On March 30, 2018, a D.C. federal district court denied a motion to dismiss an ACLU case filed against the government to challenge the constitutionality of the Computer Fraud and Abuse Act (CFAA), which makes it a federal crime to access a computer in a manner that “exceeds authorized access.” Sandvig v. Sessions, No. 1:16-cv-01368, Dkt. 24 (D.D.C. Mar. 30, 2018). The court held that the plaintiffs could proceed with their claim that the Free Speech and Free Press Clauses of the First Amendment, as applied, bar prosecution under the CFAA because it would restrict the plaintiffs’ ability to report on publicly available information, and even information available only following user registration on a site is generally available to the public.
The particular facts of the Sandvig case are unsurprisingly aimed at highlighting a potentially extreme application of the CFAA. The named plaintiffs are four professors and a media organization investigating whether automated decision-making and ad targeting technologies employed by various websites would result in potentially discriminatory practices against protected classes. For example, they want to analyze whether a real estate or employment website would discriminate against a user based on race. To perform the necessary analysis, they intend to use web scraping, bots, fake accounts (“sock puppets”) and other data collection techniques to conduct outcomes-based audit testing of websites and uncover such practices. These activities are typically prohibited by websites’ terms of service (TOS) and therefore unauthorized activity.
Federal circuit courts are currently divided on whether individuals who violate a website TOS in such a manner could be prosecuted under the “access provision” of the CFAA, which provides that anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer” may be fined and imprisoned. 18 U.S.C. § 1030(a)(2)(C). In Sandvig, the court sided with the Second, Fourth and Ninth Circuits, which have held that the CFAA prohibits “only unauthorized access to information” – such as by hacking – and rejected the interpretation of the First, Fifth and Eleventh Circuits “that it also covers (at least in some instances) unauthorized use of information that a defendant was authorized to access only for specific purposes” – which includes using permitted access to engage in prohibited activity per the TOS.
Although the Department of Justice (DOJ) interprets the CFAA more broadly and has not foreclosed prosecution for TOS violations, in practice such prosecutions have been limited and the DOJ’s Prosecuting Computer Crimes Manual (2010) acknowledges that the CFAA was found to be unconstitutional by some courts when applied to a TOS violation. In Sandvig, the government declined to expressly disavow prosecution of the plaintiffs for their proposed activities, and the court therefore found a credible threat of prosecution as standing to sue.
However, the court only allowed the case to proceed on the basis that the access provision in the given circumstances could violate the Free Speech and Free Press Clauses of the First Amendment. The court granted dismissal on claims that it would violate the First Amendment’s Petition Clause, the Fifth Amendment’s Due Process Clause, and unconstitutional delegation to private parties under the Fifth Amendment.
What remains to be seen is whether the First Amendment challenge survives in the district court, which side of the circuit split will be adopted by the D.C. Circuit Court if appealed, and whether, finally, the circuit split will be resolved by the Supreme Court.