Sandvig v. Lynch: ACLU Challenges Constitutionality of CFAA Provision That Threatens Online Discrimination Research

First Amendment Cyberlaw Computer Fraud and Abuse Act

The American Civil Liberties Union (“ACLU”) announced in June that it is challenging the constitutionality of certain provisions of the Computer Fraud and Abuse Act of 1986 (“CFAA”), 18 U.S.C. § 1030 (2008). In a suit against the Department of Justice, the ACLU argues that the decades-old anti-hacking law violates the First Amendment by preventing researchers from investigating whether computer programs are being used to discriminate against people by race, age, or gender.

In a 47-page complaint filed in the United States District Court for the District of Columbia, the ACLU argues that the unauthorized access provision of the CFAA, 18 U.S.C. § 1030(a)(2)(C), is unconstitutional because it “prohibits and chills academics, researchers, and journalists from testing for discrimination on the internet.” Complaint for Declaratory and Injunctive Relief, Sandvig v. Lynch, Case No. 1:16-cv-01368 (D.D.C. Jun. 29, 2016) Complaint hosted by ACLU. The ACLU filed the complaint on behalf of a group of researchers who specialize in algorithmic research. By potentially making it a crime to access a website in a manner that violates the website’s terms of service, the challenged provision of the law infringes upon the plaintiffs’ First Amendment rights to conduct research and testing activities — including posing as members of other races online and recording the information that they find — which the ACLU argues is protected speech and expressive activity.

The Computer Fraud and Abuse Act has frequently been criticized by civil liberties organizations and advocacy groups for being overbroad and enabling overzealous prosecutors to go after legitimate online activity and research. The provision in question in this case specifically prohibits activity that “exceeds authorized access” to a computer. The ACLU’s complaint explains that courts and federal prosecutors have interpreted this provision broadly in the past to make it a crime to violate a website’s terms of service, essentially making those terms of service legally enforceable. Although there are no known incidents of the CFAA being used to prosecute research of the type described in the lawsuit, the ACLU argues that it creates a chilling effect that prevents researchers from engaging in it out of fear of legal repercussions.

The plaintiffs, who are academics and journalists, test for hidden biases in the proprietary algorithms of popular websites by entering a range of different inputs and seeing whether they get different results based on those inputs. They say that the CFAA poses a threat to their research by exposing them to criminal liability any time their techniques violate a website’s terms of service — agreements that often prohibit the use of aliases or provision of false identification information. According to the complaint, “The CFAA’s prohibition on conducting robust research into online discrimination is of real concern given growing indications that proprietary algorithms are causing websites to discriminate among users, including on the basis of race, gender, and other characteristics protected from discrimination under the civil rights laws.”

Similar types of “audit testing” are perfectly legal in the offline world, where researchers often pose as members of different races or genders to test for bias in the job and housing markets. But in the online context, the threat of legal action under the CFAA can prevent such research from happening. The ACLU hopes that a successful lawsuit will eliminate that hurdle.

Danielle Kehl is a rising 2L at Harvard Law School and a fellow at New America’s Open Technology Institute.