The Computer Fraud and Abuse Act has been a perpetual threat since its passage. This shouldn’t surprise anyone, since it was enacted in 1986, when nobody outside of some serious geeks had any real idea of how computers would be ten, twenty, thirty years later. It was a lot easier to pass a law about computers back then, because there wasn’t a great deal of public concern. We didn’t have them. We didn’t use them. They were barely a twinkle in our eye, and regulating their use posed no threat to our ability to play Angry Birds or take selfies.
One of the remnants of this more innocent age is that the CFAA, if interpreted by a federal prosecutor with a really sad story, would criminalize accessing a website in violation of the site’s terms of service. The notion is absurd, since the terms of service could prohibit anything the website owner wants it to prohibit. My TOS is that no assholes are allowed. You’re committing a felony right now if the CFAA’s “unauthorized access” provision criminalizes violation of terms of service.
Bear in mind, back then only corporations and educational institutions were regular computer users. They could type “gopher” after the C prompt and go online, because there was no world wide web then. Remember the old days when you had to include “www.” before every URL or you wouldn’t get anywhere? Then you might be asked for your five letter password, sometimes “muffy,” chosen because of an adored kitty. With enough effort, a hacker might discover your secret key and do mischief. That had to be stopped, and so the CFAA was crafted.
The ACLU has taken up arms against the threat of the CFAA being used to create crimes based on terms of service limiting authorized access. It’s a worthy cause, since the notion is inconsistent with reality, the Constitution and is rife with the potential for abuse. Yay? Not so fast.
In the digital age, with everyone experimenting with new uses of big data, algorithms, and machine-learning, it’s crucial that researchers be able to engage in anti-discrimination testing online. But a federal computer crimes law, the Computer Fraud and Abuse Act, is creating a significant barrier to research and testing necessary to uncover online discrimination in everything from housing to employment. The ACLU filed a lawsuit today on behalf of a group of academic researchers, computer scientists, and journalists to remove the barrier posed by the CFAA’s overbroad criminal prohibitions.
The plaintiffs chosen by the ACLU aren’t your ordinary assholes. Not even your run-o’-the-mill hackers. They are “academics, computer scientists and journalists” who want to do “research and testing necessary to uncover online discrimination in everything from housing to employment.” They want to violate websites’ terms of service to uncover hidden discrimination.
As more and more of our transactions move online, and with much of our internet behavior lacking anonymity, it becomes easier for companies to target ads and services to individuals based on their perceived race, gender, or sexual orientation.
Or to put it less tactfully, social justice warriors want the right to turn over private rocks in search of thing that make their sacred cows cry. And this is whom the ACLU chooses as its plaintiffs.*
That the terms of service should not give rise to the manufacture of a federal offense by a prosecutor in search of a means to screw someone who violated his sacred cow may well be a very worthwhile endeavor. There isn’t much of a question that limiting the reach of unauthorized access as a crime is desperately needed.
The law, which is woefully out of date, and was passed (literally) by a Congress that was freaked out over the movie WarGames, is supposed to target evil “computer hackers.” But it’s written so broadly, including terms like “unauthorized access” or “exceeding authorized access,” that it’s been used against things like violating a terms of service (that you didn’t read or even agree to) or against downloading too many files. And that’s scaring the hell out of researchers.
And yet, these “researchers'” purpose is to find secret algorithms that may discriminate by anticipating binary gender? So they can take the devs outside to be shot for not adhering to the SJW orthodoxy? The deeply conflicted beliefs of activists have been raised as a bone of contention before, and this seals the deal for the ACLU. Much as violating terms of service should never be the basis for a crime, the argument against it is not to enable SJWs to undermine the rights of website owners to be as discriminatory as they wanna be. There is no First Amendment right to dig up SJW dirt to complain about other people’s First Amentment rights to not give a shit about SJW orthodoxy.
At Techdirt, Mike Masnick questioned whether this suit had any chance of success.
While I’ve been quite vocal for years about the problems of the CFAA and how it chills a variety of activities, including ones similar to those described here, and while I have enormous respect for the ACLU, I do wonder how successful this case will be. Courts are not always happy to take on cases that can be seen as more “speculative” than over a clear issue (i.e., after someone’s been charged with violating the CFAA for this kind of activity). At the same time, courts also like to avoid dealing with Constitutional questions, if they can avoid it — and so far, multiple courts have rejected attempts to claim that mere terms of service violation violates the CFAA. So they can get out of handling the Constitutional question by just saying “well, that particular use is not a CFAA violation.”
For the lawyers among us, this is the “case and controversy” requirement, plus the tenet that courts shouldn’t address constitutional questions when they don’t have to. In other words, the ACLU has picked a really stupid case to try and make its point. And yet:
So while I think this is a really important issue, and I’d love to see a constitutional challenge to these aspects of the CFAA succeed, I’m at least somewhat skeptical of the chances of this particular case. Hopefully, I’m proven wrong.
As much as Mike, and I, would like to see any doubt eliminated about the CFAA’s “unauthorized use” provision not applying to the transitory and visceral terms of service, I totally hope Mike is wrong; completely, utterly wrong. Ending the potential for a crime based on terms of service violations is certainly a good cause. Contending that academics have some intrinsic right to hack private websites in search of feelz violations is also wrong. Two wrongs don’t make a right, and these SJW academics have no right to scour the internet in search of private parties exercising free speech and not swooning at their 31 flavors of gender.