Court Allows CFAA Challenge by Researchers to Proceed on One Claim
Monday, April 2, 2018

U.S. District Judge John D. Bates of the U.S. District Court for the District of Columbia has rejected in part the Justice Department’s motion to dismiss for lack of standing a challenge of the Computer Fraud and Abuse Act by academic researchers and an investigative news organization, allowing the case to proceed on one of the claims posed by the plaintiffs.

The ruling represents the latest chapter in the long-running debate over the use of the 1986 CFAA to prosecute “minor” violations or “white-hat” actions.

In a memorandum opinion filed Friday in “Christian W. Sandvig et al. v. Jefferson B. Sessions III” (civil action 16-1368), Judge Bates said that the use of the CFAA to prosecute those who violate a website’s terms of service (ToS) can pose “a dilemma for those with more benign intentions. Plaintiffs in this case, for instance, are researchers who wish to find out whether websites engage in discrimination, but who have to violate certain ToS to do so. They have challenged the statute that they allege criminalizes their conduct, saying that it violates their free speech, petition, and due process rights. First, however, they must show that they have a sufficient injury to make it through the courthouse door, and that their suit is plausible enough to continue.”

He noted, “Plaintiffs are conducting studies to respond to new trends in real estate, finance, and employment transactions, which increasingly have been initiated on the Internet. Id. ¶¶ 15, 18, 55. Data brokers assemble consumers’ information from myriad sources and place consumers into models that include racial, ethnic, socioeconomic, gender, and religious inferences about them. Id. ¶¶ 56–57. After brokers create consumer profiles, those profiles follow consumers around online through tracking technologies such as cookies. Id. ¶¶ 58–59. Tracking allows websites and advertisers to display content targeted at particular groups, based on consumers’ inferred characteristics or the sorts of websites they visit. Id. ¶¶ 59–60. But plaintiffs are concerned, ‘[g]iven the . . . history of racial discrimination in housing and employment,’ that this technology may be ‘harnessed for discriminatory purposes.’ Id. ¶ 61. They are also concerned that, ‘when algorithms automate decisions, there is a very real risk that those decisions will unintentionally have a prohibited discriminatory effect.’

“Plaintiffs are all aware that their activities will violate certain website ToS. Id. ¶¶ 95, 124, 131. All intend to use scraping to record data, which is banned by many of the websites plaintiffs seek to study. Id.; see id. ¶¶ 70–71. Many of the housing websites that Sandvig and Karahalios will study prohibit the use of bots. Id. ¶¶ 71, 95. All of the hiring websites that Mislove and Wilson will study prohibit the use of sock puppets, and most prohibit crawling. Id. ¶¶ 71, 124. Additionally, some websites control when and how visitors may speak about any information gained through the site — even in other forums — by including non-disparagement clauses in their ToS. Id. ¶ 72. Some sites also have ToS that require advance permission before using the sites for research purposes, which, plaintiffs allege, creates the possibility of viewpoint-discriminatory permission schemes. Id. ¶ 73. Aside from their ToS violations, plaintiffs’ experiments will have at most a minimal impact on the operations of the target websites,” the judge wrote.

Judge Bates noted that plaintiffs have asserted “four causes of action: (1) a facial overbreadth and as-applied challenge under the Free Speech and Free Press Clauses of the First Amendment, id. ¶¶ 180–86; (2) a First Amendment Petition Clause challenge, ¶¶ 187–93; (3) a vagueness claim under the Fifth Amendment’s Due Process Clause, id. ¶¶ 194–98; and (4) a claim of unconstitutional delegation to private parties under the Fifth Amendment, id. ¶¶ 199–202. The government has moved to dismiss under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6) for lack of standing and failure to state a claim.”

In applying First Amendment protections to online activities on private companies’ websites, Judge Bates noted that in its decision in “Packingham v. North Carolina” last year, the Supreme Court “applied public forum analysis to a North Carolina law that banned former sex offenders from using social media websites, employing intermediate scrutiny because the law was content-neutral.”

“An analogy to the real world, while necessarily imperfect, may help illustrate the point. Stroll out onto the National Mall on any day with decent weather and you will discover a phalanx of food trucks lining the streets. Those food trucks are privately owned businesses. Customers interact with them for the private purpose of buying a meal. If they were a brick-and-mortar store on private property, they would encounter no First Amendment barrier to removing a patron who created a ruckus. Yet if a customer standing on a public sidewalk tastes her food and then yells at those in line behind her that they should avail themselves of the myriad other culinary options nearby, the truck could not call the police to arrest her for her comments. She is in a public forum, and her speech remains protected even when she interacts with a private business located within that forum,” he added.

Judge Bates said that the First Amendment would not justify breaking into “a business’s confidential files” in the cloud, breaking into a Gmail account, or breaching a paywall, because in those instances “the owners of the information at issue have taken real steps to limit who can access it. But simply placing contractual conditions on accounts that anyone can create, as social media and many other sites do, does not remove a website from the First Amendment protections of the public Internet.”

