Good news for anyone who uses the Internet as a source of information: A district court in Washington, D.C. has ruled that using automated tools to access publicly available information on the open web is not a computer crime—even when a website bans automated access in its terms of service. The court ruled that the notoriously vague and outdated Computer Fraud and Abuse Act (CFAA)—a 1986 statute meant to target malicious computer break-ins—does not make it a crime to access information in a manner that the website doesn’t like if you are otherwise entitled to access that same information.
The case, Sandvig v. Sessions, involves a First Amendment challenge to the CFAA’s overbroad and imprecise language. The plaintiffs are a group of discrimination researchers, computer scientists, and journalists who want to use automated access tools to investigate companies’ online practices and conduct audit testing. The problem: the automated web browsing tools they want to use (commonly called “web scrapers”) are prohibited by the targeted websites’ terms of service, and the CFAA has been interpreted by some courts as making violations of terms of service a crime. The CFAA is a serious criminal law, so the plaintiffs have refrained from using automated tools out of an understandable fear of prosecution. Instead, they decided to go to court. With the help of the ACLU, the plaintiffs have argued that the CFAA has chilled their constitutionally protected research and journalism.
The CFAA makes it illegal to access a computer connected to the Internet “without authorization,” but the statute doesn’t tells us what “authorization” or “without authorization” means. Even though it was passed in the 1980s to punish computer intrusions, it has metastasized in some jurisdictions into a tool for companies and websites to enforce their computer use policies, like terms of service (which no one reads). Violating a computer use policy should by no stretch of the imagination count as a felony.
In today’s networked world, where we all regularly connect to and use computers owned by others, this pre-Internet law is causing serious problems. It’s not only chilled discrimination researchers and journalists, but it has also chilled security researchers, whose work is necessary to keep us all safe. It is also threatening the open web, as big companies try to use the law as a tool to block competitors from accessing publicly available data on their sites. Accessing publicly available information on the web should never be a crime. As law professor Orin Kerr has explained, publicly posting information on the web and then telling someone they are not authorized to access it is “like publishing a newspaper but then forbidding someone to read it.”
Luckily, Judge John Bates recognized the critical role that the Internet plays in facilitating freedom of expression—and that a broad reading of the CFAA “threatens to burden a great deal of expressive activity, even on publicly accessible websites.” The First Amendment protects not only the right to speak, but also the right to receive information, and the court held that the fact “[t]hat plaintiffs wish to scrape data from websites rather than manually record information does not change the analysis.” According to the court:
“Scraping is merely a technological advance that makes information collection easier; it is not meaningfully different from using a tape recorder instead of taking written notes, or using the panorama function on a smartphone instead of taking a series of photos from different positions.”
Judge Bates did not strike down the law as unconstitutional, but he did rule that the statute must be interpreted narrowly to avoid running afoul of the First Amendment. Judge Bates also said that a narrow construction was the most common sense reading of the statute and its legislative history.
Judge Bates is the second judge this year to recognize that a broad interpretation of the CFAA will negatively impact open access to information on the web. Last year, Judge Edward Chen found that a “broad interpretation of the CFAA invoked by LinkedIn, if adopted, could profoundly impact open access to the Internet, a result that Congress could not have intended when it enacted the CFAA over three decades ago.”
The government argued that the plaintiffs did not have standing to pursue the case, in part because there was no “plausible threat” that the government was going to prosecute them for their work. But as the judge pointed out, the government has attempted to prosecute “harmless ToS violations” in the past.
The web is the largest, ever-growing data source on the planet. It is a critical resource for journalists, academics, businesses, and ordinary individuals alike. Meaningful access sometimes requires the assistance of technology to automate and expedite an otherwise tedious process of accessing, collecting and analyzing public information. Using technology to expedite access to publicly available information shouldn’t be a crime—and we’re glad to see another court recognize that.