DOJ To Researchers: First Amendment Does Not Protect Violating Websites' Terms Of Services
from the SRO-only-in-the-court-and-not-much-here-to-grab-floor-space dept
The woefully out-of-date CFAA -- the product of panicked early-80s legislating in response to underdeveloped hacker fears -- continues to hold back research (both of the security and non-security kind) when not being wielded like the prehistoric weapon it is by the DOJ and multiple entities who prefer bludgeoning the messenger to fixing their broken systems.
Because of the ongoing misuse and abuse of a badly-written law (aided and abetted by some terrible court decisions), a group of academic researchers has decided to proactively sue the government over its terrible legislation, rather than wait around to get sued/indicted for attempting to determine if individual websites exhibit bias against certain users.
They've enlisted the help of the ACLU, which filed its suit against Attorney General Loretta Lynch back in June. The DOJ has responded with a motion to dismiss [PDF] that claims everything is wrong with the lawsuit, from the issue of standing to multiple failures to state a claim under the First and Fifth Amendments.
Plaintiffs fail to allege an injury in fact sufficient to meet the constitutional minimum of standing. Standing to assert pre-enforcement statutory challenges under the First and Fifth Amendments may exist where the statute in question regulates constitutionally protected conduct and a credible fear of prosecution exists. The challenged provision of the CFAA, however, does not facially regulate protected conduct, and the conduct in which plaintiffs intend to engage—deploying information-gathering software on the websites of non-consenting private entities—is not activity that the First Amendment protects. Moreover, plaintiffs fail to provide any facts indicating a credible threat that the challenged provision will be enforced against them: plaintiffs do not allege to have been investigated by law enforcement or threatened with an enforcement action; plaintiffs do not identify any cases in which the government has sought to enforce the CFAA for harmless terms of use violations that were not in furtherance another crime or tort; and the government has affirmatively stated that it has no intention to enforce the CFAA under the circumstances alleged here. Accordingly, plaintiffs are unable to assert an objectively credible threat of prosecution and, as a result, their complaint must be dismissed on standing grounds.
It is indeed difficult to sue to prevent things from happening, rather than suing to seek recourse after damage has been done. Speculating about future Constitutional violations is even less likely to succeed, as many courts tend to avoid tangling with any civil liberties questions not directly implicated by the case at hand. These two issues alone may find the court agreeing with the DOJ's assertions.
However, other assertions made by the government aren't as solid. While it is true the DOJ tends not to prosecute simple CFAA violations without a connection to other criminal activity, when it does choose to do so, it tends to respond with zealous, fear-based prosecution and incredibly severe sentence recommendations.
That the DOJ has magnanimously offered to not enforce the CFAA against the researchers at this point is heartening, as far as that promise goes. The DOJ may have no intention of doing so now, but if the researchers roll up on the wrong website and set some influential wheels to squeaking, that could change.
The DOJ is on less solid ground when it argues the CFAA does not create a chilling effect. It may be that the research effort (deploying bots to simulate job seekers, home buyers, etc.) is not a form of protected speech, but that doesn't mean speech -- and research efforts -- aren't being deterred by the badly-written and vaguely-interpreted law.
The government doesn't contend, however, that the results of the research won't be protected under the First Amendment -- just that the method of gathering the data isn't.
Here, plaintiffs allege that the challenged provision of the CFAA has chilled their desire to deploy software technology designed to gather information from the websites of private corporations without the permission of those corporations and in a manner that the relevant website terms of use expressly prohibit. The systemic collection of information from the websites of non-consenting private entities is not conduct the First Amendment protects, and thus plaintiffs are unable to assert a reasonable First Amendment chill with respect to that conduct.
[...]
Thus, just as there is no First Amendment right to gather information by personally travelling to a sanctioned country, and no First Amendment right to gather information by visiting a jail without the permission of the warden, and no First Amendment right to access information in electronic form rather than paper form, there is likewise no First Amendment right to gather information controlled by private entities by deploying a data-scraping computer program on the websites of those entities without their permission and in a manner that the entities explicitly prohibit.
