OFM system to circumstances in which he had a valid law enforcement purpose for querying the system and its associated databases.
And when it comes to a government employee accessing a government computer, accessing databases that the government possesses because of its unique authority to obtain information about people under the rubric of law enforcement (putting aside the propriety of the government doing so), it’s different than anyone else.
At least, that’s my argument and I’m sticking to it.