In a win for researchers and the ACLU, a federal court has ruled that violating a site’s terms of service is not a criminal violation of the CFAA.
The ACLU filed this lawsuit in 2016, representing researchers, scientists, and journalists who were looking into whether employment websites engaged in discriminatory behavior. To do so, the researchers needed to deliberately violate the terms of service of the websites they were studying by creating bogus accounts and providing other false information.
Since the CFAA has been the go-to law for companies seeking to silence security researchers and critics, the ACLU and its plaintiffs raised a pre-enforcement challenge, seeking a ruling declaring this work legal before the DOJ had a chance to abuse this terrible law to shut the research down.
The DC federal court doesn’t go so far as to extend First Amendment protection to these actions, but it does hold, importantly, that the CFAA does not criminalize terms-of-service violations. From the decision [PDF]:
The Court agrees with the clear weight of relevant authority and adopts a narrow interpretation of “exceeds authorized access.” Without weighing in on the circuit split over employers’ computer-use policies, the Court concludes that violating public websites’ terms of service, as Wilson and Mislove propose to do for their research, does not constitute a CFAA violation under the “exceeds authorized access” provision.
The DOJ tried to argue the plaintiffs had no case because it would never in a million years even think about bringing a CFAA prosecution over terms of service violations. The court says the government’s own words and actions contradict its assertions.
The government argues that plaintiffs fail to establish a credible threat of prosecution under the CFAA, contending that (1) plaintiffs’ testimony shows that they do not fear prosecution (and, indeed, already have engaged in such research); (2) past CFAA prosecutions do not establish a credible threat that plaintiffs’ proposed conduct will be prosecuted; and (3) the government’s charging policies and public statements undercut plaintiffs’ attempt to establish a credible threat of prosecution.[…] [E]ven assuming the absence of prior prosecutions, but see Sandvig, 314 F. Supp. 3d at 19–20 (discussing two previous prosecutions under the Access Provision), plaintiffs still are not precluded from bringing this pre-enforcement action. When constitutionally protected conduct falls within the scope of a criminal statute, and the government “has not disavowed any intention of invoking the criminal penalty provision,” plaintiffs are “not without some reason in fearing prosecution” and have standing to bring the suit.
It’s not enough for the government to declare it probably won’t pursue ToS-violation prosecutions, the court says.[T]he government points to guidance from the Attorney General that “expressly cautions against prosecutions based on [terms-of-service] violations,” as well as statements to Congress by Department of Justice officials, as evidence that plaintiffs face no credible threat of prosecution. Gov’t’s Opp’n at 16–17. But the absence of a specific disavowal of prosecution by the Department undermines much of the government’s argument.
All we’re left with is the DOJ’s prosecutorial discretion, which is extremely suspect and not backed by any statements from officials that would assure the plaintiffs the government would not choose to take action against them in the future.
Discovery has not helped the government’s position. John T. Lynch, Jr., the Chief of the Computer Crime and Intellectual Property Section of the Criminal Division of the Department of Justice, testified at his deposition that it was not “impossible for the Department to bring a CFAA prosecution based on [similar] facts and de minimis harm…” Although Lynch has also stated that he does not “expect” the Department to do so, Aff. of John T. Lynch, Jr. [ECF No. 21-1] ¶ 9, “[t]he Constitution ‘does not leave us at the mercy of noblesse oblige…’”
This may keep the DOJ off researchers’ backs but it won’t shield them from lawsuits from the targeted sites.
The Court concludes that agreeing to such contractual restrictions, although that may have consequences for civil liability under other federal and state laws, is not sufficient to trigger criminal liability under the CFAA.
This at least will deter the DOJ from pursuing these prosecutions in its “home” court. Most CFAA action still takes place in the Ninth Circuit, where most tech companies are located. Opinions on civil CFAA cases have been hit and miss, but at least one major case (LinkedIn v. HiQ) saw the court come down on the side of the party doing the scraping, a violation of LinkedIn’s terms of service. This decision is being appealed, but for now, it still stands.
The research can move forward without the threat of government prosecution dangling over its head. That’s a start.