Back in 2016, the ACLU and First Look (the publishers of The Intercept) sued the US government
to force it to clarify that the 1986 Computer Fraud and Abuse Act –
the overbroad statute passed during over a panic sparked by the movie
“Wargames” – does not prohibit violations of terms of service.
At issue is the CFAA’s incredibly broad definition of hacking:
“exceeding your authorization” on a computer. Tech companies have argued
that this means that any violation of their terms of service (through
which they define your authorization) is a felony under the CFAA. This
was the basis for the US government’s legal attack on Aaron Swartz,
allowing a federal prosecutor to threaten him with 35 years in prison
for failing to abide by the legal fine-print on a website.
The US Government moved to dismiss the suit and a Federal Circuit judge
has dismissed their motion, and will allow the suit to proceed.
The Intercept and the ACLU are seeking a judgment that would allow them
to systematically explore whether services are practicing illegal racial
and gender-based discrimination in advertising and offering financial
products to their users; to do this, they want to be able to create fake
personas and login to the services to gather data.
Axios’s Joe Uchill points out that this is a fraught business in the
midst of the Cambridge Analytica scandal, with some skeptics arguing
that a victory in the suit for the ACLU and The Intercept would be the
thin edge of the wedge for allowing companies like Cambridge Analytica
to violate terms of service by scraping user profiles. I think that this
is overstated: other circuits have already narrowed the CFAA
and its ability to turn EULAs into private law; and the issue being
argued here is a narrow one: whether a specific legal activity can be
made illegal by adding a term-of-service prohibiting it.
