The US legal system took a step towards criminalizing thought when a New York court convicted a former NYPD officer of conspiring to kidnap, rape, kill and eat 100 women. The evidence against Gilberto Valle included chat logs and internet searches.
The details uncovered were nightmarish. But at the end of it all, it only amounted to Valle giving his very vivid imagination a long leash. On appeal, the court overturned the conspiracy charges, stating that Valle’s “conspiracy” was little more than thoughtcrime, something the legal system isn’t* in the business of punishing. (And yet, “conspiracy” remains a valid criminal charge — one used extensively by the FBI to bag its handcrafted “terrorists.” Go figure.)
But the court left one charge on the table: a CFAA violation. During the course of Valle’s fantasizing, he used police databases to look up information on one of his “victims.” This, of course, is an egregious abuse of his position and access, but it is not — as the EFF argues — a CFAA violation.
Despite acquitting Valle on the conspiracy charge, the court upheld the CFAA conviction, believing that the restrictions placed on Valle concerning the database—which permitted him to access any part of the database as long as it was for a valid law enforcement purpose—was an access restriction, not a use restriction, simply because of the way the restriction was phrased. The distinction between “access” and “use” restrictions is critical because serious prison time is at stake. Congress clearly intended the CFAA to criminalize the act of breaking into computer systems a person is not allowed to be in otherwise, but violating a use restriction—a (usually written) policy that governs the purposes for which someone can use their access—is clearly not that.
The EFF has filed an amicus brief in Valle’s case (now before the Second Circuit Court), arguing for this charge to be overturned as well. In it, the EFF points out that Valle’s unauthorized access didn’t involve him actually breaking into the NYPD’s computers — a key element of CFAA charges. Instead, he already had access. He just didn’t have permission to do what he did.
So, while Valle’s abuse of his access was certainly immoral, possibly illegal under a New York state law, and a clear violation of NYPD policy, it was not the sort of circumvention Congress had in mind when it crafted the bill. There should definitely be consequences for this activity (including Valle being subject to civil rights lawsuits from the violated party[ies]), but there definitely should not be a finding that violating an internal use policy is a federal crime.
As it stands now, the decision reached by the lower court poses a serious threat to nearly anyone with access to computers/networks provided by their employers.
It’s the worst cases — ones with less-than-sympathetic defendants — that result in the worst precedents. Valle’s extended, detailed cannibalistic fantasies are hard to defend, even knowing that he never followed through with the lurid plans he dreamed up. Free speech is toughest to defend when it’s composed of brutal and depraved fantasies that include any number of hideous criminal acts. But the lower court saw it for what it was: thoughts, not deeds.
Now, there’s one detail left, but it’s hardly a minor one. The remaining charge — if left standing — seriously lowers the bar for criminal charges under the CFAA, a law that is already severely flawed. And so, the EFF joins the battle on behalf of a former NYPD officer who abused his position to further his violent fantasies in hopes of protecting far-more-centered members of the general public from abuse at the hands of a broken law.