Another Court Significantly Limits the Scope of Criminal CFAA–Sandvig v. Barr
The plaintiffs want to create fake job profiles to research algorithmic discrimination. Fearing that their research activities would expose them to criminal CFAA prosecution, they challenged the CFAA as violating their First Amendment rights. Venkat blogged a preliminary ruling in the case 2 years ago. Now, the court dismisses the researchers’ suit as moot and sidesteps the First Amendment challenge. Nevertheless, the researchers still won this ruling, because the court says that TOS violations can’t support criminal CFAA prosecutions.
What Does the CFAA Cover? The CFAA prohibits access to a computer “without authorization.” The court explains that this:
contemplates a view of the internet as divided into at least two realms—public websites (or portions of websites) where no authorization is required and private websites (or portions of websites) where permission must be granted for access. Because many websites on the internet are open to public inspection, a website or portion of a website becomes “private” only if it is “delineated as private through use of a permission requirement of some sort.”…
Courts have interpreted this provision to involve transitioning from a public area of the internet to a private, permission-restricted area, often requiring some form of authentication before a viewer is granted access.
Following hiQ v. LinkedIn, the court says “the barriers between the public internet and private authorization-based computers” are called “permission requirements.” The court emphatically concludes that TOS cannot constitute “permission requirements” for criminal CFAA purposes for at least three reasons:
- Inadequate notice. “These protean contractual agreements are often long, dense, and subject to change.”
- Private website owners should not be able to define criminal boundaries. “Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature.” However, the court distinguishes “authentication gates,” which still give private actors the power to define criminal boundaries.
- Rule of lenity and the constitutional avoidance canon.
The court says “a user should be deemed to have ‘accesse[d] a computer without authorization,’ 18 U.S.C. § 1030(a)(2), only when the user bypasses an authenticating permission requirement, or an ‘authentication gate,’ such as a password restriction that requires a user to demonstrate ‘that the user is the person who has access rights to the information accessed.'” That sounds swell, but how does that apply to the facts of this case? The researchers want to create online accounts using false information. Are they bypassing an authentication gate? The court says no: the researchers will use the “authentic” login credentials issued to them based on their false registrations, and they will pay the stated price. The court says the results might be different if the researchers “borrow” legitimate businesses’ information (which sounds like a type of identity theft, though the court doesn’t use that phrase).
The court then discusses another CFAA prong, “exceeds authorized access,” and says that the analysis is basically the same, collapsing the distinction between the two prongs.
The plaintiffs nominally got the result they wanted in court, but the case leaves plenty of holes in the researchers’ legal protection. Even if the DOJ can’t prosecute them, the researchers face a panoply of other potential legal claims for their research endeavor, ranging from civil trespass to chattels to breach of contract. Furthermore, the court notes that C&D letters can convert public spaces into nonpublic ones. That hasn’t become an issue in this case yet because the researchers haven’t started their work; but criminal CFAA might apply the moment the researchers receive their first C&D. So even with this ruling in hand, I wouldn’t volunteer to work on this research team, at least not without the cooperation of the target websites.
More generally, this ruling represents another step in the waning of the CFAA in the courts. We are getting closer to the scenario where the CFAA only protects against hacking-type attacks. I advocated for that result in 2013, but I thought it would require a statutory amendment. Seeing cases like hiQ and now Sandvig shredding the CFAA, maybe not.
Though I’m happy to see the CFAA’s waning, I’m increasingly baffled how to teach the CFAA to my Internet Law students. It’s easy enough to teach them that authorization is based on a “permission requirement.” How can they apply that legal standard in the field?
- Can a TOS ever constitute a “permission requirement”? Maybe not in the criminal context, but what about in the civil context?
- Can a C&D letter constitute a “permission requirement”? It would be so bizarre if a C&D, which isn’t a contract and typically represents the sender’s overreaching wishes, has more legal consequence than otherwise legally-binding contract.
- Can use of a login screen constitute a “permission requirement”? Apparently yes, but at least in the criminal context, the TOS apparently doesn’t constitute the boundaries of the authorization to use what’s behind the login screen–so what does define those boundaries?
What a mess!
Case citation: Sandvig v. Barr, 2020 WL 1494065 (D.D.C. March 27, 2020)