(a) Whoever—

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer;

(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

(5)

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—

(A) such trafficking affects interstate or foreign commerce; or

(B) such computer is used by or for the Government of the United States;

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—

(A) threat to cause damage to a protected computer;

(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or

(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;

shall be punished as provided in subsection (c) of this section.

(b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.

(c) The punishment for an offense under subsection (a) or (b) of this section is—

(1)

(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(2)

(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if—

(i) the offense was committed for purposes of commercial advantage or private financial gain;

(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or

(iii) the value of the information obtained exceeds $5,000; and

(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(3)

(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(4)

(A) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 5 years, or both, in the case of—

(i) an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—

(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(III) physical injury to any person;

(IV) a threat to public health or safety;

(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or

(VI) damage affecting 10 or more protected computers during any 1-year period; or

(ii) an attempt to commit an offense punishable under this subparagraph;

(B) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 10 years, or both, in the case of—

(i) an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subclauses (I) through (VI) of subparagraph (A)(i); or

(ii) an attempt to commit an offense punishable under this subparagraph;

(C) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 20 years, or both, in the case of—

(i) an offense or an attempt to commit an offense under subparagraphs (A) or (B) of subsection (a)(5)that occurs after a conviction for another offense under this section; or

(ii) an attempt to commit an offense punishable under this subparagraph;

(D) a fine under this title, imprisonment for not more than 10 years, or both, in the case of—

(i) an offense or an attempt to commit an offense under subsection (a)(5)(C) that occurs after a conviction for another offense under this section; or

(ii) an attempt to commit an offense punishable under this subparagraph;

(E) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for not more than 20 years, or both;

(F) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; or

(G) a fine under this title, imprisonment for not more than 1 year, or both, for—

(i) any other offense under subsection (a)(5); or

(ii) an attempt to commit an offense punishable under this subparagraph.

(d)

(1) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section.

(2) The Federal Bureau of Investigation shall have primary authority to investigate offenses under subsection (a)(1) for any cases involving espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses affecting the duties of the United States Secret Service pursuant to section 3056(a) of this title.

(3) Such authority shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.

(e) As used in this section—

(1) the term “computer” means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;

(2) the term “protected computer” means a computer—

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

(3) the term “State” includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States;

(4) the term “financial institution” means—

(A) an institution, with deposits insured by the Federal Deposit Insurance Corporation;

(B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;

(C) a credit union with accounts insured by the National Credit Union Administration;

(D) a member of the Federal home loan bank system and any home loan bank;

(E) any institution of the Farm Credit System under the Farm Credit Act of 1971;

(F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934;

(G) the Securities Investor Protection Corporation;

(H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and

(I) an organization operating under section 25 or section 25(a) 1 of the Federal Reserve Act;

(5) the term “financial record” means information derived from any record held by a financial institution pertaining to a customer’s relationship with the financial institution;

(6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;

(7) the term “department of the United States” means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5;

(8) the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;

(9) the term “government entity” includes the Government of the United States, any State or political subdivision of the United States, any foreign country, and any state, province, municipality, or other political subdivision of a foreign country;

(10) the term “conviction” shall include a conviction under the law of any State for a crime punishable by imprisonment for more than 1 year, an element of which is unauthorized access, or exceeding authorized access, to a computer;

(11) the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; and

(12) the term “person” means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity.

(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

(h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under subsection (a)(5).

(i)

(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States—

(A) such person’s interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such violation; and

(B) any property, real or personal, constituting or derived from, any proceeds that such person obtained, directly or indirectly, as a result of such violation.

(2) The criminal forfeiture of property under this subsection, any seizure and disposition thereof, and any judicial proceeding in relation thereto, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection(d) of that section.

(j) For purposes of subsection (i), the following shall be subject to forfeiture to the United States and no property right shall exist in them:

(1) Any personal property used or intended to be used to commit or to facilitate the commission of any violation of this section, or a conspiracy to violate this section.

(2) Any property, real or personal, which constitutes or is derived from proceeds traceable to any violation of this section, or a conspiracy to violate this section 

451 F.Supp.3d 73

United States District Court, District of Columbia.

Christian W. SANDVIG, et al., Plaintiffs,
v.
William P. BARR,[FN1] in His Official Capacity as Attorney General of the United States, Defendant.

Civil Action No. 16-1368 (JDB)

Signed March 27, 2020

Attorneys and Law Firms

*76 Arthur B. Spitzer, Scott Michelman, American Civil Liberties Union of the District of Columbia, Washington, DC, Esha Bhandari Pro hac Vice, Naomi Gilens, Pro Hac Vice, American Civil Liberties Union Foundation, Rachel Goodman, Pro Hac Vice, New York, NY, for Plaintiffs.

Daniel Stephen Garrett Schwei, John Russell Tyler, Serena Maya Schulz Orloff, Stephen J. Buckingham, U.S. Department of Justice, Washington, DC, for Defendant.

MEMORANDUM OPINION

JOHN D. BATES, United States District Judge

Plaintiffs are academic researchers who intend to test whether employment websites discriminate based on race and gender. In order to do so, they plan to provide false information to target websites, in violation of these websites' terms of service. Plaintiffs bring a pre-enforcement challenge, alleging that the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, as applied to their intended conduct of violating websites' terms of service, chills their First Amendment right to free speech. Without reaching this constitutional question, the Court concludes that the CFAA does not criminalize mere terms-of-service violations on consumer websites and, thus, that plaintiffs' proposed research plans are not criminal under the CFAA. The Court will therefore deny the parties' cross-motions for summary judgment and dismiss the case as moot.

Background

A. Research Plans

Christopher Wilson and Alan Mislove are professors of computer science at Northeastern University. Decl. of Pl. Christopher “Christo” Wilson (“First Wilson Decl.”) [ECF No. 48-1] ¶ 1; Decl. of Pl. Alan Mislove (“First Mislove Decl.”) [ECF No. 48-2] ¶ 1. For their research, Wilson and Mislove “intend to access or visit certain online hiring websites for the purposes of conducting academic research regarding potential online discrimination.” Pls.' Statement of Undisputed Material Facts (“SMF”) [ECF No. 47-2] ¶ 61. Their plans include “audit testing” to examine whether various hiring websites' proprietary algorithms discriminate against online users “based on characteristics, such as race or gender, that constitute a protected *77 class status under civil rights laws.” Id. ¶¶ 64, 66. To conduct these audit tests, plaintiffs “will create profiles for fictitious job seekers, post fictitious job opportunities, and compare their fictitious users' rankings in a list of candidates for the fictitious jobs” in order to see “whether [the] ranking is influenced by race, gender, age, or other attributes.” Id. ¶ 71.

Wilson and Mislove state that they will take steps to minimize the impact of their research both on the targeted websites' servers and on other users of those websites. Id. at ¶¶ 75–78. For instance, they will make it apparent to real job seekers and employers that their postings are fake by “stat[ing] in any fictitious job posting, or in any fictitious job seeker profile, that the job or the job seeker is not real.” Id. at ¶¶ 75–78. Both researchers also intend to “comply with the payment requirement” of certain employment websites. Decl. of Pl. Christopher “Christo” Wilson (“Second Wilson Decl.”) [ECF No. 65-1] ¶ 5; Decl. of Pl. Alan Mislove (“Second Mislove Decl.”) [ECF No. 65-2] ¶ 5. But Wilson and Mislove acknowledge that their research plan will violate the target websites' terms of service prohibiting the provision of false information and/or creating fake accounts. SMF ¶ 86.

B. Procedural History

In June 2016, Wilson and Mislove, as well as two other researchers (Christian W. Sandvig and Kyratso Karahalios) and the nonprofit journalism group First Look Media Works, Inc., brought a pre-enforcement constitutional challenge to a provision of the CFAA. Compl. [ECF No. 1] ¶¶ 180–202. The provision at issue, 18 U.S.C. § 1030(a)(2)(C), or the “Access Provision,” makes it a crime to “intentionally access[ ] a computer without authorization or exceed[ ] authorized access, and thereby obtain[ ] ... information from any protected computer.” Plaintiffs argue that this provision violates the First and Fifth Amendments. Compl. ¶¶ 180–202. Specifically, they claim that the Access Provision (1) is overbroad and chills their First Amendment right to freedom of speech; (2) as applied to their research activities, unconstitutionally restricts their protected speech; (3) interferes with their ability to enforce their rights and therefore violates the Petition Clause; (4) is void for vagueness under the Fifth Amendment Due Process Clause; and (5) unconstitutionally delegates lawmaking authority to private actors in violation of the Fifth Amendment Due Process Clause. See id. On March 30, 2018, this Court partially granted the government's motion to dismiss. See Sandvig v. Sessions, 315 F. Supp. 3d 1, 34 (D.D.C. 2018). The Court dismissed all but the as-applied First Amendment free speech claim brought by Wilson and Mislove. Id.

Now before the Court are the parties' cross-motions for summary judgment. Wilson and Mislove renew their pre-enforcement challenge to the Access Provision of the CFAA, alleging that it unconstitutionally restricts their First Amendment rights to free speech by criminalizing their research plans and journalistic activities that involve violating websites' terms of service. Pls.' Mem. P. & A. in Supp. of Mot. for Summ. J. (“Pls.' Mem.”) [ECF No. 48] at 1. The government, for its part, argues that plaintiffs have failed to establish standing and that the First Amendment's protections do not shield plaintiffs from private websites' choices about whom to exclude from their servers. Def.'s Mem. in Supp. of Cross-Mot. for Summ. J. & in Opp'n to Pls.' Mot. for Summ. J. (“Gov't's Opp'n”) [ECF No. 50-1] at 1–4. The Court held a motions hearing on November 15, 2019, and subsequently ordered another round of briefing to clarify plaintiffs' specific research plans and both parties' understanding of particular terms within the *78 CFAA. See November 26, 2019 Order [ECF No. 63] at 1–2. The parties each responded, see Def.'s Resp. to Court's Order for Clarification (“Def.'s Resp. for Clarification”) [ECF No. 64]; Pls.' Mem. in Resp. to Court's Order [ECF No. 65], and the matter is now ripe for consideration.

Legal Standard

Summary judgment is appropriate when “the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” Fed. R. Civ. P. 56(a). The party seeking summary judgment “bears the initial responsibility of informing the district court of the basis for its motion, and identifying those portions of [the record] ... demonstrat[ing] the absence of a genuine issue of material fact.” Celotex Corp. v. Catrett, 477 U.S. 317, 323, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986); see Fed. R. Civ. P. 56(c)(1)(A) (explaining that a moving party may demonstrate that a fact is undisputed or not by citing “depositions, documents, electronically stored information, affidavits or declarations, stipulations ..., admissions, interrogatory answers, or other materials”).

In determining whether a genuine issue of material fact exists, the Court must “view the facts and draw reasonable inferences in the light most favorable to the party opposing the motion.” Scott v. Harris, 550 U.S. 372, 378, 127 S.Ct. 1769, 167 L.Ed.2d 686 (2007) (internal quotation marks and alteration omitted). But a non-moving party must establish more than the “mere existence of a scintilla of evidence” in support of its position. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 252, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). To avoid summary judgment, “there must be evidence on which the jury could reasonably find for the [non-moving party].” Id.

Analysis

I. Jurisdictional Standing

To have Article III standing, a “plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, ––– U.S. ––––, 136 S. Ct. 1540, 1547, 194 L.Ed.2d 635 (2016) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992)). This Court previously concluded that plaintiffs had plausibly alleged standing on their First Amendment claims at the motion-to-dismiss stage, Sandvig, 315 F. Supp. 3d at 16–22, but plaintiffs must now demonstrate standing “with specific facts set out by affidavit or other admissible evidence,” In re Navy Chaplaincy, 323 F. Supp. 3d 25, 39 (D.D.C. 2018) (internal quotation marks omitted).

There are two ways in which litigants like plaintiffs here may establish the requisite ongoing injury when seeking to enjoin a statute alleged to violate the First Amendment. First, plaintiffs may show that they intend “to engage in a course of conduct arguably affected with a constitutional interest, but proscribed by a statute, and there exists a credible threat of prosecution thereunder.” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 159, 134 S.Ct. 2334, 189 L.Ed.2d 246 (2014) (quoting Babbitt v. United Farm Workers Nat. Union, 442 U.S. 289, 298, 99 S.Ct. 2301, 60 L.Ed.2d 895 (1979)). Second, they may refrain from exposing themselves to sanctions under the statute, making a sufficient showing of self-censorship—i.e., they may establish a chilling effect on their free expression. See Laird v. Tatum, 408 U.S. 1, 11–14, 92 S.Ct. 2318, 33 L.Ed.2d 154 (1972). In either case, a constitutionally affected interest and a credible threat of enforcement are required; without them, *79 plaintiffs can establish neither a realistic threat of legal sanction for engaging in protected speech nor an objectively good reason for self-censoring by not conducting their planned research. Here, plaintiffs take the first path and argue that they intend to engage in conduct “arguably” proscribed by statute.

The government responds that plaintiffs lack standing for three reasons. First, regardless of whether the Department of Justice would prosecute their conduct, plaintiffs “lack any concrete plans for conducting future research covered by their as-applied claim, i.e., involving fake or misleading accounts.” Gov't's Opp'n at 10. Second, assuming concrete research plans, “[p]laintiffs have not demonstrated a credible threat of prosecution for ... such research.” Id. And third, plaintiffs' “claims are too abstract to be evaluated and therefore are not ripe.” Id. The government does not appear to dispute that, if plaintiffs can satisfy the injury-in-fact requirements, they can also meet the causation and redressability tests to establish standing. See Spokeo, 136 S. Ct. at 1547.

A. Concrete Plans

The government first argues that plaintiffs have failed to establish the existence of “any concrete plans for conducting further research covered by their as-applied claim.” See Gov't's Opp'n at 10–11. To support this argument, the government quotes testimony from Wilson and Mislove that they have no “concrete plans” for research involving the provision of false information or the creation of fake accounts in violation of websites' terms of service. Id.

This framing—and selective quotation—of plaintiffs' testimony mischaracterizes the extent of their plans. “Pre-enforcement review, particularly in the First Amendment context, does not require plaintiffs to allege that they will in fact violate the regulation in order to demonstrate an injury.” U.S. Telecom Ass'n v. FCC, 825 F.3d 674, 739 (D.C. Cir. 2016) (internal quotation marks omitted). “Standing to challenge laws burdening expressive rights requires only a credible statement by the plaintiff of intent to commit violative acts and a conventional background expectation that the government will enforce the law.” Id. (emphasis added) (internal quotation marks omitted).

Plaintiffs here satisfy this standard. Wilson later clarified that, when he said he did not have concrete plans, “what [he] meant was [they] don't have software, [they] don't have a timeframe. There [are] no students assigned to it.” Oral Depo. of Christopher Wilson (“Wilson Depo.”) [ECF No. 54-3] at 215:25–216:4. But Wilson has already “applied and received ... funding” and approval from the Institutional Review Board (“IRB”) for such projects. Id. at 217:15–18. Likewise, Mislove testified that he has “specific research plans [and] specific platforms that [his lab is] studying ... in the sense that this is an area of [his] research that [he] intend[s] to conduct work[ ] in.” Oral Depo. of Alan E. Mislove (“Mislove Depo.”) [ECF No. 52-3] at 47:4–8. In response to the government's interrogatory asking for “any and all platforms and/or websites that Plaintiffs intend to access in the future for purposes” of research, plaintiffs identified specific websites, including LinkedIn, Monster, Glassdoor, and Entelo, and noted that they intended to conduct research that might violate these sites' terms of service by “creating accounts using false information and/or providing false or misleading information.” Pls.' Third Suppl. Resps. & Objs. to Def.'s First Set of Interrogs. Nos. 2–3 [ECF No. 52-6] at 3–4.

The government argues in response that “ ‘some day’ intentions—without any description *80 of concrete plans, or indeed even any specification of when the some day will be—do not support a finding of the actual or imminent injury.” Gov't's Opp'n at 10–11 (quoting Defs. of Wildlife, 504 U.S. at 564, 112 S.Ct. 2130). But unlike the amorphous “ ‘some day’ intentions” to visit endangered species on another continent at issue in Defenders of Wildlife, see 504 U.S. at 564, 112 S.Ct. 2130, these researchers' plans are already in motion, even if the specifics of their study are still being developed. The fact that plaintiffs have secured funding and IRB clearance to engage in conduct covered by their as-applied challenge evinces a sufficient demonstration of injury in fact. Cf. Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 183–84, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000) (concluding that organizational plaintiffs' members suffered an injury in fact because they had “reasonable concerns” rising above the level of “speculative some day intentions” that the discharge of pollutants would “directly affect[ ]” their “recreational, aesthetic, and economic interests” (internal quotation marks omitted)).

The government also argues that plaintiffs' two declarations, clarifying the meaning of their earlier statements about “concrete plans,” must be disregarded under the so-called “sham affidavit rule.” Gov't's Opp'n at 11–12; see also First Wilson Decl.; First Mislove Decl. This argument fails, however, because these affidavits' descriptions of plaintiffs' research plans merely clarify plaintiffs' prior answers and contextualize their use of the term “concrete.” See Galvin v. Eli Lilly & Co., 488 F.3d 1026, 1030 (D.C. Cir. 2007). Mislove and Wilson said they have no “concrete” plans in order to explain that they are not currently implementing any of those research plans, notwithstanding their intent to do so in the future. Moreover, there is no indication that plaintiffs, in their earlier statements, intended to use the term “concrete plans” in its specific meaning as a legal term of art.

Finally, in its reply brief, the government states that the clearest examples of concrete steps taken by Wilson actually concern a different research project than the proposed discrimination project at issue in this case. Def.'s Reply Mem. in Supp. of Cross-Mot. for Summ. J. (“Gov't's Reply”) [ECF No. 56] at 4 n.1. The government does not clearly articulate the distinction between the different research projects, however, and this Court has already recognized that Wilson and Mislove intend both to “create fake employer profiles” and to “create fictitious sock-puppet job seeker profiles” as part of the research at issue in this case. Sandvig, 315 F. Supp. 3d at 9–10.

B. Credible Threat

Under their theory of standing, plaintiffs must show that they intend to engage in conduct arguably both protected by the First Amendment and proscribed by the statute they challenge, and that there is a “credible threat” that the statute will be enforced against them when they do so. See Driehaus, 573 U.S. at 158–63, 134 S.Ct. 2334. The government argues that plaintiffs fail to establish a credible threat of prosecution under the CFAA, contending that (1) plaintiffs' testimony shows that they do not fear prosecution (and, indeed, already have engaged in such research); (2) past CFAA prosecutions do not establish a credible threat that plaintiffs' proposed conduct will be prosecuted; and (3) the government's charging policies and public statements undercut plaintiffs' attempt to establish a credible threat of prosecution. Gov't's Opp'n at 12–18.

“Standing to challenge laws burdening expressive rights requires only a credible *81 statement by the plaintiff of intent to commit violative acts and a conventional background expectation that the government will enforce the law” U.S. Telecom Ass'n, 825 F.3d at 739 (internal quotation marks omitted). As previously noted, plaintiffs satisfy the first half of this test; the question thus becomes whether the “conventional background expectation” of criminal enforcement holds here. Id. Again, plaintiffs have the stronger arguments.

First, plaintiffs' testimony that they do not subjectively fear prosecution under this statute—and that they have even engaged in the allegedly “chilled” conduct previously—does not undermine their legal claim. The question is whether there exists “a credible threat,” which is an objective, rather than subjective, inquiry. See id. Mislove also testifies that he does subjectively fear facing criminal consequences for his future research. See, e.g., Mislove Depo. at 147:12–19 (“[I]t really weigh[s] heavily on my mind ... [that I am] exposing my students to criminal—to potential criminal prosecution or the risk.”).

Second, even assuming the absence of prior prosecutions, but see Sandvig, 315 F. Supp. 3d at 19–20 (discussing two previous prosecutions under the Access Provision), plaintiffs still are not precluded from bringing this pre-enforcement action. When constitutionally protected conduct falls within the scope of a criminal statute, and the government “has not disavowed any intention of invoking the criminal penalty provision,” plaintiffs are “not without some reason in fearing prosecution” and have standing to bring the suit. Babbitt, 442 U.S. at 302, 99 S.Ct. 2301. Indeed, at the pleadings stage, the Court already rejected the contention that the lack of similar past CFAA prosecutions undermines a credible threat of prosecution now. See Sandvig, 315 F. Supp. 3d at 18–21.

Third, the government points to guidance from the Attorney General that “expressly cautions against prosecutions based on [terms-of-service] violations,” as well as statements to Congress by Department of Justice officials, as evidence that plaintiffs face no credible threat of prosecution. Gov't's Opp'n at 16–17. But the absence of a specific disavowal of prosecution by the Department undermines much of the government's argument. See Babbitt, 442 U.S. at 302, 99 S.Ct. 2301. The government insists that it is not a defendant's burden to “come forward with proof of a non-existent threat of prosecution.” Gov't's Opp'n at 17. But while the burden of demonstrating standing remains on the plaintiffs, this Court has previously ruled that in the absence of an “explicit statement” disavowing prosecution, these various advisory and non-binding statements and Department of Justice policies do not eliminate the reasonable fear of prosecution. Sandvig, 315 F. Supp. 3d at 20–21. Furthermore, as noted above the government has brought similar Access Provision prosecutions in the past and thus created a credible threat of prosecution. Id. at 19–20.

Discovery has not helped the government's position. John T. Lynch, Jr., the Chief of the Computer Crime and Intellectual Property Section of the Criminal Division of the Department of Justice, testified at his deposition that it was not “impossible for the Department to bring a CFAA prosecution based on [similar] facts and de minimis harm.” Dep. of John T. Lynch, Jr. [ECF No. 48-4] at 154:3–7. Although Lynch has also stated that he does not “expect” the Department to do so, Aff. of John T. Lynch, Jr. [ECF No. 21-1] ¶ 9, “[t]he Constitution ‘does not leave us at the mercy of noblesse oblige,’ ” Sandvig, 315 F. Supp. 3d at 21 (quoting United States v. Stevens, 559 U.S. 460, 480, 130 S.Ct. 1577, 176 L.Ed.2d 435 (2010)). Absent *82 a specific disavowal or a clear indication that plaintiffs' conduct falls outside the scope of the criminal provisions, plaintiffs adequately demonstrate a credible threat for standing purposes.

C. Ripeness

The government also argues that plaintiffs' claims are not ripe for adjudication. “Plaintiffs have not yet identified the specific websites that they intend to access for their research,” the government says, and hence it is “impossible to know what those websites' [terms of service] will be at the time of Plaintiffs' research”—or whether any violation of the terms of service will run afoul of the Court's narrow construction of the CFAA. Gov't's Opp'n at 18. Because plaintiffs do not know what their research will entail, the government argues, the Court cannot evaluate the potential harms caused by their hypothetical research. Id. at 18–19. Hence, according to the government, the Court cannot meaningfully examine plaintiffs' First Amendment claim on the merits and fashion a proper injunction under Rule 65 because it cannot “describe in reasonable detail—and not by referring to the complaint or other document—the act or acts restrained or required.” Id. at 19 (quoting Fed. R. Civ. P. 65(d)(1)(B), (C)).

Plaintiffs respond first that, because terms of service are always subject to change, it will always be impossible to know what a website's exact terms of service will be in the future, or whether research violating those terms will implicate the Access Provision. Pls.' Mem. in Opp'n to Def.'s Mot. for Summ. J. & Reply in Supp. of Pls.' Mot. for Summ. J. (“Pls.' Reply”) [ECF No. 54] at 10–11. Accordingly, “[p]laintiffs would have to actually undertake the research—taking note of the [terms of service] actually in effect at the time and exposing themselves to criminal liability—in order to challenge the Access Provision's application to them,” a drastic and risky step that plaintiffs argue is not required by the First Amendment. Id. at 11. Next, plaintiffs say that how exactly they plan to carry out their research—for instance, the number of fictitious accounts or postings that will be necessary or how long each account or posting will exist—is irrelevant to the First Amendment question. Id. Finally, plaintiffs argue that their complaint and declarations clarify in detail the research goals, methodologies, and precautions that will be taken to mitigate potential harm. Id. at 11–12.

The question of ripeness presents a closer call than the previous two standing issues. For instance, if this Court were to reach the First Amendment analysis urged by plaintiffs and evaluate the Access Provision under intermediate scrutiny, it would have to determine whether the government has “show[n] ‘a close fit between ends and means’ ” such “that the regulation ‘promotes a substantial government interest that would be achieved less effectively absent the regulation,’ ” and does “not ‘burden substantially more speech than is necessary to further the government's legitimate interests.’ ” A.N.S.W.E.R. Coal. v. Basham, 845 F.3d 1199, 1213–14 (D.C. Cir. 2017) (citations omitted); see also Sandvig, 315 F. Supp. 3d at 30. Absent specific direction from plaintiffs, it will be difficult to engage in this analysis. The Court is not well placed, for instance, to forecast what technological or security risks might be generated by permitting such research.

Still, based on the record before it, the Court concludes that the present dispute is ripe. Plaintiffs listed several websites—LinkedIn, Monster, Glassdoor, and Entelo—that they plan to visit, and they described intending to violate these sites' terms of service by “creating accounts using *83 false information and/or providing false or misleading information.” Pls.' Third Suppl. Resps. & Objs. to Def.'s First Set of Interrogs. No. 3, at 3–4. Wilson and Mislove also both testified that their research plans were designed to have, at most, a de minimis effect on the targeted websites, further demonstrating that specific concrete steps have been taken in their research. First Wilson Decl. ¶ 46; First Mislove Decl. ¶ 43. The governments' own exhibits make clear the extent to which websites, like LinkedIn, both prohibit and attempt to eliminate false accounts. See, e.g., Decl. of Paul Rockwell (“LinkedIn Decl.”) [ECF No. 52-11] at 3–12; Decl. of Thomas O'Brien (“GlassDoor Decl.”) [ECF No. 52-13] at 5–6; Affirmation of Leonard Kardon (“Monster Aff.”) [ECF No. 52-14] at 1–2. These various pieces of evidence reveal a ripe dispute over whether criminally prosecuting plaintiffs under the CFAA for violations of public websites' terms of service runs afoul of the First Amendment.

* * *

Finally, the Court turns to the question of whether plaintiffs' “intended future conduct is ‘arguably ... proscribed by’ ” the CFAA. Driehaus, 573 U.S. at 162, 134 S.Ct. 2334 (quoting Babbitt, 442 U.S. at 298, 99 S.Ct. 2301). The government does not appear to question that plaintiffs plan to engage in proscribed conduct, but the Court has “an independent obligation to assure that standing exists.” Summers v. Earth Island Inst., 555 U.S. 488, 499, 129 S.Ct. 1142, 173 L.Ed.2d 1 (2009). The Court is also mindful that its ultimate interpretation of the CFAA, see infra, at –––– – 84–92, excludes plaintiffs' conduct from criminal liability and, at minimum, moots their First Amendment claim. Still, the question remains whether the Court's ultimate determination that the CFAA does not criminalize plaintiffs' intended conduct eliminates plaintiffs' injury-in-fact, see Driehaus, 573 U.S. at 158–59, 134 S.Ct. 2334, or merely moots the First Amendment dispute, see Powell v. McCormack, 395 U.S. 486, 496, 89 S.Ct. 1944, 23 L.Ed.2d 491 (1969) (“[A] case is moot when the issues presented are no longer ‘live’ ....”).

