Valle(misd).Formatted - Electronic Frontier Foundation

Transcription

14-4396

To Be Argued By:
JUSTIN ANDERSON
RANDALL W. JACKSON

United States Court of Appeals
FOR THE SECOND CIRCUIT
Docket No. 14-4396

UNITED STATES OF AMERICA,
Appellee,
—v.—
GILBERTO VALLE, also known as Sealed Defendant 1,
Defendant-Appellant,
MICHAEL VANHISE, also known as Sealed Defendant 1, ROBERT CHRISTOPHER ASCH, also known as Chris, RICHARD MELTZ, also known as Rick,
Defendants.

ON APPEAL FROM THE UNITED STATES DISTRICT COURT FOR THE SOUTHERN DISTRICT OF NEW YORK

BRIEF FOR THE UNITED STATES OF AMERICA

PREET BHARARA, United States Attorney for the Southern District of New York, Attorney for the United States of America.

RANDALL W. JACKSON, HADASSA WAXMAN, BROOKE CUCINELLA, JUSTIN ANDERSON, Assistant United States Attorneys, Of Counsel.

TABLE OF CONTENTS

Preliminary Statement
Statement of Facts
    A. The Evidence at Trial
    B. The Jury Instructions and Verdict
    C. The Post-Trial Proceedings
    D. The Sentence
ARGUMENT
POINT I—The Statute Prohibits the Use of Validly Issued Credentials in an Unauthorized Manner
    A. Applicable Law
        1. The Computer Fraud and Abuse Act
        2. Principles of Statutory Construction
    B. Discussion
        1. The Statutory Text Prohibits Valle’s Unauthorized Use of His Credentials
        2. The History and Purpose of the Statute Support the Jury’s Verdict
        3. Precedent Supports the Jury’s Verdict
POINT II—The Statute Raises No Genuine Constitutional Concerns
    A. Applicable Law
        1. Vagueness Doctrine
        2. The Canon of Constitutional Avoidance
        3. The Rule of Lenity
    B. Discussion
        1. Valle Has No Valid Basis to Raise a Void-For-Vagueness Challenge
        2. Neither the Canon of Constitutional Avoidance Nor the Rule of Lenity Weighs in Favor of Valle’s Position
CONCLUSION

TABLE OF AUTHORITIES

Cases:

Barber v. Thomas, 560 U.S. 474 (2010)
Caminetti v. United States, 242 U.S. 470 (1917)
Clark v. Suarez Martinez, 543 U.S. 371 (2005)
Connecticut Nat’l Bank v. Germain, 503 U.S. 249 (1992)
EF Cultural Travel BV v. Explorica, 274 F.3d 577 (1st Cir. 2001)
Farrell v. Burke, 449 F.3d 470 (2d Cir. 2006)
Heckler v. Mathews, 465 U.S. 728 (1984)
Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006)
Kolender v. Lawson, 461 U.S. 352 (1983)
LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009)
Mannix v. Phillips, 619 F.3d 187 (2d Cir. 2010)
Maynard v. Cartwright, 486 U.S. 356 (1988)
Muscarello v. United States, 524 U.S. 125 (1998)
P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, 428 F.3d 504 (3d Cir. 2005)
Pari v. Phelps Corp., 61 A.D.2d 1072 (3d Dep’t 1978)
People v. Licata, 28 N.Y.2d 113 (N.Y. 1971)
Protect-All Ins. Agency, Inc. v. Surface, 957 N.E.2d 215, 2011 WL 5071922 (Ind. Ct. App. 2011)
Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Am., 648 F.3d 295 (6th Cir. 2011)
SEC v. Rosenthal, 650 F.3d 156 (2d Cir. 2011)
Secretary of Maryland v. Joseph H. Munson Co., 467 U.S. 947 (1984)
Smith v. United States, 508 U.S. 223 (1993)
Spina v. Dep’t of Homeland Sec., 470 F.3d 116 (2d Cir. 2006)
United States v. Albertini, 472 U.S. 675 (1985)
United States v. Auernheimer, 748 F.3d 525 (3d Cir. 2014)
United States v. Awadallah, 349 F.3d 42 (2d Cir. 2003)
United States v. Banki, 660 F.3d 665 (2d Cir. 2011)
United States v. Edelman, 726 F.3d 305 (2d Cir. 2013)
United States v. Feliciano, 223 F.3d 102 (2d Cir. 2000)
United States v. Gonzalez, 407 F.3d 118 (2d Cir. 2005)
United States v. James, 478 U.S. 597 (1986)
United States v. John, 597 F.3d 263 (5th Cir. 2010)
United States v. Kelly, 147 F.3d 172 (2d Cir. 1998)
United States v. Magassouba, 544 F.3d 387 (2d Cir. 2008)
United States v. Marcus, 560 U.S. 258 (2010)
United States v. Margiotta, 688 F.2d 108 (2d Cir. 1982)
United States v. Morris, 928 F.2d 504 (2d Cir. 1991)
United States v. Nosal, 676 F.3d 854 (9th Cir. 2012)
United States v. Oakland Cannabis Buyers’ Cooperative, 532 U.S. 483 (2001)
United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010)
United States v. Ron Pair Enters., 489 U.S. 235 (1989)
United States v. Rosen, 716 F.3d 691 (2d Cir. 2013)
United States v. Shellef, 507 F.3d 82 (2d Cir. 2007)
United States v. Simmons, 343 F.3d 72 (2d Cir. 2003)
United States v. Steele, No. 13-4567, 2014 WL 7331679 (4th Cir. Dec. 24, 2014)
United States v. Teague, 646 F.3d 1119 (8th Cir. 2011)
United States v. Valle, 301 F.R.D. 53 (S.D.N.Y. 2014)
United States v. Weintraub, 273 F.3d 139 (2d Cir. 2001)
WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012)

