U.S. District Judge Charles Breyer in Northern District of California has ruled that avoiding an IP address block to connect to a Website is a breach of the Computer Fraud and Abuse Act (CFAA). Some have taken this decision to mean that the court's broad interpretation of the law may mean accessing Websites that are accessible only to some users by proxy servers , virtual private networks (VPN)s, or Tor may be illegal.
This decision arose from a case that all started because, unlike many other popular sites, Craigslist does not provide an application programming interface (API) for third party services to use its data. Indeed, in the summer of 2012, Craigslist briefly claimed the copyright over everything posted on Craigslist.
Craig Newmark, founder of Craigslist, who says that he's merely a "customer support representative" for the company, told Ars Technica last year that "I can say that our culture has always been community-driven, and what they tell us, in large numbers and for years, [is] that their posts are not to be used by others for profit." One of Craiglist's sources of income is charging for commercial apartment listings.
The case in question, Craigslist vs. 3Taps, revolved around a copyright infringement claim by Craigslist against data gathering company 3Taps. 3Taps had been scraping Craigslist rental apartment ads and then feeding the data via an API to the apartment listing company PadMapper. This business, in turn, used the data to create interactive maps using Google Maps for would-be renters. Craigslist claimed that this violated its terms of service (ToS).
So typical of a ToS legal disagreement, PadMapper and 3Taps came up with a workaround. Craigslist retaliated with a copyright claim against the two companies.
As is so often the case in circumstances like this, 3Taps countersued, claiming that Craigslist was trying to create a monopoly by squeezing out other would-be online classified advertising businesses.
Craigslist then blocked 3Taps Internet Protocol (IP) addresses from accessing its site. 3Taps continued, however, to pull Craigslist's data by concealing its identity with different IP addresses and proxy servers. Craigslist then argued that the 3Taps' subterfuge violated the CFAA which prohibits the intentional access of a computer without authorization that results in the capture of information from a protected computer.
Craiglist's CFAA claim bothered many experts.
The Electronic Frontier Foundation (EFF) in an amicus curiae to the Court stated that the CFAA had "been stretched to cover all sorts of non-hacking behavior. (PDF Link) This case perhaps represents the zenith of this trend: plaintiff Craigslist, Inc. (“Craigslist”) alleges defendant 3Taps Inc. (“3Taps”) violated the CFAA and Penal Code § 502 by copying data on Craigslist’s publicly available website and then republishing that information on its own website. Imposing CFAA liability under these circumstances means that it can now become criminal to copy and paste data from a publicly available website intended to be seen by as many people as possible on the Internet. A person using Craigslist to look for an apartment is authorized to write notes on a pen and paper, or manually plot apartment listings on a paper map. The same behavior should not be treated as criminal simply because it was done with a computer."
3Taps tried to have this CFAA claim thrown out but Breyer ruled that "This Court cannot grant an exception on to the statute (the CFAA) with no basis in the law’s language or this circuit’s interpretive precedent. Accordingly, the Court DENIES 3Taps’ motion." (PDF Link).
Orin S. Kerr, a professor of law at the George Washington University, believes Judge Breyer's decision is the first to directly address the issue that changing IP addresses to get around a block is an unauthorized access in violation of the CFAA. It's not a decision, he's happy with.
Kerr wrote, "IP addresses are very easily changed, and most people use the Internet from different IP addresses every day. As a result, attempting to block someone based on an IP address doesn’t 'block' them except in a very temporary sense. It pauses them for a few seconds more than actually blocks them."
Another legal expert, who doesn't wish to be named, doesn't see this decision having any broad effect. He summarized the decision as "The defendant moves to dismiss a CFAA complaint because the operator of a publicly-available Website cannot, it says, ban any particular user and use CFAA to enforce the ban. The court says it can't dismiss the complaint on that ground, because there's no support for the claimed immunity in the specific wording of the statute. The court says it isn't criminalizing widespread conduct, because the question involved (whether CFAA liability can attach for accessing websites one has been specifically banned from) doesn't involve those ordinary forms of cloaking," such as proxies, VPNs, or Tor.
In short, this is a decision applying only to a narrow, specific circumstance.
Hanni M. Fakhoury, staff attorney for the EFF, disagrees with the decision, "The court held that since everyone is 'authorized' to access a publicly accessible website under the CFAA, a party (here Craigslist) has to prove that this authorization was somehow revoked. In this case, the court said Craigslist's act of blocking 3Taps IP address and the cease and desist letter were enough to 'revoke' the authorization. We disagree that IP address blocking is a sufficient type of technological circumvention to prove 'access with authorization' under the CFAA since (1) its common and easy to mask your IP address; and (2) there are legitimate reasons to do so."
But could this decision affect you and your use of such IP masking technologies? Fakhoury replied, "As to whether it would impact other technologies like Tor, etc., the decision doesn't criminalize those steps in isolation. The opinion only says that if you use one of these techniques to work around the revocation of your access, there's a CFAA claim." So, while not a correct decision, it's still rather narrow in its potential application.
- CNET: Court rules that IP cloaking to access blocked sites violates law
- CNET: 3Taps countersues Craigslist, alleges unfair 'monopoly'
- CNET: Craigslist sues PadMapper for 'mass harvesting' listings
- No more adult services on Craigslist: 1st Amendment issue or business decision?
- How did Craigslist manage to become the king of classifieds?