                                  UNITED STATES DISTRICT COURT
                                  FOR THE DISTRICT OF COLUMBIA


  CHRISTIAN W. SANDVIG, et al.,
             Plaintiffs,
                    v.                                            Civil Action No. 16-1368 (JDB)
                              1
  WILLIAM P. BARR, in his official
  capacity as Attorney General of the United
  States,
             Defendant.




                                         MEMORANDUM OPINION

         Plaintiffs are academic researchers who intend to test whether employment websites

discriminate based on race and gender. In order to do so, they plan to provide false information to

target websites, in violation of these websites’ terms of service. Plaintiffs bring a pre-enforcement

challenge, alleging that the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, as applied

to their intended conduct of violating websites’ terms of service, chills their First Amendment right

to free speech. Without reaching this constitutional question, the Court concludes that the CFAA

does not criminalize mere terms-of-service violations on consumer websites and, thus, that plaintiffs’

proposed research plans are not criminal under the CFAA. The Court will therefore deny the parties’

cross-motions for summary judgment and dismiss the case as moot.




         1
          Pursuant to Fed. R. Civ. P. 25(d), William P. Barr, the current Attorney General of the United States, is
automatically substituted as the defendant in this matter.

                                                           1
                                             BACKGROUND

        A. Research Plans

        Christopher Wilson and Alan Mislove are professors of computer science at Northeastern

University. Decl. of Pl. Christopher “Christo” Wilson (“First Wilson Decl.”) [ECF No. 48-1] ¶ 1;

Decl. of Pl. Alan Mislove (“First Mislove Decl.”) [ECF No. 48-2] ¶ 1. For their research, Wilson

and Mislove “intend to access or visit certain online hiring websites for the purposes of conducting

academic research regarding potential online discrimination.”           Pls.’ Statement of Undisputed

Material Facts (“SMF”) [ECF No. 47-2] ¶ 61. Their plans include “audit testing” to examine whether

various hiring websites’ proprietary algorithms discriminate against online users “based on

characteristics, such as race or gender, that constitute a protected class status under civil rights laws.”

Id. ¶¶ 64, 66. To conduct these audit tests, plaintiffs “will create profiles for fictitious job seekers,

post fictitious job opportunities, and compare their fictitious users’ rankings in a list of candidates

for the fictitious jobs” in order to see “whether [the] ranking is influenced by race, gender, age, or

other attributes.” Id. ¶ 71.

        Wilson and Mislove state that they will take steps to minimize the impact of their research

both on the targeted websites’ servers and on other users of those websites. Id. at ¶¶ 75–78. For

instance, they will make it apparent to real job seekers and employers that their postings are fake by

“stat[ing] in any fictitious job posting, or in any fictitious job seeker profile, that the job or the job

seeker is not real.” Id. at ¶¶ 75–78. Both researchers also intend to “comply with the payment

requirement” of certain employment websites. Decl. of Pl. Christopher “Christo” Wilson (“Second

Wilson Decl.”) [ECF No. 65-1] ¶ 5; Decl. of Pl. Alan Mislove (“Second Mislove Decl.”) [ECF No.

65-2] ¶ 5. But Wilson and Mislove acknowledge that their research plan will violate the target

websites’ terms of service prohibiting the provision of false information and/or creating fake

                                                    2
accounts. SMF ¶ 86.

        B. Procedural History

        In June 2016, Wilson and Mislove, as well as two other researchers (Christian W. Sandvig

and Kyratso Karahalios) and the nonprofit journalism group First Look Media Works, Inc., brought

a pre-enforcement constitutional challenge to a provision of the CFAA. Compl. [ECF No. 1] ¶¶ 180–

202. The provision at issue, 18 U.S.C. § 1030(a)(2)(C), or the “Access Provision,” makes it a crime

to “intentionally access[] a computer without authorization or exceed[] authorized access, and

thereby obtain[] . . . information from any protected computer.” Plaintiffs argue that this provision

violates the First and Fifth Amendments. Compl. ¶¶ 180–202. Specifically, they claim that the

Access Provision (1) is overbroad and chills their First Amendment right to freedom of speech; (2)

as applied to their research activities, unconstitutionally restricts their protected speech; (3) interferes

with their ability to enforce their rights and therefore violates the Petition Clause; (4) is void for

vagueness under the Fifth Amendment Due Process Clause; and (5) unconstitutionally delegates

lawmaking authority to private actors in violation of the Fifth Amendment Due Process Clause. See

id. On March 30, 2018, this Court partially granted the government’s motion to dismiss. See Sandvig

v. Sessions, 315 F. Supp. 3d 1, 34 (D.D.C. 2018). The Court dismissed all but the as-applied First

Amendment free speech claim brought by Wilson and Mislove. Id.

        Now before the Court are the parties’ cross-motions for summary judgment. Wilson and

Mislove renew their pre-enforcement challenge to the Access Provision of the CFAA, alleging that

it unconstitutionally restricts their First Amendment rights to free speech by criminalizing their

research plans and journalistic activities that involve violating websites’ terms of service. Pls.’ Mem.

P. & A. in Supp. of Mot. for Summ. J. (“Pls.’ Mem.”) [ECF No. 48] at 1. The government, for its

part, argues that plaintiffs have failed to establish standing and that the First Amendment’s

                                                     3
protections do not shield plaintiffs from private websites’ choices about whom to exclude from their

servers. Def.’s Mem. in Supp. of Cross-Mot. for Summ. J. & in Opp’n to Pls.’ Mot. for Summ. J.

(“Gov’t’s Opp’n”) [ECF No. 50-1] at 1–4. The Court held a motions hearing on November 15, 2019,

and subsequently ordered another round of briefing to clarify plaintiffs’ specific research plans and

both parties’ understanding of particular terms within the CFAA. See November 26, 2019 Order

[ECF No. 63] at 1–2. The parties each responded, see Def.’s Resp. to Court’s Order for Clarification

(“Def.’s Resp. for Clarification”) [ECF No. 64]; Pls.’ Mem. in Resp. to Court’s Order [ECF No. 65],

and the matter is now ripe for consideration.

                                           LEGAL STANDARD

       Summary judgment is appropriate when “the movant shows that there is no genuine dispute

as to any material fact and the movant is entitled to judgment as a matter of law.” Fed. R. Civ.

P. 56(a). The party seeking summary judgment “bears the initial responsibility of informing the

district court of the basis for its motion, and identifying those portions of [the record] . . .

demonstrat[ing] the absence of a genuine issue of material fact.” Celotex Corp. v. Cartrett, 477 U.S.

317, 323 (1986); see Fed. R. Civ. P. 56(c)(1)(A) (explaining that a moving party may demonstrate

that a fact is undisputed or not by citing “depositions, documents, electronically stored information,

affidavits or declarations, stipulations . . . , admissions, interrogatory answers, or other materials”).