Statutes, Rules & Other Authorities:

18 U.S.C. § 1030
H.R. Rep. No. 98-894 (1984)
S. Rep. No. 99-432 (1986)
Black’s Law Dictionary (10th ed. 2014)
Merriam-Webster Online Dictionary
Oxford Online Dictionary
Melanie J. Teplinsky, Fiddling on the Roof: Recent Developments in Cybersecurity, 2 Am. U. Bus. L. Rev. 225, 241 (2013)
Brent Wible, A Site Where Hackers Are Welcome: Using Hack-In Contests to Shape Preferences and Deter Computer Crime, 112 Yale L.J. 1577, 1584 (2003)

Preliminary Statement

Gilberto Valle appeals from a judgment of conviction entered on November 14, 2014, in the United States District Court for the Southern District of New York, following a two-week jury trial before the Honorable Paul G. Gardephe, United States District Judge.

Indictment 12 Cr. 847 (PGG) (the “Indictment”) was filed on November 15, 2012, in two counts. Count One charged Valle with kidnapping conspiracy, in violation of Title 18, United States Code, Section 1201(c). Count Two charged Valle with the unauthorized access of a restricted federal database, in violation of Title 18, United States Code, Section 1030(a)(2)(B).

Valle’s trial commenced on February 25, 2013, and ended on March 12, 2013, when the jury found him guilty of both counts of the Indictment. Valle moved to set aside the jury’s verdict. On June 30, 2014, Judge Gardephe granted that motion with respect to Count One but denied it with respect to Count Two.

On November 12, 2014, Judge Gardephe sentenced Valle principally to time served, followed by one year of supervised release.

Valle is currently serving his term of supervised release.

Statement of Facts

A. The Evidence at Trial

Between 2006 and 2012, Valle worked as an officer with the New York City Police Department (the “NYPD”). (Tr. 156).[1] In the final 10 months of his tenure, Valle plotted with three men to kidnap and torture women. To prepare for these kidnappings, Valle (i) confirmed where his targets lived and worked, contacting them by mail, conducting physical surveillance, and arranging a pretextual meeting; (ii) researched the formula for home-made chloroform, a well-known incapacitating agent, and sent that formula to an accomplice; (iii) sought out information about restraining victims and read news accounts describing the investigation and capture of kidnappers; and (iv) most egregiously, illegally accessed information in a police database about his intended targets.[2] (Tr. 418-652, 1030-34, 1197, 1239, 1275; GX 217, 229, 230, 401-43, 606, 1000-01).

[1] “Tr.” refers to the trial transcript; “GX” refers to a Government exhibit admitted at trial; “Br.” refers to Valle’s brief on appeal; “A.” refers to the appendix filed with Valle’s brief; and “Amici Br.” refers to the brief filed by amici curiae.

