On The Case

Knight Institute demands Facebook amend its rules for journalists, researchers

(Reuters) - The folks who sued to stop President Donald Trump from blocking Twitter critics have a new target: Facebook.

On Tuesday, the Knight First Amendment Institute disclosed a letter it sent Monday to Facebook CEO Mark Zuckerberg, proposing an amendment to Facebook’s terms of service to create a safe harbor for journalists and academics investigating the social media site. Under Facebook’s current rules, the letter said, investigators risk not just being shut out of the site but also liability under the Computer Fraud and Abuse Act for violations of Facebook’s terms of service. Knight is calling on Facebook to change the rules to allow bona fide journalists and academics to scrape data and use temporary accounts in order to conduct their research.

“Digital journalism and research are crucial to the public’s understanding of Facebook’s platform and its influence on our society,” the letter said. “Facebook’s terms of service limit this kind of journalism and research because they ban tools that are often necessary to it.”

Knight sent the letter on behalf of three journalists – Kate Conger of the New York Times, documentary filmmaker Cameron Hickey and Gizmodo reporter Kashmir Hill – and researchers from Princeton and the University of Michigan. Right after Knight disclosed its letter, Gizmodo’s Hill published a story describing how Facebook, claiming a violation of its terms of service, tried to get her to shut down an open source tool Gizmodo created as part of its investigation of Facebook’s People You May Know feature. (Volunteers who downloaded the tool could find out, for instance, whether Facebook recommended them as prospective friends to users whose profiles they’d viewed.) Hill reported that Gizmodo made some changes after Facebook complained; the tool remains live but Hill said the episode shows why journalists and researchers need a safe harbor.

I asked Knight’s Ramya Krishnan whether the safe harbor could be exploited by Facebook competitors or data-mining outfits trying to monetize Facebook user information. (You surely recall Facebook’s Cambridge Analytica scandal, which the institute acknowledges in its letter.) Knight is proposing qualifying conditions for the safe harbor: Researchers must have a public, not commercial, interest, must reasonably avoid misleading Facebook users about who’s behind temporary research accounts and must pledge to protect users’ privacy. Those qualifiers would exclude bad actors from the safe harbor, Krishnan said. In the Knight Institute’s vision, Facebook-employed monitors would determine after detecting troublesome activity whether the activity qualifies for safe harbor protection.

“We have thought through whether the safe harbor would have protected Cambridge Analytica,” Krishnan said. “The answer is no.”

This is all entirely hypothetical, of course. Knight hasn’t sued, just asked for a change in the terms of service. Its letter has no power to compel the company to do anything – and it’s frankly tough to imagine Facebook exposing itself to a new round of criticism by deeming itself the arbiter of the legitimacy of journalists and researchers who scrape data and use masked accounts.

Facebook seems in no hurry to change its current rules in response to Knight’s letter. “We appreciate the Knight Institute’s recommendations,” the company said in an email statement from Campbell Brown, Facebook’s head of global news partnerships. “Journalists and researchers play a critical role in helping people better understand companies and their products – as well as holding us accountable when we get things wrong. We do have strict limits in place on how third parties can use people’s information, and we recognize that these sometimes get in the way of this work.” Facebook’s statement said it already offers some tools for journalists and plans to introduce a new software-building tool to analyze the impact of political ads on the site. The statement did not mention any intention of beginning discussions with Knight about a safe harbor for journalists and academics.

Regardless of what happens next between Facebook and the Knight Institute, Knight’s letter raises the scary prospect of civil and even criminal exposure under the CFAA for terms of service violations. As you may recall (and as I explained in a story last August), the 1986 anti-hacking law isn’t entirely clear about what constitutes unauthorized access to a computer. It’s easy to say that dark-web hackers with stolen passwords are violating the CFAA, but what about a data scraper mining publicly-available information – the scenario in a suit last year by LinkedIn? Or what about Gizmodo, whose open source tool originally asked Facebook users to provide their user names and passwords so that the tool could sign into the site on their behalf?

Gizmodo wasn’t accessing the accounts or even centralizing the collection of data stored on the computers of individual Facebook accountholders. But according to Hill’s account on Tuesday, when Facebook told the site that its tool violated Facebook’s terms of service, Gizmodo worried it would be sued.

Both Facebook and the Justice Department, as Knight’s letter pointed out, have invoked the CFAA in connection with terms of service violations, though the letter acknowledged that Facebook has not made that claim in litigation against a journalist or researcher. (The company’s best-known assertion of the statute was in a case against the nascent social networking site, which the 9th U.S. Circuit Court of Appeals found liable for CFAA violations, based on’s continued accessing of Facebook computers after it received a cease-and-desist letter.)

Journalists and researchers were sufficiently worried about CFAA criminal exposure for terms of service violations that in 2016 a group of them sued the Justice Department, seeking a declaratory judgment that (among other things) the CFAA breaches the First Amendment to the extent that it prohibits the collection of publicly-available data related to online discrimination. In March, U.S. District Judge John Bates of Washington dismissed most of the plaintiffs’ claims in Sandvig v. Sessions but kept alive First Amendment allegations by two researchers who said they feared prosecution if they carried out plans to create fake user accounts to test discrimination at employment websites. The Justice Department has asked Judge Bates to permit discovery on precisely which sites the researchers are targeting.

The Knight letter references some of the same research tools and public interest goals as the Sandvig suit. Is the institute contemplating litigation to obtain the same protection from CFAA civil liability that Sandvig’s ACLU lawyers are seeking in the criminal context?

For now, Knight’s Krishnan isn’t saying. In an email, she told me the institute is still hoping Facebook decides to engage on its safe-harbor idea. “The proposal is made in good faith and meant to be constructive,” she said. “We’ll wait to see how Facebook responds before considering next steps.”