Case Summary and Outcome

A District Court in Columbia dismissed a First Amendment challenge to the constitutionality of the Computer Fraud and Abuse Act (CFAA) alleging it criminalized certain research activities. The case was brought by researchers who wished to find out whether employment websites engage in discrimination on the basis of race, gender or other protected characteristics. Their research methods required that they violate websites’ Terms of Service (ToS), which they claimed exposed them to the risk of prosecution under a provision that criminalized intentionally accessing a computer without authorization or authorized access to obtain information from a protected computer. The Court interpreted CFAA’s Access Provision rather narrowly to hold that the plaintiffs’ conduct was not criminal as they were neither exceeding authorized access, nor accessing password protected sites, but public sites.  Construing violation of ToS as a potential crime under CFAA, the Court observed would allow private website owners to define the scope of criminal liability – thus constituting an improper delegation of legislative authority. Since their proposed actions were not criminal, the Court concluded that the researchers were free to conduct their study and dismissed the case.

Facts

The plaintiffs, four professors and a media organization First Look Media Works, Inc. publishing news online, were conducting studies to respond to new trends in real estate, finance and employment transactions, which increasingly have been initiated on the Internet. The plaintiffs’ aimed to test whether the ranking algorithms on major online hiring websites produce discriminatory outputs by systematically ranking specific classes of people (e.g., people of color or women) below others. For this purpose, they sought to repeatedly access a website or other network service (‘target website’), by creating false or artificial user profiles as well as by using bots to crawl profiles of random selection of jobseekers to obtain baseline demographic data. Their intention was to see how websites/algorithms respond to users and ranks candidates who display characteristics attributed to certain  races, genders, or other classes.

The plaintiffs’ claimed that while their research endevours (scraping to record data or gaining information through the target websites) had a potential to violate terms of service (‘ToS’) of those websites, they were willing to take steps to minimise the impact on the operations of the target websites as well as their users. Thus, to ensure minimum impact, they would take steps to inform real job seekers and employers that the job posting or the profile of the job seeker was ‘fictitious’.

On June 29, 2016, the plaintiffs’ brought a pre-enforcement challenge claiming that they had two options: (i) to either refrain from conducting research and investigations that would constitute protected speech or expressive activity, or (ii) expose themselves to the risk of prosecution under the Access Provision of the CFAA. Specifically, they claimed that the provision in question, 18 U.S.C. § 1030(a)(2)(C) (‘Access Provision’) criminalised intentionally accessing a computer without authorisation or authorised access to obtain information from a protected computer. This, according to the plaintiffs’, violated their First and Fifth Amendment rights on four grounds – (i) by unconstitutionally restricting their protected speech, (ii) interfering with plaintiffs’ ability to enforce their rights and hence, violating Petition clause, (iii) on account of vagueness under Fifth Amendment Due Process Clause and (iv) by delegating lawmaking authority to private actors in violation of the Fifth Amendment.

Against the pre-enforcement challenge, the government moved to dismiss the suit on September 9, 2016 under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6) for lack of standing and failure to state a claim. By an order dated March 30, 2018, the Court partially granted government’s motion to dismiss, finding that that only Plaintiffs Alan Mislove and Christopher Wilson’s research plans would violate the provisions of CFAA. The Court additionally held that, based on their intention to create fictitious user accounts on employment websites in the course of their research, Plaintiffs Mislove and Wilson had standing to challenge the Access Provision on grounds concerning First Amendment Free Speech violation. Specifically, the court noted that “absent any evidence that the speech would be used to gain a material advantage, plaintiffs’ false speech on public websites retains First Amendment protection and rendering it criminal does not appear to advance the government’s proffered interests.” [p. 38]

Before this court, the plaintiffs’ subsequently filed a cross-motion for summary judgment, renewing their pre-enforcement challenge against the Access Provision of the CFAA and alleging unconstitutional restrictions on their First Amendment rights due to a blanket criminalisation of research/journalistic activities that violate websites’ ToS. Their claim was twofold: (i) that they had jurisdictional standing to challenge the constitutionality of the Access provision and (ii) that the Access provision violated the First Amendment. On the contrary, the government argued that the plaintiffs’ failed to establish jurisdictional standing and that the First Amendment was not equipped to shield the plaintiffs’ from choices of the private websites’ about ‘whom to exclude from their servers’ [p. 3].

Decision Overview

Judge John Bates delivered the opinion of the United States District Court of Columbia. The principle question before the Court was whether the Access Provision of the Computer Fraud and Abuse Act (‘CFAA’) violated plaintiffs’ First and Fifth Amendment rights.

The CFAA 18 U.S.C. § 1030(a)(2)(C) (‘Access Provision’) states that “[w]hoever … intentionally accesses  computer without authorization or exceeds the authorized access, and thereby obtains…information from any protected computer…shall be punished by fine or imprisonment”. Constitutionally, to arrive at an Article III standing, three requirements are essential to be satisfied. Accordingly, the plaintiff is required to establish that an injury is (1) concrete, particularized, and actual or imminent; (2) fairly traceable to the challenged statute or conduct; and (3) likely to be redressed by a favorable decision.

