On March 30, 2018, in Sandvig v. Sessions,1 the U.S. District Court for the District of Columbia held that a group of academic researchers can move forward with their First Amendment challenge to the Computer Fraud and Abuse Act (CFAA),2 a federal law that criminalizes, among other things, accessing a computer in a manner that “exceeds authorized access.”
The CFAA was enacted in the early 1980s in response to concerns that there were not enough criminal laws on the books to address emerging computer crimes.3 In its early days, the statute narrowly prohibited harmful computer misuse such as malicious hacking and attempts to break into government computers. In 1986, however, Congress began passing a series of amendments that significantly expanded the statute’s reach. Today, many view the CFAA as an overbroad, vague law that criminalizes standard computer conduct in the digital age. Others view it as a pragmatic tool to deter unwanted computer misuse that harms businesses and consumers alike. As a result, the outcome of this case will have implications for individuals who seek to obtain data through means like scraping, and websites that seek to deter unwanted conduct through contract-based restrictions on access to their services.
In June 2016, the American Civil Liberties Union filed a lawsuit on behalf of researchers seeking to investigate whether online algorithms perpetuate racial, gender, and other unlawful discrimination in housing, finance, and employment. In order to conduct this research, the plaintiffs claim that they need to use research methods that necessarily require them to violate websites’ terms of service, thus subjecting them to potential criminal liability under the CFAA.
Specifically, the plaintiffs seek to engage in “outcomes-based audit testing” to determine whether websites are discriminating against members of protected classes online. Outcomes-based audit testing often involves scraping data from public websites and repeatedly accessing websites using artificial “tester” accounts to evaluate how they treat users who display characteristics attributed to certain races, genders, and other protected classes. For example, two of the plaintiffs plan to investigate whether computer programs that decide what to display on real estate websites discriminate against users based on race or similar factors. To do this, the plaintiffs seek to use bots that will create a number of distinct user profiles called “sock puppets” to determine whether race-associated behaviors cause the sock puppets to see different sets of properties. According to these plaintiffs, while these research methods are akin to paired testing procedures in the physical world—i.e., where multiple people who are identical but for one legally protected trait apply for the same house or job to uncover housing and employment discrimination—in the virtual world, the plaintiffs allege that these same methods can be considered criminal conduct under the CFAA.
As a result, the plaintiffs brought this pre-enforcement challenge alleging that the CFAA is unconstitutional under the First Amendment’s Free Speech, Free Press, and Petition Clauses, and constitutes a violation of due process and an impermissible delegation of authority to private parties under the Fifth Amendment. In response to the government’s motion to dismiss, Judge John Bates of the D.C. District Court held that the plaintiffs can proceed with one, but not the rest, of their claims—specifically, their claim that the CFAA’s access provision, as applied to them, violates the Free Speech and Free Press Clauses of the First Amendment.
The CFAA’s access provision prohibits intentionally accessing a computer without authorization, or in a manner that exceeds authorized access, to obtain information from a “protected computer.”4 “Protected computer” includes, among other things, a computer that “is used in or affecting interstate or foreign commerce or communication.”5 As Judge Bates noted in the opinion, the CFAA’s definition of protected computer is notoriously broad, encompassing “just about all computers hooked up to the Internet[.]”6 The CFAA defines “exceeds authorized access” as accessing a computer without authorization, and using such access to obtain or alter information in the computer that the accessor is not permitted to obtain or alter.7 Thus, the access provision applies to anyone who (i) “purposely accesses an Internet-connected computer without authorization,” or (ii) “uses a legitimate authorization to receive or change information that they are not supposed to, and thereby obtains information from the computer.”8
Violations of the CFAA can, and often do, carry steep penalties. Specifically, the first violation of the CFAA’s access provision can result in a fine or imprisonment for up to one year, or up to five years if the offense: (i) was committed for commercial or financial gain; or (ii) in furtherance of any criminal or tortious act; or (iii) involved obtaining information valued at more than $5,000.9 While the first violation carries a one to five year term of imprisonment, any further violation of the access provision can result in up to 10 years’ imprisonment.10
The Internet as a Public Forum
At the outset, the court addressed an issue that guided its analysis of both the standing inquiry and the merits of the case: the First Amendment status of the Internet and the government’s authority to regulate activity on websites. In the government’s view, the plaintiffs in this case have no business in court because their claims involve the conduct of private actors in a private forum, and are therefore outside the scope of constitutional scrutiny. While the court did find some basis for the government’s position in Supreme Court case law, ultimately, the court made clear that the public Internet is far too saturated with expressive First Amendment activity to be deemed a private forum. On the other hand, the court noted that it would be ill-advised to treat the entire Internet as a public forum, as doing so would “subject to heightened scrutiny regulations on even the Internet’s most secluded nooks and crannies.”11 Thus, the court concluded that while the First Amendment may protect the Internet generally, it “does not protect those who circumvent barriers that demarcate private areas, even if those private areas are surrounded by an otherwise public forum.”12
The court next addressed whether the plaintiffs had standing to bring their claims in court. To make this determination, the court evaluated whether the plaintiffs plausibly alleged an intention to engage in a course of conduct that (1) is arguably affected with a constitutional interest, (2) but prohibited by the statute, therefore (3) resulting in a credible threat of prosecution under the statute. In evaluating whether the plaintiffs’ proposed conduct is arguably affected with a constitutional interest, the court made some significant statements about the level of First Amendment protection afforded activities like scraping, using tester accounts, and publishing research in violation of websites’ terms of service.