       In determining whether a genuine issue of material fact exists, the Court must “view the facts

and draw reasonable inferences in the light most favorable to the party opposing the motion.” Scott

v. Harris, 550 U.S. 372, 378 (2007) (internal quotation marks and alteration omitted). But a non-

moving party must establish more than the “mere existence of a scintilla of evidence” in support of

its position. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 252 (1986). To avoid summary

judgment, “there must be evidence on which the jury could reasonably find for the [non-moving

                                                    4
party].” Id.

                                              ANALYSIS

      I.   Jurisdictional Standing

       To have Article III standing, a “plaintiff must have (1) suffered an injury in fact, (2) that is

fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a

favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016) (citing Lujan v.

Defs. of Wildlife, 504 U.S. 555, 560–61 (1992)). This Court previously concluded that plaintiffs had

plausibly alleged standing on their First Amendment claims at the motion-to-dismiss stage, Sandvig,

315 F. Supp. 3d at 16–22, but plaintiffs must now demonstrate standing “with specific facts set out

by affidavit or other admissible evidence,” In re Navy Chaplaincy, 323 F. Supp. 3d 25, 39 (D.D.C.

2018) (internal quotation marks omitted).

       There are two ways in which litigants like plaintiffs here may establish the requisite ongoing

injury when seeking to enjoin a statute alleged to violate the First Amendment. First, plaintiffs may

show that they intend “to engage in a course of conduct arguably affected with a constitutional

interest, but proscribed by a statute, and there exists a credible threat of prosecution thereunder.”

Susan B. Anthony List v. Driehaus, 573 U.S. 149, 159 (2014) (quoting Babbitt v. United Farm

Workers Nat. Union, 442 U.S. 289, 298 (1979)). Second, they may refrain from exposing themselves

to sanctions under the statute, making a sufficient showing of self-censorship—i.e., they may

establish a chilling effect on their free expression. See Laird v. Tatum, 408 U.S. 1, 11–14 (1972). In

either case, a constitutionally affected interest and a credible threat of enforcement are required;

without them, plaintiffs can establish neither a realistic threat of legal sanction for engaging in

protected speech nor an objectively good reason for self-censoring by not conducting their planned

research. Here, plaintiffs take the first path and argue that they intend to engage in conduct

                                                   5
“arguably” proscribed by statute.

       The government responds that plaintiffs lack standing for three reasons. First, regardless of

whether the Department of Justice would prosecute their conduct, plaintiffs “lack any concrete plans

for conducting future research covered by their as-applied claim, i.e., involving fake or misleading

accounts.” Gov’t’s Opp’n at 10. Second, assuming concrete research plans, “[p]laintiffs have not

demonstrated a credible threat of prosecution for . . . such research.” Id. And third, plaintiffs’

“claims are too abstract to be evaluated and therefore are not ripe.” Id. The government does not

appear to dispute that, if plaintiffs can satisfy the injury-in-fact requirements, they can also meet the

causation and redressability tests to establish standing. See Spokeo, 136 S. Ct. at 1547.

       A.      Concrete Plans

       The government first argues that plaintiffs have failed to establish the existence of “any

concrete plans for conducting further research covered by their as-applied claim.” See Gov’t’s Opp’n

at 10–11. To support this argument, the government quotes testimony from Wilson and Mislove that

they have no “concrete plans” for research involving the provision of false information or the creation

of fake accounts in violation of websites’ terms of service. Id.

       This framing—and selective quotation—of plaintiffs’ testimony mischaracterizes the extent

of their plans. “Pre-enforcement review, particularly in the First Amendment context, does not

require plaintiffs to allege that they will in fact violate the regulation in order to demonstrate an

injury.” U.S. Telecom Ass’n v. FCC, 825 F.3d 674, 739 (D.C. Cir. 2016) (internal quotation marks

omitted). “Standing to challenge laws burdening expressive rights requires only a credible statement

by the plaintiff of intent to commit violative acts and a conventional background expectation that the

government will enforce the law.” Id. (emphasis added) (internal quotation marks omitted).

       Plaintiffs here satisfy this standard. Wilson later clarified that, when he said he did not have

                                                   6
concrete plans, “what [he] meant was [they] don’t have software, [they] don’t have a timeframe.

There [are] no students assigned to it.” Oral Depo. of Christopher Wilson (“Wilson Depo.”) [ECF

No. 54-3] at 215:25–216:4. But Wilson has already “applied and received . . . funding” and approval

from the Institutional Review Board (“IRB”) for such projects. Id. at 217:15–18. Likewise, Mislove

testified that he has “specific research plans [and] specific platforms that [his lab is] studying . . . in

the sense that this is an area of [his] research that [he] intend[s] to conduct work[] in.” Oral Depo.

of Alan E. Mislove (“Mislove Depo.”) [ECF No. 52-3] at 47:4–8. In response to the government’s

interrogatory asking for “any and all platforms and/or websites that Plaintiffs intend to access in the

future for purposes” of research, plaintiffs identified specific websites, including LinkedIn, Monster,

Glassdoor, and Entelo, and noted that they intended to conduct research that might violate these sites’

terms of service by “creating accounts using false information and/or providing false or misleading

information.” Pls.’ Third Suppl. Resps. & Objs. to Def.’s First Set of Interrogs. Nos. 2–3 [ECF No.

52-6] at 3–4.

        The government argues in response that “‘some day’ intentions—without any description of

concrete plans, or indeed even any specification of when the some day will be—do not support a

finding of the actual or imminent injury.” Gov’t’s Opp’n at 10–11 (quoting Defs. of Wildlife, 504

U.S. at 564). But unlike the amorphous “‘some day’ intentions” to visit endangered species on

another continent at issue in Defenders of Wildlife, see 504 U.S. at 564, these researchers’ plans are

already in motion, even if the specifics of their study are still being developed. The fact that plaintiffs

have secured funding and IRB clearance to engage in conduct covered by their as-applied challenge

evinces a sufficient demonstration of injury in fact. Cf. Friends of the Earth, Inc. v. Laidlaw Envtl.

Servs. (TOC), Inc., 528 U.S. 167, 183–84 (2000) (concluding that organizational plaintiffs’ members

suffered an injury in fact because they had “reasonable concerns” rising above the level of

                                                    7
“speculative some day intentions” that the discharge of pollutants would “directly affect[]” their

“recreational, aesthetic, and economic interests” (internal quotation marks omitted)).

        The government also argues that plaintiffs’ two declarations, clarifying the meaning of their

earlier statements about “concrete plans,” must be disregarded under the so-called “sham affidavit

rule.” Gov’t’s Opp’n at 11–12; see also First Wilson Decl.; First Mislove Decl. This argument fails,

however, because these affidavits’ descriptions of plaintiffs’ research plans merely clarify plaintiffs’

prior answers and contextualize their use of the term “concrete.” See Galvin v. Eli Lilly & Co., 488

F.3d 1026, 1030 (D.C. Cir. 2007). Mislove and Wilson said they have no “concrete” plans in order

to explain that they are not currently implementing any of those research plans, notwithstanding their

intent to do so in the future. Moreover, there is no indication that plaintiffs, in their earlier statements,

intended to use the term “concrete plans” in its specific meaning as a legal term of art.

