Supreme Court ruling that limits hacking law supports U-M researcher

June 4, 2021
Contact: Laurel Thomas ltgnagey@umich.edu

Gray pillars. Image credit: Claire Anderson, Unsplash.This week’s U.S. Supreme Court decision in a case involving a police officer who used a database beyond the scope of his responsibility is being hailed as a victory for academic researchers and journalists who investigate discrimination by online platforms.

A University of Michigan researcher had previously challenged the Computer Fraud and Abuse Act (CFAA), arguing that academics and journalists who study potentially illegal behavior by online platforms like Google, LinkedIn and Facebook should not incur criminal and civil liability if they do not abide by a site’s posted terms of use.

An amicus brief filed in the Van Buren v. United States case came from the ACLU on behalf of U-M’s Christian Sandvig, the H. Marshall McLuhan Collegiate Professor of Digital Media; professor of information, and communication and media; and director of the Center for Ethics, Society, and Computing.

The ACLU sued the Department of Justice in 2016 on behalf of Sandvig and researchers at Northeastern University, the University of Illinois and First Look Media Works, publisher of the Intercept.

“The issue at the heart of our case has now been decided by the Supreme Court,” Sandvig said. “It is now clear that academics like us and investigative journalists are not criminal hackers when we examine public information released by big tech companies.”

The Van Buren ruling has important implications for many media and computing researchers, lifting a cloud of legal uncertainty from those who study topics from online misinformation to computer security. The CFAA was passed in 1986 to address hacking but has since been used to prosecute those who would engage in activities like data scraping or gathering data from the web for business intelligence, marketing and other research purposes.

In a 6-3 opinion authored by Justice Amy Coney Barrett, the High Court reversed the Eleventh Circuit’s decision to uphold the conviction of a former police officer who had been charged with a felony for accessing a computer database for a purpose other than his work. The officer appealed, claiming the CFAA did not cover unauthorized “use” of a database that he was allowed to access as part of his job.

Sandvig v. Barr challenged on First Amendment grounds a provision in the CFAA that made it a crime for researchers to set up false accounts in order to audit computer algorithms to check for hidden civil rights violations such as illegal racial, gender or other discrimination. The ACLU argued this procedure is not illegal in the offline world and should not be so in cyberspace.

The lawsuit was filed on Sandvig’s behalf as a private citizen, not as a representative of U-M, but the outcome has implications for media researchers, computer scientists and investigative journalists across the U.S. who were threatened with legal repercussions for violating a website’s terms of service.