
Court: Breaking Your Employer's Computer Policy Isn't a Crime - kjstevo
https://www.eff.org/deeplinks/2015/12/federal-court-appeals-rejects-notion-violating-your-employers-computer-use
======
dkbrk
> A court should not uphold a highly problematic interpretation of a statute
> merely because the Government promises to use it responsibly.

This. Whether a law is just needs to be considered in light of its worst-case
abuse potential, not just on the basis of how it is currently being applied.
It is a great advantage of the common law system that over-broad,
ill-specified or otherwise broken laws can be remedied through precedent, however
the responsibility still lies with the government to make laws that are
well-considered, based on sound principles and not overly broad.

~~~
purpled_haze
Could you extrapolate from that though that:

1\. Since the first amendment allows the free exercise of religion, prayer
must be allowed in schools as long as no specific religion is established via
those prayers?

2\. Since the second amendment allows the right to keep and bear arms, without
further amendment, that right should be unrestricted by any registration
process considered onerous or restrictive?

~~~
samman
2a. "...well-regulated..."

~~~
lackbeard
At the time when it was written, "well-regulated" did not mean lots of
oversight by the government. It meant something closer to "properly
functioning". I.e.: armed and trained sufficiently.

~~~
ceejayoz
Well, we've got the armed part down.

------
Illniyar
"Valle was also charged with violating the CFAA for accessing a police
database to look up information about people without a valid law enforcement
purpose, in violation of NYPD policy."

I find it odd that the prosecutors decided to go with a computer fraud charge
for this crime. Aren't there any laws that would prohibit this action
regardless of method used? If he chose to look up paper files on unrelated
people, would he be immune to prosecution?

~~~
pbhjpbhj
I thought the CFAA, like the UK equivalent Computer Misuse Act 1990, governed
unauthorised access to computer systems and data. Seems appropriate to me.

Paper files would probably be locked up - the equivalent prosecution would
then be something like trespass, breaking and entering, or what have you.

If you have access to data for operational purposes then access outside of
operational needs is just unauthorised access which on computer systems is an
offence in itself because physical access is already historically covered
under various laws.

~~~
AnthonyMouse
> Paper files would probably be locked up - the equivalent prosecution would
> then be something like trespass, breaking and entering, or what have you.

You're making the right analogy but then the analogous thing has the same
problem. The bad thing isn't trespassing, the bad thing is misusing police
records. Trespassing or B&E doesn't fit at all, because he is legitimately
allowed to be there (which is what that crime prohibits) and even to have that
information, but isn't allowed to use the information for that purpose, which
is something else entirely.

The penalty for trespassing is also the wrong one because misusing police
records is worse than trespassing. So if trespassing is the worst you can
charge then you end up either having to make the penalty for trespassing far
too severe for most other instances of trespassing, or the effective penalty
for misusing police records would be too lenient.

Which is why we need laws against specific things with penalties appropriate
to the crime, rather than one overly broad law with severe penalties that
effectively says don't do anything you aren't supposed to do.

~~~
forgotpwtomain
> You're making the right analogy but then the analogous thing has the same
> problem. The bad thing isn't trespassing, the bad thing is misusing police
> records. Trespassing or B&E doesn't fit at all, because he is legitimately
> allowed to be there (which is what that crime prohibits) and even to have
> that information, but isn't allowed to use the information for that purpose,
> which is something else entirely.

Exactly - though in most cases being fired from your position would be
appropriate and the end of the story (unless there were actual people who
were harmed or material damages involved). In particular I think the
comments/judgements regarding this issue are subconsciously harsher due to the
subject matter.

------
ubercow
> The court also ruled that the government cannot hold people criminally
> liable on the basis of purely fantastical statements they make online—i.e.,
> thoughtcrime.

I think this is the bigger news here.

------
SeanDav
I almost think the entire EFF should receive the civilian equivalent of the
Congressional Medal of Honor. Amazing work and gratz to all those involved!

~~~
DINKDINK
Vote with your wallet, make a donation!

------
golergka
For the people who skipped the article and assumed that the case was about
some stupid office policy:

> Valle was also charged with violating the CFAA for accessing a police
> database to look up information about people without a valid law enforcement
> purpose, in violation of NYPD policy.

