After applauding Judge Paul Gardephe’s bold grant of the Rule 29 motion to Cannibal Cop Gilberto Valle (who shall, in perpetuity, be called “Cannibal Cop,” regardless of anything else), the question was raised whether the good news overshadowed the bad news in the case, that Judge Gardephe upheld his conviction for illegally accessing police computers to check out his fantasy victims.
Count Two alleges a violation of the Computer Fraud and Abuse Act (the “CFAA” or the “Act”). The CFAA, 18 U.S.C. § 1030, imposes criminal liability on anyone who
intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any department or agency of the United States; …
18 U.S.C. § 1030(a)(2)(B). Under the CFAA, ”’exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter[.]” 18 U.S.C. § 1030(e)(6).
EFF’s curmudgeon overlord, Jim Tyre, asked me whether I was concerned about this, given that I failed to make any mention of it at all in my earlier post. Others were, he said, and wondered why I was not.
A very good question, given that there is a deep concern over the use of the CFAA to criminalize the conduct of a person who has authority to access a computer and its databases, but does so in a way or for a purpose that wasn’t intended. Who says what’s intended? What distinguishes the guy who plays a game on a company computer when the boss gave him the password to make money? Aaron Swartz, for crying out loud.
Valle accessed NCIC, the National Crime Information Center database, which is a clearinghouse of “crime data,” from his NYPD computer. Valle argued that since he was authorized to access NCIC, his use of it could not constitute a crime.
According to Valle, Section 1030(a)(2)(B) “only reaches defendants who obtain information, generally by hacking or stealing passwords, that they have no right to access for any purpose.” (Id.) Because Valle was authorized to access and use the OFM pursuant to his duties as an NYPD officer, he argues that he cannot be held criminally liable under Section 1030(a)(2)(B) for his improper query concerning Hartigan.
This, indeed, has been the argument made in limitation of accusations of CFAA charges. Judge Gardephe upheld the conviction based on the plain language of the statute:
Here, Valle’s conduct falls squarely within the plain language of Section 1030(a)(2)(B). Although Valle – as an NYPD officer – was authorized to access the OFM system and thereby perform queries of the associated databases, including the NCIC database, he was not authorized to input a query regarding Hartigan’s name, because he had no valid law enforcement reason to do so. Valle’s conduct fits the definition of “exceeds authorized access”: he “access[ ed] a computer with authorization and … user d] such access to obtain … information in the computer that [he was] … not entitled … to obtain …. ” See 18 U.S.C. § 1030(e)(6).
This, indeed, should give rise to some concern, as this “plain language” is the same shallow interpretation that allows the employer, the database owner, to create a crime for the rest of the world by asserting post hoc how far it allows users to go. Just ask Weev, the hobbit.
So why no rant? When the access is by a government employee to a government computer, to highly regulated private information, subject to express departmental policies that access is available only for legitimate law enforcement purposes, then there is a factual distinction. NCIC and associated law enforcement databases are different, in other words.
Notably, Judge Gardephe’s finding included this language:
…because he had no valid law enforcement reason to do so.
Reliance on the plain language of the CFAA is certainly problematic, as its plain language fails to address the very issue raised by Valle’s defense, as well as raised in the plethora of other CFAA exceeding access cases, and demands a more sophisticated analysis to distinguish between claiming, “well, yeah, he had the password, but we never wanted him to go there,” and what Valle did.
So while the rationale for upholding Valle’s conviction for exceeding access falls short of expectations for a fully conceived justification, the case presented unique circumstances because it involved a police officer accessing databases that are inherently limited to legitimate law enforcement purposes. It’s a factual distinction more than a legal one.
And as reflected in footnote 64, and most (though not all) caselaw cited by the Court, the reliance on previous decisions involved the use of government computers by people for non-governmental purposes. While the line grows increasingly fuzzy as the discussion in the decision goes on, Judge Gardephe ends up here:
What matters is that Valle was not authorized to access the OFM system to perform a query regarding Hartigan’s name because his employer – the NYPD – had restricted his access to the OFM system to circumstances in which he had a valid law enforcement purpose for querying the system and its associated databases.
And when it comes to a government employee accessing a government computer, accessing databases that the government possesses because of its unique authority to obtain information about people under the rubric of law enforcement (putting aside the propriety of the government doing so), it’s different than anyone else.
At least, that’s my argument and I’m sticking to it.
I don’t know if it matters, but I have the certification needed to access NCIC/FCIC (to work on computers that have it; I don’t myself have access to it) and that requires a training course and a signature that you won’t exceed authorized access. So he certainly had full knowledge of what his access was limited to and that there were criminal consequences for exceeding it.
It matters enormously, and it provides a huge distinction between using a cop computer and non-governmental computer users. This is a critical distinction.
We had to go through recurring certification to maintain authorization to access TCIC/NCIC information.
Included in that were warnings against running people without a legitimate LE purpose. Every officer has to get the certification or they can’t access the databases. He knew.
There are so many cases where AUSAs overcharge or misuse CFAA to levy charges that are crazy, it taints charges like this one that are clear violations of the statute in ways everyone understands to be violations (instead of EULA breaches elevated to crimes).
I never quite understood how Swartz became a cause celebre, since he did a lot of things that one might say evidenced cognizance of guilt. One might rationally argue that things he did ought not be illegal, but it was hard to argue that he had not violated the law, even the CFAA without the AUSAs involved torturing the CFAA to get there. Of course, his eventual suicide is tragic, butb
I am not sure it is fair to hold the AUSAs accountable for an unstable defendant (i.e., lots of people would be willing to feign mental illness or instability to avoid charges).
No, no, no. This will not turn into a thread about Swartz. This is absolutely not about Swartz. No. I hope I haven’t been unclear.
Given our exchange in the Hobby Lobby thread, Scott, I was kind of hoping for a, “Because the CFAA isn’t my ism,” response! 🙂
Cross pollinating threads is frowned upon. Otherwise, I would be smiling at your witty comment.
You should totally add that anti-cross-pollination rule to the comments rule paragraph. My bad.
I will totally take it under advisement.
Dude, thanks, bro.
Abide.
Jez, you can get in trouble now for checking out the menu!
According to Jonathan Turley, only if its Haggis
Turley has childhood haggis issues: