The Communications Fraud and Abuse Act is a federal statute designed to crack down on computer and data misuse. It provides criminal and civil penalties for people who obtain computer data improperly. But one portion of the CFAA has caused a lot of head scratching since its adoption. And a recent criminal case involving the “Cannibal Cop” illustrates the point.
A New York City Police Detective named Gilberto Valle developed an interest in violent sexual fantasies. He eventually found kindred spirits online and became a regular participant in online discussion groups talking about fantasies that involved kidnapping, rape torture and cannibalism. Occasionally Valle’s discussions centered on women he knew personally.
Valle was indicted on a number of charges, including conspiracy to commit kidnapping. Among Valle’s defenses was that his discussions were nothing more than fantasy, and he was being prosecuted for his thoughts, not his actions. HBO produced a documentary on Valle’s case entitled “Thought Crimes.”
But Valle was also charged with a criminal violation of the CFAA, which implicated more than just thoughts. Under the CFAA count, Valle was accused of accessing law enforcement data bases to get information on some of the women who were the subject of his fantasies. The trial court convicted Valle under that count. Valle appealed. And that is where the conundrum came into play.
The CFAA applies to anyone who “intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains information.” Almost since the CFAA’s adoption, courts have split over what “exceeds authorized access” means. Very simply, the question is whether a person who is authorized to access the data in the first instance “exceeds” that authorization if he misuses the data once he gets his hands on it. The question was critical to Valle, because he was authorized to access the data, in the sense that he did not have to hack in to get it. He was convicted based solely on what he did with the data after he got it.
Courts that have taken a narrow view of the CFAA have found liability only if the defendant in some way hacked in to the data. That could mean accessing a system in which the person lacked authorization or accessing a system with authorization but then entering a data base that is off limits. But for these courts, misuse of data properly acquired does not violate the CFAA.
Courts taking a broader view have found that misuse of the data “exceeds authorized access.”
Based on its reversal of Valle’s conviction, The Second Circuit Court of Appeals lines up with the narrow interpretation group. In its view, both sides of the debate have a point, but its duty is to interpret criminal statutes strictly. So if the conduct is not clearly prohibited by the statute, the court can’t convict. On that basis the appellate court overturned Valle’s CFAA conviction.
Congress could clear up this conundrum by amending the CFAA. But for now, one Cannibal Cop is happy with the ambiguity.