This is not a typical "employer policy". This is a policy about access to
sensitive private data that is only available to the government. Wouldn't you
want improper access to such data punished?

~~~
gvb
He was apparently fired for violating his terms of employment, so he was
punished, but not _criminally_ punished. While I am very disturbed that a
major restraint (the threat of _criminal_ prosecution) has been taken off the
table for abuse of sensitive private government data, I'm happy that it has
been taken off the table for me as well, as a non-government employee that
only has access to sensitive _company_ private data.

Quote from the appeals court ruling: "Valle concedes that he violated the
terms of his employment by putting his authorized computer access to personal
use..."

Ref: <http://arstechnica.com/tech-policy/2015/12/repugnant-online-discussions-are-not-illegal-thoughtcrime-court-rules/>

------
pilif
In general, that's probably the right decision. But I also think that using
police records for personal purposes is different from browsing Facebook at
work.

One only damages the employer slightly, the other has huge potential issues
against society at large. The CFAA is not the correct solution for this issue,
but none the less, I think such behavior should be a criminal matter.

~~~
walshemj
It's gross misconduct and in the UK malfeasance in office (surely there is an
equivalent law in the USA).

And doesn't the US equivalent of the Official Secrets Act apply to all police
officers?

~~~
extra88
Doesn't the UK Official Secrets Act apply to matters of national security? The
closest U.S. equivalent is the Espionage Act of 1917. Records from a city's
criminal database are not national security secrets.

~~~
walshemj
The OS Act applies to a lot of things, all List X organisations for example, and
in the UK all police answer to the Home Secretary.

All police and civilian police workers are vetted and access to Police
databases etc is covered by the OS act.

Even access to say BT's databases that track phone numbers and circuits is
covered.

------
ss64
Still down, here's a cached version:
http://webcache.googleusercontent.com/search?q=cache:Bj2aVsY9v94J:https://www.eff.org/deeplinks/2015/12/federal-court-appeals-rejects-notion-violating-your-employers-computer-use+&cd=1&hl=en&ct=clnk&gl=uk

~~~
aluhut
Thanks.

------
r0m4n0
I'm not a lawyer by any means but in CA I'm completely aware of an employer
clause in subsection H of 502c that obviously excludes these acts performed
within the scope of employment, as long as there wasn't real damage as an
outcome. I don't have a copy of the CFAA but I'm assuming it does as well.
Interesting that there was dissent to begin with...

http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&group=00001-01000&file=484-502.9

------
sixtypoundhound
This is an awesome piece of work - massive kudos to the EFF!

In true authoritarian tradition, the establishment took an unsympathetic
example (on the surface, this defendant is a hard one to explain to the common
person) and used it to push through some scary interpretations into case law
that would affect a much broader (and more mainstream) group.

------
aluhut
Mh I'm getting a 403 from Germany for the whole domain.
downforeveryoneorjustme says it's up. Could someone paste the content for me?

~~~
fenomas
Same for me, and it worked fine maybe an hour ago. Server issue it seems.

~~~
QuantumCookie
Probably: working now from Germany

------
mcherm
The topic is interesting, but I would rather read an intelligent synopsis with
comments on the implications than try to read the court opinion on my own
without any input from those properly trained in the law.

(Linking to the actual decision IN ADDITION to some expert analysis would be a
great idea.)

~~~
sageabilly
Good point, here's the Gizmodo article about it:
http://gizmodo.com/court-rules-that-breaking-your-employers-computer-polic-1746133150

In short: _The United States Court of Appeals for the Second Circuit issued an
opinion rejecting the government’s attempt to hold an employee criminally
liable under the federal hacking statute—the Computer Fraud and Abuse Act
(“CFAA”)—for violating his employer-imposed computer use restrictions... The
court also ruled that the government cannot hold people criminally liable on
the basis of purely fantastical statements they make online—i.e.,
thoughtcrime._

~~~
bumbledraven
From the gizmodo article:

 _Valle was also charged with violating the CFAA for accessing a police
database to look up information about people without a valid law enforcement
purpose, in violation of NYPD policy._

Querying a government database for personal use is a serious offense. I hope
the court would address it separately from lesser rules such as "don't use
Facebook at work."

------
sowbug
How might this court have handled the Aaron Swartz case? I don't know the
facts of either case well enough to tell whether they're comparable.

------
x1798DE
I've seen other places in this thread indicating that charging this guy under
the CFAA was an inappropriate choice (i.e. not just the _only_ choice if they
want to pursue criminal charges); does anyone know if there have been similar
cases of abuse of law enforcement data where the accused was charged under a
different statute?

------
workitout
The efforts of the EFF are to be lauded in this case.

------
nicolai123
Great news!

------
DiabloD3
Dupe: https://news.ycombinator.com/item?id=10675396

~~~
detaro
Re-submitting something is fine if it hasn't been submitted too often and
previous submissions didn't spawn discussions. Linking to empty discussions
isn't useful.

~~~
DiabloD3
Re-submitting it in under a day isn't useful either.

