December 3, 2015 | By Jamie Williams

Court: Breaking Your Employer's Computer Policy Isn't a Crime

The United States Court of Appeals for the Second Circuit issued an opinion rejecting the government’s attempt to hold an employee criminally liable under the federal hacking statute—the Computer Fraud and Abuse Act (“CFAA”)—for violating his employer-imposed computer use restrictions. The decision is important because it ensures that employers and website owners don’t have the power to criminalize a broad range of innocuous everyday behaviors, like checking personal email or the score of a baseball game, through simply adopting use restrictions in their corporate policies or terms of use.

The court also ruled that the government cannot hold people criminally liable on the basis of purely fantastical statements they make online—i.e., thoughtcrime.  

The case, United States v. Gilberto Valle, received a lot of attention in the press because it involved the so-called “cannibal cop”—a New York City police officer who was charged with conspiracy to kidnap for posts he wrote on fetish websites about cannibalism. Valle was also charged with violating the CFAA for accessing a police database to look up information about people without a valid law enforcement purpose, in violation of NYPD policy. The jury convicted Valle on all counts, but the trial court reversed the jury’s conspiracy verdict, stating that “the nearly yearlong kidnapping conspiracy alleged by the government is one in which no one was ever kidnapped, no attempted kidnapping ever took place, and no real-world, non-Internet-based steps were ever taken to kidnap anyone.” The trial court ultimately found that holding Valle guilty of conspiracy to kidnap would make him guilty of thoughtcrime. 

But the trial court upheld the CFAA conviction. And on appeal, we filed an amicus brief with the Second Circuit, urging the court to overturn the lower court’s dangerous ruling.  We argued that the lower court’s ruling would make criminals out of millions of innocent individuals, and the Second Circuit agreed—throwing out Mr. Valle's CFAA conviction and joining two other federal circuit courts in rejecting the government’s attempt to expand the reach of the vaguely worded federal statute: “We decline to adopt the prosecution’s construction [of the CFAA], which would criminalize the conduct of millions of ordinary computer users[.]”  The court went on:

While the Government might promise that it would not prosecute an individual for checking Facebook at work, we are not at liberty to take prosecutors at their word in such matters. A court should not uphold a highly problematic interpretation of a statute merely because the Government promises to use it responsibly.

The Second Circuit also upheld the trial court’s decision to throw out the conspiracy conviction, as we had urged in a second amicus brief filed in the case, holding that “[t]he mere indulgence of fantasy, even of the repugnant and unsettling kind here, is not, without more, criminal.”

Thanks again to the Center for Democracy & Technology, the National Association of Criminal Defense Lawyers, and the Internet scholars who joined our CFAA amicus brief, and to UCLA law professor Eugene Volokh of the Scott & Cyan Banister First Amendment Clinic for writing our amicus brief regarding the conspiracy charges.

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

More Internet rules in secret treaties: the good and the bad of data flows and platform safe harbors in TISA.

Oct 24 @ 3:50pm

It's crucial that we pass an open access law before the White House administration changes. #OAWeek

Oct 24 @ 3:22pm

Peru’s unhappy history with surveillance, and how to fix it

Oct 24 @ 1:45pm
JavaScript license information