[2] The aspects of this plot not involving the illegal access of a police database are described in the Government’s opening brief in Docket No. 14-2710, which was filed on November 12, 2014, and is scheduled to be argued in tandem with this appeal (Docket No. 14-4396) on May 12, 2015.

Valle was able to access that database because, as a police officer, he was entrusted with credentials (a login and password) that allowed him to use NYPD computer systems. (Tr. 934, 970, 995). Through those systems, a police officer could learn confidential and restricted personal information about people of interest, including their dates of birth, social security numbers, driver’s license information, and home addresses. (Tr. 570-72, 578-84, 940-43; GX 615, 616B, 616C, 616E, 617). That system also allowed Valle to view an individual’s criminal record by accessing data contained in the Federal Bureau of Investigation’s National Crime Information Center (“NCIC”) database. (Tr. 931, 937-38, 945; GX 610, 613, 614).

Valle’s authority to use his credentials to review the data was restricted and limited. The NYPD instructed Valle repeatedly that the databases could be accessed only “in the course of a [police officer’s] official duties and responsibilities” and that “[t]here were no exceptions to this policy.” (Tr. 940-41; GX 612). Valle was further instructed that accessing the databases for “non-work” purposes was a violation of NYPD policy, state law, and that the penalties for doing so included “arrest, prosecution, termination of employment and fines up to $10,000.” (Tr. 940-42, 950). Acknowledging that he understood these access restrictions, Valle signed several NYPD documents certifying his participation in training sessions on the use and misuse of the NYPD computer system. (GX 609-611).

In direct violation of his training, Valle accessed NYPD computer systems to gather information about women he targeted for kidnapping. (Tr. 571-84, 940-43; GX 615, 616B, 616C, 616E, 617). On May 31, 2012, without authorization, Valle accessed the database to obtain information on Maureen Hartigan, a woman Valle had known since he was in high school. (GX 616C). Valle entered Hartigan’s name into the NYPD computer system, which in turn queried a number of local, state, and national databases for personal information about her, including any available criminal records on NCIC.[3] (Tr. 582-84; GX 616E).

[3] This instance of unauthorized access provided the factual basis for Count Two of the Indictment.

The parties did not dispute that Valle lacked a legitimate law enforcement purpose for using the database to access information about Hartigan. United States v. Valle, 301 F.R.D. 53, 110 (S.D.N.Y. 2014) (“It is undisputed that Valle had no law enforcement purpose for querying Hartigan’s name in the databases.”).

B. The Jury Instructions and Verdict

Prior to deliberations, Judge Gardephe instructed the jury, without any objection from the defense, that “Valle could be convicted of Count Two only if the Government proved, inter alia, that he had ‘accessed a computer with authorization, but that he exceeded his authority in accessing the information in question.’ ” United States v. Valle, 301 F.R.D. at 110 (quoting Tr. 1662).

After two days of deliberations, the jury found Valle guilty of kidnapping conspiracy and the unauthorized access of a federal database, as charged in the Indictment. (Tr. 1685-86).

C. The Post-Trial Proceedings

Valle moved to set aside the jury’s verdict on both counts of the Indictment. Judge Gardephe granted the motion as to Count One and denied it as to Count Two. See Valle, 301 F.R.D. at 115.

On Count Two, Valle argued that his ability to use the NYPD computer system as part of his police duties immunized him from being “held criminally liable . . . for his improper query concerning Hartigan,” even if that query went beyond the scope of his authorization. Id. at 111. Rejecting that construction of the statute, Judge Gardephe held that Valle “exceed[ed] [his] authorized access” to the NYPD computer system by “obtain[ing] information in the computer that he was not entitled to obtain.” Id. (quoting 18 U.S.C. § 1030(e)(6)) (internal brackets and ellipses omitted). Because “Valle was barred by NYPD policy from performing a search regarding Hartigan’s name unless he had a valid law enforcement purpose for doing so,” Judge Gardephe concluded that “the plain language of the statute” outlawed Valle’s conduct. Id.

