from the still-nutty dept
The CFAA, again, is the Computer Fraud and Abuse Act, which is supposed to be used against people who hack into others computers. But, as we've covered a whole bunch of times here on Techdirt, these days it's often used to pile on against anyone who does something prosecutors don't like... like using a computer. And that seemed to be the case here. Thankfully, however, the appeals court for the Second Circuit has rejected that argument and cleared Valle of the CFAA violation (it also said that his fantasizing isn't a crime either).
As per usual in CFAA cases, the issue in this case was over the definition of "exceeds authorized access." Prosecutors keep trying to make this mean "does something on a computer that goes against a terms of service or terms of employment." But that super broad definition isn't just dangerous, it basically makes almost everyone a criminal. Thankfully, the court recognized this, though it admits that part of that is just because the law is too ambiguous to make a call. It even looks at the legislative history and notes that it could support either argument, but it needs to be more before allowing the CFAA to be used that way:
At the end of the day, we find support in the legislative history for both Valle’s and the Government’s construction of the statute. But because our review involves a criminal statute, some support is not enough. Where, as here, ordinary tools of legislative construction fail to establish that the Government’s position is unambiguously correct, we are required by the rule of lenity to adopt the interpretation that favors the defendant.And it notes, in agreeing with a few other key CFAA rulings, that adopting a broader construction of the law could have an "effect on millions of ordinary citizens caused by the statute's unitary definition of 'exceeds authorized access'" (which is quoting the key Nosal decision that rejected a broad definition under the CFAA). Indeed, the court recognizes that even if Valle seems like a particularly terrible person, it must be aware that its decision will impact many others:
Whatever the apparent merits of imposing criminal liability may seem to be in this case, we must construe the statute knowing that our interpretation of “exceeds authorized access” will govern many other situations.... It is precisely for this reason that the rule of lenity requires that Congress, not the courts or the prosecutors, must decide whether conduct is criminal. We, on the other hand, are obligated to “construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals.”... While the Government might promise that it would not prosecute an individual for checking Facebook at work, we are not at liberty to take prosecutors at their word in such matters. A court should not uphold a highly problematic interpretation of a statute merely because the Government promises to use it responsibly....There is a dissent from Judge Chester Straub, in which he argues that there is no actual ambiguity in the law, and if you violate what your employer says you can do with our computer, well, then you might just be a felon:
In reaching this result, the majority discovers ambiguity in the statutory language where there is none. Under the plain language of the statute, Valle exceeded his authorized access to a federal database in violation of the CFAA.And, Judge Straub says, if that means that just about everyone is a criminal, well, that's a problem for Congress to solve:
The majority opinion, apparently without irony, concludes that giving effect to the plain language of the statute would somehow “place us in the position of [the] legislature.” ... But where, as here, the statute’s language is plain and unambiguous, the “sole function of the courts is to enforce it according to its terms.” ... It may well be that the CFAA sweeps broadly. But such is a matter for policy debate... and the Congress is free to amend the statute if it choosesThankfully, his opinion on this did not become the majority opinion.