New ACLU lawsuit takes on the internet’s most hated hacking law

For decades, the Computer Fraud and Abuse Act has been one of America’s dangerous laws for anyone doing "unauthorized" things with a computer. Used to prosecute Aaron Swartz, Sergey Aleynikov, and jailbreaker George Hotz, the law has long been criticized as a blank check for prosecutors. Under the law’s current interpretation, anyone breaking a website’s terms of service to collect information is guilty of a federal crime.

Now, the American Civil Liberties Union is challenging that. This morning, the group brought a suit against the Department of Justice on behalf of a group of researchers, who say the CFAA is a legal threat to their research. The plaintiffs specialize in algorithmic research: bombarding closed algorithms with a range of different inputs to study their hidden biases. Those techniques often involve breaking a website’s terms of service, potentially exposing the researchers to prosecution under the CFAA.

"Being able to run socially beneficial studies like ours is at the heart of academic freedom," the lead plaintiff, University of Michigan professor Christian Sandvig, said in a statement. "We shouldn’t have to fear prosecution just because we’re doing our jobs."

That kind of research has come to play a pivotal role in sussing out hidden bias. In April, a Bloomberg investigation of Amazon’s same-day delivery service found that the service was avoiding predominantly African-American zip codes. In May, a ProPublica investigation into a widely used sentencing-recommendation algorithm found that it systematically overestimated black defendants’ risk of repeat offenses. Neither system explicitly considered race as an input, but analysis was able to uncover troubling signs of racial bias in the outputs, suggesting confounding variables had skewed the system along racial lines without the creators’ knowledge.

There are no known instances of the CFAA being used to prosecute research of that kind. Still, collecting the necessary data often does violate a website’s Terms of Use, either by scraping the site or by submitting a range of different inputs in a way that wasn’t intended or authorized by the site’s creators. According to the ACLU, the result is a chilling effect, driving away researchers or institutional review boards concerned about legal blowback.

"We want to establish a robust right to test for discrimination online and a recognition that many of the activities involved in testing are protected by the First Amendment," says ACLU staff attorney Esha Bhandari. "I don’t think anyone would disagree that we want researchers doing this kind of work."

The ACLU’s case is based on a First Amendment argument, and even if it succeeds, it would leave many aspects of the CFAA untouched. Legislators have offered a number of bills to restrict the CFAA’s powers, most recently Aaron’s Law in 2013, but so far none have made it through Congress.