Scroll Top

Academics Seek to Declare Portions of the CFAA Unconstitutional

A group of professors, academics and a media company, through representation by the ACLU, has filed a lawsuit against the U.S. Government seeking to declare the “exceeds authorized access” portions of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §1030(a)(2)(C), unconstitutional on the grounds that the statute is unconstitutionally vague, assigns a government action to private companies and that it violates certain users’ rights to free speech.    Sandvig v. Lynch (U.S Attorney General), Case No. 1:16-cv-1368 (D.C. Dist. Ct. June 29, 2016) D.E. 01, Complaint (Available Here). The allegations in Complaint are summarized and heavily quoted below.  

The lawsuit challenges the constitutionality of a provision of the CFAA, 18 U.S.C. §1030(a)(2)(C), on the grounds that the statute is unconstitutionally vague and commits a government action to private companies and its violates certain users’ rights to free speech.    The CFAA makes it a crime to visit or access a website in a manner that violates that website’s terms of service.

Plaintiffs allege that audit testing has long been recognized as a crucial way to uncover racial discrimination in housing and employment and to vindicate the civil rights laws, in particular the Fair Housing Act (“FHA”) and Title VII’s prohibition on discrimination in employment. This testing involves pairing individuals of different races to pose as home- or job-seekers to determine whether they are treated differently.

The CFAA creates liability when an individual, in accessing a protected computer, does so in a manner that “exceeds authorized access.” 18 U.S.C. § 1030(a)(2)(C) (the “Challenged Provision”). Courts and federal prosecutors have interpreted the prohibition on “exceed[ing] authorized access” to make it a crime to visit a website in a manner that violates the terms of service or terms of use (hereinafter “terms of service” or “ToS”).

Transactions involving the core social goods covered by federal and state civil rights laws—e.g., housing, credit, and employment—are increasingly taking place online. Since, big data enables behavioral targeting, meaning that websites can steer individuals toward different homes or credit offers or jobs—including based on their membership in a class protected by civil rights laws.

One set of plaintiff are Professors Sandvig and Karahalios who are conducting a study to determine whether the computer programs that determine what housing to display on real estate websites are discriminating against users by race or other factors.  Another set of Plaintiffs are Professors Wilson and Mislove who are conducting a study to test whether the ranking algorithms on major online hiring websites produce discriminatory outputs by systematically ranking specific classes of people (e.g., people of color or women) below others.

The term “protected computer” includes a computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the U.S. 18 U.S.C. § 1030(e)(2)(B).  A protected computer includes any website that is accessible on the internet. See, e.g., United States v. Trotter, 478 F.3d 918, 921 (8th Cir. 2007).

The CFAA provides in § 1030(a)(2)(C) “Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished as provided in subsection (c) of this section.”  While “without authorization” is not defined by the statute, “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).

Courts have held that the “exceeds authorized access” language has been repeatedly interpreted by courts and the federal government to prohibit accessing a publicly-available website in a manner that violates that website’s terms of service.  The Department of Justice’s (DOJ) manual for CFAA prosecutions notes, in explaining the definition of the phrase “exceeds authorized access,” that it is “relatively easy to prove that a defendant had only limited authority to access a computer in cases where the defendant’s access was limited by restrictions that were memorialized in writing, such as terms of service [or] a website notice.  Cases which support this theory that a violation of a website’s ToS is a violation of the CFAA include: United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009); United States v. Lowson, No. CRIM. 10-114 KSH, 2010 WL 9552416 (D.N.J. Oct. 12, 2010).

The CFAA also provides for civil liability where a person “suffers damage or loss by reason of a violation” of its provisions. 18 U.S.C. § 1030(g).  For additional cases of a CFAA – TOS violation see: EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 62 (1st Cir. 2003); CollegeSource, Inc. v. AcademyOne, Inc., 597 Fed. App’x 116, 129–30 (3d Cir. 2015).

As for the Plaintiff Professors’ standing to bring the present action, the Supreme Court recognized that fair housing testers have standing to sue for FHA violations in Havens Realty Corp v. Coleman, 455 U.S. 363, 373 (1982), see also, Housing and Community Development Act of 1987 (“HCDA”). Pub. L No. 100–242, 101 Stat 1815. The HCDA created the Fair Housing Initiatives Program, through which the Department of Housing and Urban Development funds private nonprofit fair housing enforcement organizations to enforce the FHA, including specifically “testing and other investigative activities” and “special projects, including the development of prototypes to respond to new or sophisticated forms of discrimination against persons protected” by the FHA. 42 U.S.C. §§ 3616a(b)(1), (b)(2)(A)(c ). Courts have also recognized the role of paired testing in the enforcement of Title VII. Kyles v. J.K. Guardian Sec. Servs., Inc., 222 F.3d 289, 292 (7th Cir. 2000).