        Finally, in its reply brief, the government states that the clearest examples of concrete steps

taken by Wilson actually concern a different research project than the proposed discrimination project

at issue in this case. Def.’s Reply Mem. in Supp. of Cross-Mot. for Summ. J. (“Gov’t’s Reply”)

[ECF No. 56] at 4 n.1. The government does not clearly articulate the distinction between the

different research projects, however, and this Court has already recognized that Wilson and Mislove

intend both to “create fake employer profiles” and to “create fictitious sock-puppet job seeker

profiles” as part of the research at issue in this case. Sandvig, 315 F. Supp. 3d at 9–10.

        B.      Credible Threat

        Under their theory of standing, plaintiffs must show that they intend to engage in conduct

arguably both protected by the First Amendment and proscribed by the statute they challenge, and

that there is a “credible threat” that the statute will be enforced against them when they do so. See

Driehaus, 573 U.S. at 158–63. The government argues that plaintiffs fail to establish a credible threat

                                                     8
of prosecution under the CFAA, contending that (1) plaintiffs’ testimony shows that they do not fear

prosecution (and, indeed, already have engaged in such research); (2) past CFAA prosecutions do

not establish a credible threat that plaintiffs’ proposed conduct will be prosecuted; and (3) the

government’s charging policies and public statements undercut plaintiffs’ attempt to establish a

credible threat of prosecution. Gov’t’s Opp’n at 12–18.

       “Standing to challenge laws burdening expressive rights requires only a credible statement

by the plaintiff of intent to commit violative acts and a conventional background expectation that the

government will enforce the law” U.S. Telecom Ass’n, 825 F.3d at 739 (internal quotation marks

omitted). As previously noted, plaintiffs satisfy the first half of this test; the question thus becomes

whether the “conventional background expectation” of criminal enforcement holds here. Id. Again,

plaintiffs have the stronger arguments.

       First, plaintiffs’ testimony that they do not subjectively fear prosecution under this statute—

and that they have even engaged in the allegedly “chilled” conduct previously—does not undermine

their legal claim. The question is whether there exists “a credible threat,” which is an objective,

rather than subjective, inquiry. See id. Mislove also testifies that he does subjectively fear facing

criminal consequences for his future research. See, e.g., Mislove Depo. at 147:12–19 (“[I]t really

weigh[s] heavily on my mind . . . [that I am] exposing my students to criminal—to potential criminal

prosecution or the risk.”).

       Second, even assuming the absence of prior prosecutions, but see Sandvig, 314 F. Supp. 3d

at 19–20 (discussing two previous prosecutions under the Access Provision), plaintiffs still are not

precluded from bringing this pre-enforcement action. When constitutionally protected conduct falls

within the scope of a criminal statute, and the government “has not disavowed any intention of

invoking the criminal penalty provision,” plaintiffs are “not without some reason in fearing

                                                   9
prosecution” and have standing to bring the suit. Babbitt, 442 U.S. at 302. Indeed, at the pleadings

stage, the Court already rejected the contention that the lack of similar past CFAA prosecutions

undermines a credible threat of prosecution now. See Sandvig, 315 F. Supp. 3d at 18–21.

       Third, the government points to guidance from the Attorney General that “expressly cautions

against prosecutions based on [terms-of-service] violations,” as well as statements to Congress by

Department of Justice officials, as evidence that plaintiffs face no credible threat of prosecution.

Gov’t’s Opp’n at 16–17. But the absence of a specific disavowal of prosecution by the Department

undermines much of the government’s argument. See Babbitt, 442 U.S. at 302. The government

insists that it is not a defendant’s burden to “come forward with proof of a non-existent threat of

prosecution.” Gov’t’s Opp’n at 17. But while the burden of demonstrating standing remains on the

plaintiffs, this Court has previously ruled that in the absence of an “explicit statement” disavowing

prosecution, these various advisory and non-binding statements and Department of Justice policies

do not eliminate the reasonable fear of prosecution. Sandvig, 315 F. Supp. 3d at 20–21. Furthermore,

as noted above the government has brought similar Access Provision prosecutions in the past and

thus created a credible threat of prosecution. Id. at 19–20.

       Discovery has not helped the government’s position. John T. Lynch, Jr., the Chief of the

Computer Crime and Intellectual Property Section of the Criminal Division of the Department of

Justice, testified at his deposition that it was not “impossible for the Department to bring a CFAA

prosecution based on [similar] facts and de minimis harm.” Dep. of John T. Lynch, Jr. [ECF No. 48-

4] at 154:3–7. Although Lynch has also stated that he does not “expect” the Department to do so,

Aff. of John T. Lynch, Jr. [ECF No. 21-1] ¶ 9, “[t]he Constitution ‘does not leave us at the mercy of

noblesse oblige,’” Sandvig, 315 F. Supp. 3d at 21 (quoting United States v. Stevens, 559 U.S. 460,

480 (2010)). Absent a specific disavowal or a clear indication that plaintiffs’ conduct falls outside

                                                  10
the scope of the criminal provisions, plaintiffs adequately demonstrate a credible threat for standing

purposes.

       C.      Ripeness

       The government also argues that plaintiffs’ claims are not ripe for adjudication. “Plaintiffs

have not yet identified the specific websites that they intend to access for their research,” the

government says, and hence it is “impossible to know what those websites’ [terms of service] will be

at the time of Plaintiffs’ research”—or whether any violation of the terms of service will run afoul of

the Court’s narrow construction of the CFAA. Gov’t’s Opp’n at 18. Because plaintiffs do not know

what their research will entail, the government argues, the Court cannot evaluate the potential harms

caused by their hypothetical research. Id. at 18–19. Hence, according to the government, the Court

cannot meaningfully examine plaintiffs’ First Amendment claim on the merits and fashion a proper

injunction under Rule 65 because it cannot “describe in reasonable detail—and not by referring to

the complaint or other document—the act or acts restrained or required.” Id. at 19 (quoting Fed. R.

Civ. P. 65(d)(1)(B), (C)).

