ACLU Files Challenge To CFAA Over Blocking Research Into Discrimination Online

from the fix-the-cfaa dept

There’s been a lot of talk lately about the possibility of discrimination being built into the algorithms that determine our lives. In the past year, multiple publications have discussed what happens when algorithms are racist in a time when algorithms decide more and more of our lives. Just recently, we talked about judges using proprietary algorithms in sentencing, and how those algorithms themselves may judge people based on things like skin color. And just a few days ago, there was a fascinating NY Times article about inherent bias in artificial intelligence systems. I even went to a conference recently, where there was a whole discussion on the question of what do you do “if your algorithm is racist.” It’s not an easy question to answer, honestly, but one thing that we should not be doing is holding back research into these systems.

And yet… that’s exactly what’s happening. And the culprit, once again, is the Computer Fraud & Abuse Act (CFAA), which we’ve written about for years. The law, which is woefully out of date, and was passed (literally) by a Congress that was freaked out over the movie WarGames, is supposed to target evil “computer hackers.” But it’s written so broadly, including terms like “unauthorized access” or “exceeding authorized access,” that it’s been used against things like violating a terms of service (that you didn’t read or even agree to) or against downloading too many files. And that’s scaring the hell out of researchers.

Given that, the ACLU has now filed a lawsuit on behalf a group of academic researchers, computer scientists and journalists who want to investigate these issues, but are held back by the CFAA.

Our plaintiffs want to investigate whether websites are discriminating, but they often can?t. Courts and prosecutors have interpreted a provision of the CFAA?one that prohibits individuals from ?exceed[ing] authorized access? to a computer?to criminalize violations of websites? ?terms of service.? Terms of service are the rules that govern the relationship between a website and its user and often include, for example, prohibitions on providing false information, creating multiple accounts, or using automated methods of recording publicly available data (sometimes called ?scraping?).

The problem is that those are the very methods that are necessary to test for discrimination on the internet, and the academics and journalists who want to use those methods for socially valuable research should not have to risk prosecution for using them. The CFAA violates the First Amendment because it limits everyone, including academics and journalists, from gathering the publicly available information necessary to understand and speak about online discrimination.

In terms of the specific challenge, the ACLU is arguing that it violates both the First Amendment and the due process clause of the Fifth Amendment. The crux of the First Amendment argument in the filing:

The Challenged Provision impermissibly burdens speech about business practices and other activity on the internet because websites can determine what speech and expressive activity to prohibit, and these prohibitions become criminal violations of the Challenged Provision. In other words, a website can explicitly target speech or expressive activities. For example, if a website?s terms of service provide that access by certain types of speakers (such as researchers) is unauthorized, or that engaging in certain speech (false or misleading speech, for example, or subsequent disparaging speech about the website) renders access unauthorized, then violations of those private terms of service become crimes through the phrase ?exceeds authorized access? in the Challenged Provision. Such speech or expressive activity thus becomes prohibited under pain of criminal sanctions simply because it occurred on the internet.

Because the Challenged Provision incorporates websites? terms of service into the federal criminal code, its applications are virtually infinite; any speech or expressive activity that the private operator of a website has prohibited as a condition of access to its website becomes a criminal violation, even where that prohibition covers speech subsequent to the visit and in a different forum. In a good number of cases, a website?s ToS will prohibit speech that cannot constitutionally be prohibited. Accordingly, although the Challenged Provision may have legitimate applications, its unconstitutional applications are substantial in relation to its legitimate scope.

There’s some more as well, including the idea that setting up fake profiles to test a site for discrimination may be considered a terms of service violation and one that violates the free speech of the researchers.

As for the Fifth Amendment:

The Challenged Provision fails to notify ordinary people of what conduct is criminal because the phrase ?exceeds authorized access? does not provide sufficient notice that an individual must comply with a website?s written terms of service at all times. The plain meaning of the phrase ?exceeds authorized access? does not clearly cover instances where a website places no barriers, such as technological or physical barriers, to access by individuals.

While I’ve been quite vocal for years about the problems of the CFAA and how it chills a variety of activities, including ones similar to those described here, and while I have enormous respect for the ACLU, I do wonder how successful this case will be. Courts are not always happy to take on cases that can be seen as more “speculative” than over a clear issue (i.e., after someone’s been charged with violating the CFAA for this kind of activity). At the same time, courts also like to avoid dealing with Constitutional questions, if they can avoid it — and so far, multiple courts have rejected attempts to claim that mere terms of service violation violates the CFAA. So they can get out of handling the Constitutional question by just saying “well, that particular use is not a CFAA violation.”

