Heading to the Courthouse for Sandvig v. Sessions

E._Barrett_Prettyman_Federal_Courthouse,_DC

(or: Research Online Should Not Be Illegal)

I’m a college professor. But on Friday morning I won’t be in the classroom, I’ll be in courtroom 30 in the US District Courthouse on Constitution Avenue in Washington DC. The occasion? Oral arguments on the first motion in Sandvig v. Sessions.

You may recall that the ACLU, academic researchers (including me), and journalists are bringing suit against the government to challenge the constitutionality of “The Worst Law in Technology” — the US law that criminalizes most online research. Our hopes are simple: Researchers and reporters should not fear prosecution or lawsuits when we seek to obtain information that would otherwise be available to anyone, by visiting a Web site, recording the information we see there, and then publishing research results based on what we find.

As things stand, the misguided US anti-hacking law, called the Computer Fraud and Abuse Act (CFAA), makes it a crime if a computer user “exceeds authorized access.” What is authorized access to a Web site? Previous court decisions and the federal government have defined it as violating the site’s own stated “Terms of Service,” (ToS) but that’s ridiculous. The ToS is a wish-list of what corporate lawyers dream about, written by corporate lawyers. (Crazy example, example, example.) ToS sometimes prohibit people from using Web sites for research, they prohibit users from saying bad things about the corporation that runs the Web site, they prohibit users from writing things down. They should not be made into criminal violations of the law.

In the latest developments of our case, the government has argued that Web servers are private property, and that anyone who exceeds authorized access is trespassing “on” them. (“In” them? “With” them? It’s a difficult metaphor.) In other cases the CFAA was used to say that because Web servers are private, users are also wasting capacity on these servers, effectively stealing a server’s processing cycles that the owner would rather use for other things. I visualize a cartoon thief with a bag of electrons.

Are Internet researchers and data journalists “trespassing” and “stealing”? These are the wrong metaphors. Lately I’ve been imagining what would happen in the world of print if the CFAA metaphors were our guide back when the printing press were invented.

If you picked up a printed free newspaper like Express, the Metro, or the Chicago Reader at a street corner and the CFAA applied to it, there would be a lengthy “Terms of Readership” printed on an inside page in very small type. Since these are advertising-supported publications, it would say that people who belong to undesirable demographics are trespassing on the printed page if they attempt to read it. After all, the newspaper makes no money from readers who are not part of a saleable advertising audience. In fact, since the printing presses are private property, unwanted readers are stealing valuable ink and newsprint that should be reserved for the paper’s intended readers. To cover all the bases, readers would be forbidden from writing anything based on what they read in the paper if the paper’s owners wouldn’t like it. And readers could be sued by the newspaper or prosecuted by the federal government if they did any of these things. The scenario sounds foolish and overblown, but it’s the way that Web sites work now under the CFAA.

Another major government argument has been that we researchers and journalists have nothing to be concerned about because prosecutors will use this law with the appropriate discretion. Any vagueness is OK because we can trust them. Concern by researchers and reporters is groundless.

Yet federal prosecutors have a terrible record when it comes to the CFAA. And the idea that online platforms want to silence research and journalism is not speculative. After our lawsuit was filed, the Streaming Heritage research team funded by the Swedish Research Council (similar to the US National Science Foundation) received shocking news: Spotify’s lawyers had contacted the Research Council and asked the council to take “resolute action” against the project, suggesting it had violated “applicable law.” Professors Snickars, Vonderau, and others were studying the Spotify platform. What “law” did Spotify claim was being violated? The site’s own Terms of Service. (Here’s a description of what happened. Note: It’s in Swedish.)

This demand occurred just after a member of the research team appeared in a news story that characterized Spotify in a way that Spotify apparently did not like. Luckily, Sweden does not have the CFAA, and terms of service there do not hold the force of law. The Research Council repudiated Spotify’s claim that research studying private platforms was unethical and illegal if it violated the terms of service. Researchers and journalists in other countries need the same protection.

More Information

The full text of the motions in the case is available on the ACLU Web site. In our most recent filing there is an excellent summary of the case and the issues, starting on p. 6. You do not need to read the earlier filings for this to make sense.

There was a burst of news coverage when our lawsuit was filed. Standout pieces include the New Yorker’sHow an Old Hacking Law Hampers the Fight Against Online Discrimination” and “When Should Hacking Be Legal?” in The Atlantic.