As alleged in the Complaint, data brokers compile consumers’ information from public records, social media sites, online tracking, and retail loyalty card programs and sell this information for marketing purposes.  Data brokers also place individual consumers into models “primarily focus on minority communities with lower incomes, such as ‘Urban Scramble’ and ‘Mobile Mixers’ which include a high concentration of Latino and African-American consumers with low incomes.  See Federal Trade Commission, Data Brokers: A Call for Transparency and Accountability 20 (May 2014).  Data brokers also offer the ability to “append” additional information about consumers for retailers and other clients including race, age, gender, religion, and ethnicity.  These user profiles follow individuals online. Tracking technologies, which allow websites and advertisers to compile records of individuals’ browsing histories, also allow for targeting via a “cookie” on the user’s computer device or phone.

The Complaint goes on to allege, past hiring decisions reflects past discrimination, a hiring algorithm. Certain zip codes are likely to have lower credit scores, a creditworthiness algorithm. The best way to determine whether members of protected classes are experiencing discrimination in transactions covered by civil rights laws is via outcomes-based audit testing. Many TOS agreements from commonly-visited housing and employment websites prohibit the automated recording of information from their sites (known as “scraping”).  Several sites prohibit users from providing false information. Some websites have terms of service that require advance permission before using the site for research purposes.

According to the Complaint, Sandvig and Karahalios are in the process of designing and conducting a study that would investigate whether the computer programs that determine what to display on real estate websites are discriminating against users by race or other factors.  They write computer programs that act as though it is a real person browsing the Web. This program is an automated program or agent browsing the Web, referred to as a “bot.” Each bot represents an individual person.  The bot will be instructed to behave as a number of different users; each of these profiles is a “sock puppet.”  One sock puppet would browse like a Black user, while another would browse like a white user for several weeks.  At each visit to the real estate site, they scrape the organic listings and the Uniform Resource Locator (“URL”) of any advertisements.  Finally, Plaintiffs Sandvig and Karahalios compare the number and location of properties offered to different sock puppets. Sandvig and Karahalios are aware that this experimental design will violate websites’ terms of service. The use of bots is prohibited by many websites.

Professors Mislove and Wilson conduct research into algorithmic discrimination in the employment context.  They will create baseline demographic data by “crawling” a large random sample of users on the target websites using a bot.  Once ranked lists of candidates are returned in response to search queries, they will “scrape” the website as a method of recording the lists of candidates.  Mislove and Wilson are aware that this experimental design violates websites’ terms of service. Use of crawling and scraping is prohibited by many of the websites that they would crawl or scrape to develop baseline data or record results. The use of sock puppets is prohibited by the terms of service of all hiring websites, which prohibit users from creating profiles containing false information.

It is argued that there is no intent to defraud or cause material harm to any targeted website’s operations, but instead with the intent to determine whether targeted websites are engaging in discrimination.  The burden of these actions by Plaintiffs on the websites is de minimis.

Plaintiff allege that the challenged CFAA provision chills the Plaintiffs and others who wish to do these audit tests because (1) they are in reasonable fear of being prosecuted; (2) they must alter or modify their research and testing design in a manner that may be less methodologically rigorous; and (3) refrain from conducting research or testing that violates websites’ terms of service to avoid the risk of prosecution.

The Plaintiffs allege that the challenged CFAA provision (“exceeds authorized access”) is unconstitutionally overbroad and it impermissibly burdens speech.  Also, the challenged CFAA provision incorporates websites’ terms of service into the federal criminal code.  Further, Plaintiffs wish to engage in anonymous speech and misrepresentation for the purpose of testing for discrimination. In this context, anonymous speech and misrepresentation enjoy First Amendment protection.  The challenged CFAA provision’s broad delegation of criminal regulation to private parties also impairs the First Amendment rights of many other people.  The challenged CFAA provision violates the First Amendment as applied to the Plaintiffs. In order to conduct their proposed research, testing, and investigations, Plaintiffs wish to engage in protected speech or expressive activity prohibited by terms of service.  The basis for the action are: U.S. Const., amend. 1 (Freedom of Speech and Freedom of Press Clauses); U.S. Const., amend. 1 (Petition Clause)(prohibits the speech necessary to communicate with HUD, the EEOC); U.S. Const., amend. 5 (Due Process Clause)(unconstitutionally vague, as it fails to define a criminal offense in a manner definite enough to notify an ordinary person what conduct is prohibited); U.S. Const., amend. 5 (Due Process Clause)(unconstitutionally delegates lawmaking authority to private actors — the website owners who draft terms of service)


The foregoing represents a reasonable summary of the Plaintiffs’ position.  The summary does reflect the author’s views on the subject.  However, the CFAA is not violated unless and until a court determines that the TOS’ contractual terms were violated.  Therefore, the underlying fact, violating the applicable TOS contractual provision, must be established.  Some contractual provisions are not enforceable given certain factual scenarios.

