Seyfarth Synopsis: In a first-of-its-kind ruling in Sandvig v. Barr, No. 16-1368, 2020 WL 1494065 (D.D.C. Mar. 27, 2020), the U.S. District Court for the District of Columbia held that private citizens investigating whether employment hiring websites discriminate based on race or gender by creating fake profiles and job postings would not violate the Computer Fraud and Abuse Act with their use of fake profiles. The ruling is an important warning for employers using these hiring channels to watch out for such “testers” and the potential discrimination claims that may follow.
In Sandvig, academic researchers filed a pre-enforcement constitutional challenge with the District Court, requesting that it examine whether certain provisions of the Computer Fraud and Abuse Act (“CFAA”) – which imposes criminal liability for particular computer-related fraudulent activity – violated the researchers’ constitutional rights, as they believed that the CFAA would prohibit them from conducting research related to hiring discrimination. The plaintiffs hoped to investigate whether websites that facilitate job hiring, such as LinkedIn, Monster, Glassdoor, and Entelo, use algorithms that lead to discriminatory treatment of applicants based on protected characteristics.
To “test” the website algorithms, the plaintiffs informed the Court that they planned to submit fake applications and fake job postings in an effort to see where the fake applicants were ranked by the site’s algorithms when the applications were forwarded to the job poster. The plaintiffs would include in the fake job posting that the posting was not a real opportunity so that no real applicants believed they were applying to a legitimate posting. The plaintiffs also stated that they would comply with any payment-related requirements associated with the job sites; however, the creation of fake profiles and fake postings still ran afoul of the sites’ terms and conditions for use.
Because of the violation of the site terms and conditions necessitated by the research, which the plaintiffs assumed would violate the Access Provision of the CFAA, the plaintiffs asked the Court to find that the Access Provision violated their constitutional rights. In response, the Federal Government filed a motion to dismiss. The Court granted the motion to dismiss for the majority of the plaintiffs’ claims, leaving only a claim that the law violated the plaintiffs’ First Amendment rights. The parties then filed cross-motions for summary judgment.
The Court’s Decision
In their motion for summary judgment, the plaintiffs renewed their pre-enforcement challenge to the Access Provision of the CFAA, alleging that it unconstitutionally restricted their First Amendment rights by criminalizing their research plans involving the violation of websites’ terms of service. In its motion, the government argued that the plaintiffs did not have standing and that the First Amendment did not shield the plaintiffs from decisions of private websites about their own terms and conditions.
The Court first addressed the government’s standing argument. The plaintiffs argued that they had standing because they intended “to engage in a course of conduct arguably affected with a constitutional interest, but proscribed by a statute, and there exists a credible threat of prosecution thereunder.” Id. at *2. The Court agreed. It found that the plaintiffs had concrete plans to engage in their proposed research, there was a credible threat of prosecution based on previous cases brought by the government under the Access Provision, and that the case was ripe for adjudication. Accordingly, the Court concluded that the plaintiffs had standing to bring their claim.
The Court thereafter examined whether the CFAA Access Provision actually prohibited the plaintiffs’ proposed research. The CFAA prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] … information from any protected computer.” 18 U.S.C. § 1030(a)(2). In its opinion, the Court assessed whether violating the terms of service of a website constituted unauthorized access such that the violation would become a criminal offense. The Court adopted the common theory of a “two-realm internet,” meaning that unauthorized access involves transitioning from a public area of the internet to a private, permission-restricted area that usually requires a form of authentication before an individual is granted access. Where an individual passes a “permission requirement” that the individual is not authorized to pass, the Access Provision of the CFAA is triggered.
The Court determined that violating the terms of service of a website does not constitute a CFAA violation under the “authorized access” provisions. In its determination, the Court expressed discomfort in allowing website owners to set terms that would eventually lead to criminal liability. Accordingly, the Court denied both motions for summary judgment as moot since the plaintiffs’ proposed conduct did not run afoul of the CFAA, though it expressly opined that the conduct “may have consequences for civil liability under other federal and state laws.” Id. at *10.
Implications for Employers
While many employers may never deal with the CFAA, the Court’s decision should serve as a warning to employers utilizing hiring platforms to fill job postings. The issue of online job advertising has been a hot topic for the EEOC in recent years, with the Commission looking specifically at job advertisements on Facebook for potential discrimination issues, but research indicating potential discrimination in hiring platform algorithms may similarly draw the EEOC’s attention. With the Court’s decision in Sandvig removing the threat of criminal liability for this kind of “testing” research into possible discrimination related to algorithms used by hiring platforms, such research could be used to bolster discriminatory impact claims filed by plaintiffs related to hiring practices. Employers should keep an eye out for research conducted or released in the wake of this opinion, and hiring platforms should be on alert for “fake” postings and applicants utilizing their websites.