First, the court found that scraping “plausibly falls within the ambit of the First Amendment” because the First Amendment protects the right to gather information13 and record matters of public interest to disseminate ideas.14 This protection, according to the court, is not hindered simply by the fact that the plaintiffs seek to use automated means to gather information rather than manually record the information themselves. As a result, the court found that the plaintiffs’ attempts to record the contents of public websites for research purposes are arguably affected with a First Amendment interest. Second, the court found that the plaintiffs have a First Amendment interest in harmlessly misrepresenting their identities to target websites through the use of tester accounts because the purpose of such misrepresentation is not to defraud such websites or secure money or other valuable consideration, rather for research purposes only. And finally, the court concluded that First Amendment scrutiny unquestionably applies to whether the plaintiffs can publish the results of their research in violation of certain anti-disparagement clauses in websites’ terms of service.
Next, the court considered how to properly interpret the CFAA’s access provision in light of the circuit split between the Second, Fourth, and Ninth Circuits and the First, Fifth, and Eleventh Circuits. While the Second, Fourth, and Ninth Circuits have held that “exceeds authorized access” prohibits only unauthorized access to information—thus adopting an “access-based” interpretation of the CFAA15—the First, Fifth, and Eleventh Circuits have adopted an “intended-use-based” interpretation, holding that “exceeds authorized access” can also extend to authorized use of information that a defendant was authorized to access only for specific purposes.16 Ultimately, the D.C. District Court concluded that the Second, Fourth, and Ninth Circuit analysis is the best reading of the statute, adding it to the list of courts that have adopted the narrower access-based interpretation of “exceeds authorized access” under the CFAA.
The court then addressed each of the plaintiffs’ five claims. First, the court dismissed the plaintiffs’ claim that the CFAA is overbroad on its face because the access provision, properly read, incorporates only those terms of service that limit access to particular information, not all terms of service violations. Second, the court dismissed the plaintiffs’ First Amendment Petition Clause claim on the basis that the Petition Clause is not aimed at protecting the right to gather facts, or to speak while doing so, rather those rights are more appropriately within the province of the Speech and Press Clauses of the First Amendment. Third, the court dismissed the plaintiffs’ Fifth Amendment due process claim on the grounds that the CFAA’s access provision is not unconstitutionally vague, and the plaintiffs had fair notice that their proposed conduct was prohibited by the statute (as demonstrated by their pre-enforcement challenge). And finally, the court dismissed the plaintiffs’ Fifth Amendment nondelegation claim on the grounds that the plaintiffs improperly relied on an overbroad reading of the access provision that sweeps in use, purpose, and manner restrictions on obtaining or altering information, when the statute should be read to apply only to access restrictions, as described above.
Although it dismissed four of the plaintiffs’ five claims, the court allowed the case to move forward to consider the plaintiffs’ central claim, i.e., whether the CFAA’s access provision, as applied to them, violates the Free Speech and Free Press Clauses of the First Amendment. In determining whether the plaintiffs pled plausible as-applied First Amendment claims under the Free Speech and Free Press Clauses, the court primarily evaluated whether the government’s reason for prohibiting the conduct at issue directly advances its interest in preventing digital theft or trespass. Ultimately, the court found that the government’s alleged interests in deterring digital theft and trespass would not be advanced by prohibiting plaintiffs’ proposed “false speech” on public websites.
In short, the court’s March 30, 2018, ruling in Sandvig is significant because Judge Bates has now placed the D.C. District Court among the list of courts that have adopted a narrower, access-based interpretation of the CFAA instead of the broad, intended-use-based test adopted by the First, Fifth, and Eleventh Circuits. The opinion also sheds light on the level of First Amendment protection afforded online activities such as scraping, using bots to creating fake tester accounts, and publishing research in violation of websites’ terms of service. Ultimately, it will be interesting to see how the court comes out on the as-applied challenge to the access provision, which could have significant implications for both researchers and businesses alike.
1 No. 16-cv-1368 (D.D.C. March 30, 2018).
2 18 U.S.C. § 1030.
3 Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, Pub. L. No. 98-473, tit. II, ch. 21, § 2102(a), 98 Stat. 1837, 2190-91.
4 18 U.S.C. § 1030(a)(2)(C).
5 Id. § 1030(e)(2)(B).
6 Sandvig, No. 16-cv-1368 at 2 (quoting United States v. Nosal, 676 F.3d 854, 859 (9th Cir. 2012)).
7 18 U.S.C. § 1030(e)(6).
8 Sandvig, No. 16-cv-1368 at 2.
9 18 U.S.C. § 1030(c)(2)(A), (B).
10 Id. § 1030(c)(2)(C).
11 Sandvig, No. 16-cv-1368 at 10.
12 Id. at 17.
13 See Packingham v. North Carolina, 137 S. Ct. 1730, 1737 (2017) (banning individuals from accessing information, knowing current events, and checking ads for employment through social media inhibits “the legitimate exercise of First Amendment rights”); Sorrell v. IMS Health Inc., 564 U.S. 552, 570 (2011) (“This Court has held that the creation and dissemination of information are speech within the meaning of the First Amendment.” (citations omitted)); Brown v. Entm’t Merchants Ass’n, 564 U.S. 786, 792 n.1 (2011) (“Whether government regulation applies to creating, distributing, or consuming speech makes no difference.”); Citizens United v. FEC, 558 U.S. 310, 340 (2010) (“Laws enacted to control or suppress speech may operate at different points in the speech process…”).
14 See, e.g., Gericke v. Begin, 753 F.3d 1, 7 (1st Cir. 2014) (reaffirming right to film police officer during traffic stop).
15 See United States v. Valle, 807 F.3d 508, 523-28 (2d Cir. 2015); WEC Carolina Ener. Solutions LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012); Nosal, 676 F.3d at 863.
16 See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583 (1st Cir. 2001); United States v. John, 597 F.3d 263, 271 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010); see also Int’l Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2016) (holding employee’s deletion of employer’s files in violation of employment contract terminated agency relationship that authorized employee to access the information).