The resolution to this question turns on the meaning of Driehaus's holding that plaintiffs' intended conduct must be “arguably ... proscribed by statute,” Driehaus, 573 U.S. at 159, 134 S.Ct. 2334; see also Woodhull Freedom Found. v. United States, 948 F.3d 363, 371 (D.C. Cir. 2020) (holding that courts should look to Driehaus's test for determining whether a plaintiff faces an “imminent threat” of prosecution in a pre-enforcement action). The Second Circuit has taken this standard to mean that, as long as plaintiffs propose a reasonable interpretation of the statute under which they credibly fear prosecution, then they satisfy the standing requirement. See Knife Rights, Inc. v. Vance, 802 F.3d 377, 384–86 (2d Cir. 2015) (holding that plaintiff had standing where, despite believing its knife design was not proscribed, plaintiff could not “confidently determine which such knives defendants will deem proscribed gravity knives”). This “reasonable interpretation” approach stems from a line of pre-Driehaus cases in which the Second Circuit was interpreting Babbitt, from which Driehaus borrowed the “arguably proscribed” standard. See Vt. Right to Life Comm., Inc. v. Sorrell, 221 F.3d 376, 382 (2d Cir. 2000). The Second Circuit understood Babbitt to require only that an interpretation proscribing plaintiffs' intended conduct be “reasonable enough that [they] may legitimately fear that [they] will face enforcement of the statute.” Id. at 383.

The D.C. Circuit's recent decision in Woodhull Freedom Foundation suggests a *84 slightly different approach. Although not as explicit as the Second Circuit in stating how plausible an interpretation needs to be to satisfy plaintiffs' standing requirements, the court engaged in considerable statutory construction before deciding that plaintiffs did, in fact, have standing. See Woodhull Freedom Found., 948 F.3d at 371–73. As Judge Katsas suggested in concurrence, a district court is first to decide the statute's meaning and then to decide if, arguably, the plaintiffs' conduct falls within its “[p]roperly construed” bounds. Id. at 375 (Katsas, J., concurring).

Unlike in Woodhull Freedom Foundation, which concerned a plain-meaning interpretation relying on dictionaries and precedent, see id. at 372–73, Wilson and Mislove challenge an ambiguous statute that this Court has already deemed may apply to their conduct, see Sandvig, 315 F. Supp. 3d at 18. As will be discussed below, substantive canons of interpretation, like the rule of lenity and constitutional avoidance, guide this Court's ultimate decision. Under such circumstances, the Court concludes that plaintiffs' intended conduct is “arguably ... proscribed by statute,” Driehaus, 573 U.S. at 159, 134 S.Ct. 2334. To rule otherwise, and decide this complicated statutory matter under the rubric of standing, would risk converting the “arguably ... proscribed by statute” standard of Babbitt and Driehaus into one of certainty. Cf. Hedges v. Obama, 724 F.3d 170, 199 (2d Cir. 2013) (noting an unease with “allowing a preenforcement standing inquiry to become the vehicle by which a court addresses” important and complex matters of statutory interpretation).

II. Interpreting the CFAA

Assuming, then, that plaintiffs have satisfied the injury-in-fact requirement, the Court nevertheless concludes that their First Amendment claim is moot. As will be discussed below, courts have disagreed as to the breadth of the CFAA's Access Provision. If this Court determines that the Access Provision does not actually criminalize plaintiffs' proposed conduct—namely, violating consumer websites' terms of service—then the Court need not dive, and judicial economy would advise against diving, into the First Amendment issue. See Bond v. United States, 572 U.S. 844, 855, 134 S.Ct. 2077, 189 L.Ed.2d 1 (2014) (“[I]t is a well-established principle governing the prudent exercise of this Court's jurisdiction that normally the Court will not decide a constitutional question if there is some other ground upon which to dispose of the case.” (internal quotation marks omitted)). Rather, the Court concludes that the First Amendment claims plaintiffs “presented are no longer ‘live’ ” and will dismiss the case as moot. Powell, 395 U.S. at 496, 89 S.Ct. 1944.

a. Accessing Without Authorization

The CFAA prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] ... information from any protected computer.” 18 U.S.C. § 1030(a)(2). The term “protected computer” refers to any computer “used in or affecting interstate or foreign commerce or communication,” Id. § 1030(e)(2)(B), and no party disputes that the servers and other computers associated with the websites in question here, like LinkedIn, constitute “protected computer[s].”

Although the CFAA does not define “authorization,” courts have found the term “clear” and given it a “straightforward meaning.” United States v. Nosal (“Nosal II”), 844 F.3d 1024, 1035 (9th Cir. 2016). The Ninth Circuit, for instance, has consistently interpreted “authorization” to mean “permission or power granted by an authority.” *85 LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009); see also hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, 1000 (9th Cir. 2019) (“Authorization is an affirmative notion, indicating that access is restricted to those specially recognized or admitted.” (internal quotation marks omitted)); Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1067 (9th Cir. 2016) (“[A] defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly.”); Nosal II, 844 F.3d at 1033 (“Not surprisingly, there has been no division among the circuits on the straightforward ‘without authorization’ prong of [§ 1030(a)].”). At least the Second, Fourth, and Sixth Circuits have come to the same conclusion. See, e.g., United States v. Valle, 807 F.3d 508, 524 (2d Cir. 2015) (“[C]ommon usage of ‘authorization’ suggests that one ‘accesses a computer without authorization’ if he accesses a computer without permission to do so at all.”); WEC Carolina Energy Sols. v. Miller, 687 F.3d 199, 204 (4th Cir. 2012) (“[B]ased on the ordinary, contemporary, common meaning of ‘authorization,’ ... an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer.”); Pulte Homes, Inc. v. Laborers' Int'l Union of N. Am., 648 F.3d 295, 303–04 (6th Cir. 2011) (“Commonly understood, ... a defendant who accesses a computer ‘without authorization’ does so without sanction or permission.”).

The statutory text is less clear, however, when it comes to the entire phrase “accesses a computer without authorization.” The CFAA does not define this phrase, but “the wording of the statute, forbidding ‘access[ ] ... without authorization,’ ... suggests a baseline in which access is not generally available and so permission is ordinarily required.” hiQ Labs, 938 F.3d at 1000. This wording thus contemplates a view of the internet as divided into at least two realms—public websites (or portions of websites) where no authorization is required and private websites (or portions of websites) where permission must be granted for access. Because many websites on the internet are open to public inspection, a website or portion of a website becomes “private” only if it is “delineated as private through use of a permission requirement of some sort.” Id. at 1001.[FN2]

*86 Most courts agree with the hiQ Labs court's interpretation of “accesses ... without authorization” as contemplating a “two-realm internet.” See, e.g., WEC Carolina Energy Sols., 687 F.3d at 204 (“[A user] accesses a computer ‘without authorization’ when he gains admission to a computer without approval.” (emphasis added)); United States v. Nosal (“Nosal I”), 676 F.3d 854, 858 (9th Cir. 2012) (en banc) (“ ‘[W]ithout authorization’ would apply to outside hackers (individuals who have no authorized access to the computer at all) and ‘exceeds authorized access’ would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files).”). Courts have interpreted this provision to involve transitioning from a public area of the internet to a private, permission-restricted area, often requiring some form of authentication before a viewer is granted access. See, e.g., hiQ Labs, 938 F.3d at 1001 (“[A]uthorization is only required for password-protected sites or sites that otherwise prevent the general public from viewing the information.”); Valle, 807 F.3d at 524 (“ ‘[W]ithout authorization’ most naturally refers to a scenario where a user lacks permission to access the computer at all.”).

The statutory and legislative history of the CFAA support this public-private reading of the provision. Originally part of the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, Pub. L. No. 98-473, § 2102(a), 98 Stat. 2190, 2190–92, the CFAA “has been substantially modified” over the intervening decades. See Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561, 1561 (2010). Throughout this history, however, Congress has consistently analogized violations of § 1030 to physical-world crimes. For example, “[t]he 1984 House Report on the CFAA explicitly analogized the conduct prohibited by section 1030 to forced entry.” hiQ Labs, 938 F.3d at 1000. That Report notes that “[d]ifficulties in coping with computer abuse arise because much of the property involved does not fit well into categories of property subject to abuse or theft.” H.R. Rep. No. 98-894, at *9 (1984) (emphasis added). Instead of focusing on what was stolen, the CFAA relied on “an ‘unauthorized access’ concept,” wherein “the conduct prohibited is analogous to that of ‘breaking and entering’ rather than using a computer (similar to the use of a gun) in committing the offense.” Id. at *20.

Likewise, when the CFAA was amended in 1996 to cover federal government computers and those in interstate commerce (i.e., “protected computers”), the Senate Report described the bill as “protect[ing] against the interstate or foreign theft of information by computer” (emphasis added), suggesting a comparison to the physical-world crime of theft. S. Rep. No. 104-357, at *7 (1996). This Report reveals that a central motivation behind these amendments was “to increase protection for the privacy and confidentiality of computer information,” id., further suggesting that “access[ing] a computer without authorization” involves “obtain[ing]” information from non-public websites, see 18 U.S.C. § 1030(a)(2).

This interpretation rooted in property norms also aligns with judicial readings of similar language in the Stored Communications Act. See 18 U.S.C. § 2701(a) (criminalizing “intentionally access[ing] without authorization a facility through which an electronic communication service is provided” *87 or “intentionally exceed[ing] an authorization to access [such a] facility”); see also Wachovia Bank v. Schmidt, 546 U.S. 303, 305, 126 S.Ct. 941, 163 L.Ed.2d 797 (2006) (“[U]nder the in pari materia canon, statutes addressing the same subject matter generally should be read as if they were one law ....” (internal quotation marks omitted)). For example, interpreting the Act in light of the common law, the Ninth Circuit focused on “the essential nature” of the relationship between the computer owner and the accesser, and concluded that “[p]ermission to access a stored communication does not constitute valid authorization if it would not defeat a trespass claim in analogous circumstances.” Theofel v. Farey-Jones, 359 F.3d 1066, 1073 (9th Cir. 2004) (emphasis added).

Likewise, in amending 18 U.S.C. § 2510, the Patriot Act defined “computer trespasser” as “a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer.” Pub. L. 107–56, 115 Stat. 272 (2001). That the Patriot Act cites § 1030 for the definition of “protected computer” makes the connection between these two statutes all the clearer: “access[ing] a computer without authorization” is the computer equivalent of trespassing in the physical world.

Adopting the formulation of the Ninth Circuit in hiQ Labs, this Court will call the barriers between the public internet and private authorization-based computers “permission requirements.” 938 F.3d at 1001. Under this interpretation, the question becomes what sort of “permission requirement” constitutes enough of a barrier to trigger criminal liability under § 1030(a)(2) if bypassed. The government suggests that such “permission requirements” can be minimal. See Tr. Mots. H'rg [ECF No. 62] at 54:15–56:17. An announcement on the homepage of a website that access to any further content is conditioned on agreeing to lengthy terms of service—or even one term of service—would, the government argues, constitute such a requirement. Id. at 54:22–24.

The Court concludes that agreeing to such contractual restrictions, although that may have consequences for civil liability under other federal and state laws, is not sufficient to trigger criminal liability under the CFAA. In other words, terms of service do not constitute “permission requirements” that, if violated, trigger criminal liability.

A number of considerations lead the Court to this conclusion. First, websites' terms of service provide inadequate notice for purposes of criminal liability. These protean contractual agreements are often long, dense, and subject to change. While some websites force a user to agree to the terms before access—so-called “clickwrap”—others simply provide a link at the bottom of the webpage, or place the terms, often in fine print, elsewhere on the page. “Significant notice problems arise if we allow criminal liability to turn on the vagaries of private polices that are lengthy, opaque, subject to change and seldom read.” Nosal I, 676 F.3d at 860.

Second, although not a paradigmatic example of a “nondelegation” problem, enabling private website owners to define the scope of criminal liability does raise concerns for the Court. See The Vagaries of Vagueness: Rethinking the CFAA as a Problem of Private Nondelegation, 127 Harv. L. Rev. 751, 768–71 (2013). Previously, this Court determined that a narrow interpretation of the CFAA limited to “access restrictions” saved § 1030(a)(2) from becoming “a limitless, standardless delegation of power to individual websites to define crimes.” *88 Sandvig, 315 F. Supp. 3d at 33. The Court also concluded that merely “incorporat[ing] private parties' chosen restrictions, which are only binding on those who interact with those parties' individual [websites],” did not necessarily constitute an improper delegation of legislative or regulatory authority. Id. at 33–34.

Upon further reflection, and now presented with additional evidence of the nature of the target websites' terms of service, the Court finds that it is necessary to answer another question: whether terms-of-service conditions, rather than authentication gates, constitute adequate “permission requirements” for criminal liability under the CFAA. Again, the Court concludes that the narrower interpretation is the wiser path. The government analogizes website owners to real property owners, who have historically been allowed to exclude whomever they choose from their private, non-commercial land, Gov't's Opp'n at 23–24, but the analogy between real property and the internet is not perfect. The internet is inherently open and public, see Reno v. Am. Civil Liberties Union, 521 U.S. 844, 880, 117 S.Ct. 2329, 138 L.Ed.2d 874 (1997) (observing that “most Internet forums—including chat rooms, newsgroups, mail exploders, and the Web—are open to all comers”), and users constantly move from one website to another and navigate between various sections of a given website. Under such circumstances, the CFAA's prohibition on “access[ing] a computer without authorization,” even though phrased “in the form of a general prohibition” that can often escape nondelegation worries, see Silverman v. Barry, 845 F.2d 1072, 1086 (D.C. Cir. 1988), becomes unworkable and standardless. Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature. Such an arrangement, wherein each website's terms of service “is a law unto itself,” Emp't Div., Dep't of Human Res. of Or. v. Smith, 494 U.S. 872, 890, 110 S.Ct. 1595, 108 L.Ed.2d 876 (1990), would raise serious problems. This concern, then, supports a narrow interpretation of the CFAA.

Third, both the rule of lenity and the avoidance canon weigh in favor of this narrow interpretation as well. “When interpreting a criminal statute, we do not play the part of a mindreader.” United States v. Santos, 553 U.S. 507, 515, 128 S.Ct. 2020, 170 L.Ed.2d 912 (2008). If “a reasonable doubt persists about a statute's intended scope even after resort to the language and structure, legislative history, and motivating policies of the statute,” Moskal v. United States, 498 U.S. 103, 108, 111 S.Ct. 461, 112 L.Ed.2d 449 (1990) (internal quotation marks omitted), courts must adopt the narrower interpretation. See Yates v. United States, 574 U.S. 528, 135 S. Ct. 1074, 1088, 191 L.Ed.2d 64 (2015) (“[I]f ... recourse to traditional tools of statutory construction leaves any doubt about the meaning of [a statutory term] ..., we would invoke the rule that ambiguity concerning the ambit of criminal statutes should be resolved in favor of lenity.” (internal quotation marks omitted)). Here, none of the traditional tools of statutory interpretation definitively resolves the question of what constitutes “access[ing] ... without authorization,” so the Court opts to interpret the provision narrowly and as not encompassing terms-of-service violations.

Likewise, constitutional avoidance weighs in favor of interpreting “accesses ... without authorization” narrowly. If the Court were to conclude that plaintiffs' terms-of-service violations do violate the CFAA, then it would have to decide whether prosecuting them for such actions violates the First Amendment. As the Court previously observed, it “need not determine *89 whether plaintiffs' constitutional arguments would actually win the day,” but rather “whether one reading ‘presents a significant risk that [constitutional provisions] will be infringed.’ ” Sandvig, 315 F. Supp. 3d at 25 (quoting NLRB v. Catholic Bishop of Chi., 440 U.S. 490, 502, 99 S.Ct. 1313, 59 L.Ed.2d 533 (1979)). Plaintiffs' First Amendment challenge raises such risks, see Sandvig, 315 F. Supp. 3d at 28–30, and thus weighs in favor of a narrow interpretation under the avoidance canon.

Given all these concerns, a user should be deemed to have “accesse[d] a computer without authorization,” 18 U.S.C. § 1030(a)(2), only when the user bypasses an authenticating permission requirement, or an “authentication gate,” such as a password restriction that requires a user to demonstrate “that the user is the person who has access rights to the information accessed,” Orin S. Kerr, Norms of Computer Trespass, 116 Colum. L. Rev. 1143, 1147, 1164 (2016) (hereinafter “Norms”). Although bypassing code-based restrictions, like a social-security-number or credit-card requirement, are paradigmatic examples of an “authentication gate,” see Orin S. Kerr, Cybercrime's Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1664 (2003), “[t]he key point is not that some code was circumvented but rather that the computer owner conditioned access on authentication of the user and the access was outside the authentication,” Norms at 1164.

Here, neither Wilson nor Mislove attempt to bypass an authentication gate. For websites requiring “login credentials—i.e., usernames and passwords”—Wilson and Mislove intend to provide the information that they “generated when [they] created tester accounts.” Second Wilson Decl. ¶ 6; Second Mislove Decl. ¶ 6. And for websites that require payments, they intend to “comply with the payment requirement.” Second Wilson Decl. ¶ 5; Second Mislove Decl. ¶ 5. None of their research plans, then, involve bypassing authenticating “permission requirements,” and thus none of them when executed will constitute violations of the CFAA as interpreted herein.

The record does reflect that at least Wilson previously used borrowed business information for authentication purposes on CareerBuilder.com. See Wilson E-mails Regarding CareerBuilder Receipt, PID7243-46 (July 2016) [ECF No. 52-16] at 3. At the motions hearing, however, counsel for plaintiffs stated that “they only intend to access parts of a website that are otherwise open to the public or available to anyone who creates a [username] and password.” Mots. Hr'g Tr. at 8:15–17. The Court asked for clarification, see Nov. 26, 2019 Order at 1–2, and declarations from both researchers now clarify that, although they may pay for access to some public employment websites, their future research plans entail no provision of “authenticating, real-world business information ..., such as real-world business license information.” Second Wilson Decl. ¶ 2; Second Mislove Decl. ¶ 2. The Court thus has no occasion to determine whether provision of either false or borrowed real-world business information to access otherwise private portions of employment websites would violate the CFAA.

b. Exceeding Authorized Access

Turning to the second part of the Access Provision, the CFAA prohibits “exceed[ing] authorized access, and thereby obtain[ing] ... information from any protected computer.” The CFAA defines “the term ‘exceeds authorized access’ [to] mean[ ] to access a computer with authorization and to use such access to obtain or alter information in the computer that the *90 accesser is not entitled so to obtain or alter.” 18 U.S.C § 1030(e)(6).

This language suggests that an individual cannot “exceed[ ] authorized access” without first legitimately passing through a “permission requirement.” After all, the violator must “use such [authorized] access” in order to “obtain or alter information” to which the violator “is not entitled,” implying that barriers are passed through permissibly. Id. (emphasis added). This interpretation aligns with the Ninth Circuit's distinction between “accesses ... without authorization” applying to “outside hackers” and “exceeds authorized access” applying to “inside hackers.” Nosal I, 676 F.3d at 858.

If bypassing a “permission requirement” is not the action that triggers criminal liability, however, then the question remains what type of conduct does constitute a criminal act. In other words, what distinguishes information that an authorized accesser is “entitled to obtain or alter” from information to which he is not entitled? Does plaintiffs' anticipated provision of false information to their target websites, in violation of these websites' terms of services, cross that line and “exceed[ ] authorized access”?

The resolution of this question turns, in part, on the meaning of “entitled” in the statutory definition of “exceeds authorized access” at § 1030(e)(6). The government argues that “entitled” means “to furnish with a right,” and “supports [a] broader interpretation of the phrase ‘exceeds authorized access’ ..., in which all relevant facts (including policies set by the computer owners) may be considered in determining the scope of a person's authorized access.” Def.'s Resp. for Clarification at 5–6. By this approach, the meaning of “exceeds authorized access” is context-dependent: “Because the computer owner furnishes an individual with the right to access its systems and obtain information from them, explicit policies restricting that right determines when an individual ‘exceeds authorized access.’ ” Id. at 6. According to the government, such “explicit policies” include employers' computer-use policies and the terms of service of public websites. See id. at 6; Gov't's Opp'n at 53–54.

Plaintiffs seem to have agreed with this interpretation for much of the litigation and assumed that such terms-of-service violations do fall afoul of the CFAA. See Pls.' Mem. at 2–3, 9–11. Rather than interpreting the statute narrowly, they argued that their actions are protected by the First Amendment. But plaintiffs now suggest that they would be satisfied with “declaratory and injunctive relief” barring prosecution under the CFAA for violations of websites' terms of service—in other words, with a narrow interpretation of the CFAA that it does not encompass terms-of-service violations. See Pls.' Mem. in Resp. to Court's Order at 1.

Courts have come to a range of views on the best interpretation of “exceeds authorized access,” and the circuits are currently divided on whether, in the employment context, an employee's violation of company policy constitutes a CFAA violation. The First, Fifth, Seventh, and Eleventh Circuits have concluded that a person with access to a computer for business purposes exceeds authorized access when the accesser “obtain[s] ... information for a nonbusiness reason.” United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010); see also United States v. John, 597 F.3d 263, 272 (5th Cir. 2010) (concluding that an employee's “access[ing] account information for individuals whose accounts she did not manage, remov[ing] this highly sensitive and confidential information from [the employer's] premises, and ultimately us[ing] this information to perpetrate fraud on [the employer] and its customers” *91 constituted a CFAA violation); Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420–21 (7th Cir. 2006) (similar); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582–83 (1st Cir. 2001) (similar).[FN3] The Second and Fourth Circuits have come to the opposite conclusion. See Valle, 807 F.3d at 512–13, 528 (applying the rule of lenity and not imposing liability for accessing a government database of personal information for no law enforcement purpose); WEC Carolina Energy Sols., 687 F.3d at 205–07 (refusing to impose liability when employees violated company policy).

Far fewer courts have weighed in on the facts before this Court: namely, whether violating the terms of service of consumer websites constitutes a criminal CFAA violation. But the majority of courts that have examined this question has determined that there is no liability. See, e.g., Facebook, 844 F.3d at 1067 (“[A] violation of the terms of use of a website—without more—cannot establish liability under the CFAA.”); Bittman v. Fox, 107 F. Supp. 3d 896, 900–01 (N.D. Ill. 2015) (concluding that defendants did not “exceed[ ] authorized access” by creating “a fake social media account in violation of a social media company's terms of service”); United States v. Drew, 259 F.R.D. 449, 464–65 (C.D. Cal. 2009) (interpreting “exceeds authorized access” to exclude mere terms-of-service violations to avoid rendering the statute void for vagueness). But see United States v. Lowson, Crim. No. 10-114 (KSH), 2010 WL 9552416, at *5 (D.N.J. Oct. 12, 2010) (not dismissing a case wherein the defendants “implement[ed] ‘hacks’ and us[ed] ‘backdoors’ to enable automated programs to purchase tickets” from online vendors).

The Court agrees with the clear weight of relevant authority and adopts a narrow interpretation of “exceeds authorized access.” Without weighing in on the circuit split over employers' computer-use policies, the Court concludes that violating public websites' terms of service, as Wilson and Mislove propose to do for their research, does not constitute a CFAA violation under the “exceeds authorized access” provision.

In coming to this determination, the Court is guided by many of the same reasons that led to a narrow interpretation of “accesses ... without authorization” that excludes terms-of-service violations. See supra, at 87 – 89. First, consumer websites' terms of service do not provide adequate notice for purposes of criminal liability. See Drew, 259 F.R.D. at 464–66; see also United States v. Thomas, 877 F.3d 591, 596 (5th Cir. 2017) (recognizing that “a narrow reading of [§ 1030(a)(2)] avoids criminalizing common conduct—like violating contractual terms of service for computer use or using a work computer for personal reasons—that lies beyond the antihacking purpose of the access statutes”). Second, criminalizing violations of private websites' terms of service raises considerable nondelegation issues. See supra, at 87 – 88.

Third, the rule of lenity and the constitutional avoidance canon weigh against a *92 broad interpretation of “exceeds authorized access” as encompassing terms-of-service violations. As noted above, courts have come to varying opinions on what type of conduct violates this provision. Compare Rodriguez, 628 F.3d at 1263; John, 597 F.3d at 272; Citrin, 440 F.3d at 420–21; Explorica, 274 F.3d at 582–83, with Valle, 807 F.3d at 512–13, 528; WEC Carolina Energy Sols., 687 F.3d at 205–07. Legislative history and statutory structure provide little guidance one way or the other. See, e.g., Valle, 807 F.3d at 526 (finding the legislative history inconclusive on whether a public employee “exceed[ed] authorized access” in using government computers for personal ends). Because the traditional tools of statutory interpretation do not point definitively one way or the other for whether “exceeds authorized access” encompasses terms-of-service violations on public websites, the rule of lenity requires that the Court adopt the narrower construction. See id. at 526–28. And because this narrow interpretation obviates the need to engage with plaintiffs' thorny First Amendment concerns, constitutional avoidance, too, counsels in favor of this narrow reading. See Bond, 572 U.S. at 855, 134 S.Ct. 2077.

Taken together, these considerations make clear that, even if reading “exceeds authorized access” to exclude terms-of-service violations on public websites is not the only reasonable interpretation, adopting the narrow approach is the wisest path forward. In agreement with the clear weight of relevant cases, then, the Court adopts this narrow interpretation of the CFAA and concludes that plaintiffs' proposed research plans do not violate either provision of § 1030(a)(2).

Conclusion

For the foregoing reasons, the Court concludes that plaintiffs' research plans do not violate the Access Provision of the CFAA. Because their actions are not criminal, the Court need not wade into the question whether plaintiffs' proposed conduct should receive First Amendment protection. Instead, the Court concludes that the parties' cross-motions for summary judgment are moot, and the case will be dismissed. A separate order will be issued on this date.

[FN1] Pursuant to Fed. R. Civ. P. 25(d), William P. Barr, the current Attorney General of the United States, is automatically substituted as the defendant in this matter.

[FN2] The hiQ Labs court faced the additional wrinkle of whether sending a cease-and-desist letter to specific users, who were allegedly violating LinkedIn's terms of service, was enough to revoke authorization even for otherwise “public” parts of the website. See 938 F.3d at 999 (“The pivotal CFAA question here is whether once hiQ received LinkedIn's cease-and-desist letter, any further scraping and use of LinkedIn's data was ‘without authorization’ within the meaning of the CFAA and thus a violation of the statute.”); see also Craigslist Inc. v. 3Taps Inc., 964 F. Supp. 2d 1178, 1182 (N.D. Cal. 2013) (describing “the question here” as “whether Craigslist had the power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website”). Because no such letters have been sent in this case, the Court need not decide whether they would constitute a revocation of authorization and thereby make any further visits by the recipients to the otherwise public portions of LinkedIn a CFAA violation. See also Pet. for Writ of Cert. at 25, LinkedIn Corp. v. hiQ Labs, Inc., No. 19-1116, 2020 WL 1479902 (U.S. Mar. 9, 2020) (“Where a website owner sets up technical measures to deny a third-party scraper access to its website or sends a cease-and-desist letter, thereby putting the scraper indisputably on notice that access is not authorized, any further efforts to access that website are ‘without authorization.’ ”).