In looking at whether the plaintiffs have standing, Judge Bates said, “Because this is a pre-enforcement challenge, plaintiffs must meet more specific conditions to satisfy the injury-in-fact requirement. They must plausibly allege ‘an intention to engage in a course of conduct [1] arguably affected with a constitutional interest, but [2] proscribed by a statute, and [3] [that] there exists a credible threat of prosecution thereunder.’ Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2342 (2014) (quoting Babbitt v. United Farm Workers Nat’l Union, 442 U.S. 289, 298 (1979)). The government argues that plaintiffs cannot meet this test. … Plaintiffs contend that they do intend to engage in constitutionally protected speech, and that they have pled a credible threat of prosecution. … It is clear that any injury to plaintiffs is caused by the government’s criminalization of websites’ ToS, and that the declaratory and injunctive relief plaintiffs seek, … would redress the injury. Therefore, the question is whether plaintiffs allege a sufficient injury in the first place.”

The judge said that “scraping plausibly falls within the ambit of the First Amendment” and that “plaintiffs have a First Amendment interest in harmlessly misrepresenting their identities to target websites,” as well as in publishing their research, which anti-disparagement clauses in some sites’ ToS might prevent them from doing. “Applying criminal sanctions for publishing original material that uses publicly available information, or for making negative statements about a website, triggers First Amendment scrutiny,” he said.

He rejected the government’s argument that the ToS are private actions, noting that “private speech prohibitions can still implicate the First Amendment when given the imprimatur of state protection through civil or criminal law.” In addition, he said, “plaintiffs claim injury from a potential criminal action against them — and ‘a criminal prosecution under the CFAA would undoubtedly constitute state action’ because the government itself is policing website ToS violations.”

Interpreting the CFAA’s provision against intentionally accessing a computer without authorization or exceeding authorized access (the Access Provision) narrowly, so as to apply solely to access and not to use of the data, Judge Bates said that “it becomes clear that most of plaintiffs’ proposed activities fall outside the CFAA’s reach. Scraping or otherwise recording data from a site that is accessible to the public is merely a particular use of information that plaintiffs are entitled to see. The same goes for speaking about, or publishing documents using, publicly available data on the targeted websites. The use of bots or sock puppets is a more context-specific activity, but it is not covered in this case. Employing a bot to crawl a website or apply for jobs may run afoul of a website’s ToS, but it does not constitute an access violation when the human who creates the bot is otherwise allowed to read and interact with that site.”

“Out of plaintiffs’ proposed activities, then, only Mislove and Wilson’s plan to create fictitious user accounts on employment sites would violate the CFAA. Unlike plaintiffs’ other conduct, which occurs on portions of websites that any visitor can view, creating false accounts allows Mislove and Wilson to access information on those sites that is both limited to those who meet the owners’ chosen authentication requirements and targeted to the particular preferences of the user,” Judge Bates wrote.

He dismissed the plaintiffs’ claim on the grounds of facial overbreadth, because the court’s interpretation of the Access Provision finds that it “incorporates only those ToS that limit access to particular information.”

Judge Bates rejected the government’s request to dismiss the plaintiffs’ claim that, as applied to them, the Access Provision unconstitutionally restricts their protected speech, but said that “significant [government] interests appear to underlie the Access Provision” and thus strict scrutiny would not apply. The government will have to show that the statute is narrowly tailored to advance those interests, he said.

The judge dismissed the plaintiffs’ claims that the CFAA interferes with the First Amendment right to petition for redress of grievances by preventing the public from using the data they would gather through their research in such petitions. “As the government notes, the clause is not aimed at the right to gather facts, or to speak while doing so, as a preliminary step to help prepare that petition in a preferred way,” Judge Bates said.

He also dismissed the plaintiffs’ Fifth Amendment vagueness claim, noting that the narrow interpretation of the Access Provision “severely curtails both websites’ ability to define the law and prosecutors’ freedom arbitrarily to enforce it.”

Finally, he dismissed the plaintiffs’ Fifth Amendment claim that the CFAA unconstitutionally “delegates the content of criminal law to private parties.”

“Since the Access Provision creates a blanket prohibition on accessing information in protected computers, which owners of those computers can waive through permission, plaintiffs do not plausibly allege that the provision unconstitutionally delegates legislative power,” he said.

In a statement, Rachel Goodman, staff attorney with the Racial Justice Program at the American Civil Liberties Union, which is representing the plaintiffs, said that they “want nothing more than to secure their right to conduct the kinds of experiments online that have been used to identify and root out offline discrimination for decades. This decision is an important step forward in helping them expose online discrimination.” —Lynn Stanton, lynn.stanton@wolterskluwer.com