August 20, 2013
In the ongoing legal battle between craigslist and 3taps, a new court opinion makes clear that people are “authorized” under the Computer Fraud and Abuse Act (CFAA) to access a public website. But what the court gave with one hand it took with the other, as it also ruled that sending a cease-and-desist letter and blocking an IP address is enough to “revoke” this authorization.
3taps collects real-estate data from craigslist and makes it available to other companies to use. One of those companies, Padmapper, republished craigslist apartment postings over a map to enable users to view apartment listings geographically, a feature then unavailable on the craigslist site. Craigslist’s terms of service prohibits people from “scraping” or copying data from craigslist’s site.
After learning about 3Taps and its clients, craigslist sent 3taps a cease-and-desist letter demanding they stop using craigslist data this way and then blocked 3taps’ IP address from accessing the craigslist site. Ultimately, craigslist sued 3taps in federal court, arguing that 3taps had violated the CFAA. 3taps moved to dismiss the case, arguing that under the Ninth Circuit Court of Appeals decision in United States v. Nosal, 3taps could not be liable under the CFAA for violating craigslist’s terms of service.
While the court agreed with 3taps on this point, it questioned whether the CFAA even protected information available on a publicly accessible website like craigslist in the first place. After the court agreed to accept additional briefing on this point, we along with a number of law professors, filed an amicus brief with the court urging it to rule that everyone is “authorized” to visit a public website under the CFAA.
Last week, the court ruled that this interpretation of the CFAA “makes sense,” meaning that everyone starts out as “authorized” to access a publicly accessible website. But it found that, with respect to 3taps, craigslist had used its “power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website” by sending the cease and desist letter and blocking 3taps’ IP address. The decision is certainly a mixed bag.
First the positive.
It is encouraging to see courts recognize that the CFAA—which creates both civil and criminal liability—doesn’t criminalize accessing information from a publicly accessible website. The government used that precise theory to prosecute Andrew “Weev” Auernheimer for exposing an AT&T security flaw that publicly revealed thousands of customers’ email addresses. The possibility of imposing CFAA liability on someone from using information made freely available on the web posed a major threat on the openness and innovation of the Internet.
Moreover, by focusing on the IP blocking, the court essentially agreed with the basic principle we’ve suggested as a means to limit the reach of the CFAA: that there must be circumvention of a technological barrier before a person can be found to have “accessed” information or data “without authorization.” In fact one proposal to reform the CFAA currently before Congress, “Aaron’s Law,” defines “access without authorization” to mean precisely that: “knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.” The court adopted this idea in principle when it found that craigslist’s CFAA claim was based on something more than violating the terms of service of a publicly accessible website, and indeed something more than the cease and desist letter alone.
Now for the troubling part of the court’s opinion.
We believe that the CFAA requires hacking—doing something that breaches a technological barrier, like cracking a password or taking advantage of a SQL injection.
Changing your IP address is simply not hacking. That’s because masking your IP address is an easy, common thing to do. And there’s plenty of legitimate reasons to do so, whether its to protect your privacy, preserve innovation or avoid price discrimination. Plus, in the context of this case, craigslist’s IP address blocking and cease-and-desist letter combined to essentially act as a “use” restriction. In other words, craigslist relied on these two things to enforce its terms of service upon 3taps.
There’s a serious potential for mischief that is encouraged by this decision, as companies could arbitrarily decide whose authorization to “revoke” and need only write a letter and block an IP address to invoke the power of a felony criminal statute in what is, at best, a civil business dispute.
Hopefully future courts thinking about these issues can use the good aspects of this decision to recognize that violating a technological measure is necessary. But they need to think more critically about whether IP address blocking, even if coupled with a cease and desist letter, is enough for a CFAA violation.
Accessing a public website isn’t a crime. Neither is hiding your online identity.