       Plaintiffs respond first that, because terms of service are always subject to change, it will

always be impossible to know what a website’s exact terms of service will be in the future, or whether

research violating those terms will implicate the Access Provision. Pls.’ Mem. in Opp’n to Def.’s

Mot. for Summ. J. & Reply in Supp. of Pls.’ Mot. for Summ. J. (“Pls.’ Reply”) [ECF No. 54] at 10–

11. Accordingly, “[p]laintiffs would have to actually undertake the research—taking note of the

[terms of service] actually in effect at the time and exposing themselves to criminal liability—in

order to challenge the Access Provision’s application to them,” a drastic and risky step that plaintiffs

argue is not required by the First Amendment. Id. at 11. Next, plaintiffs say that how exactly they

plan to carry out their research—for instance, the number of fictitious accounts or postings that will

                                                  11
be necessary or how long each account or posting will exist—is irrelevant to the First Amendment

question. Id. Finally, plaintiffs argue that their complaint and declarations clarify in detail the

research goals, methodologies, and precautions that will be taken to mitigate potential harm. Id. at

11–12.

         The question of ripeness presents a closer call than the previous two standing issues. For

instance, if this Court were to reach the First Amendment analysis urged by plaintiffs and evaluate

the Access Provision under intermediate scrutiny, it would have to determine whether the

government has “show[n] ‘a close fit between ends and means’” such “that the regulation ‘promotes

a substantial government interest that would be achieved less effectively absent the regulation,’” and

does “not ‘burden substantially more speech than is necessary to further the government’s legitimate

interests.’” A.N.S.W.E.R. Coal. v. Basham, 845 F.3d 1199, 1213–14 (D.C. Cir. 2017) (citations

omitted); see also Sandvig, 315 F. Supp. 3d at 30. Absent specific direction from plaintiffs, it will

be difficult to engage in this analysis. The Court is not well placed, for instance, to forecast what

technological or security risks might be generated by permitting such research.

         Still, based on the record before it, the Court concludes that the present dispute is ripe.

Plaintiffs listed several websites—LinkedIn, Monster, Glassdoor, and Entelo—that they plan to visit,

and they described intending to violate these sites’ terms of service by “creating accounts using false

information and/or providing false or misleading information.” Pls.’ Third Suppl. Resps. & Objs. to

Def.’s First Set of Interrogs. No. 3, at 3–4. Wilson and Mislove also both testified that their research

plans were designed to have, at most, a de minimis effect on the targeted websites, further

demonstrating that specific concrete steps have been taken in their research. First Wilson Decl. ¶ 46;

First Mislove Decl. ¶ 43. The governments’ own exhibits make clear the extent to which websites,

like LinkedIn, both prohibit and attempt to eliminate false accounts. See, e.g., Decl. of Paul Rockwell

                                                  12
(“LinkedIn Decl.”) [ECF No. 52-11] at 3–12; Decl. of Thomas O’Brien (“GlassDoor Decl.”) [ECF

No. 52-13] at 5–6; Affirmation of Leonard Kardon (“Monster Aff.”) [ECF No. 52-14] at 1–2. These

various pieces of evidence reveal a ripe dispute over whether criminally prosecuting plaintiffs under

the CFAA for violations of public websites’ terms of service runs afoul of the First Amendment.

                                            *      *       *

        Finally, the Court turns to the question of whether plaintiffs’ “intended future conduct is

‘arguably . . . proscribed by’” the CFAA. Driehaus, 573 U.S. at 162 (quoting Babbitt, 442 U.S. at

298). The government does not appear to question that plaintiffs plan to engage in proscribed

conduct, but the Court has “an independent obligation to assure that standing exists.” Summers v.

Earth Island Inst., 555 U.S. 488, 499 (2009). The Court is also mindful that its ultimate interpretation

of the CFAA, see infra, at 15–28, excludes plaintiffs’ conduct from criminal liability and, at

minimum, moots their First Amendment claim. Still, the question remains whether the Court’s

ultimate determination that the CFAA does not criminalize plaintiffs’ intended conduct eliminates

plaintiffs’ injury-in-fact, see Driehaus, 573 U.S. 158–59, or merely moots the First Amendment

dispute, see Powell v. McCormack, 395 U.S. 486, 496 (1969) (“[A] case is moot when the issues

presented are no longer ‘live’ . . . .”).

        The resolution to this question turns on the meaning of Driehaus’s holding that plaintiffs’

intended conduct must be “arguably . . . proscribed by statute,” Driehaus, 573 U.S. at 159; see also

Woodhull Freedom Found. v. United States, 948 F.3d 363, 371 (D.C. Cir. 2020) (holding that courts

should look to Driehaus’s test for determining whether a plaintiff faces an “imminent threat” of

prosecution in a pre-enforcement action). The Second Circuit has taken this standard to mean that,

as long as plaintiffs propose a reasonable interpretation of the statute under which they credibly fear

prosecution, then they satisfy the standing requirement. See Knife Rights, Inc. v. Vance, 802 F.3d

                                                  13
377, 384–86 (2d Cir. 2015) (holding that plaintiff had standing where, despite believing its knife

design was not proscribed, plaintiff could not “confidently determine which such knives defendants

will deem proscribed gravity knives”). This “reasonable interpretation” approach stems from a line

of pre-Driehaus cases in which the Second Circuit was interpreting Babbitt, from which Driehaus

borrowed the “arguably proscribed” standard. See Vt. Right to Life Comm., Inc. v. Sorrell, 221 F.3d

376, 382 (2d Cir. 2000). The Second Circuit understood Babbitt to require only that an interpretation

proscribing plaintiffs’ intended conduct be “reasonable enough that [they] may legitimately fear that

[they] will face enforcement of the statute.” Id. at 383.

       The D.C. Circuit’s recent decision in Woodhull Freedom Foundation suggests a slightly

different approach. Although not as explicit as the Second Circuit in stating how plausible an

interpretation needs to be to satisfy plaintiffs’ standing requirements, the court engaged in

considerable statutory construction before deciding that plaintiffs did, in fact, have standing. See

Woodhull Freedom Found., 948 F.3d at 371–73. As Judge Katsas suggested in concurrence, a district

court is first to decide the statute’s meaning and then to decide if, arguably, the plaintiffs’ conduct

falls within its “[p]roperly construed” bounds. Id. at 375 (Katsas, J., concurring).

       Unlike in Woodhull Freedom Foundation, which concerned a plain-meaning interpretation

relying on dictionaries and precedent, see id. at 372–73, Wilson and Mislove challenge an ambiguous

statute that this Court has already deemed may apply to their conduct, see Sandvig, 315 F. Supp. 3d

at 18. As will be discussed below, substantive canons of interpretation, like the rule of lenity and

constitutional avoidance, guide this Court’s ultimate decision. Under such circumstances, the Court

concludes that plaintiffs’ intended conduct is “arguably . . . proscribed by statute,” Driehaus, 573

U.S. at 159. To rule otherwise, and decide this complicated statutory matter under the rubric of

standing, would risk converting the “arguably . . . proscribed by statute” standard of Babbitt and

                                                  14
Driehaus into one of certainty. Cf. Hedges v. Obama, 724 F.3d 170, 199 (2d Cir. 2013) (noting an

unease with “allowing a preenforcement standing inquiry to become the vehicle by which a court

addresses” important and complex matters of statutory interpretation).

