The U.S. has a long history of “audit testing,” which has been used to uncover civil rights abuses, especially racial discrimination in housing and employment. Researchers test to see whether rental agents, for example, treat black prospective tenants differently than identical white prospective tenants. These audits have been used for decades to root out and correct potential discrimination so that laws like Title VII and the Fair Housing Act can be passed and properly enforced.
In this case, researchers, including those from Northeastern University, were creating false job ads and posing as false job seekers to ascertain whether various employment websites were discriminating based on a protected classification like race or gender. This type of audit testing online is important and badly needed, as evidenced by the $5 million Facebook paid to settle a number of cases brought against it. The company was allowing advertisers to limit their housing and employment ads based on age, gender, and race, a practice that has been banned for decades. The internet presents an enormous opportunity for civil rights abuses, and audit testing allows for their detection.
The ACLU’s lawsuit, Sandvig v. Barr, sought to provide protection to researchers conducting audit testing online so that they could not be sued by the government under the CFAA for doing their job. The specific CFAA provision in question, also known as the “Access Provision,” states that anyone who “intentionally accesses a computer without authorization or exceeds authorized access” can be held criminally liable. The lawsuit sought a ruling that the First Amendment grants researchers the liberty to provide false information to websites during audit testing, such that the Access Provision of the CFAA that prohibits such activity is unconstitutional. The plaintiffs further argued that the CFAA provision was unduly vague and therefore violated their Fifth Amendment due process rights. Additionally, the plaintiffs argued that criminally prosecuting a person under the CFAA for violating the arbitrary terms of service created by a private entity “unconstitutionally delegates lawmaking authority to private actors,” further violating the plaintiffs’ Fifth Amendment due process rights.
On the other hand, the Government argued that the plaintiffs had failed to show standing, meaning they had not suffered any actual harm and, therefore, did not have the right to bring the lawsuit in the first place. It also argued that the First Amendment does not protect plaintiffs from private websites’ choices about whom to exclude from their servers.
The Court declined to rule on the constitutionality of the CFAA provision, instead opting for a narrow ruling, stating that the violation of terms of service is not a violation of the CFAA and thus the researchers could not be criminally prosecuted. The Court went on to conclude that terms of service do not give proper notice to enforce criminal liability, as they are often “long, dense, and subject to change.” Further, the prospect of private entities determining the scope of criminal liability concerned the Court apart from its constitutional implications, and the Court looked to previous rulings that limited the scope of the CFAA to justify this further limitation.
The ruling, though narrow, provides strong protection for audit testing in the digital era and gives clear guidance as to the enforcement of the CFAA when it comes to terms of service and user agreements: private entities do not get to determine who is criminally liable under the CFAA. This degree of clarity is notable for a law that has been implicated in some extremely high-profile cases, the outcomes of which were highly controversial. Further, the analysis in this ruling reinforces the need for CFAA- and internet-law-informed judges as the internet becomes an increasingly litigated space.