Terms of Service 0 – Researchers 1: Judge Rules in Favor of the Plaintiffs in Sandvig v. Sessions
On March 30, 2018, in Sandvig v. Sessions, the United States District Court for the District of Columbia ruled that scraping data from websites plausibly falls within the ambit of the First Amendment and that violating a website’s terms of service is not enough to establish a federal crime under the Computer Fraud and Abuse Act (“CFAA”).
Back in June 2016, the American Civil Liberties Union filed this lawsuit on behalf of four researchers. The plaintiffs were testing for hidden biases in the proprietary algorithms of popular websites. To uncover online discrimination, they often relied on the use of aliases or other forms of false identification. This conduct was contrary to many websites’ terms of service. The plaintiffs therefore feared prosecution for their testing, since many courts interpreted the CFAA as prohibiting an individual from visiting a website in a manner that violates its terms of service or terms of use. Thus, the plaintiffs claimed that the CFAA unconstitutionally criminalized audit testing and investigations.
Having analyzed different views, the District Court for the District of Columbia sided with the Second, Fourth, and Ninth Circuits and opted for a narrower reading of the statute. In doing so, the court relied on the text of the statute, statutory context, the legislative history, and the amendment history of the CFAA to support its finding. Moreover, Judge John Bates ruled that two plaintiffs could proceed on their claim that criminalizing such activity violates their free speech rights. Professor James Grimmelmann noted on Twitter that this could be “a big victory for online freedom, scholarly research on the Internet, and anti-discrimination.”
Though it could be a victory for online freedom, Sandvig v. Sessions deepened the circuit split on the interpretation of “exceeding authorized access” under the CFAA. In October 2017, the Supreme Court denied a writ of certiorari in Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016), which could have been an opportunity to resolve the split. One must wait and see whether Sandvig will reach the Supreme Court and thereby resolve the question of whether violations of terms of service could lead to criminal liability.
Microsoft Ireland: Government Submits Motion to Vacate Judgment of the Court of Appeals and Remand with Directions to Dismiss as Moot
On March 23, 2018, Congress passed and the President signed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) as part of the Omnibus Bill. 2018, H.R. 1625, Div. V, 115th Cong., 2d Sess. (2018). The CLOUD Act Section 103(a) explicitly states that a service provider responding to a Stored Communications Act Section 2703 order must produce information within its “possession, custody, or control, regardless of whether such information is located within or outside of the United States.”
One of the main questions in the Microsoft Ireland case was whether the Stored Communications Act applied extraterritorially, either explicitly or implicitly. While the United States District Court for the Southern District of New York accepted that Section 2703 of the Stored Communications Act had an extraterritorial application, the Second Circuit disagreed and ruled in favor of Microsoft. The case is now pending before the Supreme Court. Upon the introduction of the CLOUD Act, the Department of Justice issued a new warrant for the Microsoft data. Subsequently, it submitted a motion to vacate the prior Court of Appeals judgment and dismiss the case.
Microsoft President Brad Smith greeted the new legislation with optimism. He noted in the Official Microsoft Blog that “[t]he inclusion of the CLOUD Act in the Omnibus funding bill negotiated by congressional leaders of both parties is a critical step forward in resolving an issue that has been the subject of litigation for over four years.” Subsequently, on April 3, 2018, Microsoft filed a response in agreement with the government’s position concerning the mootness of the case.
The Supreme Court is expected to deliver its judgment in June. Scholars expect that the Supreme Court will rule that the CLOUD Act mooted the case.
New Rules for Facebook in the Aftermath of Cambridge Analytica?
The revelations surrounding Cambridge Analytica surprised and shocked many Facebook users. According to the New York Times, data of 50 million users were surreptitiously misused. To explain the situation in more depth, Mark Zuckerberg will testify before the House Energy and Commerce Committee on April 11, 2018 regarding the company’s use and protection of user data.
Prior to his appearance before the Senate, Zuckerberg has made two important announcements, which might give rise to new rules for Facebook. First, according to TechCrunch, Zuckerberg stated that Facebook will implement the EU’s General Data Protection Regulation (“GDPR”) worldwide. The GDPR, which will enter into force May 25, 2018, places various compliance requirements on data controllers and regulates user consent in a different way than the U.S. Moreover, it ensures that individuals have a right to know which companies have what data about them and ask for the deletion or the correction of the data held. While Zuckerberg cautioned that it could not be applied in the same format due to the divergence of local laws, Facebook will endeavor to comply with GDPR’s data privacy rules.
Second, through a Facebook post, Zuckerberg stated: “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you. I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again.” According to Jack Balkin, this statement acknowledges the fiduciary duties of Facebook. Balkin writes, “[B]ecause Facebook holds so much data about people, and because its operations are not transparent, people are vulnerable to how Facebook uses their data. This means that people must trust Facebook not to abuse their confidence. Facebook's right to hold the data depends on its responsibilities not to abuse that trust. This is, in essence, the assumption of a fiduciary duty—the duty not to abuse the trust that vulnerable parties must place in another who performs services for them.”
Under the current privacy scheme in the U.S., the biggest problem for users is the enforcement of privacy rules and regulations. As Daniel Solove and Woodrow Hartzog note, unlike many countries, U.S. privacy law adopts a sectoral approach rather than an omnibus approach. Since courts reject the view that privacy policies are contracts or privacy breaches are akin to common law torts, the U.S. privacy regulatory system depends on the FTC or cases brought by state attorneys general. Application of the GDPR or perceiving Facebook as an “information fiduciary” might change this trend as it might pave the way for privacy cases brought by individuals.
Secil Bilgic is an LLM student at Harvard Law School and a Fulbright Scholar.