     II.   Interpreting the CFAA

       Assuming, then, that plaintiffs have satisfied the injury-in-fact requirement, the Court

nevertheless concludes that their First Amendment claim is moot. As will be discussed below, courts

have disagreed as to the breadth of the CFAA’s Access Provision. If this Court determines that the

Access Provision does not actually criminalize plaintiffs’ proposed conduct—namely, violating

consumer websites’ terms of service—then the Court need not dive, and judicial economy would

advise against diving, into the First Amendment issue. See Bond v. United States, 572 U.S. 844, 855

(2014) (“[I]t is a well-established principle governing the prudent exercise of this Court’s jurisdiction

that normally the Court will not decide a constitutional question if there is some other ground upon

which to dispose of the case.” (internal quotation marks omitted)). Rather, the Court concludes that

the First Amendment claims plaintiffs “presented are no longer ‘live’” and will dismiss the case as

moot. Powell, 395 U.S. at 496.

               a.   Accessing Without Authorization

       The CFAA prohibits “intentionally access[ing] a computer without authorization or

exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected

computer.” 18 U.S.C. § 1030(a)(2). The term “protected computer” refers to any computer “used in

or affecting interstate or foreign commerce or communication,” Id. § 1030(e)(2)(B), and no party

disputes that the servers and other computers associated with the websites in question here, like

LinkedIn, constitute “protected computer[s].”

       Although the CFAA does not define “authorization,” courts have found the term “clear” and

                                                   15
given it a “straightforward meaning.” United States v. Nosal (“Nosal II”), 844 F.3d 1024, 1035 (9th

Cir. 2016). The Ninth Circuit, for instance, has consistently interpreted “authorization” to mean

“permission or power granted by an authority.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127,

1133 (9th Cir. 2009); see also hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, 1000 (9th Cir. 2019)

(“Authorization is an affirmative notion, indicating that access is restricted to those specially

recognized or admitted.” (internal quotation marks omitted)); Facebook, Inc. v. Power Ventures, Inc.,

844 F.3d 1058, 1067 (9th Cir. 2016) (“[A] defendant can run afoul of the CFAA when he or she has

no permission to access a computer or when such permission has been revoked explicitly.”); Nosal II,

844 F.3d at 1033 (“Not surprisingly, there has been no division among the circuits on the

straightforward ‘without authorization’ prong of [§ 1030(a)].”). At least the Second, Fourth, and

Sixth Circuits have come to the same conclusion. See, e.g., United States v. Valle, 807 F.3d 508,

524 (2d Cir. 2015) (“[C]ommon usage of ‘authorization’ suggests that one ‘accesses a computer

without authorization’ if he accesses a computer without permission to do so at all.”); WEC Carolina

Energy Sols. v. Miller, 687 F.3d 199, 204 (4th Cir. 2012) (“[B]ased on the ordinary, contemporary,

common meaning of ‘authorization,’ . . . an employee is authorized to access a computer when his

employer approves or sanctions his admission to that computer.”); Pulte Homes, Inc. v. Laborers’

Int’l Union of N. Am., 648 F.3d 295, 303–04 (6th Cir. 2011) (“Commonly understood, . . . a

defendant who accesses a computer ‘without authorization’ does so without sanction or

permission.”).

        The statutory text is less clear, however, when it comes to the entire phrase “accesses a

computer without authorization.” The CFAA does not define this phrase, but “the wording of the

statute, forbidding ‘access[] . . . without authorization,’ . . . suggests a baseline in which access is not

generally available and so permission is ordinarily required.” hiQ Labs, 938 F.3d at 1000. This

                                                    16
wording thus contemplates a view of the internet as divided into at least two realms—public websites

(or portions of websites) where no authorization is required and private websites (or portions of

websites) where permission must be granted for access. Because many websites on the internet are

open to public inspection, a website or portion of a website becomes “private” only if it is “delineated

as private through use of a permission requirement of some sort.” Id. at 1001.2

         Most courts agree with the hiQ Labs court’s interpretation of “accesses . . . without

authorization” as contemplating a “two-realm internet.” See, e.g., WEC Carolina Energy Sols., 687

F.3d at 204 (“[A user] accesses a computer ‘without authorization’ when he gains admission to a

computer without approval.” (emphasis added)); United States v. Nosal (“Nosal I”), 676 F.3d 854,

858 (9th Cir. 2012) (en banc) (“‘[W]ithout authorization’ would apply to outside hackers (individuals

who have no authorized access to the computer at all) and ‘exceeds authorized access’ would apply

to inside hackers (individuals whose initial access to a computer is authorized but who access

unauthorized information or files).”). Courts have interpreted this provision to involve transitioning

from a public area of the internet to a private, permission-restricted area, often requiring some form



         2
           The hiQ Labs court faced the additional wrinkle of whether sending a cease-and-desist letter to specific users,
who were allegedly violating LinkedIn’s terms of service, was enough to revoke authorization even for otherwise
“public” parts of the website. See 938 F.3d at 999 (“The pivotal CFAA question here is whether once hiQ received
LinkedIn’s cease-and-desist letter, any further scraping and use of LinkedIn’s data was ‘without authorization’ within
the meaning of the CFAA and thus a violation of the statute.”); see also Craigslist Inc. v. 3Taps Inc., 964 F. Supp. 2d
1178, 1182 (N.D. Cal. 2013) (describing “the question here” as “whether Craigslist had the power to revoke, on a case-
by-case basis, the general permission it granted to the public to access the information on its website”). Because no such
letters have been sent in this case, the Court need not decide whether they would constitute a revocation of authorization
and thereby make any further visits by the recipients to the otherwise public portions of LinkedIn a CFAA violation. See
also Pet. for Writ of Cert. at 25, LinkedIn Corp. v. hiQ Labs, Inc., No. 19-1116 (U.S. Mar. 9, 2020) (“Where a website
owner sets up technical measures to deny a third-party scraper access to its website or sends a cease-and-desist letter,
thereby putting the scraper indisputably on notice that access is not authorized, any further efforts to access that website
are ‘without authorization.’”).
          At the same time, the fact that receipt of a cease-and-desist letter might render the recipient’s future visits to an
otherwise public website “unauthorized” does provide one possible distinction between § 1605(a)(2) and § 1605(a)(3)
that helps to give meaning to the term “nonpublic” in the latter provision. Cf. 3Taps, 964 F. Supp. 2d at 1182–83
(“Congress apparently knew how to restrict the reach of the CFAA to only certain kinds of information, and it appreciated
the public vs. nonpublic distinction—but § 1030(a)(2)(C) contains no such restrictions or modifiers.”).

                                                             17
of authentication before a viewer is granted access.        See, e.g., hiQ Labs, 938 F.3d at 1001

(“[A]uthorization is only required for password-protected sites or sites that otherwise prevent the

general public from viewing the information.”); Valle, 807 F.3d at 524 (“‘[W]ithout authorization’

most naturally refers to a scenario where a user lacks permission to access the computer at all.”).