So while I think this is a really important issue, and I’d love to see a constitutional challenge to these aspects of the CFAA succeed, I’m at least somewhat skeptical of the chances of this particular case. Hopefully, I’m proven wrong.

Filed Under: , , , , , , , ,
Companies: aclu

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “ACLU Files Challenge To CFAA Over Blocking Research Into Discrimination Online”

Subscribe: RSS Leave a comment
Robert Beckman (profile) says:

Careful What You Wish For

Be careful on this. I was hopeful at first too, since the CFAA is such a horribly overbroad and vague law, but this may open up a Pandora’s Box.

The researchers in this case are trying to prove that some algorithms have racially biased results, and if they’re successful other groups will use that as evidence of intentional discrimination. Even if a successful defense is raised, it’s still proof of disparate impact, so anyone with any kind of automated marketing or other identification could be on the hook for civil rights lawsuits because their algorithm identified people in a biased manner.

This is particularly tough with machine learning, since you don’t actually program the algorithm, you just program how to program itself, so you may be innocently guilty of a violation of the law, and since with disparate impact your intentions don’t matter we should expect to see people put through the wringer because of what technologists would consider innocent conduct.

Of course, this is a problem with other laws, not the fixing of the CFAA specifically.

Mason Wheeler (profile) says:

Re: Careful What You Wish For

Thank you.

Do you know what you get when certain very vocal idiots spend years screaming “RACISM!!!!!!” over every little thing that manages to negatively impact some minority in some way, and then nearly every time, when you actually look closely at it, you see that racism had nothing to do with it in the first place?

Anyone familiar with the old tale of The Boy Who Cried Wolf could have predicted this one easily enough: The answer looks a whole lot like the story of the current presumptive Republican presidential nominee.

Anonymous Coward says:

Re: Re: Re: Careful What You Wish For

This precedent is much more important that simply testing for racism. Testing for algorithmic distinctions in content is paramount for validating the function of the 4th estate, period. Racism is a convenient format for the argument, but the argument is not about racism.

Propaganda can be approached and mitigated with computational analysis. Further the phrase “We the people” not only endows the people with the right to validate the integrity of their intercourse with the state, but assigns them the DUTY to do so.

The prevalence of insanely opaque propaganda in modern media, clearly demonstrates that the people have not, and are not standing up to their end of the bargain that was struck in 1789. The thickness of the buffer between the people and the state is at an all time high.

Validating the integrity of the intercourse between the citizen and the state is both a human right and the duty of free men. The decision of the court is tangential to the resolution of this issue, and only matters in so far as it may confirm or harm the courts integrity before its own oath.

When they said “certain unalienable rights”, THIS is what they were talking about. TOS can not deny you this right any more than they can deny you the right to breath.

orbitalinsertion (profile) says:

Re: Careful What You Wish For

Nice slippery slope argument. I thought those were purportedly the province of those sorts of “other groups”.

There are a lot of things that are racially or otherwise discriminatory in unfair ways. Just because they are unconscious doesn’t mean they shouldn’t be changed. There is always someone who will file a ridiculous lawsuit, but the larger problem is that once having it pointed out that some behavior is racist (or otherwise bigoted, regardless of the intent of the one doing the behavior), instead of reflecting on the issue and maybe changing the behavior, the decision frequently is enough to double down and continue to perpetuate it.

If you want to pretend that subtle, cultural, institutional, and otherwise unconscious racist (or sexist, or whatever) biases and behaviors don’t exist and aren’t a problem for people (or algorithms) that wouldn’t consciously choose to promote or continue problematic biases, you can choose to believe that, or choose to worry that some stupid lawsuit here and there is more important. We will never have an end of bad lawsuits and rulings. But you can drastically eliminate the fodder for them in this arena by simply doing the right thing. And in plenty of cases, I’m sure i’d cry a river for the privileged few who are put through the wringer when they won’t bother to give a rat’s ass about things like racism, or unintended consequences, or, being by and large corporate entities, human beings in general. Which they don’t. And which seems to be a huge deal to people around here if do some other stupid thing, intentional or not, regarding other popular subjects on Techdirt. Including other idiotic applications of the CFAA and First Amendment issues, and privacy issues with slurpy Big Data.

Anonymous Coward says:

Re: My house, my rules?

