By Robert Margolis, J.D.
Researchers plan to create fictitious job candidate profiles and fictitious job opportunities, in violation of the websites’ terms of service, to test if the websites discriminate.
Researchers testing whether the algorithms of online job websites discriminate against job candidates on such bases as race, gender, and age will not violate the criminal provisions of the Consumer Fraud and Abuse Act (CFAA) by creating fake profiles and fake job postings as part of their research, a federal district court in Washington D.C. has held. The court dismissed as moot the researchers’ pre-enforcement First Amendment challenge to a provision of the CFAA that they feared the government would use to prosecute them, finding that the provision does not apply to their planned research activities (Sandvig v. Barr, March 27, 2020, Bates, J.).
Research plans. Computer science professors, academic researchers, and journalists have developed plans to research whether online hiring websites—including LinkedIn, Monster, Glassdoor, and Entelo—through their proprietary algorithms, discriminate against online users based on characteristics such as race, gender, and age. The research plans include “audit testing” of the sites by creating “profiles for fictitious job seekers, post[ing] fictitious job opportunities, and compar[ing] their fictitious users’ rankings in a list of candidates for the fictitious jobs” in order to determine “whether [the] ranking is influenced by race, gender, age, or other attributes.” As a result, the research inevitably will violate the targeted websites’ terms of service agreements, which prohibit providing false information and/or creating fake accounts.
Pre-enforcement challenge. In June 2016, the researchers brought a pre-enforcement constitutional challenge to the “Access Provision” of the CFAA. That provision makes it a crime to “intentionally access a computer without authorization or exceed authorized access, and thereby obtain … information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). The researchers claimed that this Access Provision, among other things, is overbroad and chills their First Amendment right to free speech, and as applied to their research activities will unconstitutionally restrict their protected speech. The concern was based on the premise that the government would interpret the Access Provision to apply to their research plan, thus subjecting them to criminal prosecution. After the district court partially granted the government’s motion to dismiss, leaving only the researchers’ claim thatthe CFAA Access Provision, as applied to their planned research, violates their First Amendment rights, the parties cross-moved for summary judgment.
Standing. The researchers first had to establish Article III standing. When seeking to enjoin application of a statute on constitutional grounds, plaintiffs can establish standing by showing that they intend to engage in a course of conduct that arguably involves constitutional interests and that a statute proscribes that conduct, such that a credible threat of prosecution exists, observed the court, citing the Supreme Court’s decision in Susan B. Anthony List v. Driehaus. The government made three arguments against standing: (1) the researchers lacked “concrete plans” for their research; (2) they did not show a “credible threat” of prosecution; and (3) the case was not ripe. The court rejected each argument.
Concrete plans. Establishing the necessary “concrete plans” means that a plaintiff must provide a “credible statement” of an intent to commit violative acts. While the government argued that the researchers undermined their standing by admitting that they do not yet have the software to conduct their tests, a timeframe, nor have they assigned students, the court found otherwise. The researchers had applied for and obtained funding, obtained approval from the Institutional Review Board for their research, developed specific research plans, and identified the websites they would test. Unlike amorphous “some day” plans in the cases the government cited, here the researchers’ plans already were “in motion,” according to the court.
Credible statement. To defeat the government’s “credible threat” argument, the researchers had to present “a credible statement” that they intended to commit “violative acts” and that they have “a conventional background expectation that the government will enforce the law.” While there was no evidence of prior prosecutions for similar acts, the government had not disavowed the intent to prosecute under the CFAA Access Provision, the court pointed out.
Finally, the court rejected the government’s argument that the claims could not be ripe because websites’ terms of service agreements change frequently so it is not possible to know if at the time the testing begins, the researchers will in fact be violating the applicable terms of service.
Having rejected the government’s three main arguments, the court still had to affirmatively conclude that the researchers established the requisite for standing, that their intended future conduct is “arguably … proscribed” by the CFAA, under Driehaus. As the court noted, its ultimate conclusion that the CFAA does not criminalize their intended conduct could, at a minimum moot their First Amendment claim. But that does not necessarily destroy their standing. Applying an interpretation of Driehaus’ “arguably … proscribed” standard that looks to whether the plaintiffs have proposed a reasonable interpretation of a statute under which they would credibly face prosecution, the court found that the researchers met that test.
No criminal violation. As noted above, the court ultimately concluded that the CFAA does not criminalize the researchers’ planned activities, and thus dismissed the researchers’ First Amendment claim as moot. The court based its conclusion on its analysis of two portions of the Access Provision: what it means (1) to “access” a computer “without authorization”; and (2) to “exceed authorized access.”
Authorization. “Authorization” is not defined in the CFAA, but courts have defined it to mean “permission or power granted by an authority.” Courts interpret the statutory language to contemplate a two-realm Internet, which includes (1) public websites (or public portions of websites) where no authorization is required, and (2) private websites (or portions of websites) where permission to gain access is required. The court reviewed legislative history and interpretations and noted that the two-realm view is rooted in “property norms”—gaining access to a private area without proper permission is akin to “breaking and entering.” Thus, the court framed the question of criminal liability as, “what sort of ‘permission requirement’ constitutes enough of a barrier to trigger criminal liability under [the Access Provision] if bypassed.”
The government argued that any requirements set forth in terms of service agreements, including that a user not provide false information, would suffice. The court disagreed, instead holding that agreeing to terms of service and then violating them in the way the researchers intended may bring civil liability consequences but is not sufficient for criminal liability. In particular, the way these terms of service requirements are presented, often in small print or elsewhere on a page, do not provide adequate notice for criminal liability, the court found. In addition, the court was concerned that giving private website owners the ability to define criminal liability risked creating an “unworkable and standardless” world where each website becomes its own criminal jurisdiction and each webmaster its own legislature.
Finally, the “rule of lenity” and “the avoidance canon” counseled for interpreting the Access Provision so as to avoid criminal liability for violating terms of service. The lenity rule advises that when doubt persists about an interpretation of a criminal statute, the narrower interpretation must be adopted. The avoidance doctrine weighs in favor of interpreting statutes in a way that does not cause them to violate the constitution. Here, a broader interpretation of the Access Provision would cause it to run headlong into the researchers’ free speech rights, an outcome that should be avoided if possible.
Authentication gate. Thus, the court interpreted the Access Provision as proscribing only when a user “bypasses” an authenticating permission requirement, an “authentication gate,” that requires the user to demonstrate he has access rights to the information accessed. The researchers did not intend to “bypass” an “authentication gate” because they intend to use login credentials—usernames and passwords—generated when they created tester accounts. And in instances when payment is required, they intend to comply. As such, they will not gain unauthorized access.
The court then interpreted the “exceed[ing] authorized access” as requiring an authorized user to obtain information from a computer to which the user is not entitled. The court then noted a split among the circuits on what this means in the employment context, whether an employee’s violation of company policy constitutes a CFAA violation. Several find a violation when the employee uses information for “a nonbusiness reason,” while others find no such violation. As to the particular question of whether violation of terms of service agreements on consumer websites constitutes CFAA criminal violation, the court found that a majority of courts have determined that there is no criminal liability. The court based this conclusion on the same reasons above as to the “authorization” requirement—insufficient notice, creating standard less private criminal jurisdictions, and the rules of lenity and avoidance.
Interested in submitting an article?
Submit your information to us today!Learn More
Labor & Employment Law Daily: Breaking legal news at your fingertips
Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on labor and employment legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.