A deeper look at United States v. Vargas, the case concerning the NYPD detective accused of violating the CFAA

The recent allegations against New York Police Department detective Edwin Vargas have been making headlines recently, and were the subject of a recent press release by the U.S. Attorney's Office for the Southern District of New York. The press release announced that on May 20, 2013, a complaint was filed in the Southern District of New York alleging that Vargas had committed two offenses under the Computer Fraud and Abuse Act, 18 U.S.C §1030.  Below, I take a look at the two counts and offer some thoughts on the "Unlawful Access of Law Enforcement Database" allegation (count two).

The first count alleges that Vargas and other “known and unknown" defendants "willfully and knowingly combined, conspired, confederated, and agreed together and with each other to engage in computer hacking.” Specifically, the complaint alleges that Vargas conspired with individuals associated with an "e-mail hacking service" to violate §1030(a)(2)(C). That section under the CFAA, for context, states in relevant part

Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished as provided in subsection (c) of this section. 

The CFAA also provides as an offense, in §1030(b), any attempted violations or conspiracy to commit violations of the Act. According to the complaint, Vargas “paid certain e-mail hacking services to hack into numerous e-mail accounts . . . in order to obtain the log-in credentials for those accounts.” The complaint continues

In total, Vargas ordered hacks of at least 43 personal e-mail accounts belonging to at least 30 different individuals including 21 who are affiliated with the NYPD; of those 21, 19 are current NYPD officers, one is a retired NYPD officer, and one is current NYPD administrative staff. Vargas accessed at least one personal email account belonging to a current NYPD officer after receiving the account's log-in credentials from the hacking service. 

While the first count contains allegations that one would typically associate with a criminal hacking statute like the CFAA, the second count is a bit more interesting. According to the allegations in the complaint, Vargas

intentionally and knowingly accessed a computer without authorization and exceeded authorized access and thereby obtained information from a department and agency of the United States, [specifically], Vargas accessed, and obtained information from the federal National Crime Information Center ("NCIC") database, without authorization, and exceeding the scope of his authority. 

Vargas’ alleged actions are believed to have violated §1030(a)(2)(B) of the CFAA, which states in relevant part

Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any department or agency of the United States . . . shall be punished as provided in subsection (c) of this section. 

This allegation centers on Vargas accessing the NCIC database to gain information on fellow NYPD officers (referred to as “Victim 2” and “Victim 3” in the complaint). According to the complaint, FBI Special Agent Samad Shaheani states

From my discussions with NYPD representatives, I have learned that on or about November 5, 2011, Edwin Vargas . . . accessed the NCIC database and obtained information about Victim 2 and Victim 3. Based on my review of the records provided by the NYPD, I have learned that at the time that he accessed the NCIC database, Vargas was in his precinct in the Bronx. I have learned that Vargas did not have authorization to perform those searches or to access that information about Victim 2 or Victim 3. 

Much of the complaint focuses on the e-mail hacking allegations featured in the first count. However, I have my reservations on whether the second count can hold up. I recently reported on a Southern District of New York case, JBCHoldings v. Pakter, in which the court applied a narrow interpretation of “without authorization” and “exceeds authorization.” As I stated,

In applying the plain meaning of the term “without authorization” the court found that “an employee ‘accesses a computer without authorization’ when he does so without permission to do so. This definition plainly speaks to permitted access, not permitted use.” The court also found the CFAA’s statutory definition of “exceeds authorized access” was inherently similar to the plain meaning of “without authorization” stating, “[b]y its plain terms, this definition also speaks to access, not use.” 

A similar application might come into play in the case against Vargas. While JBCHoldings was a civil case, the court's application of “without authorization” and “exceeds authorized access” might hold some weight as this case moves forward (however, as the court JBCHoldings observed "[d]istrict courts within the Second Circuit have taken opposing views [as to the meaning of “without authorization” and “exceeds authorized access]”). Its true that Vargas might not have had “authorization to perform those searches” or to “access that information,” as the complaint alleges, but the question to consider would be whether Vargas, as in NYPD detective, was generally given access through his employment to use the the NCIC system. Did Vargas simply misuse the information from the NCIC system that he had the right to access through his employment? If so, that might make the second count against Vargas a bit more challenging. I’ll be interested to see how this case progresses.

What do you think? Feel free to sound off in the comments.