And there's the chicken-egg problem with the First Amendment, which follows after the other chicken-egg dilemma of having to wait to be prosecuted (or threatened with prosecution) before being granted standing to challenge the government's enforcement efforts. To use the DOJ's cited equivalents, delivering the news is protected under the First Amendment. Gathering it, however, may not be.
What the DOJ doesn't spend any time explaining is why researchers might get the idea the government would come after them for performing this research. The DOJ has explicitly stated in the past that violating a website's terms of use violates the CFAA, making criminals of millions of pre-teens with Facebook or Twitter accounts. And the DOJ's own suggested rewriting of the CFAA looks to turn previous misdemeanors into felonies, including the sort of activity the researchers are proposing.
...knowingly and willfully traffics... in any password or similar information, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section…
The rewrite removes a key phrase: "with intent to defraud." This excision turns the researchers' plan to search for bias in websites into an admission of felonious intent.
That being said, there's a good chance this lawsuit will be tossed quickly. The route to CFAA reform still flows (slowly and sometimes, stupidly) through Congress. Unfortunately, the stakeholders with the loudest voices are those who prosecute under the law, rather than those punished by it. Because of that barrier to true reform, efforts to attack the law from oblique angles are likely to appear periodically until the law is overhauled… or replaced with something worse.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cfaa, chilling effects, doj, first amendment, hacking, research
Companies: aclu
Reader Comments
Subscribe: RSS
View by: Time | Thread
Does that suggest.....?
[ link to this | view in thread ]
Pedant (me) is pedantic
Perhaps you mean overdeveloped?
[ link to this | view in thread ]
Re: Does that suggest.....?
The whole "they broke into my house" real world pseudo-analogy muddies the waters for jurors, and most people prosecuted under this CFAA bullshit are unsympathetic to a public primed on irrational (and in some cases overtly anti-rational) fear.
You and I might support Aaron Swartz (RIP) and Edward Snowden (at least I do), but I doubt we're in the majority.
[ link to this | view in thread ]
Sadly this seems to be the default path these days. But let's hope this doesn't happen here. In the end everybody loses, including the Government (when your citizenry loses and is put in danger because of your actions you lose too).
[ link to this | view in thread ]
Very interesting talk and one I'm positive will be illuminating on internal actions the DoJ has taken in regards to how it handles CFAA prosecutions.
[ link to this | view in thread ]
My Website
This story has never made sense to me.
[ link to this | view in thread ]
Re: My Website
Also, the CFAA being used to attach criminal penalties to violations of civil contracts means the Feds are sticking their nose into civil matters when they absolutely shouldn't be.
[ link to this | view in thread ]
Standing
[ link to this | view in thread ]
Re: My Website
How would you like to be forced to place a whole pile of your information in a middle of the town square. Then told you are not allowed to know how secure it is, who is securing it, or if a thief has breached it, or who it was being shared with?
[ link to this | view in thread ]
Suggestion
[ link to this | view in thread ]
'I don't see any problems' does not equal 'There are no problems to be seen'
On the other hand If security researchers and/or white hats are too scared to look for vulnerabilities because it's too risky legally to do so the first you're likely to find out about a vulnerability or other problem regarding your site it when someone that is malicious uses it against you, and at that point you're stuck scrambling around trying to contain the damage.
Scaring off security researchers and/or white hats doesn't make the problems they would have otherwise found go away, it just allows those problems to fester until someone interested in exploiting them for personal gain finds and exploits them, and that's not an 'if' proposition it's a 'when'.
[ link to this | view in thread ]
Re: My Website
So are you willing to set aside enough funds to cover all the problems that arise out of the website that you've made, that is your business and you are now paying for?
[ link to this | view in thread ]
[ link to this | view in thread ]