How an Old Hacking Law Hampers the Fight Against Online Discrimination
In November of 2007, Richard Villarreal applied for a job with the tobacco company R. J. Reynolds. He was forty-nine years old at the time, living in Cumming, Georgia, about an hour’s drive from Atlanta, and working for Coca-Cola to support his wife and teen-age daughter. Villarreal had eight years of sales experience, and believed he was well qualified for the position of territory manager—described in a posting on the employment Web site CareerBuilder as a liaison to retailers stocking R. J. Reynolds products. He filled out a questionnaire and an application form, uploaded his résumé, and waited, but the company never responded. Undeterred, Villarreal reapplied on five subsequent occasions. Each time, the result was the same.
Then, in 2010, Villarreal received a letter from Altshuler Berzon, a law firm based in San Francisco. Through that correspondence and follow-up calls with the firm’s attorneys, Villarreal learned that his failure to land the job had had nothing to do with his qualifications. It turned out that Reynolds had subcontracted with a recruitment agency, which screened applications according to a set of hidden guidelines. Most of the criteria were innocuous (“ability to engage others,” “outside sales experience,” “multi-tasking”), but others were more pointed—“targeted candidate: 2-3 years out of college,” “adjusts easily to changes,” “stay away from: in sales for 8-10 years.” In other words, no old people allowed. The guidelines were known only to Reynolds and its subcontractor—until a whistle-blower from inside the recruiting firm spoke out. “The Deep Throat not only told me about the policy but saved the names and addresses of the people turned away,” Jim Finberg, a lawyer at Altshuler, told me. Of the more than a thousand territory managers whom Reynolds had hired across the United States, only two per cent were over forty, the age that triggers the protections of the Age Discrimination in Employment Act. (The case is now on appeal, and Reynolds has argued that the A.D.E.A. does not apply to job applicants.)
The way that Villarreal’s story unfolded—the whistle-blower, the well-resourced law firm—was unusual, but the barriers he faced online were not. In cyberspace, as in real life, it’s unlawful to discriminate against job candidates on the basis of age, race, nationality, disability, religion, or gender. But detecting such bias is a challenge. Since the nineteen-seventies, civil-rights organizations have ferreted out illegal conduct with a method called pair testing—submitting the fabricated résumés of otherwise identical male and female job applicants to a company, for instance, and seeing who gets hired. A similar tactic is used to enforce fair-housing laws, with white and black actors portraying otherwise identical renters. The federal government has long funded these audits, and the Supreme Court has upheld them as a legitimate strategy, despite the deception involved. Bryan Greene, a deputy assistant secretary in the Department of Housing and Urban Development, told me, “Testing has always been one of the most important tools in our arsenal.”
In the online world, however, testing is effectively illegal. Thirty years ago, during the Reagan Administration, Congress passed the Computer Fraud and Abuse Act, which was designed in large part to prohibit the theft of government data. (Reagan became interested in the issue after watching the 1983 film “WarGames,” in which a young hacker, played by Matthew Broderick, inadvertently gains access to a supercomputer that controls the U.S. nuclear arsenal.) The text of the C.F.A.A. begins reasonably enough, by targeting hacks that put the national defense and foreign relations at risk. From there, though, the law grows like an algae bloom, expanding the definition of fraud to include any “unauthorized access” to a “protected computer.” Rather than explaining precisely what “unauthorized” means, the C.F.A.A. leaves it up to the owner of the computer to decide. As a result, companies have the right to sue people who violate their terms of service, even for such mundane activities as sharing a password with a friend. What’s more, the federal government can subject alleged offenders to criminal prosecution, seeking to impose prison time and hefty fines, essentially turning the U.S. Department of Justice into corporate muscle.
Terms-of-service agreements, which most Internet users consent to without even knowing it, do not explicitly ban pair testing. Rather, they ban the techniques that underlie it. CareerBuilder, the site that Villarreal used to look for work, has rules against providing false personal information and engaging in scraping, a method of automatically recording large amounts of data, even if that data is freely available. Other employment and housing sites—LinkedIn, Airbnb, Craigslist—have similar provisions. Companies say these rules are necessary to insure honest transactions. But digital-rights advocates point to a chilling effect: researchers, fearful of C.F.A.A. litigation, are deterred from uncovering discrimination online. Of the dozen academics and journalists I spoke with for this article, nearly all had recently scrapped or truncated a planned investigation. Although no one has ever been prosecuted for online-discrimination testing, Anupam Datta, a professor at Carnegie Mellon University and the co-author of a 2015 paper finding that women were less likely than men to be shown Google ads for high-paying jobs, told me that “companies’ explicit constraints in terms of use give me pause.” Datta’s colleagues Alessandro Acquisti and Christina Fong, who also study Web-enabled bias, agreed. “The C.F.A.A. is so vague that anyone doing empirical Internet research may find himself or herself at risk,” they wrote in an e-mail.
This argument forms the basis of Sandvig v. Lynch, a lawsuit filed in late June by the American Civil Liberties Union. The plaintiffs—journalists from the investigative news outlet the Intercept and computer scientists from Northeastern University, the University of Illinois, and the University of Michigan—assert that pair testing and other forms of auditing are a species of protected speech, and that the C.F.A.A. is too sweeping in its prohibitions to pass constitutional muster. The Justice Department, led by Attorney General Loretta Lynch, denies this, and has asked the federal district court in Washington, D.C., to dismiss the case. According to the government’s reasoning, the meaning of the C.F.A.A. is clear and the plaintiffs’ claim of harm is theoretical. (Representatives of the Justice Department declined to comment.)
Testing for online discrimination may seem a speculative pursuit, but there’s good reason to believe that violations of federal employment and housing laws are taking place all over the Internet. Earlier this year, three professors at Harvard Business School found that Airbnb users with “distinctively African-American names” have a harder time booking rooms than identical users with white-sounding names. Their study, which relied on artificial user profiles created without Airbnb’s knowledge, caused a public outcry, forcing the company to reconsider some of its policies. Less daring investigators might resort to using only the data that a corporation volunteers, but here, too, there are pitfalls. “If you go through a sanctioned protocol, there are almost always limits on the types of information and the amount you can download,” Ryan Tate, the deputy editor of the Intercept, told me. “To convince the public—to make a point—you need a huge amount of information.” And businesses are constantly tightening the data faucet. Christian Sandvig, the named plaintiff in the A.C.L.U. suit, described a study that he and his colleagues at the University of Michigan’s School of Information had done on the algorithm underlying Facebook’s News Feed. “One of the questions we got when we presented the work was, ‘How did you find out that much?’ ” Sandvig told me. The next time the company updated its algorithm, the method the researchers had used no longer worked. I heard the same thing from many other academics—about Twitter, Airbnb, Google, and so on.
Last year, Representative Zoe Lofgren and Senators Ron Wyden and Rand Paul reintroduced Aaron’s Law, a reform bill named after the information activist Aaron Swartz, who committed suicide while under indictment for violating the C.F.A.A. (He had downloaded a large cache of academic-journal articles.) The legislation would amend the C.F.A.A. to clarify that terms-of-service breaches do not automatically count as transgressions of the statute. In testimony before a Senate subcommittee last summer, the Justice Department’s David M. Bitkower seemed to approve of these “targeted legislative changes.” Yet the agency has continued to prosecute individuals for flouting corporate fine print. Aaron’s Law is bipartisan, and bicameral, but a House aide told me that the Judiciary Committee “currently doesn’t have plans to move it.” Cindy Cohn, the executive director of the Electronic Frontier Foundation, explained why. “If you want to get a tech law passed, you need the support of tech companies, and the big guys aren’t supportive,” she said. (I solicited comment from a dozen prominent companies on Aaron’s Law and the C.F.A.A.; only Twitter, Microsoft, and LinkedIn responded, and all three declined to comment.)
In earlier years, Internet forecasts called for sunshine—access to knowledge, popular democracy, a flatter and fairer world. But, over time, the Web has revealed itself to be no freer of discrimination than the physical world it inhabits. In “Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy,” published earlier this month, the mathematician Cathy O’Neil notes that some seventy per cent of U.S. job applicants must now take online personality tests; seventy-two per cent of résumés, moreover, “are never seen by human eyes.” As our basic needs and services migrate online, so must the enforcement of our fundamental rights. Richard Villarreal had no idea that his résumé would be automatically filtered out. Nor could he have known. Were it not for the whistle-blower, a Deep Throat ex machina, R. J. Reynolds’s coded language of age discrimination—not long out of college, not too much experience in the field—would have stayed buried.