The ACLU’s Rachel Goodman has recently published a short summary of how to do research under the shadow of the CFAA. It is titled as a tipsheet for “Data Journalism” but it applies equally well to academic researchers. A longer version co-authored with Esha Bhandari is also available.

(Note that I filed this lawsuit as a private citizen and it does not involve my university.)

IMAGE CREDIT: AgnosticPreachersKid via Wikimedia Commons

Why I Am Suing the Government — Update

[This is an old postSEE ALSO: The most recent blog post about this case.]

Last month I joined other social media researchers and the ACLU to file a lawsuit against the US Government to protect the legal right to conduct online research. This is newly relevant today because a community of devs interested in public policy started a petition in support of our court case. It is very nice of them to make this petition. Please consider signing it and sharing this link.

PETITION: Curiosity is (not) a crime
http://slashpolicy.com/petition/curiosity-is-not-a-crime/


For more context, see last month’s post: Why I Am Suing the Government.

 

Why I Am Suing the Government

(or: I write scripts, bots, and scrapers that collect online data)

[This is an old postSEE ALSO: The most recent blog post about this case.]

I never thought that I would sue the government. The papers went in on Wednesday, but the whole situation still seems unreal. I’m a professor at the University of Michigan and a social scientist who studies the Internet, and I ran afoul of what some have called the most hated law on the Internet.

Others call it the law that killed Aaron Swartz. It’s more formally known as the Computer Fraud and Abuse Act (CFAA), the dangerously vague federal anti-hacking law. The CFAA is so broad, you might have broken it. The CFAA has been used to indict a MySpace user for adding false information to her profile, to convict a non-programmer of “hacking,” to convict an IT administrator of deleting files he was authorized to access, and to send a dozen FBI agents to the house of a computer security researcher with their guns drawn.

Most famously, prosecutors used the CFAA to threaten Reddit co-founder and Internet activist Aaron Swartz with 50 years in jail for an act of civil disobedience — his bulk download of copyrighted scholarly articles. Facing trial, Swartz hung himself at age 26.

The CFAA is alarming. Like many researchers in computing and social science, writing scripts, bots, or scrapers that collect online data is a normal part of my work. I routinely teach my students how to do it in my classes. Now that all sorts of activities have moved online — from maps to news to grocery shopping — studying people means now means studying people online and thus gathering online data. It’s essential. 

Les raboteurs de parquet (cropped)

Image: Les raboteurs de parquet by Gustave Caillebotte (cropped)
SOURCE: Wikipedia

Yet federal charges were brought against someone who was downloading publicly available Web pages.

People might think of the CFAA as a law about hacking with side effects that are a problem for computer security researchers. But the law affects anyone who does social research, or who needs access to public information. 

I work at a public institution. My research is funded by taxes and is meant for the greater good. My results are released publicly. Lately, my research designs have been investigating illegal fraud and discrimination online, evils that I am trying to stop. But the CFAA made my research designs too risky. A chief problem is that any clause in a Web site’s terms of service can become enforceable under the CFAA.

I found that crazy. Have you ever read a terms of service agreement? Verizon’s terms of service prohibited anyone using a Verizon service from saying bad things about Verizon. As it says in the legal complaint, some terms of service prohibit you from writing things down (as in, with a pen) if you saw them on a particular — completely public — Web page.

These terms of service aren’t laws, they’re statements written by Web site owners describing what they’d like to happen if they ran the universe. But the current interpretation of the CFAA says that we must judge what is authorized on the Web by reading a site’s terms of service to see what has been prohibited. If you violate the terms of service, the current CFAA mindset is: you’re hacking.

That means anything a Web site owner writes in the terms of service effectively becomes the law, and these terms can change at any time.

Did you know that terms of service can expressly prohibit the use of a Web site by researchers? Sites effectively prohibit research by simply outlawing any saving or republication of their contents, even if they are public Web pages. Dice.com forbids “research or information gathering,” while LinkedIn says you can’t “copy profiles and information of others through any means” including “manual” means. You also can’t “[c]ollect, use, copy, or transfer any information obtained from LinkedIn,” or “use the information, content or data of others.” (This begs the question: How would the intended audience possibly use LindedIn and follow these rules? Memorization?)

As a researcher, I was appalled by the implications, once they sunk in. The complaint I filed this week has to do with my research on anti-discrimination laws, but it is not too broad to say this: The CFAA, as things stand, potentially blocks all online research. Any researcher who uses information from Web sites could be at risk from the provision in our lawsuit. That’s why others have called this case “key to the future of social science.”