At the same time, the fact that receipt of a cease-and-desist letter might render the recipient's future visits to an otherwise public website “unauthorized” does provide one possible distinction between § 1605(a)(2) and § 1605(a)(3) that helps to give meaning to the term “nonpublic” in the latter provision. Cf. 3Taps, 964 F. Supp. 2d at 1182–83 (“Congress apparently knew how to restrict the reach of the CFAA to only certain kinds of information, and it appreciated the public vs. nonpublic distinction—but § 1030(a)(2)(C) contains no such restrictions or modifiers.”).

[FN3] The First Circuit later extended its holding in Explorica, which was based upon confidentiality agreements signed by former employees, to Zefer, a third-party website. See EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003). Although the decision did suggest that terms of service may create CFAA liability by “say[ing] just what non-password protected access they purport to forbid,” id. at 64, the First Circuit's holding relied upon the “relatively narrow grounds” that the injunction against Explorica applied to “anyone else with notice” and thus “precluded [Zefer] from acting to assist the enjoined party from violating the decree [and] from doing so on behalf of that party,” id. at 61, 63.

Vermont Superior Court

Chittenden Unit

Civil Division

State of Vermont
v.
Clearview AI, Inc.

No. 226-3-20 Cncv

Ruling on Defendant's Motion to Dismiss

Helen M. Toor, Superior Court Judge

The State brings this consumer fraud action concerning facial recognition technology developed by Defendant Clearview AI, Inc. In this three-count complaint, the State alleges that Clearview has engaged in unfair acts and practices by collecting billions of photographs and making them available for its customers to search using facial recognition technology without the consent of those depicted, engaged in deceptive acts and practices by making material misrepresentations about its product, and fraudulently acquired brokered personal information (i.e., biometric data used to identify a consumer). The State claims that Clearview's actions violate the Vermont Consumer Protection Act (9 V.S.A. § 2453(a)) (Counts I and II) and Vermont's Fraudulent Acquisition of Data law (9 V.S.A. § 2431(a)(1)) (Count III). Clearview moves to dismiss on various grounds. Ryan Kriger, Justin Kolber, and Jill Abrams, Esqs., represent the State. Timothy Doherty, Tristram Coffin, and Tor Ekeland, Esqs. represent Clearview.[FN1]

Facts

The following facts are alleged in the complaint. The court makes no finding as to their accuracy for purposes of this motion to dismiss.

Clearview, a Delaware corporation with its principle place of business in New York, is engaged in the business of identifying individuals using facial recognition technology applied to photographs. Clearview is also registered as a data broker in Vermont's Data Broker Registry. See 9 V.S.A. § 2446. A data broker is "a business ... that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship." 9 V.S.A.§ 2430(4).

As a small start-up company, Clearview developed facial recognition technology and, using "screen scraping" technology, amassed a database of three billion photographs. Facial recognition technology involves using computers to extract biometric identifiers from photographs based on specific features of an individual's face like relative position, size, or shape of the eyes, nose, cheekbones, and jaw. These identifiers are stored as digital "hashes" in a searchable database to quickly identify an individual based on a photograph or video. A biometric identifier is a piece of information used to authenticate an individual that is based on that person's physical or behavioral traits, for example, a fingerprint, DNA mapping, ocular scan, or an analysis of the way someone walks. Facial recognition extracts a unique, instantly searchable biometric identifier for a person, which that person cannot change absent extreme efforts. Once entered into a facial recognition database, that individual can then be picked out of a crowd by anyone using the technology.

Businesses and policy makers have been particularly cautious regarding the implementation of facial recognition technology because of the potential for misuse and its consequences. Easily accessible facial recognition would permit governments, stalkers, predators, con artists, and others to instantly identify any stranger and, combined with other readily available data sources, know extensive details about their family, address, workplace, and other characteristics. For example, large technology companies such as Google and Facebook have declined to make a facial recognition tool commercially available, though they have the capability to do so.

Clearview collected the billions of photographs by scouring millions of websites through a process called "screen scraping." Screen scraping is a term for sending automated scripts or other processes, sometimes called "spiders," "web scrapers," or "crawlers," to collect information throughout the Internet, such as downloading photographs. It has commercialized these photographs via a service that allows the customer to upload a photograph in order to instantly identify an individual through facial recognition matching. The general public first learned of Clearview through a January 18, 2020 article in the New York Times.

The State alleges in Count I (Compl. ¶ 78) that Clearview has engaged in unfair acts and practices in commerce, in violation of the Consumer Protection Act, through the following acts:

• screen scraping billions of photographs without the consent of their owners, many of which had been uploaded subject to terms of service of web sites which limited their use;
• collecting, storing, analyzing, and distributing the photographs of minors without the consent of their parents or guardians;
• invading the privacy of consumers;
• failing to provide adequate data security for the data collected;
• exposing consumers' sensitive personal data to theft by foreign actors and criminals;
• violating consumers' civil rights by chilling their freedoms of assembly and political expression;
• violating consumers' rights as to the display and distribution of their photographs and other property rights; and
• exposing citizens to the threat of surveillance, stalking, harassment, and fraud.

In Count 2 (Compl. ¶ 81), the State alleges that Clearview has engaged in deceptive acts and practices, in violation of the CPA, by making materially false or misleading statements regarding:

• the ways that Vermont consumers can assert their privacy rights to opt out of its product;
• that Clearview's processing of consumers' personal data does not unduly affect their interests or fundamental rights and freedoms;
• the strength of its data security;
• that the product is only used by law enforcement agencies and is not publicly available;
• that it removes consumers from its database to comply with relevant laws;
• the accuracy of its facial recognition matching product; and
• its success in assisting law enforcement investigations.

Finally, in Count 3, the State alleges that Clearview's use of screen scraping technology constitutes fraudulent acquisition of brokered personal information m violation of Vermont's Fraudulent Acquisition of Data Law. Compl. ¶ 86.[FN2]

Discussion

Clearview's motion to dismiss is based on several grounds: (1) improper venue; (2) preemption by the federal Communications Decency Act; (3) the First Amendment; (4) that the claims are void for vagueness under the Fifth and Fourteenth Amendments; (5) failure to state a claim for a CPA violation; and (6) lack of standing. Clearview also appears to assert a Fourth Amendment argument, but the basis for that argument is unclear. Clearview's Mot. to Dismiss at 2. Clearview incorporated its memorandum opposing the State's motion for a preliminary injunction into its motion to dismiss (filed Apr. 9, 2020), making its arguments for dismissal less than crystal clear. The court uses "Clearview's Mem." to refer to that memorandum throughout this ruling.

I. Venue

Clearview contends that this case cannot be brought in Chittenden  County under 9 V.S.A. § 2458(a) because it does not reside in, have a place of business in, or do business in Chittenden County. However, the State has pled that venue is proper because Clearview does business in Chittenden County. Compl. ¶ 9. That is sufficient to survive a motion to dismiss.

II. Communications Decency Act § 230

Clearview next contends that it is protected from liability for the State's claims under section 230 of the federal Communications Decency Act, which provides in pertinent part: "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." 47 U.S.C. § 230(c)(1). Section 230 further provides that "[n]o cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section." Id.§ 230(e)(3).

Generally, section 230 bars plaintiffs from holding internet service providers and web hosts legally responsible for information that third parties created and developed. Johnson v. Arden, 614 F.3d 785, 791 (8th Cir. 2010); see also Fed. Trade Comm'n v. LeadClick Media. LLC, 838 F.3d 158, 173 (2d Cir. 2016) (noting that section 230 was enacted in response to inconsistent district court rulings concerning liability for publishing or censoring third-party defamatory statements, and "intended to ... provide immunity for 'interactive computer service[s]' that make 'good faith' efforts to block and screen offensive content"). "Section 230 was enacted, in part, to maintain the robust nature of Internet communication and, accordingly, to keep government interference in the medium to a minimum." Zeran v. Am. Online. Inc., 129 F.3d 327,330 (4th Cir. 1997). "[T]he application of Section 23o(c)(1) is appropriate at the pleading stage when ... the statute's barrier to suit is evident from the face of [the] complaint." Force v. Facebook, Inc., 934 F.3d 53, 63 n.15 (2d Cir. 2019).

"In applying the statute, courts have broken [it] down into three component parts, finding that [i]t shields conduct if the defendant (1) is a provider or user of an interactive computer service, (2) the claim is based on information provided by another information content provider and (3) the claim would treat [the defendant] as the publisher or speaker of that information." Fed. Trade Comm'n v. LeadClick Media, LLC, 838 F.3d 158, 173 (2d Cir. 2016) (quotations omitted). The parties agree that Clearview is a provider or user of an "interactive computer service" under that term's broad statutory definition. See id. at 174; 47 U.S.C. § 230(f)(2).

However, the State's claims are not based on information provided by another information content provider. "Information content provider" means "any person or entity that is responsible, in whole or in part, for the creation or development of information  provided through  the Internet or any other interactive computer service." 47 U.S.C. § 230(f)(3). The statute's "grant of immunity" applies "only if the interactive service provider is not also an 'information content provider' of the content which gives rise to the underlying claim." LeadClick, 838 F.3d at 174. This definition of information content provider "cover[s] even those who are responsible for the development of content only in part," FTC v. Accusearch Inc., 570 F.3d 1187, 1197 (10th Cir. 2009), however, a defendant "will not be held responsible unless it assisted in the development of what made the content unlawful." Id. at 1201; see also, e.g., id. at 1199 (a defendant who paid researchers to uncover confidential phone records protected by law, and then provided that information to paying customers, fell within the definition because he did not merely act as a neutral intermediary, but instead "specifically encourage[d] development of what [was] offensive about the content"); Fair Hous. Council of San Fernando Valley v. Roommates.Com, LLC, 521 F.3d 1157, 1167-68 (9th Cir. 2008) (holding defendant liable for  developing  content  by "not merely ... augmenting the content generally, but ... materially contributing to its alleged unlawfulness" by requiring subscribers to provide information which enabled site users to unlawfully discriminate in selecting a roommate).

Importantly, the basis for the State's claims is not merely the photographs provided by third-party individuals and entities, or that Clearview makes those photographs available to its consumers. Instead, the claims are based on the means by which Clearview acquired the photographs, its use of facial recognition technology to allow its users to easily identify random individuals from photographs, and its allegedly deceptive statements regarding its product. See LeadClick, 838 F.3d at 176 (defendant "not entitled to immunity because it participated in the development of the deceptive content posted on fake news pages"). This is not simply a case of Clearview republishing offensive photographs provided by someone else, and the State seeking liability because those photographs are offensive. See, e.g., Barnes v. Yahoo!. Inc., 570 F.3d 1096, 1103 (9th Cir. 2009) (no liability for failure to "remov[e] ... indecent profiles that [plaintiffs] former boyfriend posted on Yahoo!'s website"). Indeed, whether the photographs themselves are offensive or defamatory is immaterial to the State's claims.

Moreover, the State's claims do not treat Clearview as the publisher or speaker of the third-party photographs. "At its core, § 230 bars lawsuits seeking to hold a service provider liable for its exercise of a publisher's traditional editorial functions-such as deciding whether to publish, withdraw, postpone or alter content." LeadClick, 838 F.3d at 174 (quotation omitted); see also Barnes v. Yahoo!, Inc., 570 F.3d 1096, 1102 (9th Cir. 2009) ("To put it another way, courts must ask whether the duty that the plaintiff alleges the defendant violated derives from the defendant's status or conduct as a 'publisher or speaker.' If it does, section 230(c)(1) precludes liability.''). Instead, the claims here attempt to hold Clearview "accountable for its own unfair or deceptive acts or practices," such as screen-scraping photographs without the owners' consent and in violation of the source's terms of service, providing inadequate data security for consumers' data, applying facial recognition technology to allow others to easily identify persons in the photographs, and making material false or misleading statements about its product. LeadClick. 838 F.3d at 176 (emphasis in original); see also Accusearch, 570 F.3d at 1204- 05 (Tymkovitch, J., concurring) (noting that "the FTC sought and ultimately held [defendant] liable for its conduct rather than for the content of the information it was offering on [its] website" and arguing that there should be no immunity because "Section 230 only immunizes publishers or speakers for the content of the information from other providers that they make public") (emphasis in original).

The complaint here simply does not fall into the category of cases relied upon by Clearview where§ 230 precluded liability. See, e.g., Barnes, 570 F.3d at 1103; Marshall's Locksmith Serv. Inc. v. Google, LLC, 925 F.3d 1263, 1269 (D.C. Cir. 2019) (holding that § 230 immunized search engine for publishing false information provided by third parties); Bennett v. Google, LLC, 882 F.3d 1163, 1167-68 (D.C. Cir. 2018) (Google immune from liability under § 230 for failure to remove offensive third-party blog post); Parker v. Google, Inc., 242 F. App'x 833, 838 (3d Cir. 2007) (immunity under§ 230 for linking to defamatory third-party posts); Zeran v. Am. Online, Inc., 129 F.3d 327, 332 (4th Cir. 1997) (AOL immune from liability for defamatory third-party posts on its message board service). The Communications Decency Act is not grounds for dismissal.

III. First Amendment

Clearview's next ground for dismissal is that its app (and the computer code used to write it) is protected First Amendment speech, and that the State's action amounts to an unconstitutional regulation of that speech. The State contends that many of its claims are unrelated to speech, that the First Amendment does not protect deceptive statements, and that the Clearview app is not protected speech and, even if it were, it would survive whatever First Amendment scrutiny applied.

The First Amendment guarantees an individual the right to free speech, "a term necessarily comprising the decision of both what to say and what not to say." Riley v. National Fed'n of the Blind of North Carolina. Inc., 487 U.S. 781, 796-97 (1988). Generally, this means that "government has no power to restrict expression because of its message, its ideas, its subject matter, or its content." Bolger v. Youngs Drug Prod. Corp., 463 U.S. 60, 65 (1983) (quotation omitted). "Even dry information, devoid of advocacy, political relevance, or artistic expression, has been accorded First Amendment protection." Universal City Studios. Inc. v. Corley, 273 F.3d 429, 446 (2d Cir. 2001) (collecting cases).

Content-based speech restrictions-i.e., "those that target speech based on its communicative content"-are "presumptively unconstitutional" and subject to strict scrutiny. Reed v. Town of Gilbert, Ariz., 576 U.S. 155, 163 (2015). Content-neutral regulations that incidentally restrict speech-i.e., a law that targets the non­ communicative component of conduct that includes both communicative and non­ communicative elements-are subject to intermediate scrutiny. United States v. O'Brien, 391 U.S. 367, 376 (1968); City of Erie v. Pap's A.M., 529 U.S. 277, 289 (2000); Vermont Soc. of Ass'n Executives v. Milne, 172 Vt. 375, 390 (2001); City of Burlington v. New York Times Co., 148 Vt. 275, 278 (1987). However, a restriction on nonspeech or nonexpressive conduct does not implicate the First Amendment and receives  only rational basis scrutiny. See Arcara v. Cloud Books, Inc., 478 U.S. 697, 706-07 (1986); Sorrell v. IMS Health Inc., 564 U.S. 552, 567 (2011).

Preliminarily, the court agrees with the State that the First Amendment does not protect the alleged deceptive statements in Count II. "The First Amendment, as applied to the States through the Fourteenth Amendment, protects commercial speech from unwarranted governmental regulation." Cent. Hudson Gas & Elec. Corp. v. Pub. Serv. Comm'n of New York, 447 U.S. 557, 561 (1980). Commercial speech is defined as "expression related solely to the economic interests of the speaker and its audience." Id. (emphasis added); see also United States v. United Foods, Inc., 533 U.S. 405,409 (2001) (stating that commercial speech is "usually defined as speech that does no more than propose a commercial transaction"). The alleged deceptive statements in Count II are advertisement, and are therefore properly categorized as commercial speech.

However, the First Amendment does not protect false or deceptive commercial speech. "[T]he government may freely regulate commercial speech that concerns unlawful activity or is misleading." Fla. Bar v. Went For It, Inc., 515 U.S. 618, 623-24 (1995); see also In re Deyo, 164 Vt. 613, 614 (1995) ("For commercial speech to come within that provision, it must at least concern lawful activity and not be misleading.") (quotation omitted). Therefore, the alleged deceptive statements in Count II are not protected by the First Amendment.

The court next observes that at least some of the conduct alleged in Counts I and III is largely nonexpressive in nature. The allegations that Clearview provided inadequate data security and exposed consumers' information to theft, security breaches, and surveillance lack a communicative element. The First Amendment does not protect such conduct. See Nat'l Rifle Ass'n of Am. v. City of Los Angeles, 441 F. Supp. 3d 915, 928-29 (C.D. Cal. 2019) (summarizing different categories of speech and corresponding levels of scrutiny).

Whether Clearview's app is First Amendment speech presents a harder question. Courts have considered whether other forms of electronic media constitute First Amendment speech. For instance, the U.S. Supreme Court has recognized that video games are protected speech because they "communicate ideas-and even social messages-through many familiar literary devices (such as characters, dialogue, plot, and music) and through features distinctive to the medium (such as the player's interaction with the virtual world)" like the "protected books, plays, and  movies  that  preceded them "Brown v. Entm't Merchants Ass'n, 564 U.S. 786, 790 (2011).

However, Brown does not state that all software applications are speech, and Clearview's app is not like a video game. A better analogy is found in a pair of Second Circuit cases: Commodity Futures Trading Comm'n v. Vartuli, 228 F.3d 94 (2d Cir. 2000) and Universal City Studios, Inc. v. Corley, 273 F.3d 429 (2d Cir. 2001). In Corley, the Second Circuit considered whether posting a DVD decryption code and links to other DVD decryption codes on a website was protected First Amendment speech. The court recognized that "computer code, and computer programs constructed from code can merit First Amendment protection " because they have the capacity to communicate to other programmers reading the code. Id. at 449 (emphasis added). The court held that the regulation sought was content-neutral because it targeted only the code's nonspeech, functional component (i.e., its "capacity to instruct a computer to decrypt" DVDs), not its speech component (i.e., its capacity to convey information to a human being). Id. at 454, 456.  The court went on to hold that the regulation survived intermediate scrutiny. Id. at 454-57. Vartuli involved a software program that told users when to buy or sell currency futures contracts if their computers were fed currency market rates. Because this program was sold and marketed as an automatic trading system generating buy and sell instructions "in an entirely mechanical way," and to "induce action without the intercession of the mind or the will of the recipient," the court held that it was not protected speech and accordingly did not apply even intermediate scrutiny to the government's regulation. Vartuli, 228 F.3d at 111.

Because the Clearview app's raw code is not at issue here as in Corley, the app arguably has no expressive speech component and is more similar to the "entirely mechanical" automatic trading  system in Vartuli that "induce[d] action without the intercession of the mind or the will of the recipient." Vartuli, 228 F.3d at 111. The user simply inputs a photograph of a person, and the app automatically displays other photographs of that person with no further interaction required from the human user. In that sense, the app might not be entitled to any First Amendment protection. Complicating matters, however, is the fact that Clearview's app is similar to a search engine, and some courts have generally recognized First Amendment protection for search engines, at least to the extent that the display and order of search results involve a degree of editorial discretion. See Dreamstime.com, LLC v. Google, LLC, No. C 18-01910 WHA, 2019 WL 2372280, at *2 (N.D. Cal. June 5, 2019) (collecting cases). The State would confine those cases to search engine results for text rather than photos, and also contends that Clearview's app goes far beyond what any other search engines have done.

The court need not decide whether the Clearview app is speech, however. Assuming without deciding that it is speech or at least contains a speech component, the State's attempted regulation of Clearview through this enforcement action is a permissible content-neutral regulation that survives intermediate scrutiny. "[G]overnment regulation of expressive activity is 'content neutral' if it is justified without reference to the content of regulated speech." Hill v. Colorado, 530 U.S. 703, 720 (2000). "The government's purpose is the controlling consideration. A regulation that serves purposes unrelated to the content of expression is deemed neutral, even if it has an incidental effect on some speakers or messages but not others." Ward v. Rock Against Racism, 491 U.S. 781, 791 (1989). "The Supreme Court's approach to determining content-neutrality appears to be applicable whether what is regulated  is expression, conduct, or any 'activity' that can be said to combine speech and non-speech elements." Corley, 273 F.3d at 450 (citations omitted).

The State does not justify its action against Clearview based on the content of Clearview's speech, for example, the order of its search results or whether the photographs displayed are offensive. Instead, its purpose is based purely on the alleged function of the Clearview app in allowing users to easily identify Vermonters through photographs obtained unfairly and without consent, thereby resulting in privacy invasions and unwarranted surveillance. Presumably, the State has no problem with Clearview operating its app so long as the Vermonters depicted in its photograph database have fully consented. The regulation sought by the State here is content-neutral and, accordingly, subject to intermediate scrutiny.

Clearview maintains that the State's attempted regulation is nevertheless subject to strict scrutiny because it is "speaker-based," relying on Sorrell v. IMS Health Inc., 564 U.S. 552, 563-64 (2011) ("On its face, Vermont's law enacts content-and speaker-based restrictions on the sale, disclosure, and use of prescriber-identifying information."); see also Citizens United v. Fed. Election Comm'n, 558 U.S. 310, 340-41 (2010). Clearview's reliance on Sorrell is misplaced. The statute there specifically  prohibited pharmaceutical manufacturers from using prescriber-identifying information for marketing, but allowed other speakers to obtain and use such information. Sorrell, 564 U.S. at 564. Here, the Consumer Protection Act is obviously not facially speaker-based, but Clearview complains of discriminatory enforcement. Clearview contends that the State is targeting only Clearview and none of the other search engines, and asserts that Google has also developed and patented facial-recognition technology. See Clearview's Reply at 41, 53. However, the State alleges that Google has not actually used that technology, Compl. ¶ 16-17, and that Google's image search does not display photographs from websites with terms of service that prohibit screen scraping. Id. ¶ 39. There is no basis to conclude that the State's action is a speaker-based restriction on speech.

A content-neutral restriction is permissible if it serves a substantial governmental interest, the interest is unrelated to the suppression of free expression, and the regulation is narrowly tailored, which "in this context requires . . . that the means chosen do not 'burden substantially more speech than is necessary to further the government's legitimate interests."' Turner Broadcasting System, Inc. v. FCC, .512 U.S. 622, 662 (1994) (quoting Ward v. Rock Against Racism, 491 U.S. 781,799 (1989)). The State plainly has a substantial governmental interest in maintaining a fair and honest commercial marketplace, and in protecting the health, welfare, and privacy of its citizens. See 9 V.S.A.§ 2451 (stating that purposes of the Consumer Protection Act are "to protect the public and to encourage fair and honest competition"); Rubin v. Coors Brewing Co., 514 U.S. 476, 485 (1995) ("the Government ... has a significant interest in protecting the health, safety, and welfare of its citizens"); Edenfield v. Fane, 507 U.S. 761,769 (1993) (protecting individual privacy is a "substantial state interest"); State v. VanBuren, 2018 VT 95, ¶ 57, as supplemented (June 7, 2019) ("The government's interest in preventing  any intrusions  on individual privacy is substantial.").

This interest is unrelated to the suppression of free expression. The injunction the State seeks would require Clearview to remove all images of Vermonters from its facial recognition database in order to protect their privacy and welfare, regardless of the content of those images or what information they convey. See Corley. 273 F.3d at 454. The State also seeks civil penalties for Clearview's allegedly unfair and deceptive acts, as permitted by the Consumer Protection Act. See 9 V.S.A. §§ 2431(b), 2458(a)-(b). The State seeks those penalties because of the app's function in invading Vermonters' privacy, not because of disagreement with the app's content.

Furthermore, any incidental restriction on speech imposed by the State's action would not burden substantially more speech than is necessary to further the State's interest in protecting privacy. The State estimates that the relief it requests will leave more than 99 percent of Clearview's database intact. Moreover, an injunction would presumably allow Clearview the option of obtaining affirmative consent in order to add Vermonters' images to its database. In any event, the court might need to take evidence on whether there are other, substantially less burdensome ways to further the State's interest here. Any remedies could accordingly be further tailored in light of such evidence.

Clearview also advances a slightly different First Amendment theory-that this action violates its right to access public data on the web. See Clearview's Mem. at 37-42; see also Packingham v. North Carolina, 137 S. Ct. 1730, 1732 (2017) (holding that restricting sex offenders from accessing social media sites violates First Amendment). The court finds this theory unpersuasive. None of the relief sought by the State would prohibit Clearview from accessing and viewing any particular website. Instead, the claims derive from what Clearview does with that information, and the theory that Clearview's actions constitute unfair trade practices.

Clearview relatedly relies on a trio of federal court decisions discussing the application of the federal   Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030(a)(2)(C), to data scraping. See hiQ Labs, Inc. v. Linkedin Corp., 938 F.3d 985 (9th Cir. 2019) (involving data analytics company scraping Linkedin's data and selling to employers interested in retaining employees); Sandvig v. Barr, No. CV 16-1368 (JDB), 2020 WL 1494065 (D.D.C. Mar. 27, 2020) (Sandvig II) (involving academic researchers' intended conduct of violating employment websites' terms of service to research whether sites discriminated based on race or gender); Sandvig v. Sessions, 315 F. Supp. 3d 1 (D.D.C. 2018) (Sandvig I). These decisions are inapposite. While those courts suggested that criminalizing data scraping and website terms of service violations might implicate the First Amendment, the decisions ultimately turned on a statutory interpretation of the CFAA, which is not at issue here. See hiQ Labs, 938 F.3d at 999-1004; Sandvig II, 2020 WL 1494065, at *14 ("[T]he Court concludes that plaintiffs' research plans do not violate the Access Provision of the CFAA. . . . [T]he Court need not wade into the question whether plaintiffs' proposed conduct should receive First Amendment protection."). The same is true for the  other federal  cases cited by Clearview.  See Clearview's  Mem. at 42 n.146 (listing cases); see also United States v. Valle, 807 F.3d 508, 524 (2d Cir. 2015) (explaining circuit split on CFAA statutory interpretation issue).

Moreover, dicta by the Ninth Circuit further undermines Clearview's argument. See hiQ Labs, 938 F.3d at 1004 ("We note that entities that view themselves as victims of data scraping are not without resort, even if the CFAA does not apply: state law trespass to chattels claims may still be available. And other causes of action, such as copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy, may also lie.") (emphasis added) (footnote omitted). The First Amendment does not provide grounds for dismissal here at the pleading stage.

IV. Vagueness

Clearview next argues that the Consumer Protection Act as applied here is unconstitutionally vague. "A statute is void for vagueness when it 'either forbids or requires the doing of an act in terms so vague that [persons] of common intelligence must necessarily guess at its meaning and differ as to its application.'" Kimbell v. Hooper, 164 Vt. 80, 88 (1995) (quoting Zwickler v.  Koota, 389  U.S.  241,  249  (1967));  see also Rutherford v. Best, 139 Vt. 56, 60 (1980) (due process requires that person have fair warning of what conduct is prohibited). However, "a statute need not detail every circumstance that would amount to a violation.'' Kimbell, 164 Vt. at 89; see also State v. Pecora, 2007 VT 41, ¶ 11, 181 Vt. 627 ("the fact that the statute does not enumerate 'every act that might constitute a violation' does not render it unconstitutionally vague.'') (quoting In re Illuzzi, 160 Vt. 474,481 (1993)).

The vagueness doctrine is "based on the rationale that persons should not be chilled in their exercise of constitutional rights because of their fear of criminal sanctions.'' Kimbell, 164 Vt. at 88 (quotation omitted). Thus, generally, the U.S. Supreme Court has "expressed greater tolerance of enactments with civil rather than criminal penalties because the consequences of imprecision are qualitatively less severe." Sessions v. Dimaya, 138 S. Ct. 1204, 1212-13 (2018) (quotation omitted). Moreover, the court generally presumes statues to be constitutional. In re LaBerge NOV, 2016 VT 99, ¶ 18, 203 Vt. 98. A proponent of a constitutional vagueness challenge "has a very weighty burden to overcome.'' Id. (quotation omitted).

In prohibiting the acts of screen scraping individuals' photographs without consent and allowing users to search those photographs through facial recognition technology as unfair, the Consumer Protection Act is not unconstitutionally vague. Clearview complains that "privacy" is the primary basis for the State's action. However, the Vermont Supreme Court has at least implicitly recognized a tort for invasion of privacy, based upon "intrusion upon seclusion" and the applicable standards set forth in the Restatement. See, e.g., Denton v. Chittenden Bank, 163 Vt. 62, 68-69 (1994) (supervisor's questions of employee about his illness and absence from work, although "unusual and possibly rude," were not "substantial" or "an intrusion that would be highly offensive to a reasonable person"); Hodgdon v. Mt. Mansfield Co., 160 Vt. 150, 162 (1992) ("the single letter from defendant threatening termination, although perhaps  insensitive  under  the circumstances in this case, was insufficient to constitute an invasion of privacy") (citing Restatement (Second) of Torts § 652A).

Moreover, as stated above, a statute need not enumerate every single act that might constitute a violation. Rather, "[s]tatutory language that conveys a definite warning as to proscribed conduct when measured by common understanding and practices will satisfy due process." In re Palmer, 171 Vt. 464, 472 (2000) (quoting Brody v. Barasch, 155 Vt. 103, 111 (1990)). Clearview suggests that it lacked fair warning without a specific statute or regulation prohibiting screen scraping and applying facial recognition technology to those photos. This court rejected a similar argument earlier this year, in a case alleging price-gouging of personal protective equipment:

The fact that there is not a precise statute or declaration directly discussing PPEs is not relevant. If a separate law or executive order was required to find a particular practice unfair under the Act, the Act would have little meaning. Moreover, the Sperry case expressly rejected the argument, concluding that in determining what is "unfair" the FTC may "consider[] public values beyond simply those enshrined in the letter or encompassed in the spirit of' other laws.

State v. Big Brother Security Programs, No. 326-4-20 Cncv, slip copy at 12 (Apr. 27, 2020) (Ex. A to Pl.'s Opp'n to Def.'s Mot. to Dismiss) (quoting F.T.C. v. Sperry & Hutchinson Co., 405 U.S. 233,244 (1972)).

As the State recognizes, consumer protection statutes have been applied to numerous specific behaviors that are not specifically enumerated  in a particular statute or regulation. See, e.g., McDonald v. Kiloo ApS, 385 F. Supp. 3d 1022, 1029 (N.D. Cal. 2019) (gaming app collecting user data for geo-targeted advertising). It would make no sense for the legislature to have to pass a new law as soon as any new technology is invented and brought to market. Such a requirement would defeat the broad, proscriptive purpose of the Consumer Protection Act. See Fed. Trade Comm'n v. Raladam Co., 316 U.S. 149, 152 (1942) ("One of the objects of the Act creating the Federal Trade Commission was to prevent potential injury by stopping unfair methods of competition in their incipiency."). Clearview had fair notice that its alleged conduct implicates privacy interests and might reasonably be considered "unfair" under the Act. Clearview has not met its "very weighty burden" to demonstrate that the Act as applied is unconstitutionally vague.

V. Vermont Consumer Protection Act and Fraudulent Acquisition of Data Law

Clearview contends that the complaint fails to state a claim under the Consumer Protection Act and the Fraudulent Acquisition of Data law pursuant to V.R.C.P. 12(b)(6). Both laws prohibit "unfair or deceptive acts or practices in commerce.'' 9 V.S.A. § 2453(a); id. § 2431(b)(1). Essentially, Clearview argues that the conduct alleged in Count I is not "unfair," that the conduct alleged in Count II is not "deceptive," and that the conduct alleged in Count III does not constitute a fraudulent acquisition of brokered personal information and, consequently, is not an unfair or deceptive act or practice.[FN3]

A. Unfairness

There are three factors courts generally consider in deciding whether a practice is unfair under the Consumer Protection Act:

(1) whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by statutes, the common law, or otherwise whether, in other words, it is within at least the penumbra of some common-law, statutory, or other established concept of unfairness; (2) whether it is immoral, unethical, oppressive or unscrupulous; (3) whether it causes substantial injury to consumers ....

Christie v. Dalmig, Inc., 136 Vt. 597, 601 (1979) (quoting F.T.C. v. Sperry & Hutchinson Co., 405 U.S. 233, 244 n.5 (1972)). To the extent Clearview argues that all three factors must be satisfied or that the "substantial injury" factor in particular must be satisfied in all cases, this court has already concluded in a previous case that the factors are independent. See State v. Big Brother Security Programs, No. 326-4-20 Cncv, slip copy at 9-10 (Apr. 27, 2020) (Ex. A to Pl.'s Opp'n to Def.'s Mot. to Dismiss). Moreover, numerous other courts have concluded similarly. See, e.g., Wendorf v. Landers, 755 F. Supp. 2d 972, 979 (N.D. Ill. 2010) ("The Illinois Supreme Court has interpreted Sperry to impose only a factor-based framework, not a three-part conjunctive test"); Ramirez v. Health Net of Ne.• Inc, 938 A.2d 576, 589 (Conn. 2008) ("All three criteria do not need to be satisfied to support a finding of unfairness. A practice may be unfair because of the degree to which it meets one of the criteria or because to a lesser extent it meets all three."); Morrison v. Toys "R" Us, Inc., 806 N.E.2d 388, 392 (Mass. 2004) (same); Rohrer v. Knudson, 203 P.3d 759,764 (Mont. 2009) ("We hold as a matter of law that an unfair act or practice is one which offends established public policy and which is either immoral, unethical, oppressive, unscrupulous or substantially injurious to consumers.").

Here, the State has adequately alleged, at the very least, the first two factors. It alleges that Clearview's acts offend public policy as it relates to the privacy of Vermont consumers. Compl. ¶ 77. As to the public policy factor, the FTC specified that

the policies relied upon "should be clear and well- established"-that is, "declared or embodied in formal sources such as statutes, judicial decisions, or the Constitution as interpreted by the courts, rather than being ascertained from the general sense of the national values." Put another way, an act or practice's "unfairness" must be grounded in statute, judicial decisions—i.e., the common law—or the Constitution.

LabMD, Inc. v. Fed. Trade Comm'n, 894 F.3d 1221, 1229 (11th Cir. 2018) (citation omitted). Privacy as a public policy is embodied in numerous Vermont and non-Vermont judicial decisions. As noted above, the Vermont Supreme Court has at least implicitly recognized a tort for invasion of privacy, based upon "intrusion upon seclusion" and the applicable standards set forth in the Restatement. See, e.g., Denton v. Chittenden Bank, 163 Vt. 62, 68-69 (1994) (supervisor's questions of employee about his illness and absence from work, although "unusual and possibly rude," were not "substantial" or "an intrusion that would be highly offensive to a reasonable person"); Hodgdon v. Mt. Mansfield Co., 160 Vt. 150, 162 (1992) ("the single letter from defendant threatening termination, although perhaps insensitive under the circumstances in this case, was insufficient to constitute an invasion of privacy") (citing Restatement (Second) of Torts § 652.A). The Court has also recognized that "[t]he government's  interest in preventing any intrusions on individual privacy is substantial." State v. VanBuren, 2018 VT 95, ¶ 57, as supplemented (June 7, 2019).[FN4]

As the cases cited by the State amply demonstrate, many courts outside of Vermont have recognized privacy rights in the context of emerging technology. "Technological advances provide access to a category of information otherwise unknowable, and implicate privacy concerns in a manner as different from traditional intrusions as a ride on horseback is different from a flight to the moon." Patel v. Facebook, Inc., 932 F.3d 1264, 1272-73 (9th Cir. 2019) (collecting recent U.S. Supreme Court cases recognizing privacy implications of sense-enhancing thermal imaging, GPS monitoring, cell phone storage of personal information, and tracking of cell-site location information). See also, e.g., id. at 1273 ("We conclude that the development of a face template using facial­ recognition technology without consent (as alleged here) invades an individual's private affairs and concrete interests. Similar conduct is actionable at common law."); Opperman v. Path. Inc., 84 F. Supp. 3d 962, 992-93 (N.D. Cal. 2015) (accessing and misusing phone and app purchasers' address and contacts lists without consent); McDonald v. Kiloo ApS, 385 F. Supp. 3d 1022, 1029 (N.D. Cal. 2019) (gaming app covertly collecting user data for geo-targeted advertising). The invasion of privacy alleged here is "within at least the penumbra of some common-law, statutory, or other established concept of unfairness." Christie, 136 Vt. at 601; see also LabMD, 894 F.3d 1221, 1229 ("an act or practice's 'unfairness' must be grounded in ... judicial decisions-i.e., the common law").

The State also sufficiently alleges that Clearview's conduct is "immoral, unethical, oppressive or unscrupulous." Christie, 136 Vt. at 601; see also Compl. ¶ 77. Courts have described such conduct as that which "imposes a lack of meaningful choice," Centerline Equip. Corp. v. Banner Pers. Serv.• Inc., 545 F. Supp. 2d 768, 780 (N.D. Ill. 2008), or that involves a lack of consent. Votto v. Am. Car Rental. Inc., 871A.2d 981, 985 (Conn. 2005) ("The defendant's use of the plaintiffs signature on a blank credit card slip to charge the plaintiff more than twice the amount of the estimated cost of repair to the vehicle was without question unscrupulous, immoral and oppressive."). Clearview's alleged collection of and application of facial recognition technology to Vermonters' photographs without their consent plainly falls within this standard. While it remains to be seen whether the State can prove unfairness at trial, the allegations in the complaint are sufficient to survive a motion to dismiss.

Even assuming the State also had to allege substantial injury, the complaint would still suffice to move past the pleading stage. Clearview correctly observes that, in deciding whether an act or practice is "unfair or deceptive" under the Consumer Protection Act, "the courts of this State will be guided by the construction of similar terms contained in Section 5(a)(1) of the Federal Trade Commission Act [9 U.S.C. § 45] as from time to time amended by the Federal Trade Commission and the courts of the United States." 9 V.S.A. § 2453(b). Notably, however, the provision of the FTC Act on which Clearview relies provides in part:

The Commission shall have no authority under this section ... to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.

15 U.S.C. § 45(n) (emphasis added). Based on a fair reading of the complaint, the State alleges that Clearview's conduct is at least "likely to cause substantial injury" by exposing Vermonters to unwanted surveillance and through Clearview's  marketing of its product to law enforcement. Clearview's argument that consumers can reasonably avoid such injury by not uploading photographs of themselves online is spurious at best. It is a matter of common knowledge that a significant portion of the population has uploaded photographs or (often unwittingly) appeared in photographs uploaded by others. See Compl. ¶ 45. Further, the court cannot conclude from the complaint alone whether such
injury is "outweighed by countervailing benefits to consumers." 15 U.S.C. § 45(n).

B. Deception

Count II alleges several deceptive statements by Clearview. To establish a "deceptive act or practice" under the Consumer Protection Act requires three elements: "(1) there must be a representation, omission, or practice likely to mislead consumers; (2) the consumer must be interpreting the message reasonably under the circumstances; and (3) the misleading effects must be material, that is, likely to affect the consumer's conduct or decision regarding the product." Carter v. Gugliuzzi, 168 Vt. 48, 56 (1998). "Deception is measured by an objective standard, looking to whether the representation or omission had the capacity or tendency to deceive a reasonable consumer; actual injury need not be shown." Id. at 56 (quotation omitted).

Clearview first argues that Vermonters are not "consumers" since they did not purchase the app, and that only law enforcement, financial institutions, and security companies are purchasers and, thus, consumers in this context. Because the users of the app are not the people allegedly harmed-the Vermont public whose photos are used­ Clearview contends that the Act is inapplicable. Therefore, Clearview asserts, the deception claim fails. The court rejects this argument. First, the Act includes a specific definition of"consumer" that is limited to purchasers, 9 V.S.A. § 2451a(a), but that applies to private actions brought by individuals under§ 2461(b); it does not somehow limit the State's enforcement rights under§ 2458. No Vermont cases say that, to be actionable, deceptive statements must have caused direct harm to an actual or would-be purchaser of the product or service in question.

Second, the FTC has brought actions against companies whose deceptive conduct allegedly misled non-purchasers of those companies' products or services, indicating that the FTC does not interpret the FTC Act to include such a "purchaser" requirement. See, e.g., In re Epic Marketplace, No. C-4389 (F.T.C. Mar. 13, 2013), available at https://www.ftc.gov/enforcement/cases-proceedings/112-3182/epic-marketplace-inc (online advertising company used "history sniffing" to secretly and illegally gather data from millions of consumers' web-browsing histories); FTC v. Equifax, No. 1:19-cv-03297- TWT (N.D. Ga. July 23, 2019), available at: https://www.ftc.gov/enforcement/cases­ proceedings/172-3203/equifax-inc (credit reporting agency failed to secure personal information of millions of consumers stored on its network, leading to security breach that exposed information to identify theft and fraud).

Moreover, the Consumer Protection Act is to be construed "liberally ... in light of its remedial purposes." Anderson v. Johnson, 2011 VT 17, ¶ 7, 189 Vt. 603. It is "designed not merely to compensate consumers for actual monetary losses resulting from fraudulent or deceptive practices in the marketplace, but more broadly to protect citizens from unfair or deceptive acts in commerce, and to encourage a commercial environment highlighted by integrity and fairness." Id. (citation and quotations omitted). Under Clearview's logic, the State could never enforce the Act against patently false advertising so long as no person had yet been duped into buying the advertised product or service. Such a result is untenable, especially since "actual injury need not be shown." Carter, 168 Vt. at 56.

Next, Clearview contends that the State has not adequately pled that each of the alleged statements in Count II were deceptive and material, and that some of those statements are mere opinion or commercial puffery rather than objective fact. The complaint lists seven allegedly deceptive statements.

1. Opt-Out Rights

In the privacy policy on its website, Clearview makes the following statement concerning consumers' privacy rights: "Users and members  of the  public are entitled to ... The right to erasure - You have the right to request that we erase your personal data  under certain conditions." Compl. ¶ 56. The policy goes on to clarify that this right is "subject to limitations that vary by jurisdiction. We will honor  such  requests  ...  as required under applicable data protection rules but these  rights  are not  absolute:  they do not always apply and exemptions may be engaged." Id. The State alleges that the data protection rights listed are actually from the European Union's General Data Protection Regulation, which is not applicable to U.S. citizens, and that the only state law that comes close to this is California's consumer privacy act. Id. ¶ 58. Clearview argues that this statement   is   technically   accurate, but the State alleges that this policy "creates a reasonable belief in any Vermont consumer who is not a privacy law scholar that they can take some action to protect their privacy" concerning data stored by Clearview. Id. ¶ 58.

The Vermont Supreme Court has "distinguished statements of fact from statements of opinion in the consumer-fraud context, holding that misrepresentations of the former may constitute fraud while misrepresentations of the latter cannot." Heath v. Palmer, 2006 VT 125, ¶ 14, 181 Vt. 545. Representations about the status of the law are generally considered nonactionable, but the Court has recognized that "[a]n important distinction must be made between representations of legal opinions and representations of fact relating to the law as it exists." Winton v. Johnson & Dix Fuel Corp.. 147 Vt. 236, 240 (1986) (emphasis in original). Legal opinions "involve[] the legal meaning and effect of a statute, court ruling, document, instrument or other source of law," while factual representations about the law "involve[] statements that imply the existence of accurate and readily ascertainable facts that either concern the law or have legal significance, but which are not part of the law themselves." Id. at 240. Such legal facts "may imply the existence or non-existence of an applicable statute, regulation, or judicial decision, and this is one kind of external fact which may seem very important to the person addressed by the statement." Id. at 241 (statements in hot water heater advertisement that emphasized availability of state energy tax credit were "fashioned as facts, rather than opinions about the application of the law" and therefore actionable under Consumer Fraud Act); see also Webb v. Leclair, 2007 VT 65, ¶ 22, 182 Vt. 559.

The alleged statement involves an "objectively verifiable statement of fact," that is, whether consumers have a right to have their data erased, rather than a subjective "opinion." Heath, 2006 VT 125, ¶ 14. To the extent it involves a component of legal status, it is a representation of fact regarding  the law as it exists, rather than a legal opinion. Winton, 147Vt. at 240. While the policy's statements might not be literally false and might not be so clear as the statement in Winton, Clearview could  have presented the policy in a less misleading manner, for example, by making it clear that these opt-out "rights" in fact do not apply to most U.S. citizens. The complaint sufficiently alleges that these statements could mislead a reasonable consumer regarding their ability to opt out of Clearview's product.

2. Affect on Consumers' Interests or Fundamental Rights and Freedoms

Clearview's privacy policy also states: "We are not allowed to process personal data if we do not have a valid legal ground. Therefore, we will only process personal data if ... the processing is necessary for the legitimate interests of Clearview, and does not unduly affect your interests or fundamental rights and freedoms." Compl. ¶ 59. The State alleges that this statement is false because "Clearview's processing does very much unduly affect consumers' interests and fundamental rights and freedoms." Id. ¶ 60. Essentially, this statement amounts to a legal conclusion or opinion about whether Clearview's alleged unfair acts as stated in Count I implicate consumers' privacy rights. It goes far beyond a mere assertion that a particular statute does or does not exist or apply. See Winton, 147  Vt. at 240-41. Moreover, as it would require a resolution on the merits of Count I, it was not objectively verifiable at the time the statement was made. Consequently, this statement does not constitute a deceptive act under the Consumer Protection Act. See generally Heath, 2006 VT 125, ¶ 14.

3. Strength of Data Security

Clearview's privacy policy also includes a paragraph with assertions about the strength of the data security technology it uses to protect personal information. Compl. ¶ 61. While parts of this paragraph undoubtedly constitute vague commercial puffery, other parts plainly consist of facts capable of objective analysis, likely by computer security experts. This statement could lead a reasonable consumer to believe that Clearview's stored personal data is completely secure. Id. ¶ 62. The complaint sufficiently alleges a deceptive statement regarding the strength of Clearview's data security. Compl. ¶¶ 63-68.

4. Use by Law Enforcement and Public Availability

In its "User Code of Conduct," Clearview states that users may use its app for only "legitimate law enforcement and security purposes," and not for "personal purposes." Compl. ¶ 69. Clearview also states on its website that its app is not available to the public. Id. ¶ 30. However, the State alleges that this is not true because Clearview has provided access to its app to numerous for-profit corporations, universities, investors,  reporters, and governments in dozens of countries, and has not limited its use to authorized users even in the law enforcement context. Id. ¶¶ 31-32. Furthermore, in private marketing statements, Clearview has allegedly told users to use the app on friends and family and to "feel free to run wild with your searches." Id. ¶¶ 33, 70. The complaint fairly alleges that Clearview's statements about law enforcement use and the public availability of its app are deceptive.

5. Removal of Customer Data from Database

Clearview has allegedly claimed or implied that it removes consumer data from its database to comply with existing law. Compl. ¶¶ 50, 56, 81(e). However, the State alleges that Clearview does not yet have the capability to remove individuals by geographic region or age. Id. ¶ 51. This plainly states a claim for a deceptive act.

6. Accuracy of Matching Technology

According to the State's allegations, Clearview has claimed (1) an accuracy rate of 98.6% to 99.6% for its photograph matching technology without providing any evidence or a standard  benchmark,  and  (2) an  accuracy  rate of 100%  according  to the ACLU's methodology which it then retracted after the ACLU complained that Clearview had not properly applied its technology and called Clearview's claim "absurd." Compl. ¶¶ 71-72. Clearview also has allegedly not provided its matching algorithm for testing to the only entity that provides public testing of facial recognition technology. Id. ¶ 73. These allegations  state a claim for deceptive statements  regarding the  accuracy of Clearview's matching technology. Clearview provides an affidavit asserting that it has tested its technology's accuracy using the Megaface benchmark test. Clearview's Mem. at 66 n.231. That may be so, but the court cannot consider an affidavit on a motion to dismiss.

7. Success in Assisting Law Enforcement Investigations

According to the complaint, Clearview claimed to have assisted the NYPD in solving several cases, but the NYPD denied that Clearview was used in any of those cases. Compl. ¶¶ 74-75. This also is sufficient to survive a motion to dismiss.

Moreover, all of the alleged statements described above are material in that they are "likely to affect [a] consumer's conduct or decision regarding the product," Carter, 168 Vt. at 56, at least for purposes of the motion to dismiss. The State does not allege a de minimus misrepresentation such as, for example, if Clearview claimed to have a 95.3% accuracy rate when the actual rate was 95.2%. Such an insignificant deception would not reasonably affect a consumer's conduct regarding the product. The alleged deceptions here, however, are significant, and are reasonably likely to affect the conduct of either law enforcement or the general public with respect to Clearview's app.

C. Vermont's Fraudulent Acquisition of Data Law

Vermont's Fraudulent Acquisition of Data law prohibits the acquisition of "brokered personal information through fraudulent means." 9 V.S.A. § 2431(a)(1). A violation of this law constitutes "an unfair and deceptive act in commerce in violation of [9 V.S.A. §] 2453." Id. § 2431(b)(1). "Brokered personal information" means "computerized data elements about a consumer, if categorized or organized for dissemination to third parties," including "unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of  biometric data." Id.§ 2430(1)(A)(vi).[FN5] For purposes of this statute, "consumer" means "an individual residing in this State." Id.§ 2430(3).

Clearview asserts that this law does not apply because the data it acquires is "not brokered" and "not acquired by fraud." Clearview's Mem. at 68. The data it acquires plainly falls within the statutory definition  of "brokered personal information." 9 V.S.A. § 2430(1)(A)(vi). However, the complaint does not adequately allege that the data was acquired by fraudulent means. The court disagrees with the State's contention that, in this context, "fraud" refers to consumer fraud, i.e., an unfair or deceptive act or practice in commerce. While the statute does not explicitly define "fraud," and the legislature's statement of findings and intent unsurprisingly provides little assistance in that regard, see 2017, No. 171, § 1, the court concludes that "fraud" here means fraud in the traditional or common law sense, rather than in the "consumer fraud" sense. The statute would simply make no sense otherwise. That a fraudulent acquisition of brokered personal information constitutes "an unfair and deceptive act in commerce in violation of' the Consumer Protection Act does not also mean that any variation of "consumer fraud" necessarily constitutes acquisition of "brokered personal information through fraudulent means." Id. § 2431(a)(1).[FN6] That is circular reasoning that would render the Fraudulent Acquisition of Data law meaningless. Under that logic, the law would proscribe virtually no conduct beyond that also proscribed by the Consumer Protection Act.[FN7]

Fraud traditionally requires some form of misrepresentation. lanelli v. U.S. Bank, 2010 VT 34, ¶ 14  n.*, 187 Vt.  644  (mem.).  The complaint, however, alleges no such misrepresentation with respect to Clearview's acquisition of the data. The State argues in its memorandum that Clearview's "indiscriminate screen-scraping ... involved using spiders that misrepresented their purpose in accessing websites," State's Opp'n at 71, yet alleges nowhere in the complaint that Clearview's "spiders" actually misrepresented their purpose. It argues that Clearview violated the terms of service of the websites it scraped, yet the complaint is devoid of any allegation that Clearview actually misrepresented its purpose in accessing the websites rather than merely contravening the terms of service. The State also argues that Clearview collected personal photos without consumers' knowledge or consent "in order to turn those photographs against their owners through the use of facial recognition." Id. Again, no allegation of misrepresentation in the complaint supports this argument. Clearview's actions in acquiring the photos is akin to someone walking into a store and surreptitiously stealing an item. In that example, the person's action might be larceny and it might violate the store's posted rules, but it is not fraud because it does not involve a misrepresentation. Moreover, the post-acquisition use of those photographs is immaterial to Count III, which asserts that Clearview acquired brokered personal information by fraudulent means under 9 V.S.A. § 2431(a)(1), not that it "acquire[d] or use[d] brokered personal information for the purpose of' stalking, harassment, committing a fraud, or engaging in unlawful discrimination under § 2431(a)(2).

The court could imagine how the deceptive statements alleged in Count II might support the alleged fraudulent acquisition of data in Count III by inducing someone to continue posting photographs on social media, or to refrain from deleting their photographs from social media. However, that would depend on the deceptive statements being presented before the screen scraping began, so that consumers would have time to act on those statements. There is no such information in the complaint concerning the dates the deceptive statements were made and when the screen scraping began, nor does the State allege that a Clearview misrepresentation induced anyone to make their photographs available for Clearview's acquisition.

It appears that this is the first time the Fraudulent Acquisition of Data Law-which went into effect in 2019 and is apparently the first of its kind in the country-has been discussed or construed in a court decision. See generally Note, The Federalist Regulation of Privacy: The Happy Incidents of State Regulatory Activity and Costs of Preemptive Federal Action, 84 Mo. L. Rev. 1055, 1073-75 and nn.130, 138-43 (2019). As this court has recognized many times, "[a] motion to dismiss ... is not favored and [is] rarely granted[,] ... especially ... when the asserted theory of liability is novel or extreme," as such cases "should be explored in the light of facts as developed by the evidence, and, generally, not dismissed before trial because of the mere novelty of the allegations." Alger v. Dep't of Labor & Indus., 2006 VT 115, ¶ 12, 181 Vt. 309 (citation and quotations omitted). "Nonetheless, where the plaintiff does not allege a legally cognizable claim, dismissal is appropriate." Montague v. Hundred Acre Homestead. LLC, 2019 VT 16, ¶ 11, 209 Vt. 514. Because the State has not sufficiently alleged that the data was acquired by "fraudulent means," dismissal of Count III is appropriate.

VI. Standing

Finally, Clearview contends that the State lacks standing to bring this action. Typically, the standing doctrine requires that a plaintiff "must have suffered a particular injury that is attributable to the defendant and that can be redressed by a court of law." Paige v. State, 2018 VT 136, ¶ 8, 209 Vt. 379 (quotation omitted). However, the standing analysis is different when the plaintiff is a sovereign state rather than a private individual. Massachusetts v. E.P.A., 549 U.S. 497, 518 (2007). The U.S. Supreme Court has recognized that where the state has a procedural right to bring that action and a "stake in protecting its quasi-sovereign interests, the [state] is entitled to special solicitude in our standing analysis." Id. at 520-21 & n.17 (Massachusetts has quasi-sovereign standing to challenge EPA's refusal to regulate greenhouse gas emissions).

The State asserts that it has such standing under the "parens patriae" doctrine. "[T]o have such standing the State must assert an injury to ... a 'quasi-sovereign' interest," an admittedly vague judicial construct with no "simple or exact definition. Its nature is perhaps best understood by comparing it to other kinds of interests that a State may pursue and then by examining those interests that have historically been found to fall within this category." Alfred L. Snapp & Son. Inc. v. Puerto Rico. ex rel.. Barez, 458 U.S. 592, 601 (1982). Quasi-sovereign interests generally "consist of a set of interests that the State has in the well-being of its populace." Id. at 602. The Court has summarized the doctrine as follows:

In order to maintain such an action, the State must articulate an interest apart from the interests of particular private parties, i.e., the State must be more than a nominal party. The State must express a quasi-sovereign interest. Although the articulation of such interests is a matter for case-by-case development-neither an exhaustive formal definition nor a definitive list of qualifying interests can be presented in the abstract-certain characteristics of such interests are so far evident. These characteristics fall into two general categories. First, a State has a quasi-sovereign interest in the health and well-being-both physical and economic-of its residents in general. Second, a State has a quasi-sovereign interest in not being discriminatorily denied its rightful status within the federal system.

Id. at 607. Additionally, the State must "allege[] injury to a sufficiently substantial segment of its population." Id.

The State has a clear procedural right to bring this action. The Consumer Protection Act prohibits "unfair or deceptive acts or practices in commerce." 9 V.S.A. § 2453(a). "Whenever the Attorney General ... has reason to believe that any person is using or is about to use any method, act, or practice declared by section 2453 ... to be unlawful, ... and that  proceedings  would  be in the public interest," he may "bring an action in the name of the State against such person to restrain by temporary or permanent injunction the use of such method, act, or practice." 9 V.S.A. § 2458(a).

The State also has quasi-sovereign interests in protecting a fair and honest marketplace from deceptive advertising statements, and in avoiding  societal  harm  from mass surveillance. Mass surveillance could reasonably chill citizens' freedoms of assembly and political expression. See Compl. ¶ 78. These interests go beyond those  of  any individual party, and courts have recognized these  interests  as  sufficient  to  confer standing. See People ex rel. Cuomo v. Liberty Mut. Ins. Co., 861 N.Y.S.2d 294, 296 (N.Y. App. Div. 2008) ("the Attorney General sued to  redress  injury  to  its quasi-sovereign interest in securing an honest marketplace  for all  consumers")  (quotation  omitted);  State ex rel. Hatch v. Cross Country Bank. Inc., 703 N.W.2d 562, 569 (Minn. Ct. App. 2005)  ("The state is pursuing its claim[] not with the purpose of obtaining relief for particular victims, but to vindicate a 'quasi-sovereign' interest: protecting the privacy of its citizens."); State of N. Y. by Abrams v. Gen. Motors Corp., 547 F. Supp. 703,705 (S.D.N.Y. 1982) ("The State's goal of securing an honest marketplace in which to transact business is a quasi-sovereign interest."); Kelley v. Carr, 442 F. Supp. 346, 356-57 (W.D. Mich. 1977), affd in part. rev'd in part, 691 F.2d 800 (6th Cir. 1980) ("Surely some of the most basic of a state's quasi-sovereign interests include ... protection of its citizens from fraudulent  and deceptive  practices [and] support for the general welfare of its residents and its economy").

Moreover, the State estimates that millions of photographs of Vermonters may be part of Clearview's database, State's Opp'n at 75, a reasonable implication from the complaint. See Compl. ¶¶ 24-25, 44, 47-49. This surely constitutes a substantial segment of Vermont's population. "This is not a case in which the state is gratuitously attempting to prosecute purely personal claims of its citizens, but rather is one in which the state is seeking to protect the public interest." Kelley, 442 F. Supp. at 357. Given the lower bar for standing at the pleading stage, the complaint adequately alleges sufficient facts to confer standing on the State as parens patriae in this action. See Connecticut v. Am. Elec. Power Co., 582 F.3d 309, 333 (2d Cir. 2009), rev'd on other grounds, 564 U.S. 410 (2011); see also 13B Wright & Miller, Fed. Prac. & Proc. Juris.§ 3531.11.1 (3d ed.) ("There can be no doubt whatever that in its own courts and under its own law, a state has standing to enforce broad concepts of the public interest against individual defendants, whether through criminal or civil proceedings.").

Order

Clearview's motion to dismiss is granted as to one of the deceptive statements alleged in Count I-specifically paragraph 81(b) of the complaint-and  as to Count  III.  The motion is denied in all other respects. The parties shall proceed with scheduling according to the court's May 6, 2020 order.

Footnotes

[FN1] The State has requested oral argument on this motion. State's Opp'n at 78. Given that the State has largely prevailed on this motion, and in the interest of resolving this motion prior to the undersigned's rotation to another court, the court denies that request.

[FN2] Clearview asks the court to disregard several paragraphs from the Complaint that, it asserts, are conclusory allegations or legal conclusions masquerading as facts. Clearview's Reply at 35-38 & n.135. The court observes that most of the cited paragraphs are proper factual allegations but, to the extent they are not, the court does not assume their truth for purposes of this motion to dismiss. Clearview also asks the court to disregard numerous paragraphs "which appear to be drawn from newspaper articles and other news reports without independent investigation as required by Rule 11." Id. at 38-41& n.141. All statements in a pleading "shall be made subject to the obligations set forth in Rule 11." V.R.C.P. 8(e)(2). Rule 11 requires that "to the best of the person's knowledge, information, and belief, formed after an inquiry reasonable under the circumstances … the allegations and other factual contentions have evidentiary support…." V.R.C.P. 11(b)(3). The court has no reason to believe there was a Rule 11 violation here. In any event, Clearview has not properly initiated a Rule 11 motion. See V.R.C.P. 11(c)(1).

[FN3] To the extent it is relevant to the motion to dismiss, the court rejects as entirely unpersuasive Clearview's suggestion that the State's action is preempted by 23 V.S.A. § 634(c). See Clearview's Mem. at 67-68.

[FN4] Clearview contends that VanBuren undermines the State's privacy argument. Clearview's Mem. at 48-51. VanBuren involved a criminal prosecution for the unconsented disclosure of an intimate image of the complainant under Vermont's relatively new "revenge porn" statute. The Court affirmed the dismissal of the charge because "the State has not established that it has evidence showing that complainant had a reasonable expectation of privacy in the images she sent to" the intended recipient, necessary to prove an element of the crime. VanBuren, 2018 VT 95, 97. Clearview's argument about VanBuren is unpersuasive. First, VanBuren was a criminal case, deciding whether the State could prove an element of the charged crime (beyond a reasonable doubt). It did not hold that individuals have no privacy interests whatsoever in photos they post on any digital platform. Second, VanBuren involved merely republishing a photo, while Clearview's alleged conduct (extracting biometric data and adding the photos to a searchable database for easy identification) goes beyond mere republication. Finally, whereas the VanBuren Court noted that the State offered no "evidence of any promise by [intended recipient], or even express request by complainant, to keep the photos confidential," or any other basis from which the complainant could "reasonably assume that he would  not share the photos she sent with  others," id. 106, many social media sites to which consumers post photos have terms of service policies that expressly prohibit screen scraping. Compl. ¶ 38- 39, 43. Those terms of service provide a reasonable basis for consumers to assume that their photos would not be scraped and used in a facial recognition search engine without their consent.

[FN5] The definition also includes "other information that, alone or in combination with the other information sold or licensed,  would allow a reasonable person  to identify the consumer  with  reasonable certainty." 9 V.S.A. § 2430(a)(ix).

[FN6] Notably, several years before the Fraudulent Acquisition of Data law was added in 2018, the legislature changed the title of the "Consumer Fraud Act" to "Consumer Protection Act" in 2012. See 2011, No. 109, § 3 ("Redesignation of term 'consumer fraud' to read 'consumer protection"'); McKinstry v. Fecteau Residential Homes,  Inc.,  2015 vr 125, ¶ 4 n.1,  200  Vt. 392. This  makes  it  even less likely that  the legislature's intent behind using the term "fraud" in section 2431(a)(1) was to refer to "consumer fraud" rather than common law fraud.

[FN7] The Attorney General's own guidance about this law suggests that acquisition by "fraudulent means" refers to common law fraud. See Vermont Office of the Attorney General, Guidance on Vermont's Act 171 of 2018 Data Broker Regulation at 11 (Dec. 11, 2018) ("The concepts of fraud, stalking and harassing, identity theft, and unlawful discrimination are addressed in the common law and other statutes.") (available at: https://perma.cc/BK6G-YBHH).

141 S.Ct. 1648
Supreme Court of the United States.

Nathan VAN BUREN, Petitioner
v.
UNITED STATES

Argued November 30, 2020
Decided June 3, 2021

BARRETT, J., delivered the opinion of the Court, in which BREYER, SOTOMAYOR, KAGAN, GORSUCH, and KAVANAUGH, JJ., joined. THOMAS, J., filed a dissenting opinion, in which ROBERTS, C. J., and ALITO, J., joined.

Opinion

Justice BARRETT delivered the opinion of the Court.

Nathan Van Buren, a former police sergeant, ran a license-plate search in a law enforcement computer database in exchange for money. Van Buren's conduct plainly flouted his department's policy, which authorized him to obtain database information only for law enforcement purposes. We must decide whether Van Buren also violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.

I.

A.

Technological advances at the dawn of the 1980s brought computers to schools, offices, and homes across the Nation. But as the public and private sectors harnessed the power of computing for improvement and innovation, so-called hackers hatched ways to coopt computers for illegal ends. After a series of highly publicized hackings captured the public's attention, it became clear that traditional theft and trespass statutes were ill suited to address cybercrimes that did not deprive computer owners of property in the traditional sense. See Kerr, Cybercrime's Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N. Y. U. L. Rev. 1596, 1605–1613 (2003).

Congress, following the lead of several States, responded by enacting the first federal computer-crime statute as part of the Comprehensive Crime Control Act of 1984. § 2102(a), 98 Stat. 2190–2192. A few years later, Congress passed the CFAA, which included the provisions at issue in this case. The Act subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” and thereby obtains computer information. 18 U.S.C. § 1030(a)(2). It defines the term “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” § 1030(e)(6).

Initially, subsection (a)(2)’s prohibition barred accessing only certain financial information. It has since expanded to cover any information from any computer “used in or affecting interstate or foreign commerce or communication.” § 1030(e)(2)(B). As a result, the prohibition now applies—at a minimum—to all information from all computers that connect to the Internet. §§ 1030(a)(2)(C), (e)(2)(B).

Those who violate § 1030(a)(2) face penalties ranging from fines and misdemeanor sentences to imprisonment for up to 10 years. § 1030(c)(2). They also risk civil liability under the CFAA's private cause of action, which allows persons suffering “damage” or “loss” from CFAA violations to sue for money damages and equitable relief. § 1030(g).

B.

This case stems from Van Buren's time as a police sergeant in Georgia. In the course of his duties, Van Buren crossed paths with a man named Andrew Albo. The deputy chief of Van Buren's department considered Albo to be “very volatile” and warned officers in the department to deal with him carefully. Notwithstanding that warning, Van Buren developed a friendly relationship with Albo. Or so Van Buren thought when he went to Albo to ask for a personal loan. Unbeknownst to Van Buren, Albo secretly recorded that request and took it to the local sheriff ’s office, where he complained that Van Buren had sought to “shake him down” for cash.

The taped conversation made its way to the Federal Bureau of Investigation (FBI), which devised an operation to see how far Van Buren would go for money. The steps were straightforward: Albo would ask Van Buren to search the state law enforcement computer database for a license plate purportedly belonging to a woman whom Albo had met at a local strip club. Albo, no stranger to legal troubles, would tell Van Buren that he wanted to ensure that the woman was not in fact an undercover officer. In return for the search, Albo would pay Van Buren around $5,000.

Things went according to plan. Van Buren used his patrol-car computer to access the law enforcement database with his valid credentials. He searched the database for the license plate that Albo had provided. After obtaining the FBI-created license-plate entry, Van Buren told Albo that he had information to share.

The Federal Government then charged Van Buren with a felony violation of the CFAA on the ground that running the license plate for Albo violated the “exceeds authorized access” clause of 18 U.S.C. § 1030(a)(2).[FN1] The trial evidence showed that Van Buren had been trained not to use the law enforcement database for “an improper purpose,” defined as “any personal use.” App. 17. Van Buren therefore knew that the search breached department policy. And according to the Government, that violation of department policy also violated the CFAA. Consistent with that position, the Government told the jury that Van Buren's access of the database “for a non[-]law[-]enforcement purpose” violated the CFAA “concept” against “using” a computer network in a way contrary to “what your job or policy prohibits.” Id., at 39. The jury convicted Van Buren, and the District Court sentenced him to 18 months in prison.

Van Buren appealed to the Eleventh Circuit, arguing that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have. While several Circuits see the clause Van Buren's way, the Eleventh Circuit is among those that have taken a broader view.[FN2] Consistent with its Circuit precedent, the panel held that Van Buren had violated the CFAA by accessing the law enforcement database for an “inappropriate reason.” 940 F.3d 1192, 1208 (2019). We granted certiorari to resolve the split in authority regarding the scope of liability under the CFAA's “exceeds authorized access” clause. 590 U. S. ––––, 140 S.Ct. 2667, 206 L.Ed.2d 822 (2020).

II.

A.

1.

Both Van Buren and the Government raise a host of policy arguments to support their respective interpretations. But we start where we always do: with the text of the statute. Here, the most relevant text is the phrase “exceeds authorized access,” which means “to access a computer with authorization and to use such access to obtain ... information in the computer that the accesser is not entitled so to obtain.” § 1030(e)(6).

The parties agree that Van Buren “access[ed] a computer with authorization” when he used his patrol-car computer and valid credentials to log into the law enforcement database. They also agree that Van Buren “obtain[ed] ... information in the computer” when he acquired the license-plate record for Albo. The dispute is whether Van Buren was “entitled so to obtain” the record.

“Entitle” means “to give ... a title, right, or claim to something.” Random House Dictionary of the English Language 649 (2d ed. 1987). See also Black's Law Dictionary 477 (5th ed. 1979) (“to give a right or legal title to”). The parties agree that Van Buren had been given the right to acquire license-plate information—that is, he was “entitled to obtain” it—from the law enforcement computer database. But was Van Buren “entitled so to obtain” the license-plate information, as the statute requires?

Van Buren says yes. He notes that “so,” as used in this statute, serves as a term of reference that recalls “the same manner as has been stated” or “the way or manner described.” Black's Law Dictionary, at 1246; 15 Oxford English Dictionary 887 (2d ed. 1989). The disputed phrase “entitled so to obtain” thus asks whether one has the right, in “the same manner as has been stated,” to obtain the relevant information. And the only manner of obtaining information already stated in the definitional provision is “via a computer [one] is otherwise authorized to access.” Reply Brief 3. Putting that together, Van Buren contends that the disputed phrase—“is not entitled so to obtain”—plainly refers to information one is not allowed to obtain by using a computer that he is authorized to access. On this reading, if a person has access to information stored in a computer—e.g., in “Folder Y,” from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited “Folder X,” to which the person lacks access, he violates the CFAA by obtaining such information.

The Government agrees that the statute uses “so” in the word's term-of-reference sense, but it argues that “so” sweeps more broadly. It reads the phrase “is not entitled so to obtain” to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. The manner or circumstances in which one has a right to obtain information, the Government says, are defined by any “specifically and explicitly” communicated limits on one's right to access information. Brief for United States 19. As the Government sees it, an employee might lawfully pull information from Folder Y in the morning for a permissible purpose—say, to prepare for a business meeting—but unlawfully pull the same information from Folder Y in the afternoon for a prohibited purpose—say, to help draft a resume to submit to a competitor employer.

The Government's interpretation has surface appeal but proves to be a sleight of hand. While highlighting that “so” refers to a “manner or circumstance,” the Government simultaneously ignores the definition's further instruction that such manner or circumstance already will “ ‘ha[ve] been stated,’ ” “ ‘asserted,’ ” or “ ‘described.’ ” Id., at 18 (quoting Black's Law Dictionary, at 1246; 15 Oxford English Dictionary, at 887). Under the Government's approach, the relevant circumstance—the one rendering a person's conduct illegal—is not identified earlier in the statute. Instead, “so” captures any circumstance-based limit appearing anywhere—in the United States Code, a state statute, a private agreement, or anywhere else. And while the Government tries to cabin its interpretation by suggesting that any such limit must be “specifically and explicitly” stated, “express,” and “inherent in the authorization itself,” the Government does not identify any textual basis for these guardrails. Brief for United States 19; Tr. of Oral Arg. 41.

Van Buren's account of “so”—namely, that “so” references the previously stated “manner or circumstance” in the text of § 1030(e)(6) itself—is more plausible than the Government's. “So” is not a free-floating term that provides a hook for any limitation stated anywhere. It refers to a stated, identifiable proposition from the “preceding” text; indeed, “so” typically “[r]epresent[s]” a “word or phrase already employed,” thereby avoiding the need for repetition. 15 Oxford English Dictionary, at 887; see Webster's Third New International Dictionary 2160 (1986) (so “often used as a substitute ... to express the idea of a preceding phrase”). Myriad federal statutes illustrate this ordinary usage.[FN3] We agree with Van Buren: The phrase “is not entitled so to obtain” is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.[FN4]

2.

The Government's primary counterargument is that Van Buren's reading renders the word “so” superfluous. Recall the definition: “to access a computer with authorization and to use such access to obtain ... information in the computer that the accesser is not entitled so to obtain.” § 1030(e)(6) (emphasis added). According to the Government, “so” adds nothing to the sentence if it refers solely to the earlier stated manner of obtaining the information through use of a computer one has accessed with authorization. What matters on Van Buren's reading, as the Government sees it, is simply that the person obtain information that he is not entitled to obtain—and that point could be made even if “so” were deleted. By contrast, the Government insists, “so” makes a valuable contribution if it incorporates all of the circumstances that might qualify a person's right to obtain information. Because only its interpretation gives “so” work to do, the Government contends, the rule against superfluity means that its interpretation wins. See Republic of Sudan v. Harrison, 587 U. S. ––––, ––––, 139 S.Ct. 1048, 1058, 203 L.Ed.2d 433 (2019).

But the canon does not help the Government because Van Buren's reading does not render “so” superfluous. As Van Buren points out, without “so,” the statute would allow individuals to use their right to obtain information in nondigital form as a defense to CFAA liability. Consider, for example, a person who downloads restricted personnel files he is not entitled to obtain by using his computer. Such a person could argue that he was “entitled to obtain” the information if he had the right to access personnel files through another method (e.g., by requesting hard copies of the files from human resources). With “so,” the CFAA forecloses that theory of defense. The statute is concerned with what a person does on a computer; it does not excuse hacking into an electronic personnel file if the hacker could have walked down the hall to pick up a physical copy.

This clarification is significant because it underscores that one kind of entitlement to information counts: the right to access the information by using a computer. That can expand liability, as the above example shows. But it narrows liability too. Without the word “so,” the statute could be read to incorporate all kinds of limitations on one's entitlement to information. The dissent's take on the statute illustrates why.

3.

While the dissent accepts Van Buren's definition of “so,” it would arrive at the Government's result by way of the word “entitled.” One is “entitled” to do something, the dissent contends, only when “ ‘proper grounds’ ” are in place. Post, at 1663 – 1664 (opinion of THOMAS, J.) (quoting Black's Law Dictionary, at 477). Deciding whether a person was “entitled” to obtain information, the dissent continues, therefore demands a “circumstance dependent” analysis of whether access was proper. Post, at 1663 – 1664. This reading, like the Government's, would extend the statute's reach to any circumstance-based limit appearing anywhere.

The dissent's approach to the word “entitled” fares fine in the abstract but poorly in context. The statute does not refer to “information ... that the accesser is not entitled to obtain.” It refers to “information ... that the accesser is not entitled so to obtain.” 18 U.S.C. § 1030(e)(6) (emphasis added). The word “entitled,” then, does not stand alone, inviting the reader to consider the full scope of the accesser's entitlement to information. The modifying phrase “so to obtain” directs the reader to consider a specific limitation on the accesser's entitlement: his entitlement to obtain the information “in the manner previously stated.” Supra, at 1650. And as already explained, the manner previously stated is using a computer one is authorized to access. Thus, while giving lipservice to Van Buren's reading of “so,” the dissent, like the Government, declines to give “so” any limiting function.[FN5]

The dissent cannot have it both ways. The consequence of accepting Van Buren's reading of “so” is the narrowed scope of “entitled.” In fact, the dissent's examples implicitly concede as much: They all omit the word “so,” thereby giving “entitled” its full sweep. See post, at 1663 – 1664. An approach that must rewrite the statute to work is even less persuasive than the Government's.

4.

The Government falls back on what it describes as the “common parlance” meaning of the phrase “exceeds authorized access.” Brief for United States 20–21. According to the Government, any ordinary speaker of the English language would think that Van Buren “exceed[ed] his authorized access” to the law enforcement database when he obtained license-plate information for personal purposes. Id., at 21. The dissent, for its part, asserts that this point “settles” the case. Post, at 1667.

If the phrase “exceeds authorized access” were all we had to go on, the Government and the dissent might have a point. But both breeze by the CFAA's explicit definition of the phrase “exceeds authorized access.” When “a statute includes an explicit definition” of a term, “we must follow that definition, even if it varies from a term's ordinary meaning.” Tanzin v. Tanvir, 592 U. S. ––––, ––––, 141 S.Ct. 486, 490, 208 L.Ed.2d 295 (2020) (internal quotation marks omitted). So the relevant question is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase. And as we have already explained, the statutory definition favors Van Buren's reading.

That reading, moreover, is perfectly consistent with the way that an “appropriately informed” speaker of the language would understand the meaning of “exceeds authorized access.” Nelson, What Is Textualism? 91 Va. L. Rev. 347, 354 (2005). When interpreting statutes, courts take note of terms that carry “technical meaning[s].” A. Scalia & B. Garner, Reading Law: The Interpretation of Legal Texts 73 (2012). “Access” is one such term, long carrying a “well established” meaning in the “computational sense”—a meaning that matters when interpreting a statute about computers. American Heritage Dictionary 10 (3d ed. 1992). In the computing context, “access” references the act of entering a computer “system itself ” or a particular “part of a computer system,” such as files, folders, or databases.[FN6] It is thus consistent with that meaning to equate “exceed[ing] authorized access” with the act of entering a part of the system to which a computer user lacks access privileges.[FN7] The Government and the dissent's broader interpretation is neither the only possible nor even necessarily the most natural one.

B.

While the statute's language “spells trouble” for the Government's position, a “wider look at the statute's structure gives us even more reason for pause.” Romag Fasteners, Inc. v. Fossil Group, Inc., 590 U. S. ––––, –––– – ––––, 140 S.Ct. 1492, 1495, 206 L.Ed.2d 672 (2020).

The interplay between the “without authorization” and “exceeds authorized access” clauses of subsection (a)(2) is particularly probative. Those clauses specify two distinct ways of obtaining information unlawfully. First, an individual violates the provision when he “accesses a computer without authorization.” § 1030(a)(2). Second, an individual violates the provision when he “exceeds authorized access” by accessing a computer “with authorization” and then obtaining information he is “not entitled so to obtain.” §§ 1030(a)(2), (e)(6). Van Buren's reading places the provision's parts “into an harmonious whole.” Roberts v. Sea-Land Services, Inc., 566 U.S. 93, 100, 132 S.Ct. 1350, 182 L.Ed.2d 341 (2012) (internal quotation marks omitted). The Government's does not.

Start with Van Buren's view. The “without authorization” clause, Van Buren contends, protects computers themselves by targeting so-called outside hackers—those who “acces[s] a computer without any permission at all.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (CA9 2009); see also Pulte Homes, Inc. v. Laborers’ Int'l Union of North Am., 648 F.3d 295, 304 (CA6 2011). Van Buren reads the “exceeds authorized access” clause to provide complementary protection for certain information within computers. It does so, Van Buren asserts, by targeting so-called inside hackers—those who access a computer with permission, but then “ ‘exceed’ the parameters of authorized access by entering an area of the computer to which [that] authorization does not extend.” United States v. Valle, 807 F.3d 508, 524 (CA2 2015).

Van Buren's account of subsection (a)(2) makes sense of the statutory structure because it treats the “without authorization” and “exceeds authorized access” clauses consistently. Under Van Buren's reading, liability under both clauses stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.[FN8] And reading both clauses to adopt a gates-up-or-down approach aligns with the computer-context understanding of access as entry. See supra, at 1657 – 1658.[FN9]

By contrast, the Government's reading of the “exceeds authorized access” clause creates “inconsistenc[ies] with the design and structure” of subsection (a)(2). University of Tex. Southwestern Medical Center v. Nassar, 570 U.S. 338, 353, 133 S.Ct. 2517, 186 L.Ed.2d 503 (2013). As discussed, the Government reads the “exceeds authorized access” clause to incorporate purpose-based limits contained in contracts and workplace policies. Yet the Government does not read such limits into the threshold question whether someone uses a computer “without authorization”—even though similar purpose restrictions, like a rule against personal use, often govern one's right to access a computer in the first place. See, e.g., Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F.3d 756, 757 (CA6 2020). Thus, the Government proposes to read the first phrase “without authorization” as a gates-up-or-down inquiry and the second phrase “exceeds authorized access” as one that depends on the circumstances. The Government does not explain why the statute would prohibit accessing computer information, but not the computer itself, for an improper purpose.[FN10]

The Government's position has another structural problem. Recall that violating § 1030(a)(2), the provision under which Van Buren was charged, also gives rise to civil liability. See § 1030(g). Provisions defining “damage” and “loss” specify what a plaintiff in a civil suit can recover. “ ‘[D]amage,’ ” the statute provides, means “any impairment to the integrity or availability of data, a program, a system, or information.” § 1030(e)(8). The term “loss” likewise relates to costs caused by harm to computer data, programs, systems, or information services. § 1030(e)(11). The statutory definitions of “damage” and “loss” thus focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data. Limiting “damage” and “loss” in this way makes sense in a scheme “aimed at preventing the typical consequences of hacking.” Royal Truck, 974 F.3d at 760. The term's definitions are ill fitted, however, to remediating “misuse” of sensitive information that employees may permissibly access using their computers. Ibid. Van Buren's situation is illustrative: His run of the license plate did not impair the “integrity or availability” of data, nor did it otherwise harm the database system itself.

C.

Pivoting from text and structure, the Government claims that precedent and statutory history support its interpretation. These arguments are easily dispatched.

As for precedent, the Government asserts that this Court's decision in Musacchio v. United States, 577 U.S. 237, 136 S.Ct. 709, 193 L.Ed.2d 639 (2016), bolsters its reading. There, in addressing a question about the standard of review for instructional error, the Court described § 1030(a)(2) as prohibiting “(1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.” Id., at 240, 136 S.Ct. 709. This paraphrase of the statute does not do much for the Government. As an initial matter, Musacchio did not address—much less resolve in the Government's favor—the “point now at issue,” and we thus “are not bound to follow” any dicta in the case. Central Va. Community College v. Katz, 546 U.S. 356, 363, 126 S.Ct. 990, 163 L.Ed.2d 945 (2006). But in any event, Van Buren's interpretation, no less than the Government's, involves “using [one's] access improperly.” It is plainly “improper” for one to use the opportunity his computer access provides to obtain prohibited information from within the computer.

As for statutory history, the Government claims that the original 1984 Act supports its interpretation of the current version. In a precursor to the “exceeds authorized access” clause, the 1984 Act covered any person who, “having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend,” and thus expressly alluded to the purpose of an insider's computer access. 18 U.S.C. § 1030(a)(2) (1982 ed. Supp. III). According to the Government, this confirms that the amended CFAA—which makes no mention of purpose in defining “exceeds authorized access”—likewise covers insiders like Van Buren who use their computer access for an unauthorized purpose.[FN11] The Government's argument gets things precisely backward. “When Congress amends legislation, courts must presume it intends the change to have real and substantial effect.” Ross v. Blake, 578 U. S. 632, 641–642, 136 S.Ct. 1850, 195 L.Ed.2d 117 (2016) (internal quotation marks and brackets omitted). Congress’ choice to remove the statute's reference to purpose thus cuts against reading the statute “to capture that very concept.” Brief for United States 22. The statutory history thus hurts rather than helps the Government's position.

III.

To top it all off, the Government's interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity. Van Buren frames the far-reaching consequences of the Government's reading as triggering the rule of lenity or constitutional avoidance. That is not how we see it: Because the text, context, and structure support Van Buren's reading, neither of these canons is in play. Still, the fallout underscores the implausibility of the Government's interpretation. It is “extra icing on a cake already frosted.” Yates v. United States, 574 U.S. 528, 557, 135 S.Ct. 1074, 191 L.Ed.2d 64 (2015) (KAGAN, J., dissenting).

If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government's reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” § 1030(a)(2)(C)—authorize a user's access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers. And indeed, numerous amici explain why the Government's reading of subsection (a)(2) would do just that—criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook. See Brief for Orin Kerr as Amicus Curiae 10–11; Brief for Technology Companies as Amici Curiae 6, n. 3, 11; see also Brief for Reporters Committee for Freedom of the Press et al. as Amici Curiae 10–13 (journalism activity); Brief for Kyratso Karahalios et al. as Amici Curiae 11–17 (online civil-rights testing and research).

In response to these points, the Government posits that other terms in the statute—specifically “authorization” and “use”—“may well” serve to cabin its prosecutorial power. Brief for United States 35; see Tr. of Oral Arg. 38, 40, 58 (“instrumental” use; “individualized” and “fairly specific” authorization). Yet the Government stops far short of endorsing such limitations. Cf. Brief for United States 37 (concept of “authorization” “may not logically apply”); id., at 38 (“ ‘use’ ” might be read in a more “limited” fashion, even though it “often has a broader definition”); see also, e.g., post, at 1668 – 1669 (mens rea requirement “might” preclude liability in some cases). Nor does it cite any prior instance in which it has read the statute to contain such limitations—to the contrary, Van Buren cites instances where it hasn't. See Reply Brief 14–15, 17 (collecting cases); cf. Sandvig v. Barr, 451 F.Supp.3d 73, 81–82 (D.D.C. 2020) (discussing Department of Justice testimony indicating that the Government could “ ‘bring a CFAA prosecution based’ ” on terms-of-service violations causing “ ‘de minimis harm’ ”). If anything, the Government's current CFAA charging policy shows why Van Buren's concerns are far from “hypothetical,” post, at 1668 – 1669: The policy instructs that federal prosecution “may not be warranted”—not that it would be prohibited—“if the defendant exceed[s] authorized access solely by violating an access restriction contained in a contractual agreement or term of service with an Internet service provider or website.”[FN12] And while the Government insists that the intent requirement serves as yet another safety valve, that requirement would do nothing for those who intentionally use their computers in a way their “job or policy prohibits”—for example, by checking sports scores or paying bills at work. App. 39.

One final observation: The Government's approach would inject arbitrariness into the assessment of criminal liability. The Government concedes, as it must, that the “exceeds authorized access” clause prohibits only unlawful information “access,” not downstream information “ ‘misus[e].’ ” Brief in Opposition 17 (statute does not cover “ ‘subsequen[t] misus[e of] information’ ”). But the line between the two can be thin on the Government's reading. Because purpose-based limits on access are often designed with an eye toward information misuse, they can be expressed as either access or use restrictions. For example, one police department might prohibit using a confidential database for a non-law-enforcement purpose (an access restriction), while another might prohibit using information from the database for a non-law-enforcement purpose (a use restriction). Conduct like Van Buren's can be characterized either way, and an employer might not see much difference between the two. On the Government's reading, however, the conduct would violate the CFAA only if the employer phrased the policy as an access restriction. An interpretation that stakes so much on a fine distinction controlled by the drafting practices of private parties is hard to sell as the most plausible.

IV

In sum, an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him. The parties agree that Van Buren accessed the law enforcement database system with authorization. The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could. Van Buren accordingly did not “excee[d] authorized access” to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose. We therefore reverse the contrary judgment of the Eleventh Circuit and remand the case for further proceedings consistent with this opinion.

It is so ordered.

Footnotes

[FN1] Van Buren also was charged with and convicted of honest-services wire fraud. In a separate holding not at issue here, the United States Court of Appeals for the Eleventh Circuit vacated Van Buren's honest-services fraud conviction as contrary to this Court's decision in McDonnell v. United States, 579 U. S. 550, 136 S.Ct. 2355, 195 L.Ed.2d 639 (2016).

[FN2] Compare Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F.3d 756 (CA6 2020); United States v. Valle, 807 F.3d 508 (CA2 2015); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (CA4 2012); United States v. Nosal, 676 F.3d 854 (CA9 2012) (en banc), with United States v. Rodriguez, 628 F.3d 1258 (CA11 2010); United States v. John, 597 F.3d 263 (CA5 2010); International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (CA7 2006); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (CA1 2001).

[FN3] See, e.g., 7 U.S.C. § 171(8) (authorizing Secretary of Agriculture “[t]o sell guayule or rubber processed from guayule and to use funds so obtained in replanting and maintaining an area”); 18 U.S.C. § 648 (any person responsible for “safe-keeping of the public moneys” who “loans, uses, or converts to his own use ... any portion of the public moneys ... is guilty of embezzlement of the money so loaned, used, converted, deposited, or exchanged”); § 1163 (“[W]hoever embezzles, steals, [or] knowingly converts to his use” money or property “belonging to any Indian tribal organization,” or “[w]hoever, knowing any such moneys ... or other property to have been so embezzled, stolen, [or] converted ... retains the same with intent to convert it to his use,” is subject to punishment); § 1708 (“[W]hoever steals, takes, or abstracts, or by fraud or deception obtains, or attempts so to obtain,” parcels of mail is subject to punishment).

[FN4] The dissent criticizes this interpretation as inconsistent with “basic principles of property law,” and in particular the “familiar rule that an entitlement to use another person's property is circumstance specific.” Post, at 1664 (opinion of THOMAS, J.). But common-law principles “should be imported into statutory text only when Congress employs a common-law term”—not when Congress has outlined an offense “analogous to a common-law crime without using common-law terms.” Carter v. United States, 530 U.S. 255, 265, 120 S.Ct. 2159, 147 L.Ed.2d 203 (2000) (emphasis deleted). Relying on the common law is particularly ill advised here because it was the failure of pre-existing law to capture computer crime that helped spur Congress to enact the CFAA. See supra, at 1652.

[FN5] For the same reason, the dissent is incorrect when it contends that our interpretation reads the additional words “under any possible circumstance” into the statute. Post, at 1663 – 1664 (emphasis deleted). Our reading instead interprets the phrase “so to obtain” to incorporate the single “circumstance” of permissible information access identified by the statute: obtaining the information by using one's computer.

[FN6] 1 Oxford English Dictionary 72 (2d ed. 1989) (“[t]o gain access to ... data, etc., held in a computer or computer-based system, or the system itself ”); Random House Dictionary of the English Language 11 (2d ed. 1987) (“Computers. to locate (data) for transfer from one part of a computer system to another ...”); see also C. Sippl & R. Sippl, Computer Dictionary and Handbook 2 (3d ed. 1980) (“[c]oncerns the process of obtaining data from or placing data in storage”); Barnhart Dictionary of New English 2 (3d ed. 1990) (“to retrieve (data) from a computer storage unit or device ...”); Microsoft Computer Dictionary 12 (4th ed. 1999) (“[t]o gain entry to memory in order to read or write data”); A Dictionary of Computing 5 (6th ed. 2008) (“[t]o gain entry to data, a computer system, etc.”).

[FN7] The dissent makes the odd charge that our interpretation violates the “ ‘presumption against’ ” reading a provision “contrary to the ordinary meaning of the term it defines.” Post, at 1667. But when a statute, like this one, is “addressing a ... technical subject, a specialized meaning is to be expected.” Scalia, Reading Law, at 73. Consistent with that principle, our interpretation tracks the specialized meaning of “access” in the computer context. This reading is far from “ ‘repugnant to’ ” the meaning of the phrase “exceeds authorized access,” post, at 1667—unlike, say, a definitional provision directing that “ ‘the word dog is deemed to include all horses.’ ” Scalia, supra, at 232, n. 29.

[FN8] For present purposes, we need not address whether this inquiry turns only on technological (or “code-based”) limitations on access, or instead also looks to limits contained in contracts or policies. Cf. Brief for Orin Kerr as Amicus Curiae 7 (urging adoption of code-based approach).

[FN9] Van Buren's gates-up-or-down reading also aligns with the CFAA's prohibition on password trafficking. See Tr. of Oral Arg. 33. Enacted alongside the “exceeds authorized access” definition in 1986, the password-trafficking provision bars the sale of “any password or similar information through which a computer may be accessed without authorization.” § 1030(a)(6). The provision thus contemplates a “specific type of authorization—that is, authentication,” which turns on whether a user's credentials allow him to proceed past a computer's access gate, rather than on other, scope-based restrictions. Bellia, A Code-Based Approach to Unauthorized Access Under the Computer Fraud and Abuse Act, 84 Geo. Wash. L. Rev. 1442, 1470 (2016); cf. A Dictionary of Computing, at 30 (defining “authorization” as a “process by which users, having completed an ... authentication stage, gain or are denied access to particular resources based on their entitlement”).

[FN10] Unlike the Government, the dissent would read both clauses of subsection (a)(2) to require a circumstance-specific analysis. Doing so, the dissent contends, would reflect that “[p]roperty law generally protects against both unlawful entry and unlawful use.” Post, at 1666. This interpretation suffers from structural problems of its own. Consider the standard rule prohibiting the use of one's work computer for personal purposes. Under the dissent's approach, an employee's computer access would be without authorization if he logged on to the computer with the purpose of obtaining a file for personal reasons. In that event, obtaining the file would not violate the “exceeds authorized access” clause, which applies only when one accesses a computer “with authorization.” § 1030(e)(6) (emphasis added). The dissent's reading would therefore leave the “exceeds authorized access” clause with no work to do much of the time—an outcome that Van Buren's interpretation (and, for that matter, the Government's) avoids.

[FN11] While the Government insists that Congress made this change “ ‘merely to clarify the language’ ” of § 1030(a)(2), Brief for United States 28, the dissent has a different take. In the dissent's telling, the 1986 amendment in fact “expand[ed]” the provision to reach “time and manner” restrictions on computer access—not just purpose-based ones. Post, at 1667 – 1668. The dissent's distinct explanation for why Congress removed § 1030(a)(2)’s reference to “purpose” requires accepting that the “exceeds authorized access” definition supports a circumstance-specific approach. We reject the dissent's premise for the textual and structural reasons already discussed.

[FN12] Memorandum from U. S. Atty. Gen. to U. S. Attys. & Assistant Attys. Gen. for the Crim. & Nat. Security Divs., Intake and Charging Policy for Computer Crime Matters 5 (Sept. 11, 2014), https://www.justice.gov/criminal-ccips/file/904941/download (emphasis added). Although the Government asserts that it has “[h]istorically” prosecuted only “core conduct” like Van Buren's and not the commonplace violations that Van Buren fears, Brief for United States 40, the contrary examples Van Buren and his amici cite give reason to balk at that assurance. See Brief for Petitioner 32–33; Brief for Orin Kerr as Amicus Curiae 18–23; Brief for Technology Companies as Amici Curiae 11.

Memorandum Opinion and Order

Pamela McLean Meyerson, Judge.

This matter came before the Court on Defendant's motion to dismiss the Complaint. For the reasons explained below, the motion is denied.

Background

The central conflict in this case is the clash between privacy rights and First Amendment protections in an age of ever-more-powerful technology. Defendant Clearview AI, Inc. (“Clearview”) used facial recognition technology to capture more than three billion faceprints from publicly-available photos on the internet.[FN1] A faceprint is a biometric identifier used to verify a person's identity. To create a faceprint, Clearview's system scans the photo, measures and records data such as the shape of the cheekbones and the distance between eyes, nose, and ears, and assigns that data a numerical value. These faceprints are then collected into a database, with faceprints for similar-looking faces clustered together. Clearview sells access to its technology, database, and investigative tools—the “world's best facial-recognition technology combined with the world's largest database of headshots”—by subscription to public and private entities. When a user wants to identify someone, the user uploads a photo. The system then processes the request, finds matches, and returns links to publicly-available images on the internet. Often, the linked websites will include additional information about the person identified.

Clearview does not seek or receive permission to create and store faceprints of the persons depicted in the photos.

On May 28, 2020, Plaintiffs filed their one-count Complaint in this action, seeking relief under the Illinois Biometric Information and Privacy Act (“BIPA”), 740 ILCS 14/1 et seq. Plaintiffs are the national and Illinois American Civil Liberties Union organizations and four other organizations suing on behalf of their members, clients and program participants. The Complaint alleges that these individuals—including survivors of domestic violence and sexual assault, undocumented immigrants, current and former sex workers, and individuals who regularly exercise their constitutional rights to protest and to access reproductive healthcare—live in Illinois and have particular reasons to fear loss of privacy, anonymity and security.

The Complaint alleges that Clearview violated Section 15(b) of BIPA, which provides:

(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:

(1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;

(2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.

Plaintiffs allege that Clearview “systematically and automatically captured, used and stored their biometric identifiers without first obtaining the written release” as required. Cplt. at ¶ 70.

In addition, Plaintiffs allege that Clearview did not publicly provide a retention schedule or guidelines for permanently destroying individuals' biometric identifiers, in violation of Section 15(a) of BIPA:

(a) A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.

Cplt. at ¶ 72.

Plaintiffs seek an injunction ordering Clearview to destroy all biometric identifiers that Clearview collected and stored in violation of BIPA, to comply with BIPA's disclosure and consent requirements in the future, and to award Plaintiffs their attorneys' fees and costs.

Clearview moved to dismiss. The parties briefed the motion and the Court also received amicus briefs from the Electronic Frontier Foundation and from two groups of law professors (one in support and one in opposition to the motion). The Court heard oral argument by Zoom on April 2, 2021 and took the matter under advisement.

Analysis

Clearview describes itself as a “small technology company” that helps law enforcement agencies identify perpetrators and victims of crimes using publicly-available images from the internet. (Clearview Memo at 1). Plaintiffs describe Clearview's business model as a “nightmare scenario.” (Complaint at ¶ 41). Whichever description is closer to the truth, this case touches on matters of significant public interest.

Clearview makes a variety of constitutional, common law and statutory arguments in support of dismissal. First, Clearview contends it is not subject to personal jurisdiction in Illinois. Second, it argues that the extraterritoriality doctrine and the dormant Commerce Clause preclude the application of BIPA to Clearview's conduct. Next, it argues that BIPA is unconstitutional, as applied to Clearview, under the First Amendment to the U.S. Constitution and Article I, Section 4 of the Illinois Constitution. Finally, it argues that BIPA by its terms does not apply to Clearview's collection of biometric data from publicly-available photos.

Procedural Standard

To begin, Clearview does not specify the section of the Illinois Code of Civil Procedure under which it brings this motion. The Court assumes Clearview's request to dismiss for lack of jurisdiction is brought under 735 ILCS 5/2-301, which deals with objections to jurisdiction over the person. Such a motion may be brought either singly as the first substantive motion in a case, or combined with another motion as described in Section 2-619.1 of the Code.

Clearview has chosen to combine its motion to dismiss for lack of jurisdiction with a motion to dismiss on other grounds, but does not specify whether its other arguments are made under section 2-615 or 2-619 of the Code. It makes a difference. A section 2-615 motion to dismiss challenges the legal sufficiency of a complaint based on defects apparent on its face. Marshall v. Burger King Corp., 222 Ill. 2d 422, 429 (2006). The court must consider, in a light most favorable to the plaintiff, if the complaint is sufficient to state a cause of action upon which relief can be granted. Id. On the other hand, a section 2-619 motion admits the legal sufficiency of the complaint and raises defects, defenses, or other affirmative matters that defeat the plaintiff's claim. Those defects may appear on the face of the complaint or be established by affidavit or other evidence. Spirit of Excellence v. Intercargo Ins. Co., 334 Ill. App. 3d 136, 145 (1st Dist. 2002).

While it is not entirely clear, Clearview's non-jurisdictional arguments appear to challenge the legal sufficiency of the Complaint, rather than admitting the legal sufficiency of the Complaint and raising affirmative matter to defeat it. Therefore, the Court will treat the non-jurisdictional arguments as being brought under section 2-615.

Jurisdiction

To analyze an Illinois court's jurisdiction over a case, we start from Illinois' long-arm statute, 735 ILCS 5/2-209. Subsection (c) is a catchall provision allowing Illinois courts to exercise jurisdiction “on any other basis now or hereafter permitted by the Illinois Constitution and the Constitution of the United States.” So if the contacts between a defendant and Illinois are sufficient to satisfy federal due process concerns, the requirements of Illinois' long-arm statute have been met, and no further inquiry is necessary. Morris v. Halsey Enters. Co., 379 Ill. App. 3d 574, 579 (1st Dist. 2008).
Personal jurisdiction may be general or specific. Clearview is incorporated in Delaware and has its principal place of business in New York, so it is not “at home” in Illinois and general jurisdiction does not apply—nor do Plaintiffs say it does. Rather, Plaintiffs contend the Court has specific jurisdiction over Clearview.

Specific jurisdiction applies when a defendant is “less intimately connected with a State” and yet is still sufficiently connected to meet the requirements of due process. Ford Motor Co. v. Montana Eighth Judicial Dist. Court, 141 S. Ct. 1017, 1024 (2021).

To determine whether the due process standard has been met, we consider whether (1) the nonresident defendant had “minimum contact” with Illinois such that there was “fair warning” that the nonresident defendant may be haled into an Illinois court; (2) the action arose out of or related to the defendant's contacts with Illinois; and (3) it is reasonable to require the defendant to litigate in Illinois. In other words, the defendant should be able to “reasonably anticipate” being called into an Illinois court. Burger King Corp. v, Rudzewicz, 471 U.S. 462 (1985).

Morgan, Lewis & Bockius LLP v. City of E. Chicago, 401 Ill. App. 3d 947, 954 (1st Dist. 2010) (internal citation omitted).

When a defendant is a nonresident, the plaintiff bears the burden of proof to establish personal jurisdiction. Morris, 379 Ill. App. 3d at 579. Here, Plaintiffs contend they have met that burden by showing that “Clearview has extensive contacts with Illinois, those contacts relate to Plaintiffs' cause of action, and it is reasonable to require Clearview to litigate in Illinois.” (Pltfs' Resp at 5). Plaintiffs detail those contacts in their Complaint and in two declarations attached to their response. They assert that Clearview directly marketed its faceprint database in Illinois, offering its service to employees of the Illinois Secretary of State, Springfield Police Department, Chicago Police Department, and more. The Complaint alleges that Clearview provided its faceprint database to over 105 public and private entities in Illinois and facilitated thousands of searches by those entities.

Clearview contends it does not target Illinois through advertising and marketing. Rather, it says, its app is marketed “nationwide.” (Schwartz Declaration ¶ 6, Exh. B to Def's Memorandum).

Where, as here, there is a conflict between the facts set forth by plaintiff and defendant on a motion to dismiss for lack of personal jurisdiction, that factual conflict must be resolved in plaintiff's favor. Mutnick v. Clearview AI, Inc., 2020 U.S. Dist. LEXIS 144583 *7 (N.D. Ill. 2020). Clearview need not especially or exclusively target Illinois in its marketing; rather, Clearview must only have been able to reasonably foresee that its service would be sold here. Id. at *8. In Mutnick, the U.S. District Court for the Northern District of Illinois decided this very issue, finding it had personal jurisdiction over Clearview in Illinois because Clearview “took biometric information from Illinois residents, created a surveillance database, and then marketed and sold licenses to use this database to entities in Illinois.” Id. at *7.

Clearview argued in its motion that its actions in Illinois did not “give rise” to any alleged harm. At oral argument, the parties discussed the implications of the then-week-old U.S. Supreme Court decision in Ford Motor Co. v. Montana Eighth Judicial Dist. Court, 141 S. Ct. 1017 (2021). That case emphasized the second part of the requirement that an action “arise out of” or “relate to” a defendant's contacts with a state. While “arise out of” requires a causal connection, “relate to” does not. The court cautioned that, while “relate to” is broader than “arise out of,” there are “real limits” to its reach. The court based those limits on concepts of fairness, reciprocity, and predictability. In Ford, the defendant advertised, sold, and serviced vehicles in Montana and Minnesota. Plaintiffs filed product liability actions against Ford in Montana and Minnesota in two separate cases. In both cases, the injury took place in the forum state, but the vehicle that caused the injury was not sold there. The court found sufficient grounds for the state courts to exercise jurisdiction, even though the injuries could not be said to “arise out of” the state contacts. The cases did “relate to” each of the states because “Ford had systematically served a market in Montana and Minnesota for the very vehicles that the plaintiffs alleged malfunctioned and injured them in those states.” Id. at 1028.

The same is true in our case. Taking Plaintiffs' allegations and verified statements as true, Clearview deliberately and successfully marketed its services in Illinois to Illinois customers. Those Illinois customers (and others) were then able to search a database of faceprints that included faceprints of Illinois residents collected in violation of BIPA. Just as Ford was required to litigate in forums where it had marketed its allegedly defective products, Clearview's regular activity in Illinois is sufficiently “related to” this case that it is reasonable to require Clearview to litigate it in Illinois.

Clearview relies upon Gullen v. Facebook.com, Inc., 2016 U.S. Dist. LEXIS 6958 (N.D. Ill. 2016), but Mutnick and Ford are more recent and more on point. Further, Gullen is distinguishable from our case. Gullen was a proposed class action against Facebook under BIPA. Facebook's alleged connections to Illinois consisted of registering to do business here, maintaining a general sales and marketing office here, and making its website available to Illinois residents. Id. at *5. The court found that the first two contacts had “no relationship” to the face recognition technology at issue in the suit, and that making its website accessible to Illinois residents was not the same as intentionally targeting them. By contrast, Plaintiffs in our case showed that Clearview targeted Illinois by marketing its faceprint database to a substantial number of Illinois customers. Those activities related to the very product at issue in this case.

The motion to dismiss on jurisdictional grounds is denied, and the Court will consider the arguments on the merits.

Application of BIPA to Faceprints

Clearview argued that BIPA by its terms does not apply to photographs, or to faceprints derived from photographs. It's important to distinguish between the two. While BIPA provides that “biometric identifiers do not include … photographs,” it also defines “biometric identifiers” to include a “scan of … face geometry.” 740 ILCS 14/10. The Complaint describes a faceprint as just that, a scan of face geometry. The fact that the scan was made from a photo and not from a live person does not change that fact. Federal district court cases have considered this issue and concluded that BIPA's protections apply to faceprints created from photos. Rivera v. Google Inc., 238 F. Supp. 3d 1088, 1096 (N.D. Ill. 2017); In re Facebook Biometric Privacy Info. Litig., 185 F. Supp. 3d 1155, 1172 (N.D. Cal. 2016); Monroy v. Shutterfly Inc., 2017 U.S. Dist. LEXIS 149604, *11-12 (N.D. Ill. 2017). Clearview essentially conceded this point at oral argument, choosing simply to rest on its briefs and not argue the matter further.

The Court holds that BIPA's protections apply to faceprints.

Extraterritoriality

In related arguments, Clearview contends that the Complaint fails under Illinois' extraterritoriality doctrine because BIPA cannot regulate out-of-state conduct; and that the Complaint fails under the U.S. Constitution's dormant Commerce Clause because applying BIPA to Clearview would have the practical effect of regulating commerce in another state.

Concerning extraterritoriality, Illinois courts have recognized a “long-standing rule of construction” that a statute will not have extraterritorial effect “unless a clear intent in this respect appears from the express provisions of the statute.” Avery v. State Farm Mut. Auto. Ins. Co., 216 Ill. 2d 100, 184-85 (2005). While that intent may not have been expressed explicitly in BIPA, its legislative findings come close. The Ninth Circuit Court of Appeals found it “reasonable to infer [from the BIPA's legislative findings] that the General Assembly contemplated BIPA's application to individuals who are located in Illinois, even if some relevant activities occur outside the state.” Specifically, the court noted the statute's finding that “[m]ajor national corporations” were targeting locations in Illinois as “pilot testing sites for new applications of biometric-facilitated financial transactions.” Patel v. Facebook, Inc., 932 F.3d 1264, 1276 (9th Cir. 2019) (emphasis added); 740 ILCS 14/5(b).[FN2]

The court in Rivera v. Google, 238 F. Supp. 3d 1088, 1100 (N.D. Ill. 2017) denied a motion to dismiss a BIPA complaint on extraterritoriality grounds, holding that discovery was needed to develop facts concerning where the violation “primarily and substantially” took place. In Rivera, plaintiffs claimed that their Google Droid device uploaded photos automatically to the cloud, scanned the photos, and made a template (what our Plaintiffs call a “faceprint”) without their knowledge or consent. The Rivera court noted that plaintiffs were residents of Illinois, the photos in question were taken in Illinois and uploaded to the cloud from an Illinois IP address, and the defendant failed to give plaintiffs the required notice and get their consent in Illinois. The court held that these facts, if proven true, “tip toward a holding that the alleged violations primarily happened in Illinois.” Id. at 1101-1102.

The Court holds that the extraterritoriality doctrine does not warrant dismissal of Plaintiffs' Complaint. When considering a 2-615 motion to dismiss, the court must take as true all well-pled allegations of a complaint and all reasonable inferences that could be drawn from those facts. Village of Wheeling v. Stavros, 89 Ill. App. 3d 450, 453 (1st Dist. 1980). The Complaint alleges that Plaintiffs are Illinois residents and that photos of them appear on the internet. It is reasonable to infer, as Plaintiffs suggest, that “of the many millions of images uploaded by Illinoisans and collected by Clearview, many were uploaded from Illinois” and that Clearview's Illinois customers used Clearview to search for Illinois residents. Pltf. Resp at 11.

Dormant Commerce Clause

The Commerce Clause of the U.S. Constitution provides that Congress has the exclusive power to “regulate Commerce … among the several States.” U.S. Const. Art. I, § 8, Cl 3. The dormant Commerce Clause “precludes the application of a state statute to commerce that takes place wholly outside of the State's borders, whether or not the commerce has effects within the State.... The critical inquiry is whether the practical effect of the regulation is to control conduct beyond the boundaries of the State.” Healy v. Beer Inst., 491 U.S. 324, 336 (1989).

Clearview argues that BIPA cannot be applied to it in this case because that would have the practical effect of controlling its conduct outside of Illinois, given that “in many cases it is in fact impossible to identify where a photo on the Internet comes from—or where the person in the photo resides.” Clearview objects to being made subject to BIPA's constraints “merely because some small percentage of Clearview's database of ‘three billion’ publicly-available photographs contain images of Illinois residents.” Def. Memo at 14-15.

This argument is troubling. A “small percentage” of three billion is a very large number. One percent of three billion is thirty million. Maybe the percentage is not exact, but many Illinois residents have indisputably had their biometric information captured by Clearview. Yet Clearview argues that BIPA should not apply to it because Clearview built a system and a business model—the “world's best facial-recognition technology combined with the world's largest database of headshots”—in such a way that it cannot identify which of its faceprints are associated with Illinois residents, so it cannot comply with Illinois law.

The dangers of accepting this argument are apparent. It would reward reckless disregard of the law in blind deference to technology—a kind of “too big to comply” argument. The Court rejects Clearview's dormant Commerce Clause argument.

The Facebook court in California also soundly rejected the dormant Commerce Clause argument:

Facebook's cursory reference to the specter of inconsistent regulations is equally unavailing. Facebook says that the Commerce Clause “precludes Illinois from overriding the decisions of California and other states” to not regulate biometric information …, but there is no risk of Illinois law overriding the laws of the other states. This suit involves Facebook's conduct with respect to Illinois users only, and even so, evidence in the record shows that Facebook can activate or deactivate features for users in specific states with apparent ease when it wants to do so. … Nothing indicates that liability under BIPA would force Facebook to change its practices with respect to residents of other states.

In re Facebook Biometric Info. Privacy Litig., 2018 U.S. Dist. LEXIS 81044, at *14 (N.D. Cal. 2018).

First Amendment

Clearview argues that BIPA is unconstitutional as applied in this case. Clearview contends it is engaged in protected speech under the First Amendment, that the proper standard of review is strict scrutiny, and that BIPA cannot survive strict scrutiny. Clearview emphasizes that all the photos it uses in its system were obtained from publicly-available online sources.

Is It Speech?

The First Amendment protects not just expression, but some necessary predicates to expression such as making an audio recording (ACLU v Alvarez, 679 F.3d 583 (7th Cir. 2012)) or observing a trial (Richmond Newspapers, Inc. v. Virginia, 448 U.S. 555). It can protect not just words but also symbolic notations such as musical scores and computer code. (Universal City Studios, Inc. v. Corley, 273 F.3d 429, 449 (2d Cir. 2001).

Clearview describes the creation and use of its app as the “creation and dissemination of information,” which constitutes speech under Sorrell v. IMS Health Inc., 564 U.S. 552, 570 (2011) and People v Austin, 2019 IL 123910 ¶ 31. All the amici agreed or assumed that Clearview's activities involve speech entitled to some level of First Amendment protection. Plaintiffs argue that Clearview's activities involve conduct, not speech. At the same time, they concede that applying BIPA to Clearview has an incidental effect on Clearview's speech.

The Court finds that Clearview's activities involve expression and its predicates, which are entitled to some First Amendment protection. That does not end the inquiry. The First Amendment does not fully protect every act that involves collection or analysis of data. For instance, stealing documents and private wiretapping involve collection of data, but they are not protected by the First Amendment even if the purpose is to obtain information for a news story. Branzburg v. Hayes, 408 U.S. 665, 691 (1972). To determine whether a law violates the First Amendment, the Court must first decide what level of scrutiny to apply.

Level of Scrutiny

Clearview argues that BIPA is subject to strict scrutiny, because it is a content-based regulation of speech. Plaintiffs argue that BIPA is subject to intermediate scrutiny because it is a content-neutral regulation that only incidentally burdens speech.

Clearview contends that BIPA is content-based because it targets specific content—biometric information such as faceprints, but not other content such as photos. This is a distinction between types of media, not their content. If BIPA regulated, say, capture of faceprints of people yelling but not faceprints of people smiling, that would be a content-based distinction. BIPA does nothing of the sort.

Amici Law Professors in Opposition to Defendant's Motion emphasize the content/source distinction and suggest that intermediate scrutiny is proper. The fact that BIPA grants privacy protections for certain kinds of communications does not make it a content-based speech restriction, they contend. They cite Bartnicki v. Vopper, 532 U.S. 514, 526 (2016), which held that the Electronic Communications Privacy Act's prohibition on intercepting and disseminating the contents of wire, oral, and electronic communications was not a content-based speech restriction. The communications were “singled out … by virtue of the source, rather than the subject matter.” Id.[FN3] The Court finds that BIPA imposes content-neutral time, place or manner restrictions.

Clearview also argues that strict scrutiny is appropriate because BIPA distinguishes between which speakers are subject to the law and which are not, by exempting from the statute's coverage any “subcontractor, contractor, or agent of a State agency.” 740 ILCS 14/25(e); see Sorrell v. IMS Health Inc., 564 U.S. 552, 570-571 (2011). Speaker-based distinctions should lead to strict scrutiny only if those exemptions are hiding content- or viewpoint-based preferences. In Sorrell, the court found that a speaker-based distinction (regulating who could and who could not talk about certain drugs) reflected a viewpoint-based distinction in favor of speech promoting generic drugs. In summarizing its holding, the court focused on the effect of the law on suppressing certain ideas: “Privacy is a concept too integral to the person and a right too essential to freedom to allow its manipulation to support just those ideas the government prefers.” Id. at 580.

By contrast, BIPA's speaker-based exemptions do not appear to favor any particular viewpoint. As BIPA's restrictions are content-neutral, the Court finds that intermediate scrutiny is the proper standard.

BIPA Survives Intermediate Scrutiny

The U.S. Supreme Court described the application of intermediate scrutiny as follows:

[A] government regulation is sufficiently justified

[1] if it is within the constitutional power of the Government;

[2] if it furthers an important or substantial governmental interest;

[3] if the governmental interest is unrelated to the suppression of free expression; and

[4] if the incidental restriction on alleged First Amendment freedoms is no greater than is essential to the furtherance of that interest.

United States v. O'Brien, 391 U.S. 367, 377 (1968) (numbering and formatting added).

BIPA meets all these requirements. First, the Illinois legislature unquestionably had the power to enact the statute. Second, BIPA furthers an important governmental interest, which the statute describes explicitly. The Illinois Supreme Court in Rosenbach v. Six Flags Entm't Corp., 2019 IL 123186 ¶ 35, pointed out that BIPA contains the General Assembly's “stated assessment of the risks posed by the growing use of biometrics by businesses and the difficulty in providing meaningful recourse once a person's biometric identifiers or biometric information has been compromised.” The court stated that BIPA tries “to head off such problems before they occur,” by imposing safeguards and punishing violators. Id. at ¶ 36.

This governmental interest is unrelated to the suppression of free expression. BIPA proscribes non-consensual face printing not for what it expresses, but for the risks it poses to the subject's privacy and security. The legislature was concerned about “the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.” It was concerned about “public welfare, security, and safety.” Id. at ¶ 37.

Finally, the incidental restrictions on Clearview's First Amendment freedoms are no greater than necessary to further the governmental interest of protecting citizens' privacy and security. BIPA does not prohibit Clearview from collecting or republishing publicly-available photographs or expressing an opinion about who is pictured in them. Nor does BIPA prohibit all use of faceprints. Instead, it requires Clearview to first provide notice and receive consent from the Illinois individuals involved. This is “to insure that individuals' and customers' privacy rights in their biometric identifiers and biometric information are properly honored and protected to begin with, before they are or can be compromised.” Id.

Clearview emphasizes that the photos from which they make faceprints are publicly available and that Plaintiffs have no “expectation of privacy” in them. We must distinguish between the publicly-available photos Clearview harvested and what Clearview does with them. Clearview says it “collects publicly-available images from the Internet, analyzes them, and returns search results to licensed users of Clerview's service.” Dft's Memo at 1. BIPA comes in at the “analysis” stage, regulating the particular manner in which biometric information is captured from the photos, used, and stored.

The fact that something has been made public does not mean anyone can do with it as they please. In the Fourth Amendment context, where the “expectation of privacy” concept is most common, law enforcement is not always allowed to use technology to analyze what is public and visible. For instance, the U.S. Supreme Court held in Kyllo v. United States, 533 U.S. 27, 35-36, that law enforcement could not aim an infrared heat scanner at the exterior of a house to search for drugs. So, too, in our case the photos may be public, but making faceprints from them may be regulated.

In discussing the burden BIPA imposes upon its expression, Clearview focuses on BIPA's practical effect. Clearview relies heavily on Sorrell, 564 U.S. at 565, for the proposition that “the First Amendment prohibits the application of laws that have the purpose and/or practical effect of burdening speech by reducing the effectiveness of its content.” Dft's Memo at 21 (emphasis added). Clearview argues that the “inevitable effect” of BIPA would be to cripple its app—“nothing less than preventing the identification of individuals whose published photographs were on the Internet.” Dft's Memo at 21. They contend it is “quite literally impossible to know based on publicly-available photos on the Internet from whom BIPA requires consent.” Trans. of 4/2/21 argument at 51.

The debate over Clearview's “reduced effectiveness” argument can be simplified as follows:

Clearview: In our business, we scrape billions of photos off the internet, download them blindly,[FN4] turn them into faceprints and allow our customers to search them.

Plaintiffs: You can't do that to people from Illinois without their permission.

Clearview: We can't possibly get their permission.

In balancing privacy rights and the First Amendment, should the Court's response be:

A: Then go ahead.

or

B: Then figure out a way, or you might be liable under BIPA.

The Court favors B, fully recognizing that this may have an effect on Clearview's business model. Inevitably, Clearview may experience “reduced effectiveness” in its service as it attempts to address BIPA's requirements. That is a function of having forged ahead and blindly created billions of faceprints without regard to the legality of that process in all states.

Suppose a company collected pictures of naked young people from the internet and shared the links with its customers without regard to whether or not the subjects were under 18. Suppose they did it blindly and said, “we have no way of knowing.” Applying child pornography laws to this company would surely reduce the effectiveness of their service. But that would not excuse the company from complying with those laws. By the same reasoning, Clearview is not excused from complying with BIPA.

In sum, BIPA's restrictions on Clearview's First Amendment freedoms are no greater than what's essential to further Illinois' interest in protecting its citizens' privacy and security. Requiring notice and opt-in consent is a reasonable and well-tailored solution that returns control over citizens' biometrics to the individuals whose identities could be compromised.

Clearview's final First Amendment argument is that BIPA is unconstitutionally overbroad because its application would suppress a large amount of speech that is fully protected under the First Amendment. This argument also hinges on the fact that Clearview cannot identify where its images came from. The Court finds that BIPA is not overbroad, as it does not concern the rights of non-Illinois residents.

Of course, today's decision does not mean the Court has found Clearview liable for violating BIPA. Rather, today the Court rules that it has jurisdiction over the case and that the Complaint states a cause of action for which relief may be granted.

Clearview's motion to dismiss is denied.

Entered.

Footnotes

[FN1] The facts recited here are derived from Plaintiffs' Complaint and its exhibits, and are accepted as true for purposes of Defendant's motion to dismiss. See Kedzie & 103rd Currency Exchange v. Hodge, 156 Ill. 2d 112, 115 (1993).

[FN2] The legislature was concerned about what national actors might do with Illinois residents' biometric information, because “biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse [and] is at heightened risk for identity theft …” Further, “The full ramifications of biometric technology are not fully known.” 740 ILCS 14/5(c) and (f).

[FN3] Amici Professors in Support of Defendant's motion suggest strict scrutiny is appropriate. They contend BIPA is content-based because it prohibits faceprints of humans but not of cats. A true content-based distinction would focus on what the subject communicates, not the subject's species. So if a law allowed a cat to say “Mow” but not “Mew,” that would be content-based.

[FN4] “that is, without knowledge of who the subject of the image is”—Declaration of Clearview General Counsel Thomas Mulcaire, Exh. A to Clearview's Memo.

HIQ LABS, INC., Plaintiff-Appellee,
v.
LINKEDIN CORPORATION, Defendant-Appellant.

No. 17-16783

Argued and Submitted October 18, 2021
San Francisco, California

Filed April 18, 2022

Before: J. Clifford Wallace and Marsha S. Berzon, Circuit Judges, and Terrence Berg, District Judge for the Eastern District of Michigan, sitting by designation.

Opinion

BERZON, Circuit Judge

We first issued an opinion in this case in September 2019, addressing the question whether LinkedIn, the professional networking website, could prevent a competitor, hiQ, from collecting and using information that LinkedIn users had shared on their public profiles, available for viewing by anyone with a web browser. hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019). HiQ, a data analytics company, had obtained a preliminary injunction forbidding LinkedIn from denying hiQ access to publicly available LinkedIn member profiles. At the preliminary injunction stage, we did not resolve the companies' legal dispute definitively, nor did we address all the claims and defenses they had pleaded in the district court. Instead, we focused on whether hiQ had raised serious questions on the merits of the factual and legal issues presented to us, as well as on the other requisites for preliminary relief. We concluded that hiQ had done so, and we therefore upheld the preliminary injunction.

The Supreme Court granted LinkedIn's petition for writ of certiorari, vacated the judgment, and remanded this case for further consideration in light of Van Buren v. United States, ––– U.S. ––––, 141 S. Ct. 1648, 210 L.Ed.2d 26 (2021). LinkedIn Corp. v. hiQ Labs, Inc., ––– U.S. ––––, 141 S. Ct. 2752, 210 L.Ed.2d 902 (2021). We ordered supplemental briefing and held oral argument on the effect of Van Buren on this appeal. Having concluded that Van Buren reinforces our determination that hiQ has raised serious questions about whether LinkedIn may invoke the Computer Fraud and Abuse Act (“CFAA”) to preempt hiQ's possibly meritorious tortious interference claim, we once again affirm the preliminary injunction.

I.

Founded in 2002, LinkedIn is a professional networking website with over 500 million members.1 Members post resumes and job listings and build professional “connections” with other members. LinkedIn specifically disclaims ownership of the information users post to their personal profiles: according to LinkedIn's User Agreement, members own the content and information they submit or post to LinkedIn and grant LinkedIn only a non-exclusive license to “use, copy, modify, distribute, publish, and process” that information.

LinkedIn allows its members to choose among various privacy settings. Members can specify which portions of their profile are visible to the general public (that is, to both LinkedIn members and nonmembers), and which portions are visible only to direct connections, to the member's “network” (consisting of LinkedIn members within three degrees of connectivity), or to all LinkedIn members.2 This case deals only with profiles made visible to the general public.

LinkedIn also offers all members—whatever their profile privacy settings—a “Do Not Broadcast” option with respect to every change they make to their profiles. If a LinkedIn member selects this option, her connections will not be notified when she updates her profile information, although the updated information will still appear on her profile page (and thus be visible to anyone permitted to view her profile under her general privacy setting). More than 50 million LinkedIn members have, at some point, elected to employ the “Do Not Broadcast” feature, and approximately 20 percent of all active users who updated their profiles between July 2016 and July 2017—whatever their privacy setting—employed the “Do Not Broadcast” setting.

LinkedIn has taken steps to protect the data on its website from what it perceives as misuse or misappropriation. The instructions in LinkedIn's “robots.txt” file—a text file used by website owners to communicate with search engine crawlers and other web robots—prohibit access to LinkedIn servers via automated bots, except that certain entities, like the Google search engine, have express permission from LinkedIn for bot access.3 LinkedIn also employs several technological systems to detect suspicious activity and restrict automated scraping.4 For example, LinkedIn's Quicksand system detects non-human activity indicative of scraping; its Sentinel system throttles (slows or limits) or even blocks activity from suspicious IP addresses;5 and its Org Block system generates a list of known “bad” IP addresses serving as large-scale scrapers. In total, LinkedIn blocks approximately 95 million automated attempts to scrape data every day, and has restricted over 11 million accounts suspected of violating its User Agreement,6 including through scraping.

HiQ is a data analytics company founded in 2012. Using automated bots, it scrapes information that LinkedIn users have included on public LinkedIn profiles, including name, job title, work history, and skills. It then uses that information, along with a proprietary predictive algorithm, to yield “people analytics,” which it sells to business clients.

HiQ offers two such analytics. The first, Keeper, purports to identify employees at the greatest risk of being recruited away. According to hiQ, the product enables employers to offer career development opportunities, retention bonuses, or other perks to retain valuable employees. The second, Skill Mapper, summarizes employees' skills in the aggregate. Among other things, the tool is supposed to help employers identify skill gaps in their workforces so that they can offer internal training in those areas, promoting internal mobility and reducing the expense of external recruitment.

HiQ regularly organizes “Elevate” conferences, during which participants discuss hiQ's business model and share best practices in the people analytics field. LinkedIn representatives participated in Elevate conferences beginning in October 2015. At least ten LinkedIn representatives attended the conferences. LinkedIn employees have also spoken at Elevate conferences. In 2016, a LinkedIn employee was awarded the Elevate “Impact Award.” LinkedIn employees thus had an opportunity to learn about hiQ's products, including “that [one of] hiQ's product[s] used data from a variety of sources—internal and external—to predict employee attrition” and that hiQ “collected skills data from public professional profiles in order to provide hiQ's customers information about their employees' skill sets.”

In recent years, LinkedIn has explored ways to capitalize on the vast amounts of data contained in LinkedIn profiles by marketing new products. In June 2017, LinkedIn's Chief Executive Officer (“CEO”), Jeff Weiner, appearing on CBS, explained that LinkedIn hoped to “leverage all this extraordinary data we've been able to collect by virtue of having 500 million people join the site.” Weiner mentioned as possibilities providing employers with data-driven insights about what skills they will need to grow and where they can find employees with those skills. Since then, LinkedIn has announced a new product, Talent Insights, which analyzes LinkedIn data to provide companies with such data-driven information.7

In May 2017, LinkedIn sent hiQ a cease-and-desist letter, asserting that hiQ was in violation of LinkedIn's User Agreement and demanding that hiQ stop accessing and copying data from LinkedIn's server. The letter stated that if hiQ accessed LinkedIn's data in the future, it would be violating state and federal law, including the CFAA, the Digital Millennium Copyright Act (“DMCA”), California Penal Code § 502(c), and the California common law of trespass. The letter further stated that LinkedIn had “implemented technical measures to prevent hiQ from accessing, and assisting others to access, LinkedIn's site, through systems that detect, monitor, and block scraping activity.”

HiQ's response was to demand that LinkedIn recognize hiQ's right to access LinkedIn's public pages and to threaten to seek an injunction if LinkedIn refused. A week later, hiQ filed an action, seeking injunctive relief based on California law and a declaratory judgment that LinkedIn could not lawfully invoke the CFAA, the DMCA, California Penal Code § 502(c), or the common law of trespass against it. HiQ also filed a request for a temporary restraining order, which the parties subsequently agreed to convert into a motion for a preliminary injunction.

The district court granted hiQ's motion. It ordered LinkedIn to withdraw its cease-and-desist letter, to remove any existing technical barriers to hiQ's access to public profiles, and to refrain from putting in place any legal or technical measures with the effect of blocking hiQ's access to public profiles. LinkedIn timely appealed.

II.

“A plaintiff seeking a preliminary injunction must establish that he is likely to succeed on the merits, that he is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in his favor, and that an injunction is in the public interest.” Winter v. Nat. Res. Def. Council, Inc., 555 U.S. 7, 20, 129 S.Ct. 365, 172 L.Ed.2d 249 (2008). All four elements must be satisfied. See, e.g., Am. Trucking Ass'n v. City of Los Angeles, 559 F.3d 1046, 1057 (9th Cir. 2009). We use a “sliding scale” approach to these factors, according to which “a stronger showing of one element may offset a weaker showing of another.” Alliance for the Wild Rockies v. Cottrell, 632 F.3d 1127, 1131 (9th Cir. 2011). So, when the balance of hardships tips sharply in the plaintiff's favor, the plaintiff need demonstrate only “serious questions going to the merits.” Id. at 1135.

Applying that sliding scale approach, the district court granted hiQ a preliminary injunction, concluding that the balance of hardships tips sharply in hiQ's favor and that hiQ raised serious questions on the merits. We review the district court's decision to grant a preliminary injunction for abuse of discretion. The grant of a preliminary injunction constitutes an abuse of discretion if the district court's evaluation or balancing of the pertinent factors is “illogical, implausible, or without support in the record.” Doe v. Kelly, 878 F.3d 710, 713 (9th Cir. 2017).

A. Irreparable Harm

We begin with the likelihood of irreparable injury to hiQ if preliminary relief were not granted.

“[M]onetary injury is not normally considered irreparable.” Los Angeles Mem'l Coliseum Comm'n v. Nat'l Football League, 634 F.2d 1197, 1202 (9th Cir. 1980). Nonetheless, “[t]he threat of being driven out of business is sufficient to establish irreparable harm.” Am. Passage Media Corp. v. Cass Commc'ns, Inc., 750 F.2d 1470, 1474 (9th Cir. 1985). As the Second Circuit has explained, “[t]he loss of ... an ongoing business representing many years of effort and the livelihood of its ... owners, constitutes irreparable harm. What plaintiff stands to lose cannot be fully compensated by subsequent monetary damages.” Roso-Lino Beverage Distributors, Inc. v. Coca-Cola Bottling Co. of New York, Inc., 749 F.2d 124, 125–26 (2d Cir. 1984) (per curiam). Thus, showing a threat of “extinction” is enough to establish irreparable harm, even when damages may be available and the amount of direct financial harm is ascertainable. Am. Passage Media Corp., 750 F.2d at 1474.

The district court found credible hiQ's assertion that the survival of its business is threatened absent a preliminary injunction. The record provides ample support for that finding.

According to hiQ's CEO, “hiQ's entire business depends on being able to access public LinkedIn member profiles,” as “there is no current viable alternative to LinkedIn's member database to obtain data for hiQ's Keeper and Skill Mapper services.” Without access to LinkedIn public profile data, the CEO averred, hiQ will likely be forced to breach its existing contracts with clients such as eBay, Capital One, and GoDaddy, and to pass up pending deals with prospective clients. The harm hiQ faces absent a preliminary injunction is not purely hypothetical. HiQ was in the middle of a financing round when it received LinkedIn's cease-and-desist letter. The CEO reported that, in light of the uncertainty about the future viability of hiQ's business, that financing round stalled, and several employees left the company. If LinkedIn prevails, hiQ's CEO further asserted, hiQ would have to “lay off most if not all its employees, and shutter its operations.”

LinkedIn maintains that hiQ's business model does not depend on access to LinkedIn data. It insists that alternatives to LinkedIn data exist, and points in particular to the professional data some users post on Facebook. But hiQ's model depends on access to publicly available data from people who choose to share their information with the world. Facebook data, by contrast, is not generally accessible, see infra p. ––––, and therefore is not an equivalent alternative source of data.

LinkedIn also urges that even if there is no adequate alternative database, hiQ could collect its own data through employee surveys. But hiQ is a data analytics company, not a data collection company. Suggesting that hiQ could fundamentally change the nature of its business, not simply the manner in which it conducts its current business, is a recognition that hiQ's current business could not survive without access to LinkedIn public profile data. Creating a data collection system would undoubtedly require a considerable amount of time and expense. That hiQ could feasibly remain in business with no products to sell while raising the required capital and devising and implementing an entirely new data collection system is at least highly dubious.

In short, the district court did not abuse its discretion in concluding on the preliminary injunction record that hiQ currently has no viable way to remain in business other than using LinkedIn public profile data for its Keeper and Skill Mapper services, and that HiQ therefore has demonstrated a likelihood of irreparable harm absent a preliminary injunction.

B. Balance of the Equities

Next, the district court “balance[d] the interests of all parties and weigh[ed] the damage to each in determining the balance of the equities.” CTIA - The Wireless Ass'n v. City of Berkeley, Calif., 928 F.3d 832, 852 (9th Cir. 2019) (internal quotation marks and citation omitted). Again, it did not abuse its discretion in doing so.

On one side of the scale is the harm to hiQ just discussed: the likelihood that, without an injunction, it will go out of business. On the other side, LinkedIn asserts that the injunction threatens its members' privacy and therefore puts at risk the goodwill LinkedIn has developed with its members. As the district court observed, “the fact that a user has set his profile to public does not imply that he wants any third parties to collect and use that data for all purposes.” LinkedIn points in particular to the more than 50 million members who have used the “Do Not Broadcast” feature to ensure that other users are not notified when the member makes a profile change. According to LinkedIn, the popularity of the “Do Not Broadcast” feature indicates that many members—including members who choose to share their information publicly—do not want their employers to know they may be searching for a new job. An employer who learns that an employee may be planning to leave will not necessarily reward that employee with a retention bonus. Instead, the employer could decide to limit the employee's access to sensitive information or even to terminate the employee.

There is support in the record for the district court's connected conclusions that (1) LinkedIn's assertions have some merit; and (2) there are reasons to discount them to some extent. First, there is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to the information that they post publicly, and it is doubtful that they do. LinkedIn's privacy policy clearly states that “[a]ny information you put on your profile and any content you post on LinkedIn may be seen by others” and instructs users not to “post or add personal data to your profile that you would not want to be public.”

Second, there is no evidence in the record to suggest that most people who select the “Do Not Broadcast” option do so to prevent their employers from being alerted to profile changes made in anticipation of a job search. As the district court stated, there are other reasons why users may choose that option—most notably, many users may simply wish to avoid sending their connections annoying notifications each time there is a profile change. In any event, employers can always directly consult the profiles of users who chose to make their profiles public to see if any recent changes have been made. Employees intent on keeping such information from their employers can do so by rejecting public exposure of their profiles and eliminating their employers as contacts.

Finally, LinkedIn's own actions undercut its argument that users have an expectation of privacy in public profiles. LinkedIn's “Recruiter” product enables recruiters to “follow” prospects, get “alert[ed] when prospects make changes to their profiles,” and “use those [alerts] as signals to reach out at just the right moment,” without the prospect's knowledge.8 And subscribers to LinkedIn's “talent recruiting, marketing and sales solutions” can export data from members' public profiles, such as “name, headline, current company, current title, and location.”

In short, even if some users retain some privacy interests in their information notwithstanding their decision to make their profiles public, we cannot, on the record before us, conclude that those interests—or more specifically, LinkedIn's interest in preventing hiQ from scraping those profiles—are significant enough to outweigh hiQ's interest in continuing its business, which depends on accessing, analyzing, and communicating information derived from public LinkedIn profiles.

Nor do the other harms asserted by LinkedIn tip the balance of harms with regard to preliminary relief. LinkedIn invokes an interest in preventing “free riders” from using profiles posted on its platform. But LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles. And as to the publicly available profiles, the users quite evidently intend them to be accessed by others, including for commercial purposes—for example, by employers seeking to hire individuals with certain credentials. Of course, LinkedIn could satisfy its “free rider” concern by eliminating the public access option, albeit at a cost to the preferences of many users and, possibly, to its own bottom line.

We conclude that the district court's determination that the balance of hardships tips sharply in hiQ's favor is not “illogical, implausible, or without support in the record.” Kelly, 878 F.3d at 713.

C. Likelihood of Success

Because hiQ has established that the balance of hardships tips decidedly in its favor, the likelihood-of-success prong of the preliminary injunction inquiry focuses on whether hiQ has raised “serious questions going to the merits.” Alliance for the Wild Rockies, 632 F.3d at 1131. It has.