       The statutory and legislative history of the CFAA support this public-private reading of the

provision. Originally part of the Counterfeit Access Device and Computer Fraud and Abuse Act of

1984, Pub. L. No. 98-473, § 2102(a), 98 Stat. 2190, 2190–92, the CFAA “has been substantially

modified” over the intervening decades. See Orin S. Kerr, Vagueness Challenges to the Computer

Fraud and Abuse Act, 94 Minn. L. Rev. 1561, 1561 (2010). Throughout this history, however,

Congress has consistently analogized violations of § 1030 to physical-world crimes. For example,

“[t]he 1984 House Report on the CFAA explicitly analogized the conduct prohibited by section 1030

to forced entry.” hiQ Labs, 938 F.3d at 1000. That Report notes that “[d]ifficulties in coping with

computer abuse arise because much of the property involved does not fit well into categories of

property subject to abuse or theft.” H.R. Rep. No. 98-894, at *9 (1984) (emphasis added). Instead

of focusing on what was stolen, the CFAA relied on “an ‘unauthorized access’ concept,” wherein

“the conduct prohibited is analogous to that of ‘breaking and entering’ rather than using a computer

(similar to the use of a gun) in committing the offense.” Id. at *20.

       Likewise, when the CFAA was amended in 1996 to cover federal government computers and

those in interstate commerce (i.e., “protected computers”), the Senate Report described the bill as

“protect[ing] against the interstate or foreign theft of information by computer” (emphasis added),

suggesting a comparison to the physical-world crime of theft. S. Rep. No. 104-357, at *7 (1996).

This Report reveals that a central motivation behind these amendments was “to increase protection

for the privacy and confidentiality of computer information,” id., further suggesting that “access[ing]

                                                  18
a computer without authorization” involves “obtain[ing]” information from non-public websites, see

18 U.S.C. § 1030(a)(2).

       This interpretation rooted in property norms also aligns with judicial readings of similar

language in the Stored Communications Act. See 18 U.S.C. § 2701(a) (criminalizing “intentionally

access[ing] without authorization a facility through which an electronic communication service is

provided” or “intentionally exceed[ing] an authorization to access [such a] facility”); see also

Wachovia Bank v. Schmidt, 546 U.S. 303, 305 (2006) (“[U]nder the in pari materia canon, statutes

addressing the same subject matter generally should be read as if they were one law . . . .” (internal

quotation marks omitted)). For example, interpreting the Act in light of the common law, the Ninth

Circuit focused on “the essential nature” of the relationship between the computer owner and the

accesser, and concluded that “[p]ermission to access a stored communication does not constitute

valid authorization if it would not defeat a trespass claim in analogous circumstances.” Theofel v.

Farey-Jones, 359 F.3d 1066, 1073 (9th Cir. 2004) (emphasis added).

       Likewise, in amending 18 U.S.C. § 2510, the Patriot Act defined “computer trespasser” as “a

person who accesses a protected computer without authorization and thus has no reasonable

expectation of privacy in any communication transmitted to, through, or from the protected

computer.” Pub. L. 107–56, 115 Stat. 272 (2001). That the Patriot Act cites § 1030 for the definition

of “protected computer” makes the connection between these two statutes all the clearer:

“access[ing] a computer without authorization” is the computer equivalent of trespassing in the

physical world.

       Adopting the formulation of the Ninth Circuit in hiQ Labs, this Court will call the barriers

between the public internet and private authorization-based computers “permission requirements.”

938 F.3d at 1001. Under this interpretation, the question becomes what sort of “permission

                                                 19
requirement” constitutes enough of a barrier to trigger criminal liability under § 1030(a)(2) if

bypassed. The government suggests that such “permission requirements” can be minimal. See Tr.

Mots. H’rg [ECF No. 62] at 54:15–56:17. An announcement on the homepage of a website that

access to any further content is conditioned on agreeing to lengthy terms of service—or even one

term of service—would, the government argues, constitute such a requirement. Id. at 54:22–24.

        The Court concludes that agreeing to such contractual restrictions, although that may have

consequences for civil liability under other federal and state laws, is not sufficient to trigger criminal

liability under the CFAA.        In other words, terms of service do not constitute “permission

requirements” that, if violated, trigger criminal liability.

        A number of considerations lead the Court to this conclusion. First, websites’ terms of service

provide inadequate notice for purposes of criminal liability. These protean contractual agreements

are often long, dense, and subject to change. While some websites force a user to agree to the terms

before access—so-called “clickwrap”—others simply provide a link at the bottom of the webpage,

or place the terms, often in fine print, elsewhere on the page. “Significant notice problems arise if

we allow criminal liability to turn on the vagaries of private polices that are lengthy, opaque, subject

to change and seldom read.” Nosal I, 676 F.3d at 860.

        Second, although not a paradigmatic example of a “nondelegation” problem, enabling private

website owners to define the scope of criminal liability does raise concerns for the Court. See The

Vagaries of Vagueness: Rethinking the CFAA as a Problem of Private Nondelegation, 127 Harv. L.

Rev. 751, 768–71 (2013). Previously, this Court determined that a narrow interpretation of the CFAA

limited to “access restrictions” saved § 1030(a)(2) from becoming “a limitless, standardless

delegation of power to individual websites to define crimes.” Sandvig, 315 F. Supp. 3d at 33. The

Court also concluded that merely “incorporat[ing] private parties’ chosen restrictions, which are only

                                                    20
binding on those who interact with those parties’ individual [websites],” did not necessarily constitute

an improper delegation of legislative or regulatory authority. Id. at 33–34.

       Upon further reflection, and now presented with additional evidence of the nature of the target

websites’ terms of service, the Court finds that it is necessary to answer another question: whether

terms-of-service conditions, rather than authentication gates, constitute adequate “permission

requirements” for criminal liability under the CFAA. Again, the Court concludes that the narrower

interpretation is the wiser path. The government analogizes website owners to real property owners,

who have historically been allowed to exclude whomever they choose from their private, non-

commercial land, Gov’t’s Opp’n at 23–24, but the analogy between real property and the internet is

not perfect. The internet is inherently open and public, see Reno v. Am. Civil Liberties Union, 521

U.S. 844, 880 (1997) (observing that “most Internet forums—including chat rooms, newsgroups,

mail exploders, and the Web—are open to all comers”), and users constantly move from one website

to another and navigate between various sections of a given website. Under such circumstances, the

CFAA’s prohibition on “access[ing] a computer without authorization,” even though phrased “in the

form of a general prohibition” that can often escape nondelegation worries, see Silverman v. Barry,

845 F.2d 1072, 1086 (D.C. Cir. 1988), becomes unworkable and standardless. Criminalizing terms-

of-service violations risks turning each website into its own criminal jurisdiction and each webmaster

into his own legislature. Such an arrangement, wherein each website’s terms of service “is a law

unto itself,” Emp’t Div., Dep’t of Human Res. of Or. v. Smith, 494 U.S. 872, 890 (1990), would raise

serious problems. This concern, then, supports a narrow interpretation of the CFAA.

