Yottabytes: Storage and Disaster Recovery

Dec 20 2015   7:51PM GMT

Oh, Go On, Use That Work Database for Anything You Want, Court Rules

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

Tags:
Database
privacy
Security

A U.S. appellate court has recently ruled that violating rules about the use of databases at work isn’t subject to criminal penalties, which opens the potential for all sorts of interesting possibilities.

Of course, just this particular case was interesting enough: A police officer who used a police department database to look up information about women he wanted to kill, cook, and eat.

“Former New York City Police Officer Gilberto Valle was found guilty at trial in March 2013 of conspiring to kidnap women and illegally accessing a police database to collect information on potential victims,” writes Joseph Ax for Reuters. But the 2nd U.S. Circuit Court of Appeals in New York vacated his conviction for using the database, “finding that federal law does not prohibit individuals from accessing a computer they are normally authorized to use, even if they do so for an improper purpose,” he continues.

“As an NYPD officer, Valle had access to the Omnixx Force Mobile (“OFM”), a computer program that allows officers to search various restricted databases, including the federal National Crime Information Center database, which contain sensitive information about individuals such as home addresses and dates of birth,” the court writes. “It is undisputed that the NYPD’s policy, known to Valle, was that these databases could only be accessed in the course of an officer’s official duties and that accessing them for personal use violated Department rules.  In May 2012, he accessed the OFM and searched for Maureen Hartigan, a woman he had known since high school and had discussed kidnapping with Aly Khan.    This access with no law enforcement purpose is the basis for the CFAA charge.”

Prosecutors also used Valle’s illicit research in the database as evidence that he was actually planning to carry out some of his fantasies, for which he was also charged and which the appellate court also threw out because they felt he was simply expressing fantasies. “Valle was not accused of harming any women,” Ax writes. “Instead, prosecutors said he discussed with other online enthusiasts his intention to abduct, torture, cook and eat women.”

Not men, though, because, you know, that would be weird.

The computer charge hinged on the Computer Fraud and Abuse Act (CFAA), and the court reversed the conviction because it was concerned that upholding it would give the government too much power, writes Justin William Moyer in the Washington Post. “While the Government might promise that it would not prosecute an individual for checking Facebook at work, we are not at liberty to take prosecutors at their word in such matters,” he quotes from the opinion. “A court should not uphold a highly problematic interpretation of a statute merely because the Government promises to use it responsibly.”

The problem with the prosecutor’s initial argument, writes Orin Kerr for the Volokh Conspiracy, is that various parts of the law and other courts had used the CFAA to make largely artificial distinctions between the notion of illegal “access” vs. illegal “use” – which, taken to their logical extreme, could make playing Freecell or using Facebook on a work computer a criminal offense. “Playing solitaire or using Facebook plainly satisfies this element,” he writes. “When you play solitaire, you enter in commands to see cards. You therefore obtain information about your cards from the computer accessed. And when you spend time on Facebook, you’re constantly seeing new text, pictures, and videos that you hadn’t seen before you logged in. You are ‘obtaining information’ for purposes of the statute.”

Valle did have access to the National Crime Information Center database in the normal course of his job, and the way the CFAA is written, he could only be charged under it if he was gaining access to information he was not entitled to in any way, writes the Electronic Frontier Foundation in its amicus curiae on the case. (If you’re just dying to read the argument yourself, it’s pages 28-38 in the court’s ruling, and 24-34 in the dissent.)

Consequently, Kerr didn’t feel that Valle was guilty under that charge. “If violating a written restriction on a computer is an unauthorized access, then pretty much everyone is a criminal,” he writes. “That includes me, as I have even testified to Congress about one of my many violations of written restrictions on computers: My Facebook account says I live in Washington, DC, although I actually live in Arlington, VA.”

On the other hand, one wonders, what sorts of shenanigans with work computers are now considered legal due to this ruling? Are there people (other than the mom who created a fake MySpace account for the purposes of harassing one of her daughter’s classmates) who have been charged under this who should now go free? Is there any activity with a work computer that can now be considered criminal, or is it at this point on only a matter of workplace discipline?

Ultimately, the case could go to the Supreme Court, writes Noah Feldman, a professor of law at Harvard University and a columnist for Bloomberg View. “This issue has split the federal courts of appeal, with four adopting the government’s view, and now three saying that under the rule of lenity, an ambiguous criminal statute ought to be read restrictively and in favor of the defendant,” he writes. “The 2nd Circuit’s worry is that a broad reading of the statute turns every violation of an employer’s computer rules into a violation of federal law. That would certainly be an overreading of the statute, not to mention bad policy. The split means the Supreme Court should resolve this issue — possibly even in an appeal in this case.” It also seems likely that the CFAA should be modified to be more clear.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: