The United States District Court for the District of Columbia held that a breach of a website's terms of use does not constitute an actionable violation of the U.S. federal Computer Fraud and Abuse Act ("CFAA") that can give rise to a criminal offense.

Academic researchers who wanted to test whether employment websites discriminate based on race and gender provided false information to target websites, in violation of these websites' terms of service. The researches asserted a pre-enforcement challenge to the court, requesting that it declare that these actions do not violate the CFAA.

The court held that online terms of service do not constitute "permission requirements" that, if violated, trigger criminal liability under the CFAA. The court explained that websites' terms of service provide inadequate notice for purposes of criminal liability. The court also questioned the wisdom of empowering private actors, like website operations, to define the boundaries of criminal liability. Per the court, this would turn "each website into its own criminal jurisdiction and each webmaster into his own legislature". The court also cited the rule of lenity for interpreting criminal statutes: doubts about the statute's interpretation should be resolved in favor of a narrow and more lenient interpretation.

The Court concluded that a user should be deemed to have "accesse[d] a computer without authorization," in the wording of the CFAA, only when they bypass an authenticating permission requirement or an "authentication gate," such as a password restriction that requires the user to demonstrate that they have been granted access privileges.

CLICK HERE to read the court's opinion in Sandvig v. Barr.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.