Suit To Let Researchers Break Website Rules Wins a Round

An anonymous reader writes: Anyone following Facebook's recent woes with Cambridge Analytica might be surprised to hear that there's a civil liberties argument for swiping data from websites, even while violating their terms of service. In fact, there's a whole world of situations where that thinking could apply: bona fide academic research. On Friday, a judge in a D.C. federal court ruled that an American Civil Liberties Union-backed case trying to guarantee researchers the ability to break sites' rules without being arrested could move forward, denying a federal motion to dismiss. "What we're talking about here is research in the public interest, finding out if there is discrimination," Esha Bhandari, an ACLU attorney representing the academics, told Axios.

To clarify:

This suit is over whether breaking a site's TOS consittutes a criminal offense under the CFAA, notably 18 USC 1030(a)(4-6).

There is a circuit split on this issue, which this suit attempts to clarify.

This suit does not have any impact on civil or contractual suits researches might face for breaking TOS, only whether doing so is a federal criminal offense under this specific law.

Shitty summary. Read the actual complaint

[clovis]

I don't see in the actual lawsuit anything about swiping collected data, nor is the suit suggesting accessing website data other than through the normal access a person typing at a keyboard using the site in a normal way would do. In other words, it isn't about mass data grabbing from servers behind the web site.
What the complaint is covering is very narrowly defined behavior.

Here is the actual ACLU Sandvig v. Lynch - Complaint
https://www.aclu.org/legal-doc...

It's about violating TOS access to websites that forbid using dummy accounts, bots to do testing, scraping (saving screenshots in this case), or violating TOS with non-disparagement clauses.
The complaint says that on-line access that may violate a TOS should not be covered under the CFAA, and that the penalties are far too harsh.

Here's what they're talking about: Researchers want use dummy accounts with the names of people that appear to be some minority group, so that they can see if that group is being discriminated against. As an example, AirBNB, VRBO and such like are prime examples of where that sort of discrimination is in play. Many sites require real names, and non-disparagement clauses would obviously be violated if the research turned up anything.

I especially object to non-disparagement clauses in sites that have an open interface to the public, and although I think that requiring real names is a valid stipulation to use a website, I cannot support that using an alias is a criminal act. The website has the option of cancelling your account if they don't like you much in the same way that the mall can kick you out for not wearing shoes.

The summary is terrible

The summary is terrible, the short version of the argument is that private companies shouldn't be able to write overbearing ToS and turn violations into a federal felony under the CFAA. The only thing it does is to make it so private companies can't attack people with felonies over some stupid ToS on their website. They could still go after you at the civil (but not criminal) level for damages related to any breach of your agreements, the main difference is that they can't get you thrown into jail for violating some nonsense they wrote on their web page this way.

If you want to defend privacy, it's better to get actual privacy laws so that the hundred thousand other companies who misused the Facebook friends API to suck in your social graph can't misuse it. Yes, I realize the only thing that CA did wrong was to break Facebook's ToS, but making that into a federal felony is a bad idea because a ton of you have likely broken their ToS in some trivial way don't belong in prison. I mean, they're especially after disparagement clauses. Would you like for everyone with a Facebook account to be forced, under pain of federal felony charges, to not be able to say bad things about Facebook any more?

Because that's the kind of crap you're asking for if you defend this use of the CFAA.