On March 30, 2018, in Sandvig v. Sessions, the U.S. District Court for the District of Columbia allowed one of several constitutional challenges to the Computer Fraud and Abuse Act to survive a motion to dismiss. In doing so, the district court highlighted and analyzed the split between circuits in interpreting the “exceeds authorization” provision and joined the Second, Fourth, and Ninth Circuits in finding that exceeding authorization means exceeding authorized access and not merely authorized use.
The constitutional challenges at issue in Sandvig arise out of an unusual set of circumstances. The plaintiffs are several professors who want to research whether websites offering employment, real estate, and financial services engage in unintentional discrimination through their use of algorithms. The professors intend to run a series of “audit tests” which use bots to scrape the websites and create false user profiles. The bots will then collect information to determine how the websites respond to users who display characteristics attributed to certain races, genders, or other classes. Because such techniques are generally prohibited by most websites’ terms of service agreements, the professors contend they must either refrain from conducting research that constitutes protected speech, or else expose themselves to risk of prosecution under the CFAA.
In determining whether the plaintiffs were actually at risk of prosecution, the court inquired whether the plaintiffs’ proposed conduct—using information in violation of a website’s terms of service—“exceeds authorization” under the CFAA. The court started by noting that there exists a significant circuit split on this issue. The Second, Fourth, and Ninth Circuits have held that the CFAA prohibits only unauthorized access to information. In these circuits, a defendant can use information however he chooses without CFAA liability as long as his access was authorized. The First, Fifth, and Eleventh Circuits, in contrast, have held that the CFAA may also cover the unauthorized use of information, even if the defendant was authorized to access it.
The circuit split between liability for “unauthorized access” and liability for mere “unauthorized use” is important for companies operating in multiple jurisdictions, and is an issue that TSW and other Orrick blogs follow closely. Consider, for example, a departing employee who accesses company information with authorization, but then uses that information in a manner that violates company policies or employment agreements (e.g., by disclosing it to his new employer). Employers in the latter circuits may assert CFAA claims to assert their rights while employers in the former circuits may not.
In Sandvig, the district court noted that the D.C. Circuit has not yet weighed in on the issue. The court then analyzed the CFAA, including the constitutional implications of both interpretations, and joined the Second, Fourth, and Ninth Circuits in finding that liability turned on access, not use. The court then found that scraping public information would not violate the CFAA, but that creating false profiles for purpose of obtaining information that is not otherwise public could constitute a violation.
Pursuant to this narrow reading of the statute, the district court dismissed a number of plaintiffs’ constitutional challenges, including a claim that the “exceeds authorization” provision of the CFAA is “facially overbroad” under the First Amendment. But the court denied the motion to dismiss as to plaintiffs’ claim that the provision “as applied to plaintiffs” unconstitutionally restricts their protected speech. Accordingly, that claim still remains viable.
It is still unclear if or when the Supreme Court will resolve the circuit split on this issue. It is also unclear whether plaintiffs’ remaining constitutional challenges would have survived the motion to dismiss had the D.C. district court adopted the First, Fifth, and Eleventh Circuits’ interpretation of the “exceeds authorization” provision. But, to be sure, TSW will continue to follow and report on developments regarding the meaning (and constitutionality) of the “exceeds authorization” clause in the CFAA.