DC Court Says Terms Of Service Violations Can't Trigger Federal CFAA Prosecutions
from the forcing-discretion-on-DOJ-prosecutors dept
In a win for researchers and the ACLU, a federal court has ruled that violating a site's terms of service is not a criminal violation of the CFAA.
The ACLU filed this lawsuit in 2016, representing researchers, scientists, and journalists who were looking into whether employment websites engaged in discriminatory behavior. To do so, the researchers needed to deliberately violate the terms of service of the websites they were studying by creating bogus accounts and providing other false information.
Since the CFAA has been the go-to law for companies seeking to silence security researchers and critics, the ACLU and its plaintiffs raised a pre-enforcement challenge, seeking a ruling declaring this work legal before the DOJ had a chance to abuse this terrible law to shut the research down.
The DC federal court doesn't go so far as to extend First Amendment protection to these actions, but it does hold, importantly, that the CFAA does not criminalize terms-of-service violations. From the decision [PDF]:
The Court agrees with the clear weight of relevant authority and adopts a narrow interpretation of “exceeds authorized access.” Without weighing in on the circuit split over employers’ computer-use policies, the Court concludes that violating public websites’ terms of service, as Wilson and Mislove propose to do for their research, does not constitute a CFAA violation under the “exceeds authorized access” provision.
The DOJ tried to argue the plaintiffs had no case because it would never in a million years even think about bringing a CFAA prosecution over terms of service violations. The court says the government's own words and actions contradict its assertions.
The government argues that plaintiffs fail to establish a credible threat of prosecution under the CFAA, contending that (1) plaintiffs’ testimony shows that they do not fear prosecution (and, indeed, already have engaged in such research); (2) past CFAA prosecutions do not establish a credible threat that plaintiffs’ proposed conduct will be prosecuted; and (3) the government’s charging policies and public statements undercut plaintiffs’ attempt to establish a credible threat of prosecution.
[...]
[E]ven assuming the absence of prior prosecutions, but see Sandvig, 314 F. Supp. 3d at 19–20 (discussing two previous prosecutions under the Access Provision), plaintiffs still are not precluded from bringing this pre-enforcement action. When constitutionally protected conduct falls within the scope of a criminal statute, and the government “has not disavowed any intention of invoking the criminal penalty provision,” plaintiffs are “not without some reason in fearing prosecution” and have standing to bring the suit.
It's not enough for the government to declare it probably won't pursue ToS-violation prosecutions, the court says.
[T]he government points to guidance from the Attorney General that “expressly cautions against prosecutions based on [terms-of-service] violations,” as well as statements to Congress by Department of Justice officials, as evidence that plaintiffs face no credible threat of prosecution. Gov’t’s Opp’n at 16–17. But the absence of a specific disavowal of prosecution by the Department undermines much of the government’s argument.
All we're left with is the DOJ's prosecutorial discretion, which is extremely suspect and not backed by any statements from officials that would assure the plaintiffs the government would not choose to take action against them in the future.
Discovery has not helped the government’s position. John T. Lynch, Jr., the Chief of the Computer Crime and Intellectual Property Section of the Criminal Division of the Department of Justice, testified at his deposition that it was not “impossible for the Department to bring a CFAA prosecution based on [similar] facts and de minimis harm…" Although Lynch has also stated that he does not “expect” the Department to do so, Aff. of John T. Lynch, Jr. [ECF No. 21-1] ¶ 9, “[t]he Constitution ‘does not leave us at the mercy of noblesse oblige...’”
This may keep the DOJ off researchers' backs but it won't shield them from lawsuits from the targeted sites.
The Court concludes that agreeing to such contractual restrictions, although that may have consequences for civil liability under other federal and state laws, is not sufficient to trigger criminal liability under the CFAA.
This at least will deter the DOJ from pursuing these prosecutions in its "home" court. Most CFAA action still takes place in the Ninth Circuit, where most tech companies are located. Opinions on civil CFAA cases have been hit and miss, but at least one major case (LinkedIn v. HiQ) saw the court come down on the side of the party doing the scraping, a violation of LinkedIn's terms of service. This decision is being appealed, but for now, it still stands.
The research can move forward without the threat of government prosecution dangling over its head. That's a start.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cfaa, criminal, doj, research, security research, terms of service
Companies: aclu
Reader Comments
Subscribe: RSS
View by: Time | Thread
This sounds smart. They must be smart. What's next, bringing on Richard Liebowitz, and a 'credible' prosecutor?
[ link to this | view in chronology ]
Contracts.
In most of my life, Everyone and everything has asked me to sign contracts. They have even shown that 99% of the people DONT read them.
Once everything has a contract..And many times it more then one.
20+ pages
Legalese
Convoluted Monkey pucky..
I would love to get someone to sign one, that allows me to Take 1/4 to 1/2 of the PCH winnings.
The odds are they would never read it, and not realize What was happening until they Won. How many here have ever TRIED to read that Contract with PCH??
PCH does nto tell you how many times per year they make a Drawing.. They make Many, and its like Multi level marketing. "you are getting closer". Have they Ever told you When the last drawing for YOUR drawing is going to happen, NOT just a Sorting Drawing for the 100,000.
Lets quit this and go this way..
HOW many contracts have an END DATE? think about that.
With this thought in mind, and that the Odds of winning PCH are over 10 times the world population.. I would love to goto court and ask about ALL the numbers they have given me and my family in the last 40+ year. and to check to see if I have won.
