WASHINGTON — In a major victory for civil liberties and civil rights enforcement during the digital age, a federal court has ruled that research aimed at uncovering whether online algorithms result in racial, gender, or other discrimination does not violate the Computer Fraud and Abuse Act (CFAA). The first-of-its-kind ruling comes in a lawsuit, Sandvig v. Barr, filed by the American Civil Liberties Union on behalf of academic researchers, computer scientists, and journalists who wish to investigate companies’ online practices.
“This decision helps ensure companies can be held accountable for civil rights violations in the digital era,” said Esha Bhandari, staff attorney with the ACLU’s Speech, Privacy, and Technology Project. “Researchers who test online platforms for discriminatory and rights-violating data practices perform a public service. They should not fear federal prosecution for conducting the 21st-century equivalent of anti-discrimination audit testing.”
The ACLU challenged a provision of the CFAA that the government argues makes it a crime to violate a website’s terms of service. Those terms, which are unilaterally set by individual sites and can change at any time, often prohibit researchers and journalists from creating tester online identities or recording what content is served up to those identities. These practices were used by, for example, investigative journalists who exposed that advertisers were using Facebook’s ad-targeting algorithm to exclude users from receiving job, housing, or credit ads based on race, gender, age, or other classes protected from discrimination in federal and state civil rights laws.
The court rejected the government’s arguments that the CFAA criminalizes terms-of-service violations, and ruled that the research at question in this case could proceed without threat of federal prosecution under that law.
Below are comments from plaintiffs in the case, including:
Christian Sandvig, Director of the Center for Ethics, Society and Computing and Professor of Information at the University of Michigan: "It's a relief to hear that my research is not a crime. The future of AI requires independent researchers and journalists who investigate the operation of these computers. This ruling underlines the importance of these investigations."
Christo Wilson, associate professor of computer science at Northeastern University: "Researchers and investigative journalists who are working to hold tech platforms accountable should not have to live in fear of the threat of federal prosecution. Throughout this case, the DOJ has attempted to have their cake and eat it too, asserting that researchers like us have nothing to fear, yet reserving the right to prosecute us for Terms of Service violations. The court recognized that this position is untenable. Vague, ever-changing, self-serving website Terms of Service simply cannot be the delineating factor that determines what is and is not "hacking" under federal law. I am looking forward to continuing my research."
Alan Mislove, professor of computer science at Northeastern University: "This ruling will significantly aid researchers who are studying the negative impacts that algorithmic systems can have on people. I am particularly heartened to see the court acknowledge that website terms of service are often problematic, as they can be changed at any time and without notice; these issues are particularly acute and onerous under the government’s interpretation that a ToS violation alone is sufficient to trigger CFAA criminal liability."
Karrie Karahalios, a professor of computer science at the University of Illinois: "This outcome reinforces not only the ability, but the need to examine unintended consequences of algorithmic systems that affect the majority of our population today. I am thankful on behalf of myself and my students that the court recognized that our research should not be constrained by dynamically changing terms of service conditions."