DOJ To Researchers: First Amendment Does Not Protect Violating Websites' Terms Of Services
from the SRO-only-in-the-court-and-not-much-here-to-grab-floor-space dept
The woefully out-of-date CFAA — the product of panicked early-80s legislating in response to underdeveloped hacker fears — continues to hold back research (both of the security and non-security kind) when not being wielded like the prehistoric weapon it is by the DOJ and multiple entities who prefer bludgeoning the messenger to fixing their broken systems.
Because of the ongoing misuse and abuse of a badly-written law (aided and abetted by some terrible court decisions), a group of academic researchers has decided to proactively sue the government over its terrible legislation, rather than wait around to get sued/indicted for attempting to determine if individual websites exhibit bias against certain users.
They’ve enlisted the help of the ACLU, which filed its suit against Attorney General Loretta Lynch back in June. The DOJ has responded with a motion to dismiss [PDF] that claims everything is wrong with the lawsuit, from the issue of standing to multiple failures to state a claim under the First and Fifth Amendments.
Plaintiffs fail to allege an injury in fact sufficient to meet the constitutional minimum of standing. Standing to assert pre-enforcement statutory challenges under the First and Fifth Amendments may exist where the statute in question regulates constitutionally protected conduct and a credible fear of prosecution exists. The challenged provision of the CFAA, however, does not facially regulate protected conduct, and the conduct in which plaintiffs intend to engage—deploying information-gathering software on the websites of non-consenting private entities—is not activity that the First Amendment protects. Moreover, plaintiffs fail to provide any facts indicating a credible threat that the challenged provision will be enforced against them: plaintiffs do not allege to have been investigated by law enforcement or threatened with an enforcement action; plaintiffs do not identify any cases in which the government has sought to enforce the CFAA for harmless terms of use violations that were not in furtherance another crime or tort; and the government has affirmatively stated that it has no intention to enforce the CFAA under the circumstances alleged here. Accordingly, plaintiffs are unable to assert an objectively credible threat of prosecution and, as a result, their complaint must be dismissed on standing grounds.
It is indeed difficult to sue to prevent things from happening, rather than suing to seek recourse after damage has been done. Speculating about future Constitutional violations is even less likely to succeed, as many courts tend to avoid tangling with any civil liberties questions not directly implicated by the case at hand. These two issues alone may find the court agreeing with the DOJ’s assertions.
However, other assertions made by the government aren’t as solid. While it is true the DOJ tends not to prosecute simple CFAA violations without a connection to other criminal activity, when it does choose to do so, it tends to respond with zealous, fear-based prosecution and incredibly severe sentence recommendations.
That the DOJ has magnanimously offered to not enforce the CFAA against the researchers at this point is heartening, as far as that promise goes. The DOJ may have no intention of doing so now, but if the researchers roll up on the wrong website and set some influential wheels to squeaking, that could change.
The DOJ is on less solid ground when it argues the CFAA does not create a chilling effect. It may be that the research effort (deploying bots to simulate job seekers, home buyers, etc.) is not a form of protected speech, but that doesn’t mean speech — and research efforts — aren’t being deterred by the badly-written and vaguely-interpreted law.
The government doesn’t contend, however, that the results of the research won’t be protected under the First Amendment — just that the method of gathering the data isn’t.
Here, plaintiffs allege that the challenged provision of the CFAA has chilled their desire to deploy software technology designed to gather information from the websites of private corporations without the permission of those corporations and in a manner that the relevant website terms of use expressly prohibit. The systemic collection of information from the websites of non-consenting private entities is not conduct the First Amendment protects, and thus plaintiffs are unable to assert a reasonable First Amendment chill with respect to that conduct.
[…]
Thus, just as there is no First Amendment right to gather information by personally travelling to a sanctioned country, and no First Amendment right to gather information by visiting a jail without the permission of the warden, and no First Amendment right to access information in electronic form rather than paper form, there is likewise no First Amendment right to gather information controlled by private entities by deploying a data-scraping computer program on the websites of those entities without their permission and in a manner that the entities explicitly prohibit.
And there’s the chicken-egg problem with the First Amendment, which follows after the other chicken-egg dilemma of having to wait to be prosecuted (or threatened with prosecution) before being granted standing to challenge the government’s enforcement efforts. To use the DOJ’s cited equivalents, delivering the news is protected under the First Amendment. Gathering it, however, may not be.
What the DOJ doesn’t spend any time explaining is why researchers might get the idea the government would come after them for performing this research. The DOJ has explicitly stated in the past that violating a website’s terms of use violates the CFAA, making criminals of millions of pre-teens with Facebook or Twitter accounts. And the DOJ’s own suggested rewriting of the CFAA looks to turn previous misdemeanors into felonies, including the sort of activity the researchers are proposing.
