2nd Circuit ‘cannibal cop’ opinion deepens appellate rift on anti-hacking law

December 3, 2015

 A divided panel of the 2nd U.S. Circuit Court of Appeals reversed the conviction of New York’s infamous “cannibal cop,” Gilberto Valle, on Thursday. The decision is full of the lurid details of the case, describing online exchanges in which Valle, a New York City police officer, and other participants in the Dark Fetish Network plotted to kidnap, murder and cook real women Valle knew, including his own wife. The appeals court concluded that as shocking and horrific as Valle’s posts were, they were sexual fantasies, not actual kidnapping schemes. “Fantasizing about committing a crime, even a crime of violence against a real person whom you know, is not a crime,” wrote Judge Barrington Parker, who was joined by Judge Susan Carney.

If the cannibal cop case outlives its tabloid headlines, however, it will be for a more technical (and far, far less sensational) holding in Thursday’s opinion. The 2nd Circuit majority also found Valle could not be convicted under the Computer Fraud and Abuse Act (CFAA) for using law enforcement databases to look up information about his purported kidnapping targets. That conclusion aligned with the 9th Circuit’s 2012 en banc holding in U.S. v. Nosal and the 4th Circuit’s 2012 decision in WEC Carolina Energy v. Miller, but deepened the split between those rulings and older decisions by the 1st, 5th, 7th and 11th Circuits. The 2nd Circuit described these differing interpretations of the CFAA as a “sharp division” among the circuits.

The split stems from CFAA language that says a person may be charged with a crime if he or she “intentionally accesses a computer without authorization or exceeds authorized access.” The courts have had no trouble applying the law in cases against outside hackers who break into a computer system. But defining “authorized access” for employees is a tougher call. Employees are obviously authorized to access their employers’ computer systems. Defining the limits of “authorized access” is, as the 2nd Circuit said in the Valle opinion, “a question six other circuits have wrestled with.”

The first four circuits to answer the question all sided with the government, holding that insiders can be prosecuted for violating restrictions on their use of employers’ computers. The 9th Circuit’s en banc ruling in Nosal broke the trend. In that opinion, Judge Alex Kozinski said the CFAA’s “exceeds authorized access” phrase must be interpreted as a limitation of access, not a limitation of use. In other words, employees cannot be prosecuted for violating their employers’ restrictions on computer usage.

To hold otherwise, Judge Kozinski said, would be to “transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved,” he wrote. “Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And Sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their Sudoku skills behind bars.”

A few months later in its WEC opinion, a 4th Circuit panel quibbled with some aspects of the 9th Circuit’s Nosal reasoning, but similarly concluded (albeit in a civil case) that CFAA’s probation on “authorized access” applies only “when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.”

In Thursday’s Valle opinion, Judges Parker and Carney said the CFAA’s language is vague enough to justify both the expansive and restrictive interpretations of the law. But under the rule of lenity, the majority said, doubts must be resolved in favor of defendants. In this case, the 2nd Circuit said, the government could not show that its broad reading of criminal liability under the CFAA was unambiguously correct, so the narrower interpretation must apply.

The opinion cited the same overcriminalization fears as the Nosal and WEC decisions. “While the government might promise that it would not prosecute an individual for checking Facebook at work,” the 2nd Circuit said, “we are not at liberty to take prosecutors at their word in such matters. A court should not uphold a highly problematic interpretation of a statute merely because the government promises to use it responsibly.”

In a dissent based on the pre-Nosal appellate rulings from the 1st, 5th, 7th and 11th Circuits, 2nd Circuit Judge Chester Straub said his fellow panel members had discovered “ambiguity in the statutory language where there is none. Under the plain language of the statute, Valle exceeded his authorized access to a federal database in violation of the CFAA.”

So will the Justice Department ask the U.S. Supreme Court to resolve the split among the circuits on the proper interpretation of the CFAA? A spokesperson for Manhattan U.S. Attorney Preet Bharara did not immediately respond to a Reuters request for comment. But Jamie Lee Williams of the Electronic Frontier Foundation, which appeared as an amicus for Valle, said the government may be wary because the three most recent circuit decisions have gone against prosecutors.

“The government might see the tides are changing,” she said. Right now, prosecutors still have broad discretion to charge people under the CFAA in all but three federal circuits, Williams said, and the Justice Department may decide not to put that power at risk at the Supreme Court.

If the issue does go to the justices, Williams said, the 2nd Circuit’s reliance on the rule of lenity will be significant. “The rule of lenity is a foundational principle,” she said. “When a criminal statute is so vague, it’s unconstitutional.”

No comments so far

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/