Federal courts on a variety of levels and in a variety of jurisdictions have grappled with the question of what it means to “access a computer without authorization” and to exceed
which is an essential requirement under many of the subsections of the Computer Fraud and Abuse Act. Now in Christian W. Sandvig v. Barr, __ F.3d __, 2020 WL 1494065 (D.D.C. 2020), a district court in the District of Columbia ruled that researchers do not violate a website’s terms of service by providing false information about providing false information to the website. This allows researchers, at least in the District of Columbia, to breach such agreements on the website.
The Sandvig plaintiffs, including professors at Northeastern University, who intend to test whether employment websites discriminate based on race and gender, including by providing false information to the website, in violation of these websites’ terms of service, brought a pre-enforcement challenge alleging that the CFAA, as applied to their intended conduct of violating the websites’ terms of service, chills their First Amendment right to free speech.
After closely analyzing precedent from other jurisdictions, including from the Ninth Circuit in hiQ Labs. Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019), and the legislative history of the CFAA, the court concluded “that agreeing to [a website’s terms of service], although that may consequences for civil liability under other federal and state laws, is not sufficient to trigger criminal liability under the CFAA. In other words, terms of service do no constitute ‘permission requirements’ that, if violated, trigger criminal liability.”