The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

Volokh Conspiracy

The CFAA meets the "cannibal cop" in the Second Circuit—and maybe beyond

|

The Second Circuit held oral argument Tuesday in United States v. Valle, widely known as the "Cannibal Cop" case. There was a ton of media attention about this case at trial, including the trial judge's decision to overturn the jury verdict for conspiracy to commit kidnapping on the ground that it was all a fantasy. HBO has already made a documentary about the case.

Amidst all this attention, the part of Valle that I care about—and that worries me—has flown under the radar. I'm referring to the defendant's appeal from the one count on which Valle was convicted: A violation of the computer hacking statute, the Computer Fraud and Abuse Act. Valle used a law enforcement database for personal reasons when the official policy limited that use to official purposes. Valle was then charged with two counts: first, conspiracy to kidnap women with apparent plans to murder and eat them; and second, violating a computer use policy. Quite the juxtaposition. At trial, the district judge tossed the conspiracy conviction but allowed the CFAA conviction. You can read the opinion here, with the CFAA part beginning at page 105.

As regular readers know, I think the CFAA is not violated in these circumstances. Even some irregular readers may know that, as I have written and advocated this point for years. My writing and advocacy includes a bunch of law review articles on the question (here, here, and here), blogging on it countless times over the years (remember the VC's special terms of service?), and representing Lori Drew when she was charged under the CFAA with violating MySpace's terms of service.

The fact that Valle had to enter in an identifying number and a PIN to access the government database doesn't change the analysis, for reasons I explain in this draft on page 36-37. Valle was fully authorized to access his account, and violating the written restrictions on access doesn't render his authorized access unauthorized any more than federal employees or people with the middle name "Ralph" are violating the CFAA when they visit the Volokh Conspiracy. His CFAA conviction should be overturned.

I said I worry about this case, and here's why. As I see things, a Second Circuit ruling will have to take sides on an already-existing circuit split over the scope of the CFAA. The Eleventh Circuit has taken the view that the CFAA is violated in these circumstances. On the other hand, the en banc Ninth Circuit has taken the view it is not. Other circuits are also potentially part of the split on both sides, depending on how you count them. Either way, the Second Circuit will be deepening the split between at least the Ninth and the Eleventh.

The district court missed the inevitability of taking sides in the circuit split because it misapplied the distinction, from the en banc decision by Judge Kozinski in United States v. Nosal, between access restrictions and use restrictions. Nosal suggested this distinction at the end of the opinion, indicating that circumventing the former is a CFAA crime but violating the latter is not. The trial judge reconciled the cases by reading the computer policy in Valle as a limit on "access" instead of "use," which Nosal said was a proper basis for CFAA liability.

The district court's argument, repeated on appeal in DOJ's brief, is based on a simple misreading of the Nosal en banc decision. Judge Kozinski's opinion pretty clearly clearly meant "use restrictions" to refer to any written restrictions, as they technically allowed access but imposed terms of use. That's what written restrictions—often known as terms of use—do. On the other hand, Kozinski used "access restrictions" to mean code-based restrictions, or in his words, "technological access barriers."

The contrary reading of Kozinski's opinion offered by the district court and DOJ reduces Kozinski's opinion to an absurdity. Kozinski's entire opinion is all about why you can't hinge liability on the mere words of written restrictions. But if you believe that the difference between a use restriction and an access restriction is just how it is written, then Kozinski's opinion hinges liability on exactly the basis for which it purports to reject hinging liability—the mere words of the written restrictions. Nosal makes no sense if you read it as holding that it is legal to violate a written restriction that "you cannot use this computer" but a crime to violate a written restriction that "you cannot access this computer." It's especially bizarre because access and use mean exactly the same thing in the CFAA context. Use of a computer constitutes an access.

The takeaway is that under the Ninth Circuit's Nosal decision, Valle's conduct is legal while under the Eleventh Circuit's Rodriguez decision it is not. The Second Circuit has to pick sides and deepen the existing split either way.

That makes me nervous because it creates the prospect that the "cannibal cop" case might be the first CFAA case to make it to the Supreme Court. The Justices look for splits. The deeper the better. And if you think the defense is right here, as I do, having the Court decide this issue in a case of a guy who dreamt (or more) of kidnapping and eating women is less than ideal.

The defense can use that, to be sure. The outrageous facts help show that the prosecutors really don't care that the defendant violated the terms of use. Prosecutors brought the CFAA count because they were looking for a reason to charge Valle for other things he did.

That dynamic was clear going back to the Lori Drew case. In Drew, the prosecutors didn't really care that Drew was part of a group that violated the written restrictions on MySpace's website. Almost everyone who used MySpace violated those terms, including the founder of MySpace and the young girl who tragically committed suicide. The violation of the written terms was just a hook. Prosecutors were really looking for a way to punish Drew for her assumed role in the suicide. It was just a proxy, and the availability of the proxy shows the overbreadth of the government's theory. So in that sense, the shocking nature of the surrounding facts in a case like Valle only showcases the misuse of the CFAA.

