Academic researchers who wanted to test whether employment websites discriminate based on race and gender provided false information to target websites, in violation of these websites’ terms of service. The researchers brought a pre-enforcement challenge, asking the court to declare that these actions do not violate the CFAA.
The court held that online terms of service do not constitute “permission requirements” that, if violated, trigger criminal liability under the CFAA. The court explained that websites’ terms of service provide inadequate notice for purposes of criminal liability. The court also questioned the wisdom of empowering private actors, like website operators, to define the boundaries of criminal liability. Per the court, this would turn “each website into its own criminal jurisdiction and each webmaster into his own legislature.” The court also cited the rule of lenity for interpreting criminal statutes: doubts about the statute’s interpretation should be resolved in favor of a narrow and more lenient interpretation.
The court concluded that a user should be deemed to have “accesse[d] a computer without authorization,” in the wording of the CFAA, only when they bypass an authenticating permission requirement or an “authentication gate,” such as a password restriction that requires the user to demonstrate that they have been granted access privileges.
The court’s opinion is Sandvig v. Barr.