       Third, both the rule of lenity and the avoidance canon weigh in favor of this narrow

interpretation as well. “When interpreting a criminal statute, we do not play the part of a mindreader.”

United States v. Santos, 553 U.S. 507, 515 (2008). If “a reasonable doubt persists about a statute’s

                                                  21
intended scope even after resort to the language and structure, legislative history, and motivating

policies of the statute,” Moskal v. United States, 498 U.S. 103, 108 (1990) (internal quotation marks

omitted), courts must adopt the narrower interpretation. See Yates v. United States, 135 S. Ct. 1074,

1088 (2015) (“[I]f . . . recourse to traditional tools of statutory construction leaves any doubt about

the meaning of [a statutory term] . . . , we would invoke the rule that ambiguity concerning the ambit

of criminal statutes should be resolved in favor of lenity.” (internal quotation marks omitted)). Here,

none of the traditional tools of statutory interpretation definitively resolves the question of what

constitutes “access[ing] . . . without authorization,” so the Court opts to interpret the provision

narrowly and as not encompassing terms-of-service violations.

       Likewise, constitutional avoidance weighs in favor of interpreting “accesses . . . without

authorization” narrowly. If the Court were to conclude that plaintiffs’ terms-of-service violations do

violate the CFAA, then it would have to decide whether prosecuting them for such actions violates

the First Amendment. As the Court previously observed, it “need not determine whether plaintiffs’

constitutional arguments would actually win the day,” but rather “whether one reading ‘presents a

significant risk that [constitutional provisions] will be infringed.’” Sandvig, 315 F. Supp. 3d at 25

(quoting NLRB v. Catholic Bishop of Chi., 440 U.S. 490, 502 (1979)). Plaintiffs’ First Amendment

challenge raises such risks, see Sandvig, 315 F. Supp. 3d at 28–30, and thus weighs in favor of a

narrow interpretation under the avoidance canon.

       Given all these concerns, a user should be deemed to have “accesse[d] a computer without

authorization,” 18 U.S.C. § 1030(a)(2), only when the user bypasses an authenticating permission

requirement, or an “authentication gate,” such as a password restriction that requires a user to

demonstrate “that the user is the person who has access rights to the information accessed,” Orin S.

Kerr, Norms of Computer Trespass, 116 Colum. L. Rev. 1143, 1147, 1164 (2016) (hereinafter

                                                  22
“Norms”). Although bypassing code-based restrictions, like a social-security-number or credit-card

requirement, are paradigmatic examples of an “authentication gate,” see Orin S. Kerr, Cybercrime’s

Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev.

1596, 1664 (2003), “[t]he key point is not that some code was circumvented but rather that the

computer owner conditioned access on authentication of the user and the access was outside the

authentication,” Norms at 1164.

       Here, neither Wilson nor Mislove attempt to bypass an authentication gate. For websites

requiring “login credentials—i.e., usernames and passwords”—Wilson and Mislove intend to

provide the information that they “generated when [they] created tester accounts.” Second Wilson

Decl. ¶ 6; Second Mislove Decl. ¶ 6. And for websites that require payments, they intend to “comply

with the payment requirement.” Second Wilson Decl. ¶ 5; Second Mislove Decl. ¶ 5. None of their

research plans, then, involve bypassing authenticating “permission requirements,” and thus none of

them when executed will constitute violations of the CFAA as interpreted herein.

       The record does reflect that at least Wilson previously used borrowed business information

for authentication purposes on CareerBuilder.com. See Wilson E-mails Regarding CareerBuilder

Receipt, PID7243-46 (July 2016) [ECF No. 52-16] at 3. At the motions hearing, however, counsel

for plaintiffs stated that “they only intend to access parts of a website that are otherwise open to the

public or available to anyone who creates a [username] and password.” Mots. Hr’g Tr. at 8:15–17.

The Court asked for clarification, see Nov. 26, 2019 Order at 1–2, and declarations from both

researchers now clarify that, although they may pay for access to some public employment websites,

their future research plans entail no provision of “authenticating, real-world business information

. . . , such as real-world business license information.” Second Wilson Decl. ¶ 2; Second Mislove

Decl. ¶ 2. The Court thus has no occasion to determine whether provision of either false or borrowed

                                                  23
real-world business information to access otherwise private portions of employment websites would

violate the CFAA.

                 b. Exceeding Authorized Access

          Turning to the second part of the Access Provision, the CFAA prohibits “exceed[ing]

authorized access, and thereby obtain[ing] . . . information from any protected computer.” The

CFAA defines “the term ‘exceeds authorized access’ [to] mean[] to access a computer with

authorization and to use such access to obtain or alter information in the computer that the accesser

is not entitled so to obtain or alter.” 18 U.S.C § 1030(e)(6).

          This language suggests that an individual cannot “exceed[] authorized access” without first

legitimately passing through a “permission requirement.” After all, the violator must “use such

[authorized] access” in order to “obtain or alter information” to which the violator “is not entitled,”

implying that barriers are passed through permissibly. Id. (emphasis added). This interpretation

aligns with the Ninth Circuit’s distinction between “accesses . . . without authorization” applying to

“outside hackers” and “exceeds authorized access” applying to “inside hackers.” Nosal I, 676 F.3d

at 858.

          If bypassing a “permission requirement” is not the action that triggers criminal liability,

however, then the question remains what type of conduct does constitute a criminal act. In other

words, what distinguishes information that an authorized accesser is “entitled to obtain or alter” from

information to which he is not entitled? Does plaintiffs’ anticipated provision of false information

to their target websites, in violation of these websites’ terms of services, cross that line and “exceed[]

authorized access”?

          The resolution of this question turns, in part, on the meaning of “entitled” in the statutory

definition of “exceeds authorized access” at § 1030(e)(6). The government argues that “entitled”

                                                   24
means “to furnish with a right,” and “supports [a] broader interpretation of the phrase ‘exceeds

authorized access’ . . . , in which all relevant facts (including policies set by the computer owners)

may be considered in determining the scope of a person’s authorized access.” Def.’s Resp. for

Clarification at 5–6. By this approach, the meaning of “exceeds authorized access” is context-

dependent: “Because the computer owner furnishes an individual with the right to access its systems

and obtain information from them, explicit policies restricting that right determines when an

individual ‘exceeds authorized access.’” Id. at 6. According to the government, such “explicit

policies” include employers’ computer-use policies and the terms of service of public websites. See

id. at 6; Gov’t’s Opp’n at 53–54.

