DC Court Says Terms Of Service Violations Can't Trigger Federal CFAA Prosecutions

from the forcing-discretion-on-DOJ-prosecutors dept

In a win for researchers and the ACLU, a federal court has ruled that violating a site's terms of service is not a criminal violation of the CFAA.

The ACLU filed this lawsuit in 2016, representing researchers, scientists, and journalists who were looking into whether employment websites engaged in discriminatory behavior. To do so, the researchers needed to deliberately violate the terms of service of the websites they were studying by creating bogus accounts and providing other false information.

Since the CFAA has been the go-to law for companies seeking to silence security researchers and critics, the ACLU and its plaintiffs raised a pre-enforcement challenge, seeking a ruling declaring this work legal before the DOJ had a chance to abuse this terrible law to shut the research down.

The DC federal court doesn't go so far as to extend First Amendment protection to these actions, but it does hold, importantly, that the CFAA does not criminalize terms-of-service violations. From the decision [PDF]:

The Court agrees with the clear weight of relevant authority and adopts a narrow interpretation of “exceeds authorized access.” Without weighing in on the circuit split over employers’ computer-use policies, the Court concludes that violating public websites’ terms of service, as Wilson and Mislove propose to do for their research, does not constitute a CFAA violation under the “exceeds authorized access” provision.

The DOJ tried to argue the plaintiffs had no case because it would never in a million years even think about bringing a CFAA prosecution over terms of service violations. The court says the government's own words and actions contradict its assertions.

The government argues that plaintiffs fail to establish a credible threat of prosecution under the CFAA, contending that (1) plaintiffs’ testimony shows that they do not fear prosecution (and, indeed, already have engaged in such research); (2) past CFAA prosecutions do not establish a credible threat that plaintiffs’ proposed conduct will be prosecuted; and (3) the government’s charging policies and public statements undercut plaintiffs’ attempt to establish a credible threat of prosecution.

[...]

[E]ven assuming the absence of prior prosecutions, but see Sandvig, 314 F. Supp. 3d at 19–20 (discussing two previous prosecutions under the Access Provision), plaintiffs still are not precluded from bringing this pre-enforcement action. When constitutionally protected conduct falls within the scope of a criminal statute, and the government “has not disavowed any intention of invoking the criminal penalty provision,” plaintiffs are “not without some reason in fearing prosecution” and have standing to bring the suit.

It's not enough for the government to declare it probably won't pursue ToS-violation prosecutions, the court says.

[T]he government points to guidance from the Attorney General that “expressly cautions against prosecutions based on [terms-of-service] violations,” as well as statements to Congress by Department of Justice officials, as evidence that plaintiffs face no credible threat of prosecution. Gov’t’s Opp’n at 16–17. But the absence of a specific disavowal of prosecution by the Department undermines much of the government’s argument.

All we're left with is the DOJ's prosecutorial discretion, which is extremely suspect and not backed by any statements from officials that would assure the plaintiffs the government would not choose to take action against them in the future.

Discovery has not helped the government’s position. John T. Lynch, Jr., the Chief of the Computer Crime and Intellectual Property Section of the Criminal Division of the Department of Justice, testified at his deposition that it was not “impossible for the Department to bring a CFAA prosecution based on [similar] facts and de minimis harm…” Although Lynch has also stated that he does not “expect” the Department to do so, Aff. of John T. Lynch, Jr. [ECF No. 21-1] ¶ 9, “[t]he Constitution ‘does not leave us at the mercy of noblesse oblige...’”

This may keep the DOJ off researchers' backs but it won't shield them from lawsuits from the targeted sites.

The Court concludes that agreeing to such contractual restrictions, although that may have consequences for civil liability under other federal and state laws, is not sufficient to trigger criminal liability under the CFAA.

This at least will deter the DOJ from pursuing these prosecutions in its "home" court. Most CFAA action still takes place in the Ninth Circuit, where most tech companies are located. Opinions on civil CFAA cases have been hit and miss, but at least one major case (LinkedIn v. HiQ) saw the court come down on the side of the party doing the scraping, a violation of LinkedIn's terms of service. This decision is being appealed, but for now, it still stands.

The research can move forward without the threat of government prosecution dangling over its head. That's a start.

Filed Under: cfaa, criminal, doj, research, security research, terms of service
Companies: aclu


Reader Comments

  • Anonymous Coward, 7 Apr 2020 @ 11:08am

    The government argues that plaintiffs fail to establish a credible threat of prosecution under the CFAA, contending that (1) plaintiffs’ testimony shows that they do not fear prosecution (and, indeed, already have engaged in such research); (2) past CFAA prosecutions do not establish a credible threat that plaintiffs’ proposed conduct will be prosecuted;

    This sounds smart. They must be smart. What's next, bringing on Richard Liebowitz, and a 'credible' prosecutor?

  • ECA, 7 Apr 2020 @ 12:12pm

    Contracts.

    In most of my life, Everyone and everything has asked me to sign contracts. They have even shown that 99% of the people DON'T read them.
    Once everything has a contract..And many times it's more than one.
    20+ pages
    Legalese
    Convoluted Monkey pucky..

    I would love to get someone to sign one, that allows me to Take 1/4 to 1/2 of the PCH winnings.

    The odds are they would never read it, and not realize What was happening until they Won. How many here have ever TRIED to read that Contract with PCH??
    PCH does not tell you how many times per year they make a Drawing.. They make Many, and it's like Multi level marketing. "you are getting closer". Have they Ever told you When the last drawing for YOUR drawing is going to happen, NOT just a Sorting Drawing for the 100,000.