But while that's a defense argument if Valle gets to the Supreme Court, I suspect most judges—and more importantly, most Justices—would have different instincts. The shocking context works against the defense, not in its favor.

So how did the CFAA issues go during Tuesday's argument? We don't know beyond a snippet, as the Second Circuit does not post the audio of its arguments online. Most of the press coverage has covered the conspiracy count instead of the CFAA count. All I could find about the CFAA argument was this brief passage:

Probing [the government's] position, Judge Carney asked the government whether an employee playing Solitaire or using Facebook on the company clock could face federal litigation.
Assistant U.S. Attorney Randall Jackson, who also prosecuted Valle during the trial, dismissed the argument as a "Doomsday scenario."
"You're not obtaining information improperly in that situation," he said.
Zas countered that the Congress created the CFAA to prevent computer hacking and unauthorized "access," not unauthorized "use."
The NYPD already fired Valle based on his unauthorized use of the police database, and the former cop might still face criminal or civil penalties for what he did at the state level, Zas added.

If this report is accurate, the AUSA's suggestion that the CFAA would not be violated in Judge Carney's hypo was just wrong. The CFAA does not require "obtaining information improperly." Section 1030(a)(2) just requires unauthorized access that leads to obtaining information. The legislative history is clear that merely observing or reading information counts as "obtaining" that information. See S. Rep. N. 99-432, at 6 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2484 (noting that "obtaining information" in the statute includes "mere observation of the data"); S. Rep. No. 104-357, at 7 (1996), reprinted at 1996 WL 492169 ("[T]he term 'obtaining information' includes merely reading it.").

Courts have recognized that interpretation, too. As a result, the element of obtaining information "will always be met when an individual using a computer contacts or communicates with an Internet website." United States v. Drew, 259 F.R.D. 449 (C.D.Cal. 2009) (emphasis added).

Importantly, obtaining any information at all is sufficient. That wasn't always the case. In the original version of 1030(a)(2), from the 1980s, the requirement of obtaining information was limited to specific kinds of sensitive financial information obtained from banks. But Congress eliminated those limits in two amendments, as as I have explained in detail. First, in 1996, Congress loosened the requirement so that obtaining any information at all was sufficient as long as it crossed state lines:

The . . . change vastly expanded the scope of § 1030(a)(2), which was originally limited to unauthorized access that obtained financial records from financial institutions, card issuers, or consumer reporting agencies. The 1996 amendments expanded the prohibition dramatically to prohibit unauthorized access that obtained any information of any kind so long as the conduct involved an interstate or foreign communication. Prior legislative history emphasized the tremendous reach of this new amendment by clarifying that obtaining information included simply reading it. Since most forms of unauthorized access will reveal information to read, even if it is only the prompts or graphic interface provided to those with access, the new § 1030(a)(2) effectively criminalized all interstate hacking.

And then in 2008, Congress eliminated the interstate requirement:

[The 2008 amendments] once again expanded the scope of § 1030(a)(2) by removing the requirement of an interstate communication. Under the new § 1030(a)(2)(C), any unauthorized access to any protected computer that retrieves any information of any kind, interstate or intrastate, is punishable by the statute.

Because of the 1996 and 2008 amendments, the requirement of "obtaining information" now applies to effectively all computer use. Going back to Judge Carney's hypothetical, playing solitaire or using Facebook plainly satisfies this element. When you play solitaire, you enter in commands to see cards. You therefore obtain information about your cards from the computer accessed. And when you spend time on Facebook, you're constantly seeing new text, pictures, and videos that you hadn't seen before you logged in. You are "obtaining information" for purposes of the statute.

The only kind of use that wouldn't constitute "obtaining information" would be a purely one-way communication such as sending an e-mail or a denial of service attack. In these limited contexts, the sender normally doesn't get any information back. But that's about it. As the Drew court recognized, the element of obtaining information "will always be met when an individual using a computer contacts or communicates with an Internet website."

Judge Carney's question thus reveals the big problem. Contrary to the AUSA's suggestion, the only actual limit in the statute is unauthorized access. If violating a written restriction on a computer is an unauthorized access, then pretty much everyone is a criminal. That includes me, as I have even testified to Congress about one of my many violations of written restrictions on computers: My Facebook account says I live in Washington, DC, although I actually live in Arlington, VA. I'm pretty sure that all of the AUSAs who prosecuted the Valle case are also criminals under the their theory. For that matter, the judges on the Second Circuit are probably criminals under DOJ's view, too. But surely DOJ would exercise its prosecutorial discretion and not charge us, at least if we all stay in line.