By Esha Bhandari, Deputy Director, National ACLU Speech, Privacy, and Technology Project
Earlier this week, the Supreme Court issued a decision interpreting the Computer Fraud and Abuse Act (CFAA), a federal anti-hacking law from the 1980s which has proven ill-suited to the modern internet. The Supreme Court’s opinion in Van Buren v. United States, narrowing the scope of the CFAA, will have positive consequences for online civil rights testing, research, and data journalism.
At first glance, the decision may not seem obviously related to civil rights enforcement. The case concerned a police officer who searched for information about a license plate in a law enforcement database in exchange for money. The officer was criminally charged with “exceed[ing] authorized access” under the CFAA because he violated his employer’s computer use policies. The Supreme Court held that the CFAA should not be read to criminalize violations of computer use policies alone, but instead prohibits behavior akin to breaking and entering — i.e. accessing parts of a computer that someone does not have authority to access at all.
This ruling is critically important for the twenty-first century civil rights investigations and data journalism that hold powerful platforms accountable. For many years now, the federal government and lower courts have interpreted the “exceeds authorized access” language in the CFAA to prohibit violations of website terms of service — those unilaterally imposed, self-serving conditions written by companies, and which most internet users never read. As the Supreme Court recognized, under this interpretation, you could be criminally liable for using a pseudonym on Facebook, or embellishing a dating profile in violation of website terms.
But websites’ terms of service not only risked turning everyday internet behavior into a crime, they were a barrier to modern civil rights testing — an investigative process meant to ferret out discrimination online. Testing websites’ algorithms to see how they distinguish among users on the basis of race, gender, age, or other protected class status often requires violating website terms of service. This kind of investigative testing is a critical mechanism for exposing discriminatory practices in housing, credit, and employment, among other areas.
The ACLU’s amicus brief to the Supreme Court on behalf of civil rights researchers and journalists provided examples of how these restrictive terms could interfere with civil rights testing.
Website prohibitions on the use of inaccurate or incomplete information would prevent the creation of tester accounts or fictitious profiles that vary only along one attribute like race or gender. Sharing log-in information is often necessary for researcher collaboration. Prohibitions on the use of any automated means to capture information, including scraping, would inhibit efficient testing. Some terms even prohibit any attempt to understand the mechanisms or systems underlying a service.
When researchers had to fear the threat of criminal or civil liability under the CFAA for terms of service violations, many understandably chose to forego investigations they might have otherwise undertaken. And because of this threat of liability, the ACLU filed a lawsuit in 2016 on behalf of academics and journalists to challenge the constitutionality of the CFAA. Our case resulted in a district court decision that the CFAA does not criminalize website terms of service violations alone. Now, the Supreme Court has validated that interpretation, clearing the way for researchers and journalists to use common investigative techniques online without the fear of CFAA liability.
The important work of algorithmic auditors, data journalists, and other researchers has already led to groundbreaking studies on the ways that automated systems and platforms are affecting our lives. Limiting the scope of the CFAA is a welcome step to encouraging many more people to undertake the necessary work of civil rights enforcement in the digital age.