    Let's quit this and go this way..
    HOW many contracts have an END DATE? think about that.
    With this thought in mind, and that the Odds of winning PCH are over 10 times the world population.. I would love to go to court and ask about ALL the numbers they have given me and my family in the last 40+ years. and to check to see if I have won.
    And if they can't find this info.. suggest That I HAVE WON.. Because they can't prove I didn't.

    • Anonymous Coward, 7 Apr 2020 @ 2:56pm

      Re: Contracts.

      Great! Excellent!

      Let's assume they gave you a number every month for 40 years.
      40 x 12 = 480. For the drawing you're in court about, your odds have improved from 1 in 1,700,000,000 to one in 3,541,667.

      One of the top prizes is $1,250,000. Let's say you have a cheap-but-effective lawyer, and cap his billing at $300,000, contingent on winning. So you're looking at, say a $900,000 payout IF your number comes up.

      I'm not even going to cover the "PCH hasn't run the same game for the last 40 years running, invalidating most of those 480 numbers you started with" argument, because I (for one) am not seeing the odds of winning as all that great even with a win in court.

      On the plus side, PCH could just offer a settlement of "sure, let's compare all your numbers against that one contest and see what happens. ... Oh, and by accepting, you give us publicity rights for it all." ... at which point your lawyer turns to you and points to the contract you signed with HIM about what happens in a settlement...

      But good luck with your shake-down!

    • Anonymous Coward, 7 Apr 2020 @ 3:03pm

      Re: Contracts.

      In most of my life, Everyone and everything has asked me to sign contracts.

      You still don't have to sign a contract to enter a retail store and buy something with cash. They'll make you agree to the 20+ pages if you're using the online site of that same store, but I guess they figure people would start leaving if asked to sit down with a notary and sign that shit. And that's the main way I see anyone putting a stop to it online: tell them you disagree and will have to shop elsewhere.

      The other possibility: volume, which it turns out is a weapon against forced arbitration. Have a day where every potential buyer emails the site's legal counsel to get clarification on contract terms (users don't know all the legal terms, after all), to object to them, to use every opt-out available.

      • ECA, 7 Apr 2020 @ 6:27pm

        Re: Re: Contracts.

        ANDDDDD
        When you sign the contract with the Landlord...NOT OWNER..
        it says...
        you abide by those also, EVEN IF NOT PRINTED OUT

        • Anonymous Coward, 8 Apr 2020 @ 1:03pm

          Re: Re: Re: Contracts.

          Mentioning landlord/tenant law is quite the non-sequitur. That's one of the more regulated areas of contract law. Where I live, e-commerce sites can put almost anything they want in their "agreements", while landlords can only give a standardized 3-page form with some boxes like "no smoking" and "who pays utilities?" to be checked, and a box for monthly amount.

          • ECA, 9 Apr 2020 @ 1:08am

            Re: Re: Re: Re: Contracts.

            And in Idaho they don't even have Anyone to complain to.
            All you can do, is call city inspectors.
            There are some laws, but not enforced.

      • Bergman, 9 Apr 2020 @ 4:30pm

        Re: Re: Contracts.

        Kinda makes me wonder how many online store contracts apply to people who later go into the brick & mortar location of the store.

  • ECA, 7 Apr 2020 @ 1:29pm

    I'm starting something,

    Pass this around.
    It's kinda hard to find the section to send an Email to many of these sites, but I'm tired of it.
    Being asked to ALLOW 3rd party crap on my machine, and I can't see anything unless I DO accept..
    I send this letter, as a contract is a 2 party thing.

    "My acceptance of your ability to advert on my computer, means that you are willing to accept My TOS.
    Thank you.
    This means that Any 3rd party that inserts Virus/adware/bots/trackers and any other obtrusive software, you are Liable for.
    Thank you for accepting."

  • That One Guy, 7 Apr 2020 @ 7:54pm

    'But we pinky-promised and everything!'

    'You should toss this case, we would never do something like what they're talking about.'

    'Are you willing to put that on paper in a legally binding manner?'

    'Well... I mean... I really don't see how that's necessary, and that would be a lot of work...'

    Can't imagine why the court wasn't stupid enough to buy that argument...

  • Anonymous Coward, 7 Apr 2020 @ 10:28pm

    Well, this is something nice amidst not-so-nice days.

  • Atkray, 8 Apr 2020 @ 12:59pm

    Great news but I about choked on my drink when I read:

    "John T. Lynch, Jr., the Chief of the Computer Crime and Intellectual Property Section of the Criminal Division of the Department of Justice"

    If you have a problem... if no one else can help... and if you can find them... maybe you can hire... The A-Team.

    Just re-watched that movie the other night......

  • nasch, 9 Apr 2020 @ 6:28am

    Sure

    If they actually had no intention of ever prosecuting for terms of service violation, then they wouldn't have objected.

  • Anonymous Coward, 9 Apr 2020 @ 10:33am

    This Sounds Shady

    The very first indication that something shady is going on, to any sensible person, is that the ACLU is involved. That right there should perk up one's instincts that there's going to be some grievance hucksterism about to go down.

    The second is the word 'discrimination'. Now we know we're about to enter some strange territory, where no effort is spared, where no behavior is off limits, where no resistance is countenanced, where any and all means will be considered necessary to ensure no able-bodied, non-sexually-perverted White male is doing thoughtcrime somewhere.

    The third is the concept of a pre-enforcement challenge. Now, being a non-lawyer non-bureaucrat non-professional-nuisance, I've not encountered this 'pre-enforcement challenge' phrase before, but it smacks of "I want official sanction to do something I suspect most folks are going to consider not cricket".

    The fourth? "Ninth Circuit". Okay, yep, something shady is happening.