The Restatement (Second) of Contracts § 178(1) provides that: “(1) A promise or other term of an agreement is unenforceable on grounds of public policy if legislation provides that it is unenforceable or the interest in its enforcement is clearly outweighed in the circumstances by a public policy against the enforcement of such terms.  (2) In weighing the interest in the enforcement of a term, account is taken of (a) the parties’ justified expectations, (b) any forfeiture that would result if enforcement were denied, and (c)  any special public interest in the enforcement of the particular term.  (3) In weighing a public policy against enforcement of a term, account is taken of:  (a) the strength of that policy as manifested by legislation or judicial decisions, (b) the likelihood that a refusal to enforce the term will further that policy, (c) the seriousness of any misconduct involved and the extent to which it was deliberate, and (d) the directness of the connection between that misconduct and the term.”

In Instruments S.A. v. American Holographic, Inc., 2000 Mass. Super. LEXIS 661, 40-41 (Mass. Super. Ct. Dec. 28, 2000), the court was called upon to resolve a contract dispute involving an earlier patent infringement settlement agreement (“SA”).  The defendant failed to pay royalties per the SA and plaintiff demanded payment for both patented and non-patented products.  The court ruled that payments were only due for the sale of patented products, not the non-patented products.

“Construing the [SA] in this fashion, Instruments urges thus would raise serious questions about whether the [SA] was consistent with federal law and federal policy. In general, a term ‘of an agreement is unenforceable on grounds of public policy if legislation provides that is unenforceable or the interest in its enforcement is clearly outweighed in the circumstances by a public policy and against the enforcement of such terms.’ Restatement (Second) of Contracts, § 178(1). Such a term is contrary to public policy ‘if it is unreasonably in restraint of trade.’ Id., § 186(1). Most important for present purposes, one should interpret a contract in a manner that ‘gives a reasonable, lawful and effective meaning to all the terms,’ id., 203(a); see Walsh v. Schlecht, 429 U.S. 401, 408, 50 L. Ed. 2d 641, 97 S. Ct. 679 (1977), and in ‘in choosing among the reasonable meanings of [a contract], a meaning that serves the public interest is generally preferred.’ Id., § 207. Restricting coverage of the [SA] to gratings on which Instruments actually held a patent thus keeps the [SA] from colliding with federal patent law and policy and serves the public interest by preventing extraction of royalty payments for unpatented devices and labeling as ‘patented’ devices that in fact are not.”  Instruments S.A. v. American Holographic, Inc., 2000 Mass. Super. LEXIS 661, 40-41 (Mass. Super. Ct. Dec. 28, 2000).

In Lasercomb America Inc.  v.  Reynolds, 911 F.2d 970 (4th Cir.  1990), the court applied copyright misuse theories to void Lasercomb’s contract which prohibited the licensee from “writ[ing], develop[ing], produc[ing] or sell[ing] computer assisted die making software,” and obligated licensee “for one (1) year after the termination … that it will not write, develop, produce or sell or assist others in the writing, developing, producing or selling of computer assisted die making software, directly or indirectly without Lasercomb’s prior written consent.”

In striking and reversing the award of damages, the Lasercomb court stated: “Lasercomb undoubtedly has the right to protect against copying of the Interact code. Its standard licensing agreement, however, goes much further and essentially attempts to suppress any attempt by the licensee to independently implement the idea which Interact expresses. The agreement forbids the licensee to develop or assist in developing any kind of computer-assisted die-making software. If the licensee is a business, it is to prevent all its directors, officers and employees from assisting in any manner to develop computer-assisted die-making software. Although one or another licensee might succeed in negotiating out the noncompete provisions, this does not negate the fact that Lasercomb is attempting to use its copyright in a manner adverse to the public policy embodied in copyright law, and that it has succeeded in doing so with at least one licensee. See supra note 8 and accompanying text. Cf. Berenbach v. Anderson & Thompson Ski Co., 329 F.2d 782, 784-85 [141 USPQ 84] (9th Cir.), cert. denied, 379 U.S. 830 [143 USPQ 464] (1964).” Lasercomb at 974.

Related Posts