…knowingly and willfully traffics… in any password or similar information, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section…
The rewrite removes a key phrase: “with intent to defraud.” This excision turns the researchers’ plan to search for bias in websites into an admission of felonious intent.
That being said, there’s a good chance this lawsuit will be tossed quickly. The route to CFAA reform still flows (slowly and sometimes, stupidly) through Congress. Unfortunately, the stakeholders with the loudest voices are those who prosecute under the law, rather than those punished by it. Because of that barrier to true reform, efforts to attack the law from oblique angles are likely to appear periodically until the law is overhauled… or replaced with something worse.
Filed Under: cfaa, chilling effects, doj, first amendment, hacking, research
Companies: aclu
Comments on “DOJ To Researchers: First Amendment Does Not Protect Violating Websites' Terms Of Services”
Does that suggest.....?
IAN(even slightly)AL, but that sounds to me like some intrepid litigator ought to gather together a bunch of people who have been screwed over by the CFAA and take a run at it. I imagine there’s unlikely to be a shortage of candidates for plaintiffs…
Re: Does that suggest.....?
While I’d love it if this happens, it’s a tough sell.
The whole “they broke into my house” real world pseudo-analogy muddies the waters for jurors, and most people prosecuted under this CFAA bullshit are unsympathetic to a public primed on irrational (and in some cases overtly anti-rational) fear.
You and I might support Aaron Swartz (RIP) and Edward Snowden (at least I do), but I doubt we’re in the majority.
Pedant (me) is pedantic
Perhaps you mean overdeveloped?
or replaced with something worse
Sadly this seems to be the default path these days. But let’s hope this doesn’t happen here. In the end everybody loses, including the Government (when your citizenry loses and is put in danger because of your actions you lose too).
For people interested in the DoJ side of things, this talk took place at BSides Las Vegas 2016 last month: https://www.youtube.com/watch?v=NzDGJk8C5Fc&index=7&list=PLjpIlpOLoRNTG3td7JfV1LDinNFLSHJqM.
Very interesting talk and one I’m positive will be illuminating on internal actions the DoJ has taken in regards to how it handles CFAA prosecutions.
My Website
Why should I let someone use my web site for whatever they want? I made it, I pay for it, it is my business. Why should anyone be able to do whatever they want, especially when I’ve asked them not to?
This story has never made sense to me.
Re: My Website
Because criminals and hostile governments the world over couldn’t care less about what you want. And since an insecure website can be used to attack others, ensuring cyber-good-samaritans and cyber-experts can find the vulnerabilities around the world and inform the website owners of them so they can be fixed is vital for Internet security. Yours and ours.
Also, the CFAA being used to attach criminal penalties to violations of civil contracts means the Feds are sticking their nose into civil matters when they absolutely shouldn’t be.
Re: My Website
Not sure much will make sense to you then.
How would you like to be forced to place a whole pile of your information in a middle of the town square. Then told you are not allowed to know how secure it is, who is securing it, or if a thief has breached it, or who it was being shared with?
Re: 'I don't see any problems' does not equal 'There are no problems to be seen'
Here’s the thing: You want (or should want) security researchers monkeying around with your site and trying to find exploits, because they aren’t likely malicious and won’t use the exploits or vulnerabilities that they find against you. If you’ve been smart in how you respond to people pointing out vulnerabilities it’s entirely possible that they’ll tell you directly, giving you time to patch or fix the issue safely before a small potential problem because a big realized problem.
On the other hand If security researchers and/or white hats are too scared to look for vulnerabilities because it’s too risky legally to do so the first you’re likely to find out about a vulnerability or other problem regarding your site it when someone that is malicious uses it against you, and at that point you’re stuck scrambling around trying to contain the damage.
Scaring off security researchers and/or white hats doesn’t make the problems they would have otherwise found go away, it just allows those problems to fester until someone interested in exploiting them for personal gain finds and exploits them, and that’s not an ‘if’ proposition it’s a ‘when’.
Re: My Website
You forget the other side of the equation, and that is the information you collect actually belongs to others and when your carelessness comes homes home to roost, you’ll be denying any responsibility for the care of the information that you’ve collected that belongs to everyone else.
So are you willing to set aside enough funds to cover all the problems that arise out of the website that you’ve made, that is your business and you are now paying for?
Standing
Getting standing is simple – as you mention in the article itself, just get a pre-teen with a Facebook account. They’re under threat of being prosecuted under the CFAA, so they clearly have standing.
Suggestion
Researchers can send their findings in the form of cut out magazine and newspaper letters glued to a piece of paper.
being told you have no rights unless those in power decide you have them should be grounds for more than just apathetic complacency.