And if they cant find this info.. suggest That I HAVE WON.. Because they cant prove I didnt.
[ link to this | view in chronology ]
Re: Contracts.
Great! Excellent!
Let's assume they gave you a number every month for 40 years.
40 x 12 = 480. For the drawing you're in court about, your odds have improved from 1 in 1,700,000,000 to one in 3,541,667.
One of the top prizes is $1,250,000. Let's say you have a cheap-but-effective lawyer, and cap his billing at $300,000, contingent on winning. So you're looking at, say a $900,000 payout IF your number comes up.
I'm not even going to cover the "PCH hasn't run the same game for the last 40 years running, invalidating most of those 480 numbers you started with" argument, because I (for one) am not seeing the odds of winning as all that great even with a win in court.
On the plus side, PCH could just offer a settlement of "sure, let's compare all your numbers against that one contest and see what happens. ... Oh, and by accepting, you give us publicity rights for it all." ... at which point your lawyer turns to you and points to the contract you signed with HIM about what happens in a settlement...
But good luck with your shake-down!
[ link to this | view in chronology ]
Re: Contracts.
You still don't have to sign a contract to enter a retail store and buy something with cash. They'll make you agree to the 20+ pages if you're using the online site of that same store, but I guess they figure people would start leaving if asked to sit down with a notary and sign that shit. And that's the main way I see anyone putting a stop to it online: tell them you disagree and will have to shop elsewhere.
The other possibility: volume, which it turns out is a weapon against forced arbitration. Have a day where every potential buyer emails the site's legal counsel to get clarification on contract terms (users don't know all the legal terms, after all), to object to them, to use every opt-out available.
[ link to this | view in chronology ]
Re: Re: Contracts.
ANDDDDD
When you signg the contract with the Landlord...NOT OWNER..
it says...
you abid by those also, EVEN IF NOT PRINTED OUT
[ link to this | view in chronology ]
Re: Re: Re: Contracts.
Mentioning landlord/tenant law is quite the non-sequitur. That's one of the more regulated areas of contract law. Where I live, e-commerce sites can put almost anything they want in their "agreements", while landlords can only give a standardized 3-page form with some boxes like "no smoking" and "who pays utilities?" to be checked, and a box for monthly amount.
[ link to this | view in chronology ]
Re: Re: Re: Re: Contracts.
And in idaho they dont even have Anyone to complain to.
All you can do, is call city inspectors.
There are some laws, but not enforced.
[ link to this | view in chronology ]
Re: Re: Contracts.
Kinda makes me wonder how many online store contracts apply to people who later go into the brick & mortar location of the store.
[ link to this | view in chronology ]
Im starting something,
Pass this around.
Its kinda hard to find the section to send a Email to many of these sites, but Im tired of it.
Being asked to ALLOW 3rd party crap on my machine, and I cant see anything unless I DO accept..
I send this letter, as a contract is a 2 party thing.
"My acceptance of your ability to advert on my computer, means that you are willing to accept My TOS.
Thank you.
This means that Any 3rd party that inserts Virus/adware/bots/trackers and any other obtrusive software, you are Liable for.
Thank you for accepting."
[ link to this | view in chronology ]
'But we pinky-promised and everything!'
'You should toss this case, we would never do something like what they're talking about.'
'Are you willing to put that on paper in a legally binding manner?'
'Well... I mean... I really don't see how that's necessary, and that would be a lot of work...'
Can't imagine why the court wasn't stupid enough to buy that argument...
[ link to this | view in chronology ]
Well, this is something nice amidst not-so-nice days.
[ link to this | view in chronology ]
Great news but I about choked on my drink when I read:
"John T. Lynch, Jr., the Chief of the Computer Crime and Intellectual Property Section of the Criminal Division of the Department of Justice"
If you have a problem... if no one else can help... and if you can find them... maybe you can hire... The A-Team.
Just re-watched that movie the other night......
[ link to this | view in chronology ]
Sure
If they actually had no intention of ever prosecuting for terms of service violation, then they wouldn't have objected.
[ link to this | view in chronology ]
This Sounds Shady
The very first indication that something shady is going on, to any sensible person, is that the ACLU is involved. That right there should perk up one's instincts that there's going to be some grievance hucksterism about to go down.
The second is the word 'discrimination'. Now we know we're about to enter some strange territory, where no effort is spared, where no behavior is off limits, where no resistance is countenanced, where any and all means will be considered necessary to ensure no able-bodied, non-sexually-perverted White male is doing thoughtcrime somewhere.
The third is the concept of a pre - enforcement challenge. Now, being a non-lawyer non-bureaucrat non-professional-nuisance, I've not encountered this 'pre-enforcement challenge' phrase before, but it smacks of "I want official sanction to do something I suspect most folks are going to consider not cricket".
The fourth? "Ninth Circuit". Okay, yep, something shady is happening.
[ link to this | view in chronology ]
Re: This Sounds Shady
I won't bother addressing the rest of your post, but if you are willing to learn something:
https://www.law.cornell.edu/wex/declaratory_judgment
[ link to this | view in chronology ]
Re: Re: This Sounds Shady
From you, Nasch? Not a surprise.
[ link to this | view in chronology ]
Re: Re: Re: This Sounds Shady
Oh, BURN!!!
[ link to this | view in chronology ]