D. The Sentence

On November 12, 2014, Judge Gardephe sentenced Valle to time served on Count Two, which was 20 months at that time, followed by one year of supervised release, and he imposed a mandatory $25 special assessment.[4] Among the conditions of Valle’s supervised release is that he not contact any of the “women who were alleged targets of the conduct charged in Count One, or the woman who was the subject of the conduct that forms the basis for Count Two.” (A. 256-57).

[4] The statutory maximum term of imprisonment for a violation of Title 18, United States Code, Section 1030(a)(2)(B) is 12 months.

ARGUMENT

Valle’s unauthorized access of the NCIC database to obtain information about Hartigan violated Title 18, United States Code, Section 1030(a)(2)(B), which protects information belonging to the United States from being obtained in an unauthorized manner. The undisputed trial evidence established that Valle (i) possessed credentials that enabled him to access the NCIC database, (ii) was authorized to do so only in the course of his duties as a police officer, and (iii) queried the database for information on Hartigan without a valid, law enforcement reason. When Valle used his credentials to access the database for non-police purposes, he “exceed[ed] his authorized access” to the database in violation of the statute. 18 U.S.C. § 1030(a)(2).

Valle resists this logic, arguing that because he was able to access the database for improper purposes, he was also authorized to do so. That reading of the statute is unsustainable. The NYPD provided Valle with several law enforcement tools—credentials to access the NCIC database, handcuffs, a gun—but that does not mean Valle was authorized to use those tools however he saw fit, limited only by his abilities. To accept Valle’s construction of the statute is to conflate ability with authorization. But there is nothing in the statutory text that recommends, much less compels, that unnatural result, particularly where it would run counter to the weight of precedent and serve only to undermine the statute’s purpose of protecting information belonging to the United States from unauthorized disclosure.

POINT I

The Statute Prohibits the Use of Validly Issued Credentials in an Unauthorized Manner

A. Applicable Law

1. The Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (“CFAA”) prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any department or agency of the United States.” 18 U.S.C. § 1030(a)(2)(B). Under the statute, individuals “exceed[ ] authorized access” when they “access a computer with authorization and . . . use such access to obtain or alter information in the computer that [they are] not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).

Construing the CFAA, this Court has held that “authorization” has no “technical or ambiguous meaning” as used in the statute. United States v. Morris, 928 F.2d 504, 511 (2d Cir. 1991) (holding that “it was unnecessary to provide the jury with a definition of ‘authorization’ ” because “the word is of common usage”). The term is readily understood to mean “[o]fficial permission to do something.” Black’s Law Dictionary (10th ed. 2014). That commonsense understanding applies equally to a user who “exceeds authorized access” by “obtain[ing] . . . information” that she has no “entitle[ment]” or permission to obtain. 18 U.S.C. § 1030(e)(6). Official permission, not technical ability, is therefore the touchstone of whether information belonging to the U.S. has been accessed in violation of the CFAA.

Users who inadvertently access U.S. data do not run afoul of the statute because only intentional acts are prohibited. See 18 U.S.C. § 1030(a)(2). For an act to be intentional, it must have been done “deliberately and purposefully,” as “the product of [an individual’s] conscious objective rather than the product of mistake or accident.” United States v. Kelly, 147 F.3d 172, 177 (2d Cir. 1998) (approving district court’s instruction).

2. Principles of Statutory Construction

The interpretation of statutes “must begin with the language employed by Congress and the assumption that the ordinary meaning of that language accurately expresses the legislative purpose.” United States v. Albertini, 472 U.S. 675, 680 (1985) (internal quotation marks omitted); see also Smith v. United States, 508 U.S. 223, 228 (1993) (“When a word is not defined by statute, we normally construe it in accord with its ordinary or natural meaning.”). If the statute’s language is “ ‘plain, the sole function of the courts is to enforce it according to its terms.’ ” United States v. Ron Pair Enters., 489 U.S. 235, 241 (1989) (quoting Caminetti v. United States, 242 U.S. 470, 485 (1917)); see also Connecticut Nat’l Bank v. Germain, 503 U.S. 249, 253-54 (1992) (“We have stated time and again that courts must presume that a legislature says in a statute what it means and means in a statute what it says there.”). Where there is ambiguity, however, “a court may resort to the canons of statutory interpretation and to the statute’s legislative history to resolve the ambiguity.” United States v. Awadallah, 349 F.3d 42, 51 (2d Cir. 2003).

