NYPD ‘Cannibal Cop' Computer Fraud Conviction Overturned

The Internet Law Resource Center™ is the complete information solution for practitioners in cyberlaw. Follow the latest developments on ICANN’s gTLD program, keyword advertising, online privacy,...

By Joseph Wright

Dec. 3 — A police officer was wrongfully convicted of federal computer fraud for using job-related access rights to law enforcement databases in order to find personal information about the subjects of his violent sexual fantasies, the U.S. Court of Appeals for the Second Circuit held Dec. 3.

Judge Barrington D. Parker, writing for a 2-1 majority, said legislative history supported the view that the statutory phrase “exceeding authorized access” meant accessing information on a computer without having authorization—not, as the government argued, using authorized access rights for an unauthorized purpose.

The case broadens a circuit split over whether the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2), should be read as a narrow anti-hacking statute or as a broader law that prohibits misuse of information obtained from a computer network by an authorized user.

The broader interpretation is frequently advanced by law enforcement as well as employers, who contend that the CFAA is violated by departing employees who use their computer credentials to access and copy proprietary information for later use in a new job.

The case was a criminal one. However, Peter Toren, a partner with Weisbrod Matteis & Copley PLLC in Washington and a former Justice Department Computer Crimes Unit prosecutor, told Bloomberg BNA Dec. 3 that courts bound by the decision are unlikely to ignore its holding in civil cases.

“Generally courts have applied the rule to civil and criminal cases in the same way,” Toren said.

Toren said he believes the majority interpreted the CFAA correctly.

“At the time [the officer] accessed the database he had authorization to access it, and that's what the statute is all about,” Toren said. “It's not about how you use the materials afterward.”

The CFAA provides several causes of action for taking information or committing fraud during an unauthorized computer access or an access in excess of authorization.

Using Police Database to Further Fantasies

Defendant Gilberto Valle was a New York City Police Department officer who spent an extensive amount of his personal time engaged in online fantasy discussions about aberrant, violent sexual scenarios involving kidnapping, rape and torture. These discussions sometimes involved women he knew personally.

Valle used his credentials to search restricted law enforcement databases for addresses and other information about the subjects of his fantasies. Personal use of the databases violated NYPD rules.

Valle, dubbed the “cannibal cop” in the press after his arrest, was charged with violating the CFAA and with conspiracy to kidnap. He appealed his conviction on the CFAA count.

Legislative History Supports Defendant

The Second Circuit first turned to legislative history after finding that the phrase “exceeds authorized access” was ambiguous as to whether it means the purpose for accessing information or the actual files and databases accesses. After its 1984 passage, Congress amended the CFAA in 1986, substituting “exceeds authorized access” for the prior language, “having accessed a computer with authorization, us[ing] the opportunity such access provides for purposes to which such authorization does not extend.”

The prosecution argued that this language was a mere simplification not meant to change the statute's scope. Valle, though, pointed to language in a Senate Committee Report showing that Congress meant to “remove[ ] from the sweep of the statute one of the murkier grounds of liability” by eliminating the word “purposes” from the CFAA.

The court found the legislative history to be ambiguous, but credited Valle's interpretation. “In explaining the revisions, the Committee understood authorization in spatial terms, namely, an employee going beyond the parameters of his access rights,” the court said.

The legislative history and the existence of a circuit split proved that the provision is ambiguous, the court said. Applying the criminal law's rule of lenity, under which criminal provisions must be interpreted narrowly, the court overturned Valle's CFAA conviction.

Judge Susan L. Carney joined the majority opinion.

Dissent: No Ambiguity

Judge Chester J. Straub dissented, arguing that the plain text of the CFAA prohibits accessing databases in violation of any access restriction, regardless of its nature. Because the text is unambiguous, Straub urged, the CFAA's legislative history and the rule of lenity are irrelevant.

Justin Anderson and Randall Jackson of the U.S. Attorney's Office in New York represented the U.S. Edward Zas of the Federal Defenders of New York Inc. in New York represented Valle.

To contact the reporter on this story: Joseph Wright in Washington at jwright@bna.com

To contact the editor responsible for this story: Thomas O'Toole at totoole@bna.com

Full text at http://www.bloomberglaw.com/public/document/United_States_of_America_v_Valle_Valle_Docket_No_1404396_2d_Cir_N

The dissent can be found at http://www.bloomberglaw.com/public/document/United_States_of_America_v_Valle_Valle_Docket_No_1404396_2d_Cir_N/1