‘Cannibal cop’ case may set criminal precedent for violating computer use policies – EFF
While courts have conceded that the details of former New York Police Department officer Gilberto Valle’s plots are grisly, a conspiracy charge was overturned last year by a federal judge, who said “the nearly yearlong kidnapping conspiracy alleged by the government is one in which no one was ever kidnapped, no attempted kidnapping ever took place, and no real-world, non-Internet-based steps were ever taken to kidnap anyone.” The court said a conspiracy charge was tantamount to thoughtcrime.
Valle used the NYPD’s federal database to collect information on various women he intended to target. For this offense, he was charged with violating the Computer Fraud and Abuse Act (CFAA) for abusing his position to illegally access the database. Unlike the conspiracy charge, the CFAA violation stuck, as the court interpreted Valle had violated an “access” restriction his employer put on his database use, rather than a “use” restriction.
This week, the Electronic Frontier Foundation (EFF) filed an amicus brief with Second Circuit Court of Appeals to overturn the CFAA charge, saying that a conviction would set a dangerous precedent for any employee who violates employer computer use guidelines.
“The distinction between ‘access’ and ‘use’ restrictions is critical because serious prison time is at stake. Congress clearly intended the CFAA to criminalize the act of breaking into computer systems a person is not allowed to be in otherwise, but violating a use restriction—a (usually written) policy that governs the purposes for which someone can use their access—is clearly not that,” EFF wrote in a blog post.
While condemning Valle’s behavior, EFF -- along with many other groups -- said the former officer did not violate the CFAA. In the words of EFF, “a computer use restriction is not an access restriction simply because it is phrased as such. True access restrictions are code-based, technological barriers to entry, not a contractual agreement about the purposes for which a person will use their access.”
Valle, they said, misused the database but did not, say, break into it to grant himself illegal access. If he is charged with the CFAA violation, it could portend ominous punishment for routine employee computer use while at work.
In November, Valle was sentenced to one year time served, the maximum for a misdemeanor, and one year probation. He also was ordered to continue mental health treatment. Valle had already served 20 months in jail as he awaited trial.