       Plaintiffs seem to have agreed with this interpretation for much of the litigation and assumed

that such terms-of-service violations do fall afoul of the CFAA. See Pls.’ Mem. at 2–3, 9–11. Rather

than interpreting the statute narrowly, they argued that their actions are protected by the First

Amendment. But plaintiffs now suggest that they would be satisfied with “declaratory and injunctive

relief” barring prosecution under the CFAA for violations of websites’ terms of service—in other

words, with a narrow interpretation of the CFAA that it does not encompass terms-of-service

violations. See Pls.’ Mem. in Resp. to Court’s Order at 1.

       Courts have come to a range of views on the best interpretation of “exceeds authorized

access,” and the circuits are currently divided on whether, in the employment context, an employee’s

violation of company policy constitutes a CFAA violation. The First, Fifth, Seventh, and Eleventh

Circuits have concluded that a person with access to a computer for business purposes exceeds

authorized access when the accesser “obtain[s] . . . information for a nonbusiness reason.” United

States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010); see also United States v. John, 597 F.3d

263, 272 (5th Cir. 2010) (concluding that an employee’s “access[ing] account information for

                                                 25
individuals whose accounts she did not manage, remov[ing] this highly sensitive and confidential

information from [the employer’s] premises, and ultimately us[ing] this information to perpetrate

fraud on [the employer] and its customers” constituted a CFAA violation); Int’l Airport Ctrs., L.L.C.

v. Citrin, 440 F.3d 418, 420–21 (7th Cir. 2006) (similar); EF Cultural Travel BV v. Explorica, Inc.,

274 F.3d 577, 582–83 (1st Cir. 2001) (similar).3 The Second and Fourth Circuits have come to the

opposite conclusion. See Valle, 807 F.3d at 512–13, 528 (applying the rule of lenity and not imposing

liability for accessing a government database of personal information for no law enforcement

purpose); WEC Carolina Energy Sols., 687 F.3d at 205–07 (refusing to impose liability when

employees violated company policy).

         Far fewer courts have weighed in on the facts before this Court: namely, whether violating

the terms of service of consumer websites constitutes a criminal CFAA violation. But the majority

of courts that have examined this question has determined that there is no liability. See, e.g.,

Facebook, 844 F.3d at 1067 (“[A] violation of the terms of use of a website—without more—cannot

establish liability under the CFAA.”); Bittman v. Fox, 107 F. Supp. 3d 896, 900–01 (N.D. Ill. 2015)

(concluding that defendants did not “exceed[] authorized access” by creating “a fake social media

account in violation of a social media company’s terms of service”); United States v. Drew, 259

F.R.D. 449, 464–65 (C.D. Cal. 2009) (interpreting “exceeds authorized access” to exclude mere

terms-of-service violations to avoid rendering the statute void for vagueness). But see United States

v. Lowson, Crim. No. 10-114 (KSH), 2010 WL 9552416, at *5 (D.N.J. Oct. 12, 2010) (not dismissing


         3
           The First Circuit later extended its holding in Explorica, which was based upon confidentiality agreements
signed by former employees, to Zefer, a third-party website. See EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st
Cir. 2003). Although the decision did suggest that terms of service may create CFAA liability by “say[ing] just what
non-password protected access they purport to forbid,” id. at 64, the First Circuit’s holding relied upon the “relatively
narrow grounds” that the injunction against Explorica applied to “anyone else with notice” and thus “precluded [Zefer]
from acting to assist the enjoined party from violating the decree [and] from doing so on behalf of that party,” id. at 61,
63.

                                                           26
a case wherein the defendants “implement[ed] ‘hacks’ and us[ed] ‘backdoors’ to enable automated

programs to purchase tickets” from online vendors).

       The Court agrees with the clear weight of relevant authority and adopts a narrow

interpretation of “exceeds authorized access.”      Without weighing in on the circuit split over

employers’ computer-use policies, the Court concludes that violating public websites’ terms of

service, as Wilson and Mislove propose to do for their research, does not constitute a CFAA violation

under the “exceeds authorized access” provision.

       In coming to this determination, the Court is guided by many of the same reasons that led to

a narrow interpretation of “accesses . . . without authorization” that excludes terms-of-service

violations. See supra, at 20–22. First, consumer websites’ terms of service do not provide adequate

notice for purposes of criminal liability. See Drew, 259 F.R.D. at 464–66; see also United States v.

Thomas, 877 F.3d 591, 596 (5th Cir. 2017) (recognizing that “a narrow reading of [§ 1030(a)(2)]

avoids criminalizing common conduct—like violating contractual terms of service for computer use

or using a work computer for personal reasons—that lies beyond the antihacking purpose of the

access statutes”). Second, criminalizing violations of private websites’ terms of service raises

considerable nondelegation issues. See supra, at 20–21.

       Third, the rule of lenity and the constitutional avoidance canon weigh against a broad

interpretation of “exceeds authorized access” as encompassing terms-of-service violations. As noted

above, courts have come to varying opinions on what type of conduct violates this provision.

Compare Rodriguez, 628 F.3d at 1263; John, 597 F.3d at 272; Citrin, 440 F.3d at 420–21; Explorica,

274 F.3d at 582–83, with Valle, 807 F.3d at 512–13, 528; WEC Carolina Energy Sols., 687 F.3d at

205–07. Legislative history and statutory structure provide little guidance one way or the other. See,

e.g., Valle, 807 F.3d at 526 (finding the legislative history inconclusive on whether a public employee

                                                  27
“exceed[ed] authorized access” in using government computers for personal ends). Because the

traditional tools of statutory interpretation do not point definitively one way or the other for whether

“exceeds authorized access” encompasses terms-of-service violations on public websites, the rule of

lenity requires that the Court adopt the narrower construction. See id. at 526–28. And because this

narrow interpretation obviates the need to engage with plaintiffs’ thorny First Amendment concerns,

constitutional avoidance, too, counsels in favor of this narrow reading. See Bond, 572 U.S. at 855.

       Taken together, these considerations make clear that, even if reading “exceeds authorized

access” to exclude terms-of-service violations on public websites is not the only reasonable

interpretation, adopting the narrow approach is the wisest path forward. In agreement with the clear

weight of relevant cases, then, the Court adopts this narrow interpretation of the CFAA and concludes

that plaintiffs’ proposed research plans do not violate either provision of § 1030(a)(2).

                                            CONCLUSION

       For the foregoing reasons, the Court concludes that plaintiffs’ research plans do not violate

the Access Provision of the CFAA. Because their actions are not criminal, the Court need not wade

into the question whether plaintiffs’ proposed conduct should receive First Amendment protection.

Instead, the Court concludes that the parties’ cross-motions for summary judgment are moot, and the

case will be dismissed. A separate order will be issued on this date.

                                                                                    /s/
                                                                             JOHN D. BATES
                                                                        United States District Judge
 Dated: March 27, 2020




                                                  28