B. Discussion

1. The Statutory Text Prohibits Valle’s Unauthorized Use of His Credentials

Valle’s search of the NCIC database for information on Hartigan ran afoul of the unambiguous text of the CFAA. Under the undisputed facts of this case, Valle had permission to use his credentials to access NYPD computer systems only in furtherance of his duties as a police officer. (Br. 4). Equally beyond dispute is that Valle had no legitimate law enforcement reason for entering Hartigan’s name into those systems and searching records maintained by the NCIC. (Br. 5). Nor is there any dispute that Valle’s conduct was deliberate and purposeful and not the product of mistake or accident. (Br. 5). Those facts—none of which are contested on appeal—fall squarely within the CFAA’s straightforward prohibition on “exceed[ing] authorized access” to a computer system in order to intentionally obtain information belonging to the United States without any “entitle[ment]” to that information. 18 U.S.C. § 1030(a)(2)(B), (e)(6). Because Valle had no permission to access the NCIC to learn anything about Hartigan, he “exceed[ed] [his] authorized access” in violation of the statute. That is why Judge Gardephe concluded that “Valle’s conduct falls squarely within the plain language of Section 1030(a)(2)(B).” Valle, 301 F.R.D. at 111.

Disputing Judge Gardephe’s conclusion, Valle invites this Court to ignore the straightforward command of CFAA’s unambiguous text. First, he argues that liability under the statute cannot turn on the planned “purposes” an individual had in mind for restricted information, “or the use, if any, the person made of the information.” (Br. 12). Insofar as Valle believes his conviction stems from his use or intended use of restricted information about Hartigan, he is mistaken. The statute is not concerned with what Valle did or intended to do with that restricted information, but whether he had permission to obtain it in the first place. As Judge Gardephe explained, “How Valle intended to use any information about Hartigan that he hoped to obtain from the NCIC database is . . . irrelevant” because all that “matter[ed] is that Valle was not authorized to access the . . . system to perform a query regarding Hartigan’s name.” Valle, 301 F.R.D. at 115. Valle’s offense was thus premised on whether he was allowed to enter Hartigan’s name into the NCIC database, not whether his intended uses of the information violated the CFAA.

Second, Valle contends that he was “authorized” to obtain Hartigan’s information, notwithstanding the NYPD’s prohibition on doing so, because he had the technical ability to “obtain exactly the sort of information about private citizens that Valle obtained about Hartigan.” (Br. 14). Valle’s position boils down to the following proposition: Because he was able to misuse his credentials to obtain restricted information about Hartigan, Valle had permission to do so. That argument improperly conflates ability with authorization. The CFAA, however, does not speak in terms of ability; it speaks about authorization. And this Court has held that the CFAA’s use of the word “authorization” has no “technical or ambiguous meaning.” United States v. Morris, 928 F.2d at 511. It means permission, which is far different from ability. Valle might very well not have exceeded his ability to obtain restricted information when he accessed Hartigan’s records, but he did exceed his authorization because he did not have official permission to obtain her records. Because the CFAA refers to “authorization,” and not ability, Valle’s argument is unmoored from the statutory text.

It is also unmoored from common sense. Valle’s redefinition of “authorization” to mean “ability” would be shocking if applied to any of the other tools he possessed as a police officer. Were Valle to claim that he was authorized to restrain a member of the public on a lark because the NYPD had issued him handcuffs, no reasonable person, let alone a court, would take his claim seriously. It would be equally absurd for Valle to claim authorization to use his firearm in a reckless manner simply because the NYPD had given him the weapon in the first place. No less absurd is Valle’s argument that, because the NYPD issued him computer credentials, he was authorized to misuse them to obtain information from the NYPD computer system that he had no permission to view.

There is nothing complicated or ambiguous about this principle: many forms of authorization have conditions that must be met before the authorization comes into effect. A police officer, for example, might have authorization to use deadly force, but only when the condition is met that his life or the safety of civilians is threatened. Valle’s authorization to use the NYPD’s computer systems to access NCIC data was conditioned on his having a law enforcement purpose. (Tr. 940-41; GX 612). When he chose to access NCIC, in spite of the fact that he had no law enforcement purpose, he violated the explicit prohibitions of his department and the plain language of the statute by “exceed[ing] his authorized access” to the NYPD computer system. There is a vital and obvious difference between ability and authorization. Valle’s efforts to inject ambiguity into the statute by conflating the terms are misguided.

