The “Cannibal Cop” Case: A Study in the Sweep of the Computer Fraud and Abuse Act
On December 3, 2015, a divided panel of the Second Circuit Court of Appeals cleared Gilberto Valle, sensationally dubbed the “Cannibal Cop” by some in the media, of the two charges against him, conspiracy to commit kidnapping and a violation of the Computer Fraud and Abuse Act (CFAA). Although the kidnapping charge is certainly more lurid, the CFAA charge has wider implications for online freedom of speech and action, and highlights a division in the courts between those that interpret the law as making many if not most Internet users into federal criminals, and those that take a narrower view of the CFAA.
According to the court’s opinion, Valle was a New York City police officer with a penchant for spending time late at night in unusual corners of the Internet. Specifically, he was constructing elaborate fantasies with other users on a fetish forum in which they would kidnap, assault, kill, and eat various women with whom Valle was acquainted. These fantasies sometimes included some real information about the women (including their real pictures and at least partial real names) but also false or outlandish information about them or Valle, such as Valle’s claim to have an isolated cabin in the woods with a human-sized oven. The extent to which some of these fantasies might have crossed over into serious agreements or plans was the basis of the kidnapping conspiracy charge.
The CFAA charge was based on a single incident in which Valle allegedly looked up an acquaintance in a law enforcement database to find her address and other personal information. Through the NYPD, Valle had legitimate access to this database, but was only supposed to use it for law enforcement purposes, and he admitted having no valid law enforcement purpose for this search. In CFAA terms, the question was whether this act “exceeded Valle’s authorized access” to the database.
The CFAA was enacted in 1984 to combat the perceived threat of “computer hackers,” and has not been significantly updated since the 1980’s, despite significant and obvious changes in computer technology and the way people use computers. The CFAA imposes criminal penalties for anyone who “intentionally accesses” a protected computer “without authorization or exceeds authorized access” to that computer. (Although the particular branch at issue in the Valle case deals with computers containing federal information, the CFAA also protects essentially any Internet-connected computer.) It is easy to understand the situation where one has no authorization to access a computer; this is the archetype of a phisher or cracker stealing someone’s password or exploiting a security hole to get onto a server they should not be on.
The courts have divided, however, on how to understand the meaning of “exceeds authorized access.” One interpretation is that someone exceeds authorized access if she accesses information to which she is not supposed to have access for any reason. Under this view, which the Second Circuit and some others have adopted, Valle could not be punished because he had authorized access to the information he obtained, even though he should not have accessed it for the purpose he used it for. The other interpretation is that someone exceeds authorized access if he violates the terms of his access to the computer. On this view, which the dissent advocated and some other courts have accepted, Valle was violating NYPD policies and therefore could be convicted on the CFAA charge.
This latter view is problematic when applied to the vast majority of private Internet sites that impose terms on their users. Virtually every website has terms of use or terms of service (TOS), which very few people read and almost everyone but lawyers ignores. If authorized access is spelled out in the TOS, and exceeding authorized access is a federal crime, then any TOS violation could subject an individual to criminal liability. A Gmail user supplying a fake name to open her account, a software developer whose Facebook app stores its users’ information longer than Facebook’s policies permit, a 17-year-old lying about his birthday to access an adult website—all of these could be turned by an enterprising prosecutor into federal charges and perhaps felonies. Even someone checking personal email from her work computer in violation of her employer’s Internet access policy might face charges.
Under the narrower interpretation of “exceeds authorized access,” the CFAA is focused on those who intentionally access material they are not allowed to access. Under the broader interpretation, it becomes an incredibly broad prosecutorial tool; anyone who breaches those long, seldom-read terms of service could be charged if they end up in the cross-hairs of federal authorities for some other reason. Only prosecutorial discretion keeps many people out of federal prison on the broader reading, which creates an opportunity for political, racist, or otherwise unequal enforcement of the law against disfavored groups. In part for this reason, the Second Circuit relied on the “rule of lenity” in construing the CFAA narrowly; essentially, because either reading was plausible, the rule of lenity (applicable only in criminal cases) requires that the narrower interpretation be used.
Ideally, Congress would step in and rewrite the CFAA to focus it on cybersecurity issues that are currently relevant, some of which were unimaginable 30 years ago when the CFAA was enacted. But since Congress can rarely achieve consensus on anything these days, and a rewrite of the CFAA or similar laws would spark different reactions from various technology and business groups, among others, such that any specific proposal would face significant opposition. The Supreme Court could clarify what the statute says as currently written; although the Court has just heard a CFAA case, that one seems tied up in procedural and case-specific issues and seems unlikely to resolve this interpretive difference. Until one of those things happens, the conflicting rulings from federal courts mean that regular Internet users have to muddle along and either take a closer look at the TOS of the websites they visit, or hope they never find themselves on the wrong side of a CFAA indictment.