315 F. Supp. 3d 1
D.C. Cir. 2018
Background
- Plaintiffs (four professors and a media org) seek to run automated "audit" tests (bots, "sock puppets," scraping) on public real-estate and hiring websites to detect algorithmic discrimination, knowing these methods violate some sites' Terms of Service (ToS).
- They filed a pre-enforcement constitutional challenge to the CFAA §1030(a)(2)(C) (the "Access Provision") alleging First Amendment (speech, press, petition) and Fifth Amendment (vagueness, unlawful delegation) violations; DOJ moved to dismiss for lack of standing and failure to state a claim.
- The Access Provision criminalizes intentionally accessing a protected computer without authorization or "exceed[ing] authorized access" to obtain information; penalties vary by severity and objective (misdemeanor up to 1 year; felony enhancements for fraud, financial gain, or >$5,000 loss).
- Plaintiffs concede they will violate ToS (scraping, creating fake accounts), but allege their actions are public‑forum information-gathering and publication protected by the First Amendment and that CFAA exposure chills their research.
- The Court addressed standing (pre-enforcement First Amendment claim standards), statutory interpretation of "exceeds authorized access," and constitutional challenges, construing the CFAA before resolving overbreadth/vagueness/nondelegation concerns.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Standing (pre-enforcement) | Plaintiffs intend protected expressive conduct; CFAA proscribes ToS violations; credible threat of prosecution exists => injury-in-fact | DOJ: no specific threats; charging guidance discourages harmless ToS prosecutions; lack of enforcement history against benign ToS breaches | Court: Plaintiffs have standing for First and Fifth Amendment claims (pre-enforcement standard relaxed for speech claims); credible threat plausible given past prosecutions and lack of categorical disavowal |
| Scope of "exceeds authorized access" under CFAA | CFAA should be read to include ToS violations (use-based) so plaintiffs' ToS breaches fall within statute | DOJ: CFAA targets access violations and may consider ToS in context; statute criminalizes access-based wrongs | Court: Adopts narrow, access-limited reading: covers obtaining/altering information outside the scope of authorized access (not mere use/purpose violations); thus many ToS breaches fall outside CFAA |
| First Amendment (as-applied & overbreadth) | CFAA criminalizes expressive conduct (scraping, false identities, publication) and is overbroad/chills research | DOJ: CFAA regulates conduct not speech; private websites control access; law is content-neutral and serves significant interests (preventing theft/trespass) | Court: Denied dismissal of as-applied First Amendment claim as to creating false accounts on sites where account creation is an authentication gate (Mislove & Wilson); facial overbreadth dismissed because limiting construction narrows problematic sweep |
| Fifth Amendment vagueness & nondelegation | Broad reading delegates lawmaking to private parties via ToS, invites arbitrary enforcement, and lacks fair notice | DOJ: Narrow construction avoids nondelegation and vagueness; CFAA is like other criminal laws that depend on private authorization | Court: Dismissed vagueness and nondelegation claims after adopting a limiting, access-based construction that avoids constitutional problems |
Key Cases Cited
- Reno v. American Civil Liberties Union, 521 U.S. 844 (1997) (Internet as a diverse medium deserving full First Amendment protection)
- Packingham v. North Carolina, 582 U.S. _ (2017) (cyberspace is a primary site for First Amendment activity; courts must exercise caution restricting access to social-media sites)
- United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (reading "exceeds authorized access" as limited to access, not mere misuse)
- United States v. Valle, 807 F.3d 508 (2d Cir. 2015) (legislative history and text support access‑based interpretation of "exceeds authorized access")
- WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) ("exceeds authorized access" focuses on scope of access rather than purpose of use)
- Holder v. Humanitarian Law Project, 561 U.S. 1 (2010) (standing and merits context for pre-enforcement First Amendment challenges)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (standing elements and burden of proof)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (plausibility standard on motion to dismiss)