It’s like this. If I go to a Milwaukee Brewers game, they don’t allow me to take along a soft-sided cooler larger than 16″. If I do, they can deny me entry, or ask me to leave. The Milwaukee County Sheriff’s Department isn’t going to jail me for trespassing unless I remain after I am asked to leave. But if I go onto the field, where I’m not supposed to be, I will be charged with trespassing.

This is analogous to the terms of service of a website. If I break into the server, perhaps that warrants criminal charges. But if I simply violate the terms of service, they should only be able to have me leave.

Bergman (profile) says:

Re: Re: My house, my rules?

A better analogy would be a restaurant.

Suppose you go to a popular diner one day. There’s a sign with very small print on the door — the text is far too small to read and is posted in a way that most customers won’t see it.

The sign declares that anyone entering the door and ordering food agrees to the posted Terms of Service. Among the Terms is a non-disparagement clause that forbids negative commentary and retroactively revokes authorization to be inside the diner if anyone does so.

The cook is having a hellishly bad month and loses his mind while your food is being cooked. He takes a dump in the fryer, and serves it to everyone in the restaurant — nicely breaded and fried, but still excrement.

Naturally, no one there enjoys the meal at all. About half the people call the health department, about a quarter call their lawyer, the last quarter call the police. All of them tell their friends, post to social media, and write reviews of the horrific experience.

The restaurant owner calls the police on all of them, and demands they all be arrested for violating the Terms of Service and accessing the restaurant while unauthorized.

If it’s a brick & mortar diner, the police will laugh at the crazy man. But if the diner in question were a website, every one of those customers would be guilty of a felony and subject to prison time and enormous fines. All because it happened on the internet.

THAT is why the CFAA is a bad law.

Rekrul says:

Re: My house, my rules?

So, let me get this straight. You want to use my property (website) to do your research, that I don’t want you to do or I would have given you permission, and to do it you have the break the rules of using my property.

More like you’ve put completely arbitrary and nonsensical rules in place for the specific purpose of keeping someone from exposing the flaws in your web site.

It’s like a lock company putting up a display of their new, ultra-secure lock that they claim nobody can open without a key and then freaking out when someone wants to use a set of lockpicks to test their claims.

John Fenderson (profile) says:

Re: My house, my rules?

If you put up a website that anyone can browse to, you have little control or right to control what anyone does with the information they find there (I’m ignoring IP law here,because it isn’t special to visiting web sites).

It doesn’t really matter what your terms of service say if you have no realistic means to enforce them other than trying to sue people.

If you want to truly restrict what people can do with what they find at your site, then make your site membership-only. That way you can “eject” those who don’t abide by your terms.

It seems pretty simple to me.

Capt ICE Enforcer says:


I wonder. If the AI system gets connected with the IOT and gains the capability to manipulate the world’s technology. Would the US government try and negotiate a truce with the system in order to maintain the façade of power and control. Would the computer even bother with us. It wouldn’t need to be a super smart computer. Just one that has the ability to turn out the lights. And maybe send a few text messages or emails to start trouble… Imagine Trump as possible president receiving a text talking about his small fingers or hands coming from a foreign country leader. He would order nuclear strike and the AI would laugh at the simple hack…

Anonymous Coward says:

The CFAA violates the First Amendment because it limits everyone, including academics and journalists, from gathering the publicly available information necessary to understand and speak about online discrimination.

This is a bit of a stretch for me. I would say that the First Amendment protects speech. It does not protect “information gathering”.

For example, if a website’s terms of service provide that… engaging in certain speech (false or misleading speech, for example, or subsequent disparaging speech about the website) renders access unauthorized, then violations of those private terms of service become crimes through the phrase “exceeds authorized access” in the Challenged Provision. Such speech or expressive activity thus becomes prohibited under pain of criminal sanctions simply because it occurred on the internet.

This is like charging someone with trespassing at Fight Club because they later talked about Fight Club, and they have a rule against that and never would have let them in if they had known. It’s all well and good that they wouldn’t have let them in – but they DID let them in, and any later violation of the rules doesn’t retroactively make them guilty of trespassing. And it shouldn’t retroactively make anyone guilty of unauthorized access. The access was authorized. It’s what they did later that wasn’t.

Anonymous Coward says:

techno illiterate lawmakers

when you use a web based service, it results in a bad outcome for you, (you would have been better off if you did nothing), you tell others of your bad experience, the website’s terms and conditions expressly forbid negative reviews and describe their poor customer service as your unauthorised access, so 5 years jail for you.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...