‘Cannibal cop’ case may set criminal precedent for violating computer use policies – EFF

Reuters / Carlos Barria
The case of a New York cop convicted of planning to kidnap and kill women before eating them could mean employees could be held criminally liable under federal law for violating an employer’s computer use policy, the Electronic Frontier Foundation says.

While courts have conceded that the details of former New York Police Department officer Gilberto Valle’s plots are grisly, a conspiracy charge was overturned last year by a federal judge, who said “the nearly yearlong kidnapping conspiracy alleged by the government is one in which no one was ever kidnapped, no attempted kidnapping ever took place, and no real-world, non-Internet-based steps were ever taken to kidnap anyone.” The court said a conspiracy charge was tantamount to thoughtcrime.

Valle used the NYPD’s federal database to collect information on various women he intended to target. For this offense, he was charged with violating the Computer Fraud and Abuse Act (CFAA) for abusing his position to illegally access the database. Unlike the conspiracy charge, the CFAA violation stuck, as the court interpreted Valle had violated an “access” restriction his employer put on his database use, rather than a “use” restriction.

This week, the Electronic Frontier Foundation (EFF) filed an amicus brief with Second Circuit Court of Appeals to overturn the CFAA charge, saying that a conviction would set a dangerous precedent for any employee who violates employer computer use guidelines.

Gilberto Valle (Reuters / Carlo Allegri)

“The distinction between ‘access’ and ‘use’ restrictions is critical because serious prison time is at stake. Congress clearly intended the CFAA to criminalize the act of breaking into computer systems a person is not allowed to be in otherwise, but violating a use restriction—a (usually written) policy that governs the purposes for which someone can use their access—is clearly not that,” EFF wrote in a blog post.

While condemning Valle’s behavior, EFF -- along with many other groups -- said the former officer did not violate the CFAA. In the words of EFF, “a computer use restriction is not an access restriction simply because it is phrased as such. True access restrictions are code-based, technological barriers to entry, not a contractual agreement about the purposes for which a person will use their access.”

READ MORE: Obama proposes cyber law update in wake of Sony hack

Valle, they said, misused the database but did not, say, break into it to grant himself illegal access. If he is charged with the CFAA violation, it could portend ominous punishment for routine employee computer use while at work.

“CFAA liability gives employers and website owners the power to make behavior illegal through simply adopting use restrictions in their corporate policies or terms of use, which in turn criminalizes a broad range of innocuous everyday behaviors—like checking personal email or the score of a baseball game,” EFF wrote.

In November, Valle was sentenced to one year time served, the maximum for a misdemeanor, and one year probation. He also was ordered to continue mental health treatment. Valle had already served 20 months in jail as he awaited trial.