(or: Research Online Should Not Be Illegal)
I’m a college professor. But on Friday morning I won’t be in the classroom, I’ll be in courtroom 30 in the US District Courthouse on Constitution Avenue in Washington DC. The occasion? Oral arguments on the first motion in Sandvig v. Sessions.
You may recall that the ACLU, academic researchers (including me), and journalists are bringing suit against the government to challenge the constitutionality of “The Worst Law in Technology” — the US law that criminalizes most online research. Our hopes are simple: Researchers and reporters should not fear prosecution or lawsuits when we seek to obtain information that would otherwise be available to anyone, by visiting a Web site, recording the information we see there, and then publishing research results based on what we find.
As things stand, the misguided US anti-hacking law, called the Computer Fraud and Abuse Act (CFAA), makes it a crime if a computer user “exceeds authorized access.” What is authorized access to a Web site? Previous court decisions and the federal government have defined it as violating the site’s own stated “Terms of Service,” (ToS) but that’s ridiculous. The ToS is a wish-list of what corporate lawyers dream about, written by corporate lawyers. (Crazy example, example, example.) ToS sometimes prohibit people from using Web sites for research, they prohibit users from saying bad things about the corporation that runs the Web site, they prohibit users from writing things down. They should not be made into criminal violations of the law.
In the latest developments of our case, the government has argued that Web servers are private property, and that anyone who exceeds authorized access is trespassing “on” them. (“In” them? “With” them? It’s a difficult metaphor.) In other cases the CFAA was used to say that because Web servers are private, users are also wasting capacity on these servers, effectively stealing a server’s processing cycles that the owner would rather use for other things. I visualize a cartoon thief with a bag of electrons.
Are Internet researchers and data journalists “trespassing” and “stealing”? These are the wrong metaphors. Lately I’ve been imagining what would happen in the world of print if the CFAA metaphors were our guide back when the printing press were invented.
If you picked up a printed free newspaper like Express, the Metro, or the Chicago Reader at a street corner and the CFAA applied to it, there would be a lengthy “Terms of Readership” printed on an inside page in very small type. Since these are advertising-supported publications, it would say that people who belong to undesirable demographics are trespassing on the printed page if they attempt to read it. After all, the newspaper makes no money from readers who are not part of a saleable advertising audience. In fact, since the printing presses are private property, unwanted readers are stealing valuable ink and newsprint that should be reserved for the paper’s intended readers. To cover all the bases, readers would be forbidden from writing anything based on what they read in the paper if the paper’s owners wouldn’t like it. And readers could be sued by the newspaper or prosecuted by the federal government if they did any of these things. The scenario sounds foolish and overblown, but it’s the way that Web sites work now under the CFAA.
Another major government argument has been that we researchers and journalists have nothing to be concerned about because prosecutors will use this law with the appropriate discretion. Any vagueness is OK because we can trust them. Concern by researchers and reporters is groundless.
Yet federal prosecutors have a terrible record when it comes to the CFAA. And the idea that online platforms want to silence research and journalism is not speculative. After our lawsuit was filed, the Streaming Heritage research team funded by the Swedish Research Council (similar to the US National Science Foundation) received shocking news: Spotify’s lawyers had contacted the Research Council and asked the council to take “resolute action” against the project, suggesting it had violated “applicable law.” Professors Snickars, Vonderau, and others were studying the Spotify platform. What “law” did Spotify claim was being violated? The site’s own Terms of Service. (Here’s a description of what happened. Note: It’s in Swedish.)
This demand occurred just after a member of the research team appeared in a news story that characterized Spotify in a way that Spotify apparently did not like. Luckily, Sweden does not have the CFAA, and terms of service there do not hold the force of law. The Research Council repudiated Spotify’s claim that research studying private platforms was unethical and illegal if it violated the terms of service. Researchers and journalists in other countries need the same protection.
The full text of the motions in the case is available on the ACLU Web site. In our most recent filing there is an excellent summary of the case and the issues, starting on p. 6. You do not need to read the earlier filings for this to make sense.
There was a burst of news coverage when our lawsuit was filed. Standout pieces include the New Yorker’s “How an Old Hacking Law Hampers the Fight Against Online Discrimination” and “When Should Hacking Be Legal?” in The Atlantic.
The ACLU’s Rachel Goodman has recently published a short summary of how to do research under the shadow of the CFAA. It is titled as a tipsheet for “Data Journalism” but it applies equally well to academic researchers. A longer version co-authored with Esha Bhandari is also available.
(Note that I filed this lawsuit as a private citizen and it does not involve my university.)
IMAGE CREDIT: AgnosticPreachersKid via Wikimedia Commons