If you are a researcher and you think other researchers would be interested in this information, please share this information. We need to get the word out that the present situation is untenable.

NEW: There is now an online petition started by a cool group of policy-minded devs on our behalf. Please consider signing and sharing it.

The ACLU is providing my legal representation, and in spirit I feel that they have taken this case on behalf of all researchers and journalists. If you care about this issue and you’d like to help, I urge you to contribute.

 

Want more? Here is an Op-Ed that I co-authored with my co-plaintiff Prof. Karrie Karahalios:

Most of what you do online is illegal. Let’s end the absurdity.
https://www.theguardian.com/commentisfree/2016/jun/30/cfaa-online-law-illegal-discrimination

Here is the legal complaint:

Sandvig v. Lynch
https://www.aclu.org/legal-document/sandvig-v-lynch-complaint

Here is a press release about the lawsuit:

ACLU Challenges Law Preventing Studies on “Big Data” Discrimination
https://www.aclu.org/news/aclu-challenges-law-preventing-studies-big-data-discrimination

Here is some of the news coverage:

Researchers Sue the Government Over Computer Hacking Law
https://www.wired.com/2016/06/researchers-sue-government-computer-hacking-law/

New ACLU lawsuit takes on the internet’s most hated hacking law
http://www.theverge.com/2016/6/29/12058346/aclu-cfaa-lawsuit-algorithm-research-first-amendment

Do Housing and Jobs Sites Have Racist Algorithms? Academics Sue to Find Out
http://arstechnica.com/tech-policy/2016/06/do-housing-jobs-sites-have-racist-algorithms-academics-sue-to-find-out/

When Should Hacking Be Legal?
http://www.theatlantic.com/technology/archive/2016/07/when-should-hacking-be-legal/489785/

Please note that I have filed suit as a private citizen and not as an employee of the University.

[Updated on 7/2 with additional links.]

[Updated on 8/3 with the online petition.]

 

New Report Released: Few Legal Remedies for Victims of Online Harassment

For the last year, I’ve been working with Fordham’s Center on Law and Information Policy to research what legal remedies are available to victims of online harassment. We investigated cyberharassment law, cyberstalking law, defamation law, hate speech, and cyberbullying statutes. We found that although online harassment and hateful speech is a significant problem, there are few legal remedies for victims.

Report Highlights

  • Section 230 of the Communications Decency Act provides internet service providers(including social media sites, blog hosting companies, etc.) with broad immunity from liability for user-generated content.
  • Given limited resources, law enforcement personnel prioritize other cases over
    prosecuting internet-related issues.
  • Similarly, there are often state jurisdictional issues which make successful prosecution
    difficult, as victim and perpetrator are often in different states, if not different countries.
  • Internet speech is protected under the First Amendment. Thus, state laws regarding online
    speech are written to comply with First Amendment protections, requiring fighting
    words, true threats, or obscene speech (which are not protected). This generally means
    that most offensive or obnoxious online comments are protected speech.
  • For an online statement to be defamatory, it must be provably false rather than a matter of
    opinion. This means that the specifics of language used in the case are extremely
    important.
  • While there are state laws for harassment and defamation, few cases have resulted in
    successful prosecution. The most successful legal tactic from a practical standpoint has
    been using a defamation or harassment lawsuit to reveal the identities of anonymous
    perpetrators through a subpoena to ISPs then settling. During the course of our research,
    we were unable to find many published opinions in which perpetrators have faced
    criminal penalties, which suggests that the cases are not prosecuted, they are not appealed
    when they are prosecuted, or that the victim settles out of court with the perpetrator and
    stops pressing charges.
  • In offline contexts, hate speech laws seem to only be applied by courts as penalty
    enhancements; we could locate no online-specific hate speech laws.
  • Given this landscape, the problem of online harassment and hateful speech is unlikely to
    be solved solely by victims using existing laws; law should be utilized in combination
    with other practical solutions.

The objective of the project is to provide a resource that may be used by the general public, and in particular, researchers, legal practitioners, Internet community moderators, and victims of harassment and hateful speech online. If you’re working on online harassment, cyberbullying, revenge porn, or a host of related issues, we hope this will be of service to you.

Also, read it to find out the difference between calling someone a “bitch” and a “skank” online, what a “true threat” is, and why students are probably at the most risk of being prosecuted for online speech acts.

Download the report from SSRN