from the fix-the-cfaa dept
And yet... that's exactly what's happening. And the culprit, once again, is the Computer Fraud & Abuse Act (CFAA), which we've written about for years. The law, which is woefully out of date, and was passed (literally) by a Congress that was freaked out over the movie WarGames, is supposed to target evil "computer hackers." But it's written so broadly, including terms like "unauthorized access" or "exceeding authorized access," that it's been used against things like violating a terms of service (that you didn't read or even agree to) or against downloading too many files. And that's scaring the hell out of researchers.
Given that, the ACLU has now filed a lawsuit on behalf of a group of academic researchers, computer scientists and journalists who want to investigate these issues, but are held back by the CFAA.
Our plaintiffs want to investigate whether websites are discriminating, but they often can’t. Courts and prosecutors have interpreted a provision of the CFAA—one that prohibits individuals from “exceed[ing] authorized access” to a computer—to criminalize violations of websites’ “terms of service.” Terms of service are the rules that govern the relationship between a website and its user and often include, for example, prohibitions on providing false information, creating multiple accounts, or using automated methods of recording publicly available data (sometimes called “scraping”).
The problem is that those are the very methods that are necessary to test for discrimination on the internet, and the academics and journalists who want to use those methods for socially valuable research should not have to risk prosecution for using them. The CFAA violates the First Amendment because it limits everyone, including academics and journalists, from gathering the publicly available information necessary to understand and speak about online discrimination.
In terms of the specific challenge, the ACLU is arguing that it violates both the First Amendment and the due process clause of the Fifth Amendment. The crux of the First Amendment argument in the filing:
The Challenged Provision impermissibly burdens speech about business practices and other activity on the internet because websites can determine what speech and expressive activity to prohibit, and these prohibitions become criminal violations of the Challenged Provision. In other words, a website can explicitly target speech or expressive activities. For example, if a website’s terms of service provide that access by certain types of speakers (such as researchers) is unauthorized, or that engaging in certain speech (false or misleading speech, for example, or subsequent disparaging speech about the website) renders access unauthorized, then violations of those private terms of service become crimes through the phrase “exceeds authorized access” in the Challenged Provision. Such speech or expressive activity thus becomes prohibited under pain of criminal sanctions simply because it occurred on the internet.
Because the Challenged Provision incorporates websites’ terms of service into the federal criminal code, its applications are virtually infinite; any speech or expressive activity that the private operator of a website has prohibited as a condition of access to its website becomes a criminal violation, even where that prohibition covers speech subsequent to the visit and in a different forum. In a good number of cases, a website’s ToS will prohibit speech that cannot constitutionally be prohibited. Accordingly, although the Challenged Provision may have legitimate applications, its unconstitutional applications are substantial in relation to its legitimate scope.
There's some more as well, including the idea that setting up fake profiles to test a site for discrimination may be considered a terms of service violation and one that violates the free speech of the researchers.
As for the Fifth Amendment:
The Challenged Provision fails to notify ordinary people of what conduct is criminal because the phrase “exceeds authorized access” does not provide sufficient notice that an individual must comply with a website’s written terms of service at all times. The plain meaning of the phrase “exceeds authorized access” does not clearly cover instances where a website places no barriers, such as technological or physical barriers, to access by individuals.
While I've been quite vocal for years about the problems of the CFAA and how it chills a variety of activities, including ones similar to those described here, and while I have enormous respect for the ACLU, I do wonder how successful this case will be. Courts are not always happy to take on cases that can be seen as more "speculative" than over a clear issue (i.e., after someone's been charged with violating the CFAA for this kind of activity). At the same time, courts also like to avoid dealing with Constitutional questions, if they can avoid it -- and so far, multiple courts have rejected attempts to claim that a mere terms of service violation violates the CFAA. So they can get out of handling the Constitutional question by just saying "well, that particular use is not a CFAA violation."
So while I think this is a really important issue, and I'd love to see a constitutional challenge to these aspects of the CFAA succeed, I'm at least somewhat skeptical of the chances of this particular case. Hopefully, I'm proven wrong.