Third, Valle envisions a parade of horribles that will flow from this Court’s enforcing the unambiguous text of the statute. He fears that a lonely heart will be prosecuted for “misrepresent[ing] his height and weight on a dating website” (Br. 15) or a law clerk might be brought to justice for shepardizing his “law school note” (Br. 16). There is good reason why Valle would prefer to ponder these outlandish hypothetical scenarios rather than the inhospitable facts of his own case: his actions violate the simple command of the CFAA prohibiting unauthorized access to information that belongs to the United States.

But even if they had some relevance here, Valle’s hypothetical musings present no basis to ignore the plain meaning of the relevant statutory text. Most starkly, they do not pertain to Valle’s offense of conviction at all. Valle violated Section 1030(a)(2)(B) because he intentionally obtained information belonging to the United States without permission. Neither the user of the dating website, nor the scholarly law clerk appears to have obtained U.S. data through the hypothetical use of computers, which is reason enough to set aside Valle’s hypotheticals. But even if other sections of the CFAA were at issue here, Valle’s concerns about allegedly absurd results would be misplaced. While it is a well-established canon of statutory interpretation that “absurd results” should be avoided, see SEC v. Rosenthal, 650 F.3d 156, 162 (2d Cir. 2011), that canon comes into play only when the statutory text is ambiguous, see Connecticut Nat’l Bank v. Germain, 503 U.S. at 253-54. Where, as here, the text is unambiguous, courts must apply only the “cardinal canon”—namely, that “a legislature says in a statute what it means and means in a statute what it says there.” Connecticut Nat’l Bank, 503 U.S. at 253-54.

Insofar as other provisions of the statute might sweep in conduct that seems less troubling than Valle’s, those concerns must be raised in the first instance by individuals actually affected by the provision at issue. See Farrell v. Burke, 449 F.3d 470, 494 (2d Cir. 2006) (“Federal courts as a general rule allow litigants to assert only their own legal rights and interests, and not the legal rights and interests of third parties. This rule against third-party or jus tertii standing helps to avoid unnecessary pronouncements and serves to ensure that the issues before the court are ‘concrete and sharply presented.’ ” (citing Secretary of Maryland v. Joseph H. Munson Co., 467 U.S. 947, 955 (1984) (citations omitted))). Valle cannot challenge his conviction under Section 1030(a)(2)(B) by pointing out that unnamed people might face misdemeanor prosecutions under a different provision of the CFAA in ways that might seem unfair in the abstract.[5] Those cases will present fact-specific questions not relevant here, including whether the applicable authorization was clearly defined and whether the abuse of computer access was intentional in the sense of being purposeful and deliberate.[6] Valle cannot avail himself of such hypothetical claims to excuse his conduct, which falls squarely within the prohibition.

[5] And breadth alone is insufficient because, as this Court has recognized, federal criminal statutes can often apply to a “broad range of conduct.” See United States v. Shellef, 507 F.3d 82, 106 (2d Cir. 2007) (noting “the broad range of conduct covered by the federal fraud statutes”).

[6] Congress’s decision to adopt a heightened mens rea requirement demonstrates not only that it recognized the need to limit the scope of the statute, but also that it took steps it considered appropriate to impose such limitations. See S. Rep. No. 99-432, at 6 (1986) (describing the substitution of the word “intentionally” for “knowingly” in order to guard against concerns of sweeping too broadly: “[t]he substitution of an ‘intentional’ standard is designed to focus Federal criminal prosecutions on those whose conduct evinces a clear intent to enter, without proper authorization, computer files or data belonging to another”).

Fourth, Valle contends that giving “authorization” its plain meaning of permission would “creat[e] surplusage” because his misconduct was both without authorization and in excess of his authorized access. (Br. 16). Again, the canons—this time the one against surplusage—are relevant only where there is ambiguity in the text, but they play no role when the text is unambiguous. Connecticut Nat’l Bank, 503 U.S. at 253-54. Here, there is neither ambiguity, nor surplusage.

The CFAA protects information belonging to the United States from those who lack a