As usual, we consider only the claims and defenses that the parties press on appeal. We recognize that the companies have invoked additional claims and defenses in the district court, and we express no opinion as to whether any of those claims or defenses might ultimately prove meritorious. Thus, while hiQ advanced several affirmative claims in support of its request for preliminary injunctive relief, here we consider only whether hiQ has raised serious questions on the merits of its claims either for intentional interference with contract or unfair competition, under California's Unfair Competition Law, Cal. Bus. & Prof. Code § 17200 et seq. Likewise, while LinkedIn has asserted that it has “claims under the Digital Millennium Copyright Act and under trespass and misappropriation doctrines,” it has chosen for present purposes to focus on a defense based on the CFAA, so that is the sole defense to hiQ's claims that we address here.

1. Tortious Interference with Contract

HiQ alleges that LinkedIn intentionally interfered with hiQ's contracts with third parties. “The elements which a plaintiff must plead to state the cause of action for intentional interference with contractual relations are (1) a valid contract between plaintiff and a third party; (2) defendant's knowledge of this contract; (3) defendant's intentional acts designed to induce a breach or disruption of the contractual relationship; (4) actual breach or disruption of the contractual relationship; and (5) resulting damage.” Pac. Gas & Elec. Co. v. Bear Stearns & Co., 50 Cal. 3d 1118, 1126, 270 Cal.Rptr. 1, 791 P.2d 587 (1990).9

HiQ has shown a sufficient likelihood of establishing each of these elements. First, LinkedIn does not contest hiQ's evidence that contracts exist between hiQ and some customers, including eBay, Capital One, and GoDaddy.

Second, hiQ will likely be able to establish that LinkedIn knew of hiQ's scraping activity and products for some time. LinkedIn began sending representatives to hiQ's Elevate conferences in October 2015. At those conferences, hiQ discussed its business model, including its use of data from external sources to predict employee attrition. LinkedIn's director of business operations and analytics, who attended several Elevate conferences, specifically “recall[s] someone from hiQ stating [at the April 2017 conference] that they collected skills data from public professional profiles in order to provide hiQ's customers information about their employees' skill sets.” Additionally, LinkedIn acknowledged in its cease-and-desist letter that “hiQ has stated during marketing presentations that its Skill Mapper product is built on profile data from LinkedIn.” Finally, at a minimum, LinkedIn knew of hiQ's contracts as of May 31, 2017, when hiQ responded to LinkedIn's cease-and-desist letter and identified both current and prospective hiQ clients.

Third, LinkedIn's threats to invoke the CFAA and implementation of technical measures selectively to ban hiQ bots could well constitute “intentional acts designed to induce a breach or disruption” of hiQ's contractual relationships with third parties. Pac. Gas & Elec. Co., 50 Cal. 3d at 1126, 270 Cal.Rptr. 1, 791 P.2d 587; cf. Winchester Mystery House, LLC v. Global Asylum, Inc., 210 Cal. App. 4th 579, 597, 148 Cal.Rptr.3d 412 (2012) (indicating that “cease-and-desist letters ... refer[ring] to a[ ] contractual or other economic relationship between plaintiff and any third party” could “establish ... the ... intent element[ ] of the interference claim[ ]”).

Fourth, the contractual relationships between hiQ and third parties have been disrupted and “now hang[ ] in the balance.” Without access to LinkedIn data, hiQ will likely be unable to deliver its services to its existing customers as promised.

Last, hiQ is harmed by the disruption to its existing contracts and interference with its pending contracts. Without the revenue from sale of its products, hiQ will likely go out of business. See supra pp. –––– – ––––.

LinkedIn does not specifically challenge hiQ's ability to make out any of these elements of a tortious interference claim. Instead, LinkedIn maintains that it has a “legitimate business purpose” defense to any such claim. Cf. Quelimane Co. v. Stewart Title Guar. Co., 19 Cal. 4th 26, 57, 77 Cal.Rptr.2d 709, 960 P.2d 513 (1998), as modified (Sept. 23, 1998). That contention is an affirmative justification defense for which LinkedIn bears the burden of proof. See id.

Under California law, a legitimate business purpose can indeed justify interference with contract, but not just any such purpose suffices. See id. at 55–56, 77 Cal.Rptr.2d 709, 960 P.2d 513. Where a contractual relationship exists, the societal interest in “contractual stability is generally accepted as of greater importance than competitive freedom.” Imperial Ice Co. v. Rossier, 18 Cal. 2d 33, 36, 112 P.2d 631 (1941). Emphasizing the “distinction between claims for the tortious disruption of an existing contract and claims that a prospective contractual or economic relationship has been interfered with by the defendant,” the California Supreme Court instructs that we must “bring[ ] a greater solicitude to those relationships that have ripened into agreements.” Della Penna v. Toyota Motor Sales, U.S.A., Inc., 11 Cal. 4th 376, 392, 45 Cal.Rptr.2d 436, 902 P.2d 740 (1995). Thus, interference with an existing contract is not justified simply because a competitor “seeks to further his own economic advantage at the expense of another.” Imperial Ice, 18 Cal. 2d at 36, 112 P.2d 631; see id. at 37, 112 P.2d 631 (“A party may not ... under the guise of competition ... induce the breach of a competitor's contract in order to secure an economic advantage.”). Rather, interference with contract is justified only when the party alleged to have interfered acted “to protect an interest that has greater social value than insuring the stability of the contract” interfered with. Id. at 35, 112 P.2d 631.

Accordingly, California courts apply a balancing test to determine whether the interests advanced by interference with contract outweigh the societal interest in contractual stability:

Whether an intentional interference by a third party is justifiable depends upon a balancing of the importance, social and private, of the objective advanced by the interference against the importance of the interest interfered with, considering all circumstances including the nature of the actor's conduct and the relationship between the parties.

Herron v. State Farm Mut. Ins. Co., 56 Cal. 2d 202, 206, 14 Cal.Rptr. 294, 363 P.2d 310 (1961). Considerations include whether “the means of interference involve no more than recognized trade practices,” Buxbom v. Smith, 23 Cal. 2d 535, 546, 145 P.2d 305 (1944), and whether the conduct is “within the realm of fair competition,” Inst. of Veterinary Pathology, Inc. v. Cal. Health Labs., Inc., 116 Cal. App. 3d 111, 127, 172 Cal.Rptr. 74 (Cal. Ct. App. 1981). The “determinative question” is whether the business interest is pretextual or “asserted in good faith.” Richardson v. La Rancherita, 98 Cal. App. 3d 73, 81, 159 Cal.Rptr. 285 (Cal. Ct. App. 1979).

Balancing the interest in contractual stability and the specific interests interfered with against the interests advanced by the interference, we agree with the district court that hiQ has at least raised a serious question on the merits of LinkedIn's affirmative justification defense. First, hiQ has a strong commercial interest in fulfilling its contractual obligations to large clients like eBay and Capital One. Those companies benefit from hiQ's ability to access, aggregate, and analyze data from LinkedIn profiles.

Second, LinkedIn's means of interference is likely not a “recognized trade practice” as California courts have understood that term. “Recognized trade practices” include such activities as “advertising,” “price-cutting,” and “hir[ing] the employees of another for use in the hirer's business,” Buxbom, 23 Cal. 2d at 546–47, 145 P.2d 305—all practices which may indirectly interfere with a competitor's contracts but do not fundamentally undermine a competitor's basic business model. LinkedIn's proactive technical measures to selectively block hiQ's access to the data on its site are not similar to trade practices previously recognized as acceptable justifications for contract interference.

Further, LinkedIn's conduct may well not be “within the realm of fair competition.” Inst. of Veterinary Pathology, 116 Cal. App. 3d at 127, 172 Cal.Rptr. 74. HiQ has raised serious questions about whether LinkedIn's actions to ban hiQ's bots were taken in furtherance of LinkedIn's own plans to introduce a competing professional data analytics tool. There is evidence from which it can be inferred that LinkedIn knew about hiQ and its reliance on external data for several years before the present controversy. Its decision to send a cease-and-desist letter occurred within a month of the announcement by LinkedIn's CEO that LinkedIn planned to leverage the data on its platform to create a new product for employers with some similarities to hiQ's Skill Mapper product. If companies like LinkedIn, whose servers hold vast amounts of public data, are permitted selectively to ban only potential competitors from accessing and using that otherwise public data, the result—complete exclusion of the original innovator in aggregating and analyzing the public information—may well be considered unfair competition under California law.10

Finally, LinkedIn's asserted private business interests—“protecting its members' data and the investment made in developing its platform” and “enforcing its User Agreements' prohibitions on automated scraping”—are relatively weak. LinkedIn has only a non-exclusive license to the data shared on its platform, not an ownership interest. Its core business model—providing a platform to share professional information—does not require prohibiting hiQ's use of that information, as evidenced by the fact that hiQ used LinkedIn data for some time before LinkedIn sent its cease-and-desist letter. As to its members' interests in their data, for the reasons already explained, see supra pp. –––– – ––––, we agree with the district court that members' privacy expectations regarding information they have shared in their public profiles are “uncertain at best.” Further, there is evidence that LinkedIn has itself developed a data analytics tool similar to HiQ's products, undermining LinkedIn's claim that it has its members' privacy interests in mind. Finally, LinkedIn has not explained how it can enforce its user agreement against hiQ now that its user status has been terminated.

For all these reasons, LinkedIn may well not be able to demonstrate a “legitimate business purpose” that could justify the intentional inducement of a contract breach, at least on the record now before us. We therefore conclude that hiQ has raised at least serious questions going to the merits of its tortious interference with contract claim. Because such a showing on the tortious interference claim is sufficient to support an injunction prohibiting LinkedIn from selectively blocking hiQ's access to public member profiles, we do not reach hiQ's unfair competition claim.11

2. Computer Fraud and Abuse Act (CFAA)

Our inquiry does not end, however, with the state law tortious interference claim. LinkedIn argues that even if hiQ can show a likelihood of success on any of its state law causes of action, all those causes of action are preempted by the CFAA, 18 U.S.C. § 1030, which LinkedIn asserts that hiQ violated.

The CFAA states that “[w]hoever ... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer ... shall be punished” by fine or imprisonment. 18 U.S.C. § 1030(a)(2)(C).12 The term “protected computer” refers to any computer “used in or affecting interstate or foreign commerce or communication,” 18 U.S.C. § 1030(e)(2)(B)—effectively any computer connected to the Internet, see United States v. Nosal (Nosal II), 844 F.3d 1024, 1050 (9th Cir. 2016), cert. denied, ––– U.S. ––––, 138 S. Ct. 314, 199 L.Ed.2d 207 (2017)—including servers, computers that manage network resources and provide data to other computers. LinkedIn's computer servers store the data members share on LinkedIn's platform and provide that data to users who request to visit its website. Thus, to scrape LinkedIn data, hiQ must access LinkedIn servers, which are “protected computer[s].” See Nosal II, 844 F.3d at 1050.

The pivotal CFAA question here is whether once hiQ received LinkedIn's cease-and-desist letter, any further scraping and use of LinkedIn's data was “without authorization” within the meaning of the CFAA and thus a violation of the statute. 18 U.S.C. § 1030(a)(2). If so, LinkedIn maintains, hiQ could have no legal right of access to LinkedIn's data and so could not succeed on any of its state law claims, including the tortious interference with contract claim we have held otherwise sufficient for preliminary injunction purposes.

We have held in another context that the phrase “ ‘without authorization’ is a non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.”13 Nosal II, 844 F.3d at 1028. Nosal II involved an employee accessing without permission an employer's private computer for which access permissions in the form of user accounts were required. Id. at 1028–29. Nosal II did not address whether access can be “without authorization” under the CFAA where, as here, prior authorization is not generally required, but a particular person—or bot—is refused access. HiQ's position is that Nosal II is consistent with the conclusion that where access is open to the general public, the CFAA “without authorization” concept is inapplicable. At the very least, we conclude, hiQ has raised a serious question as to this issue.

First, the wording of the statute, forbidding “access[ ] ... without authorization,” 18 U.S.C. § 1030(a)(2), suggests a baseline in which access is not generally available and so permission is ordinarily required. “Authorization” is an affirmative notion, indicating that access is restricted to those specially recognized or admitted. See, e.g., Black's Law Dictionary (11th ed. 2019) (defining “authorization” as “[o]fficial permission to do something; sanction or warrant”). Where the default is free access without authorization, in ordinary parlance one would characterize selective denial of access as a ban, not as a lack of “authorization.” Cf. Blankenhorn v. City of Orange, 485 F.3d 463, 472 (9th Cir. 2007) (characterizing the exclusion of the plaintiff in particular from a shopping mall as “bann[ing]”).

Second, even if this interpretation is debatable, the legislative history of the statute confirms our understanding. “If [a] statute's terms are ambiguous, we may use ... legislative history[ ] and the statute's overall purpose to illuminate Congress's intent.” Jonah R. v. Carmona, 446 F.3d 1000, 1005 (9th Cir. 2006).

The CFAA was enacted to prevent intentional intrusion onto someone else's computer—specifically, computer hacking. See United States v. Nosal (Nosal I), 676 F.3d 854, 858 (9th Cir. 2012) (citing S. Rep. No. 99-432, at 9 (1986) (Conf. Rep.)).

The 1984 House Report on the CFAA explicitly analogized the conduct prohibited by section 1030 to forced entry: “It is noteworthy that section 1030 deals with an ‘unauthorized access’ concept of computer fraud rather than the mere use of a computer. Thus, the conduct prohibited is analogous to that of ‘breaking and entering' ....’ ” H.R. Rep. No. 98-894, at 20 (1984); see also id. at 10 (describing the problem of “ ‘hackers’ who have been able to access (trespass into) both private and public computer systems”). Senator Jeremiah Denton similarly characterized the CFAA as a statute designed to prevent unlawful intrusion into otherwise inaccessible computers, observing that “[t]he bill makes it clear that unauthorized access to a Government computer is a trespass offense, as surely as if the offender had entered a restricted Government compound without proper authorization.”14 132 Cong. Rec. 27639 (1986) (emphasis added). And when considering amendments to the CFAA two years later, the House again linked computer intrusion to breaking and entering. See H.R. Rep. No. 99-612, at 5–6 (1986) (describing “the expanding group of electronic trespassers,” who trespass “just as much as if they broke a window and crawled into a home while the occupants were away”).

In recognizing that the CFAA is best understood as an anti-intrusion statute and not as a “misappropriation statute,” Nosal I, 676 F.3d at 857–58, we rejected the contract-based interpretation of the CFAA's “without authorization” provision adopted by some of our sister circuits. Compare Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1067 (9th Cir. 2016), cert. denied, ––– U.S. ––––, 138 S. Ct. 313, 199 L.Ed.2d 206 (2017) (“[A] violation of the terms of use of a website—without more—cannot establish liability under the CFAA.”); Nosal I, 676 F.3d at 862 (“We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty.”), with EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583–84 (1st Cir. 2001) (holding that violations of a confidentiality agreement or other contractual restraints could give rise to a claim for unauthorized access under the CFAA); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding that a defendant “exceeds authorized access” when violating policies governing authorized use of databases). Van Buren, interpreting the CFAA's “exceeds authorized access” clause, approved of Nosal I and abrogated EF Cultural Travel and Rodriguez. 141 S. Ct. at 1653–54 & n.2.

We therefore look to whether the conduct at issue is analogous to “breaking and entering.” H.R. Rep. No. 98-894, at 20. Significantly, the version of the CFAA initially enacted in 1984 was limited to a narrow range of computers—namely, those containing national security information or financial data and those operated by or on behalf of the government. See Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, Pub. L. No. 98-473, § 2102, 98 Stat. 2190, 2190–91. None of the computers to which the CFAA initially applied were accessible to the general public; affirmative authorization of some kind was presumptively required.

When section 1030(a)(2)(C) was added in 1996 to extend the prohibition on unauthorized access to any “protected computer,” the Senate Judiciary Committee explained that the amendment was designed “to increase protection for the privacy and confidentiality of computer information.” S. Rep. No. 104-357, at 7 (emphasis added).15 The legislative history of section 1030 thus makes clear that the prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort. As one prominent commentator has put it, “an authentication requirement, such as a password gate, is needed to create the necessary barrier that divides open spaces from closed spaces on the Web.” Orin S. Kerr, Norms of Computer Trespass, 116 Colum. L. Rev. 1143, 1161 (2016). Moreover, elsewhere in the statute, password fraud is cited as a means by which a computer may be accessed without authorization, see 18 U.S.C. § 1030(a)(6),16 bolstering the idea that authorization is only required for password-protected sites or sites that otherwise prevent the general public from viewing the information.

We therefore conclude that hiQ has raised a serious question as to whether the reference to access “without authorization” limits the scope of the statutory coverage to computers for which authorization or access permission, such as password authentication, is generally required. Put differently, the CFAA contemplates the existence of three kinds of computer systems: (1) computers for which access is open to the general public and permission is not required, (2) computers for which authorization is required and has been given, and (3) computers for which authorization is required but has not been given (or, in the case of the prohibition on exceeding authorized access, has not been given for the part of the system accessed). Public LinkedIn profiles, available to anyone with an Internet connection, fall into the first category. With regard to websites made freely accessible on the Internet, the “breaking and entering” analogue invoked so frequently during congressional consideration has no application, and the concept of “without authorization” is inapt.

The reasoning of Van Buren reinforces our interpretation of the CFAA, although it did not directly address the statute's “without authorization” clause. Van Buren held that a police sergeant did not violate the CFAA when he “ran a license-plate search in a law enforcement computer database in exchange for money.” 141 S. Ct. at 1652. Interpreting the “exceeds authorized access” clause of section 1030(a)(2), the Court held that the CFAA “covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.” Id.

Van Buren found the “interplay between the ‘without authorization’ and ‘exceeds authorized access’ clauses of subsection (a)(2) ... particularly probative.” Id. at 1658. “The ‘without authorization’ clause ... protects computers themselves by targeting so-called outside hackers—those who ‘acces[s] a computer without any permission at all.’ ” Id. (quoting LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009)). The “ ‘exceeds authorized access’ clause ... provide[s] complementary protection for certain information within computers ... by targeting so-called inside hackers—those who access a computer with permission, but then ‘ “exceed” the parameters of authorized access by entering an area of the computer to which [that] authorization does not extend.’ ” Id. (quoting United States v. Valle, 807 F.3d 508, 524 (2d Cir. 2015)). “[L]iability under both clauses stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” Id. at 1658–59.

Van Buren's “gates-up-or-down inquiry” is consistent with our interpretation of the CFAA as contemplating three categories of computer systems. See supra pp. –––– – ––––. Discussing the “without authorization” clause, Van Buren explained that a computer user who has “authorization” is one who “can ... access a computer system,” 141 S. Ct. at 1658, where “access” means “the act of entering a computer ‘system itself,’ ” id. at 1657 (citation omitted). In other words, a user with “authorization” is not subject to “limitations on access,” whether those limitations are “code-based” or “contained in contracts or policies.” Id. at 1659 n.8. Van Buren stated that the CFAA's password-trafficking provision, section 1030(a)(6), which also uses the word “authorization,” “contemplates a ‘specific type of authorization—that is, authentication,’ which turns on whether a user's credentials allow him to proceed past a computer's access gate, rather than on other, scope-based restrictions.” Id. at 1659 n.9 (quoting Patricia L. Bellia, A Code-Based Approach to Unauthorized Access Under the Computer Fraud and Abuse Act, 84 Geo. Wash. L. Rev. 1442, 1470 (2016)).

Van Buren's distinction between computer users who “can or cannot access a computer system,” id. at 1658, suggests a baseline in which there are “limitations on access” that prevent some users from accessing the system (i.e., a “gate” exists, and can be either up or down). The Court's “gates-up-or-down inquiry” thus applies to the latter two categories of computers we have identified: if authorization is required and has been given, the gates are up; if authorization is required and has not been given, the gates are down. As we have noted, however, a defining feature of public websites is that their publicly available sections lack limitations on access; instead, those sections are open to anyone with a web browser. In other words, applying the “gates” analogy to a computer hosting publicly available webpages, that computer has erected no gates to lift or lower in the first place.17 Van Buren therefore reinforces our conclusion that the concept of “without authorization” does not apply to public websites.

Additionally, neither of the cases LinkedIn principally relies upon casts doubt on our interpretation of the statute. LinkedIn first cites Nosal II, 844 F.3d 1024. As we have already stated, Nosal II held that a former employee who used current employees' login credentials to access company computers and collect confidential information had acted “ ‘without authorization’ in violation of the CFAA.” 844 F.3d at 1038. The computer information the defendant accessed in Nosal II was thus plainly one which no one could access without authorization.

So too with regard to the system at issue in Power Ventures, 844 F.3d 1058, the other precedent upon which LinkedIn relies. In that case, Facebook sued Power Ventures, a social networking website that aggregated social networking information from multiple platforms, for accessing Facebook users' data and using that data to send mass messages as part of a promotional campaign. Id. at 1062–63. After Facebook sent a cease-and-desist letter, Power Ventures continued to circumvent IP barriers and gain access to password-protected Facebook member profiles. Id. at 1063. We held that after receiving an individualized cease-and-desist letter, Power Ventures had accessed Facebook computers “without authorization” and was therefore liable under the CFAA. Id. at 1067–68. But we specifically recognized that “Facebook has tried to limit and control access to its website” as to the purposes for which Power Ventures sought to use it. Id. at 1063. Indeed, Facebook requires its users to register with a unique username and password, and Power Ventures required that Facebook users provide their Facebook username and password to access their Facebook data on Power Ventures' platform. Facebook, Inc. v. Power Ventures, Inc., 844 F. Supp. 2d 1025, 1028 (N.D. Cal. 2012). While Power Ventures was gathering user data that was protected by Facebook's username and password authentication system, the data hiQ was scraping was available to anyone with a web browser.

In sum, Nosal II and Power Ventures control situations in which authorization generally is required and has either never been given or has been revoked. As Power Ventures indicated, the two cases do not control the situation present here, in which information is “presumptively open to all comers.” Power Ventures, 844 F.3d at 1067 n.2. As to the computers at issue in those cases, the authorization gate was “down.”

Our understanding that the CFAA is premised on a distinction between information presumptively accessible to the general public and information for which authorization is generally required is consistent with our interpretation of a provision of the Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et seq.,18 nearly identical to the CFAA provision at issue. Compare 18 U.S.C. § 2701(a) (“[W]hoever—(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains ... unauthorized access to a wire or electronic communication ... shall be punished ....”) with 18 U.S.C. § 1030(a)(2)(C) (“Whoever ... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer ... shall be punished ....”). “The similarity of language in [the SCA and the CFAA] is a strong indication that [they] should be interpreted pari passu.” Northcross v. Bd. of Educ. of Memphis City Schs., 412 U.S. 427, 428, 93 S.Ct. 2201, 37 L.Ed.2d 48 (1973); see also United States v. Sioux, 362 F.3d 1241, 1246 (9th Cir. 2004).

Addressing the “without authorization” provision of the SCA, we have distinguished between public websites and non-public or “restricted” websites, such as websites that “are password-protected ... or require the user to purchase access by entering a credit card number.” Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 875 (9th Cir. 2002); see also id. at 879 n.8. As we explained in Konop, in enacting the SCA, “Congress wanted to protect electronic communications that are configured to be private” and are “ ‘not intended to be available to the public.’ ” Id. at 875 (quoting S. Rep. No. 99-541, at 35–36 (1986)). The House Committee on the Judiciary stated, with respect to the section of the SCA at issue, section 2701, that “[a] person may reasonably conclude that a communication is readily accessible to the general public if the ... means of access are widely known, and if a person does not, in the course of gaining access, encounter any warnings, encryptions, password requests, or other indicia of intended privacy.” H.R. Rep. No. 99-647, at 62 (1986). The Committee further explained that “electronic communications which the service provider attempts to keep confidential would be protected, while the statute would impose no liability for access to features configured to be readily accessible to the general public.” Id. at 63.

Both the legislative history of section 1030 of the CFAA and the legislative history of section 2701 of the SCA, with its similar “without authorization” provision, then, support the district court's distinction between “private” computer networks and websites, protected by a password authentication system and “not visible to the public,” and websites that are accessible to the general public.

Finally, the rule of lenity favors our narrow interpretation of the “without authorization” provision in the CFAA. The statutory prohibition on unauthorized access applies both to civil actions and to criminal prosecutions—indeed, “§ 1030 is primarily a criminal statute.” LVRC Holdings, 581 F.3d at 1134. “Because we must interpret the statute consistently, whether we encounter its application in a criminal or noncriminal context, the rule of lenity applies.” Leocal v. Ashcroft, 543 U.S. 1, 11 n.8, 125 S.Ct. 377, 160 L.Ed.2d 271 (2004). As we explained in Nosal I, we therefore favor a narrow interpretation of the CFAA's “without authorization” provision so as not to turn a criminal hacking statute into a “sweeping Internet-policing mandate.” 676 F.3d at 858; see also id. at 863.19

For all these reasons, it appears that the CFAA's prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer's generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user's accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ's possibly meritorious tortious interference claim.20

Entities that view themselves as victims of data scraping are not without resort, even if the CFAA does not apply: state law trespass to chattels claims may still be available.21 And other causes of action, such as copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy, may also lie. See, e.g., Associated Press v. Meltwater U.S. Holdings, Inc., 931 F. Supp. 2d 537, 561 (S.D.N.Y. 2013) (holding that a software company's conduct in scraping and aggregating copyrighted news articles was not protected by fair use).

D. Public Interest

Finally, we must consider the public interest in granting or denying the preliminary injunction. Whereas the balance of equities focuses on the parties, “[t]he public interest inquiry primarily addresses impact on non-parties rather than parties,” and takes into consideration “the public consequences in employing the extraordinary remedy of injunction.” Bernhardt v. Los Angeles Cnty., 339 F.3d 920, 931–32 (9th Cir. 2003) (citations omitted).

As the district court observed, each side asserts that its own position would benefit the public interest by maximizing the free flow of information on the Internet. HiQ points out that data scraping is a common method of gathering information, used by search engines, academic researchers, and many others. According to hiQ, letting established entities that already have accumulated large user data sets decide who can scrape that data from otherwise public websites gives those entities outsized control over how such data may be put to use.

For its part, LinkedIn argues that the preliminary injunction is against the public interest because it will invite malicious actors to access LinkedIn's computers and attack its servers. As a result, the argument goes, LinkedIn and other companies with public websites will be forced to choose between leaving their servers open to such attacks or protecting their websites with passwords, thereby cutting them off from public view.

Although there are significant public interests on both sides, the district court properly determined that, on balance, the public interest favors hiQ's position. We agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest.

Internet companies and the public do have a substantial interest in thwarting denial-of-service attacks22 and blocking abusive users, identity thieves, and other ill-intentioned actors. But we do not view the district court's injunction as opening the door to such malicious activity. The district court made clear that the injunction does not preclude LinkedIn from continuing to engage in “technological self-help” against bad actors—for example, by employing “anti-bot measures to prevent, e.g., harmful intrusions or attacks on its server.” Although an injunction preventing a company from securing even the public parts of its website from malicious actors would raise serious concerns, such concerns are not present here.23

The district court's conclusion that the public interest favors granting the preliminary injunction was appropriate.

Conclusion

We AFFIRM the district court's determination that hiQ has established the elements required for a preliminary injunction and remand for further proceedings.