Before the Court, the defendant had contested plaintiffs’ standing for their claim, arguing that their challenge was too abstract to be capable of judicial resolution. The government’s contention was primarily based on three claims – (i) plaintiffs’ lacked any concrete plans for conducting future research, (ii) they had failed to demonstrate a credible threat of prosecution for such research and (iii) their claim was not ripe to be evaluated.

With respect to the first claim, the Court attributed a lower standard than what the defendant had originally contested, arguing that pre-enforcement reviews in the First Amendment context does not require the plaintiff to demonstrate violation of regulation to demonstrate injury (quoting U.S. Telecom Ass’n v. FCC, 825 F.3d 674 (D.C. Cir. 2016)). What is actually required is only a ‘credible statement by the plaintiff of the intent to commit a violative act and a conventional background expectation that the government will enforce the law’ [p. 6]. On this basis, the court concluded that the fact that plaintiffs’ had secured funding and IRB clearance to engage in their intended conduct (to create fake employer and fictitious job seeker profiles) demonstrated sufficiently an injury of fact.

On defendant’s second claim, the plaintiffs’ were required to prove that they intended to engage in conduct that was both protected by First Amendment and prohibited by CFAA, and that there was a credible threat of enforcement of statute against them when they do so. The government had contested plaintiffs’ failure to establish credible threat of prosecution on three grounds – that plaintiffs’ testimony showed they did not fear prosecution and had already engaged in alleged research, that past CFAA prosecutions did not establish a credible threat that their conduct would be prosecuted and finally, that the government’s charging policies and public statements undercut plaintiffs’ attempt to establish a credible threat of prosecution [p. 9].  Despite these arguments, the Court, however, held that the plaintiff adequately demonstrated a credible threat and was not precluded from bringing a pre-enforcement action. A strong basis for the Court’s contrary conclusion was the absence of specific disavowal of prosecution by the Department of Justice officials as well as the absence of a clear indication that plaintiffs’ conduct fell outside the scope of the criminal provisions.

On a related note, the government had also argued that plaintiffs’ claims were not ripe for adjudication, primarily because it was not possible to anticipate the effects of plaintiffs’ hypothetical research or evaluate the potential harms caused by it. Recognising that an immediate scrutiny of the Access Provision on First Amendment grounds as urged by the plaintiffs’ was perhaps ‘too soon’, the Court nevertheless concluded that the dispute was ripe, based on the record of websites provided by them as well as their intention to violate ToS of these websites.

Post settlement of the jurisdictional standing, the Court sought to delve into a determination on whether CFAA criminalised plaintiffs’ intended conduct, and if that raised a First Amendment dispute. These two concerns were intricately interlinked in view of the Court, and an exclusion from criminal liability under CFAA would render moot plaintiffs’ First Amendment claim. Deriving interpretation from previous decisions, the Court held that an intended conduct is ‘arguably…proscribed by the statute’ as long as a reasonable interpretation of the statute is proposed by the plaintiffs’ under which they fear credible prosecution [p. 13].

It is worthwhile to note that the Court construed CFAA’s Access Provision rather narrowly to hold that the plaintiffs’ conduct in violating websites’ ToS was not criminal. To that effect, the Court answered the question whether ToS conditions, rather than authentication gates (such as password restriction), constitutes adequate ‘permission’ requirement for criminal liability under the CFAA in negative. This was because, first, the plaintiffs’ access a computer ‘without authorisation’ (as per the provision) was deemed criminal only when they accessed a ‘private’ website where a permission (password protected or otherwise) was required. Consequently, accessing a ‘public’ website required no authorisation and could not be deemed criminal under CFAA. Second, even though public, agreeing to a websites’ ToS was not sufficient to constitute a ‘permission’ requirement and therefore, did not trigger criminal liability under CFAA. On similar lines, the Court also concluded that violation of ToS by the plaintiffs’ did not attract criminal liability under the second part of the Access Provision as well (i.e. the CFAA prohibits “exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer.”).

The Court’s narrow construction of the criminal liability under CFAA seems well placed for a number of reasons. The Court was concerned about the inability of the websites’ ToS to provide adequate notice for purposes of criminal liability, specifically since ToS are lengthy, opaque, frequently subject to change and are often of a ‘clickwrap’ nature, seldomly read. Construing violation of ToS as a potential crime under CFAA also allowed private website owners to define the scope of criminal liability – thus constituting an improper delegation of legislative authority. [‘Criminalizing terms-of-service violations would risk turning each website into its own criminal jurisdiction and each webmaster into his own legislature. Such an arrangement, wherein each website’s terms of service “is a law unto itself,”] [p. 21].

Interestingly, the Court sought refuge in longstanding canons of interpretation such as the rule of lenity and constitutional avoidance (the principle that the Court will not decide a constitutional question if there is some other ground upon which to dispose of the case) to reach this conclusion

Thus, for reasons aforementioned, the Court declared plaintiffs’ research as not violative of CFAA’s Access Provision. Since their actions were not criminal, the Court sought to refrain from delving into the question concerning First Amendment protection. The suit was dismissed.