United States v. Valle: The Second Circuit agrees with the Fourth and Ninth Circuits on the Meaning of “Exceeds Authorized Access” under the CFAA

If an employee used their work computer in a way prohibited by their employer, should that be a federal crime? What if it was a police officer looking up women in a police database?

This issue was recently addressed by the 2nd Circuit Court of Appeals in United States v. Gilberto Valle[1], decided on December 3rd, 2015, also known as the ‘Cannibal Cop’ case.

Valle, a policeman in the NYPD, often used his computer to visit websites dedicated to dark and torturous fetishes, and corresponded with several community members there. As part of those discussions, he’d fantasize about planning to kidnap, rape, torture, kill, and eat women. Valle also used his position in the NYPD to search for women he knew in police databases such as the National Crime Information Center database, further indulging in his fantasies. After his wife found out about his activities, Valle was charged and convicted by a jury on two counts. While the first count, conspiracy through online forum conversations to commit kidnapping, is what gives the case its fame, the second count is just as important: violation of the Computer Fraud and Abuse Act (CFAA)[2] in conducting searches that exceed his authorized access to the police computers. While the district court overturned the conspiracy count, the CFAA count stood, and both were appealed to the 2nd Circuit.

The Computer Fraud and Abuse Act was created to criminalize unauthorized hacking/cracking. The critical section for this case is section (a)(2)(B), which criminalizes conduct by those who: “…intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any department or agency of the United States.”[3] (emphasis added)

While it is clear that Valle was authorized to access the police computers as a police officer, the question of whether he exceeded his authority is much more murky. Under section (e)(6), “the term ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter…”[4] Under a strict reading of this definition, Valle was actually fully authorized to access information on the women in the police databases, however, NYPD policies and ethics forbid using the databases for personal uses. In other words, he was entitled to obtain the information, it’s only the purpose that was unauthorized.

The 2nd Circuit decided that the Rule of Lenity (in criminal cases, ambiguous statutes should be interpreted in a way that helps the defendant), combined with the ambiguity as to whether the statute was intended to apply to unauthorized purposes, required the court to interpret ‘exceeds authorized access’ to not apply to Valle’s searches.[5]

If the court had gone the other way, the use of any company or agency computer for personal use could potentially be a federal crime. Under (a)(2)(C) of the CFAA, accessing a ‘protected computer’ without/exceeding authorized access is also a crime, and since a ‘protected computer’ can be any computer involved in interstate commerce, any company computer with internet access can fall into that category[6]. However, there’s some ambiguity as to how much of a ‘parade of horribles’[7] this would end up being — if only obtaining or altering information located directly on that computer is a violation, then accessing non-work-related websites on work computers might not be a crime. Both the 4th and 9th Circuits, in ruling against the broad interpretation, felt that they would criminalize this conduct, or, at the very least, leave an ambiguous line between accepted personal use and criminal personal uses[8]. In the 9th Circuit’s en banc hearing of United States v. Nosal, the court was specifically concerned with whether employees would have enough notice that their conduct was prohibited and therefore criminal[9]. Judge Kozinski’s opinion specifically mentions that several other circuits have ruled on the broad interpretation by focusing only on the conduct of the accused[10].

While the 2nd Circuit agreed with the 9th Circuit, the court could have found that Valle was on notice – Valle should have known he wasn’t allowed to use the police database to feed his own fetishes. He had to have known that his conduct was not in any sense permitted by the NYPD. The court did not need to attempt to draw the line between accepted personal use and criminal use.

As the stated purpose of the CFAA is to protect against hacking, a limitation on its scope preventing the criminalization of unsatisfied or distracted employees seems reasonable, but this is still a divided area of law.

[1] United States v. Valle, No. 14-2710-CR, 2015 WL 7774548, at *1 (2d Cir. Dec. 3, 2015).

[2] Fraud and related activity in connection with computers, 18 U.S.C. § 1030 (2008).

[3] Id.

[4] Id.

[5] United States v. Valle, No. 14-2710-CR, 2015 WL 7774548, at *13 (2d Cir. Dec. 3, 2015).

[6] 18 U.S.C. § 1030(a)(2).

[7] United States v. Nosal, 676 F.3d 854, 866 (9th Cir. 2012).

[8] WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) ,Nosal, 676 F.3d 854.

[9] Nosal, 676 F.3d 854.

[10] Id. at 862.

Comments are closed.