Ugly facts often make bad law. But it's important to not let opinions about the specific defendants that appear in court influence how the law will be applied to millions of other individuals. That’s why today, EFF filed an amicus brief urging the Second Circuit Court of Appeals to overturn a dangerous decision that would make employees criminally liable under the Computer Fraud and Abuse Act (“CFAA”) for violating an employer’s computer use restriction.
The case, United States v. Gilberto Valle, has already received a lot of attention in the press, as it involves the so-called “cannibal cop,” a New York City police officer who was charged with conspiracy to kidnap as a result of his participation in chat rooms on fantasy role-playing fetish websites involving cannibalism. Given the unfortunate facts and sensational headlines, many people did not realize that Valle was also charged with violating the CFAA for accessing a police database to look up information about people without a valid law enforcement purpose, in violation of NYPD policy. The jury convicted Valle on all counts, but the trial court reversed the jury's conspiracy verdict, stating that “the nearly yearlong kidnapping conspiracy alleged by the government is one in which no one was ever kidnapped, no attempted kidnapping ever took place, and no real-world, non-Internet-based steps were ever taken to kidnap anyone.” It ultimately believed that finding Valle guilty of conspiracy would make him guilty of thoughtcrime (and we’ll have more to say about that soon).
Despite acquitting Valle on the conspiracy charge, the court upheld the CFAA conviction, believing that the restrictions placed on Valle concerning the database—which permitted him to access any part of the database as long as it was for a valid law enforcement purpose—was an access restriction, not a use restriction, simply because of the way the restriction was phrased. The distinction between "access" and "use" restrictions is critical because serious prison time is at stake. Congress clearly intended the CFAA to criminalize the act of breaking into computer systems a person is not allowed to be in otherwise, but violating a use restriction—a (usually written) policy that governs the purposes for which someone can use their access—is clearly not that.
Now with Valle's case before the Second Circuit, we filed an amicus brief, joined by the Center for Democracy & Technology, National Association of Criminal Defense Lawyers and a number of Internet scholars and professors, arguing that Valle did not violate the CFAA. Our brief explains that although the restriction was phrased in terms of “access”—according to NYPD policy, the database could be accessed only “in the course of [an officer’s] official duties and responsibilities”—a computer use restriction is not an access restriction simply because it is phrased as such. True access restrictions are code-based, technological barriers to entry, not a contractual agreement about the purposes for which a person will use their access. Although Valle’s actions may have been valid grounds for discipline or even termination from the NYPD, a violation of an employer’s computer use policy is not a CFAA violation—even if the employer is a police department. The district court’s conclusion to the contrary is at odds with many other court decisions that have found that violating a computer use restriction is not a CFAA violation, including the Ninth Circuit Court of Appeals’ decision in United States v. Nosal, another CFAA case where we’ve filed multiple amicus briefs.