US court rules masking IP address to access blocked Website violates law

US court rules masking IP address to access blocked Website violates law

Summary: But the verdict is probably far narrower in its implications that some believe. Still, it's a troubling decision about a controversial law.

SHARE:

U.S. District Judge Charles Breyer in Northern District of California has ruled that avoiding an IP address block to connect to a Website is a breach of the Computer Fraud and Abuse Act (CFAA). Some have taken this decision to mean that the court's broad interpretation of the law may mean accessing Websites that are accessible only to some users by proxy servers , virtual private networks (VPN)s, or Tor may be illegal. 

PadMapper
According to the court, neither 3Taps nor Padmapper can use Craigslist's data for their online maps of available apartments.

This decision arose from a case that all started because, unlike many other popular sites, Craigslist does not provide an application programming interface (API) for third party services to use its data. Indeed, in the summer of 2012, Craigslist briefly claimed the copyright over everything posted on Craigslist.

Craig Newmark, founder of Craigslist, who says that he's merely a "customer support representative" for the company, told Ars Technica last year that "I can say that our culture has always been community-driven, and what they tell us, in large numbers and for years, [is] that their posts are not to be used by others for profit." One of Craiglist's sources of income is charging for commercial apartment listings.

The case in question, Craigslist vs. 3Taps, revolved around a copyright infringement claim by Craigslist against data gathering company 3Taps. 3Taps had been scraping Craigslist rental apartment ads and then feeding the data via an API to the apartment listing company PadMapper. This business, in turn, used the data to create interactive maps using Google Maps for would-be renters. Craigslist claimed that this violated its terms of service (ToS).

So typical of a ToS legal disagreement, PadMapper and 3Taps came up with a workaround. Craigslist retaliated with a copyright claim against the two companies.

As is so often the case in circumstances like this, 3Taps countersued, claiming that Craigslist was trying to create a monopoly by squeezing out other would-be online classified advertising businesses.

Craigslist then blocked 3Taps Internet Protocol (IP) addresses from accessing its site. 3Taps continued, however, to pull Craigslist's data by concealing its identity with different IP addresses and proxy servers. Craigslist then argued that the 3Taps' subterfuge violated the CFAA which prohibits the intentional access of a computer without authorization that results in the capture of information from a protected computer.

Craiglist's CFAA claim bothered many experts.

The Electronic Frontier Foundation (EFF) in an amicus curiae to the Court stated that the CFAA had "been stretched to cover all sorts of non-hacking behavior. (PDF Link) This case perhaps represents the zenith of this trend: plaintiff Craigslist, Inc. (“Craigslist”) alleges defendant 3Taps Inc. (“3Taps”) violated the CFAA and Penal Code § 502 by copying data on Craigslist’s publicly available website and then republishing that information on its own website. Imposing CFAA liability under these circumstances means that it can now become criminal to copy and paste data from a publicly available website intended to be seen by as many people as possible on the Internet. A person using Craigslist to look for an apartment is authorized to write notes on a pen and paper, or manually plot apartment listings on a paper map. The same behavior should not be treated as criminal simply because it was done with a computer."

3Taps tried to have this CFAA claim thrown out but Breyer ruled that "This Court cannot grant an exception on to the statute (the CFAA) with no basis in the law’s language or this circuit’s interpretive precedent. Accordingly, the Court DENIES 3Taps’ motion." (PDF Link).

Orin S. Kerr, a professor of law at the George Washington University, believes Judge Breyer's decision is the first to directly address the issue that changing IP addresses to get around a block is an unauthorized access in violation of the CFAA. It's not a decision, he's happy with.

Kerr wrote, "IP addresses are very easily changed, and most people use the Internet from different IP addresses every day. As a result, attempting to block someone based on an IP address doesn’t 'block' them except in a very temporary sense. It pauses them for a few seconds more than actually blocks them."

Another legal expert, who doesn't wish to be named, doesn't see this decision having any broad effect. He summarized the decision as "The defendant moves to dismiss a CFAA complaint because the operator of a publicly-available Website cannot, it says, ban any particular user and use CFAA to enforce the ban. The court says it can't dismiss the complaint on that ground, because there's no support for the claimed immunity in the specific wording of the statute. The court says it isn't criminalizing widespread conduct, because the question involved (whether CFAA liability can attach for accessing websites one has been specifically banned from) doesn't involve those ordinary forms of cloaking," such as proxies, VPNs, or Tor.

In short, this is a decision applying only to a narrow, specific circumstance. 

Hanni M. Fakhoury, staff attorney for the EFF, disagrees with the decision, "The court held that since everyone is 'authorized' to access a publicly accessible website under the CFAA, a party (here Craigslist) has to prove that this authorization was somehow revoked. In this case, the court said Craigslist's act of blocking 3Taps IP address and the cease and desist letter were enough to 'revoke' the authorization. We disagree that IP address blocking is a sufficient type of technological circumvention to prove 'access with authorization' under the CFAA since (1) its common and easy to mask your IP address; and (2) there are legitimate reasons to do so."

But could this decision affect you and your use of such IP masking technologies? Fakhoury replied, "As to whether it would impact other technologies like Tor, etc., the decision doesn't criminalize those steps in isolation. The opinion only says that if you use one of these techniques to work around the revocation of your access, there's a CFAA claim." So, while not a correct decision, it's still rather narrow in its potential application. 

Related Stories:

Topics: Networking, Legal, Software, Web development

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

8 comments
Log in or register to join the discussion
  • This could start a trade war

    Australians are doing this now with tacit approval from the governing political party to access restricted content in the US. (Restricted in breach of the Free Trade Agreement). This could get interesting. The Free Trade US bravado is only free trade when it suits.
    Letterboxfrog
    • just?

      This officially means USA= fascism
      anywherehome
  • Wonder if our insurance company will change...

    We attempted to access our insurance company from a different continent than North America and found the IP range we were connected with blocked. I could at the time SSH to a machine located in the USA and successfully access the insurance company site. Said company did not get paid until our return... sucks to be them! (shrug)
    mdlueck
  • US court rules masking IP address to access blocked Website violates law

    No, the judge only blocked a motion to have a case thrown out. Good heavens, this isn't the broad decision Steven makes it out to be.

    A denied motion does NOT indicate any particular violation of law, it only blocks a motion in this case in this court.

    Wait for the appeals that will surely come. Once it makes its way to the Supreme Court in about a decade, then you can call it law.

    Steven is, once again, spreading FUD and trying to upset people over what amounts to nothing.
    Cynical99
  • SKIM anyone?

    JEEEZZZ.
    All this fuss over a little SKIMMING.
    It's akin to advertisements loading on our PC's email and they never worry about how much bandwidth they SKIM loading said adverts.
    fm-usa
  • future problems

    Whether they're making it an issue with VPNs, proxys and tor now isn't the issue, it's how they use the law in the future, and this law definitely lays the framework for future problems.
    Brian_C
  • Seriously?

    Making something illegal that you cannot stop from happening sounds a bit like our government preparing to sensor the information we can see.

    Yes I get what the author is saying but, I also know that this present administration would give anything to make this Snowden stuff and their illegal activities disappear. I bet they really envy China right now.
    slickjim
  • Being incompetent is not a lawful claim

    No Law has been broken. If their 'construct' on the Internet is that flimsy, the onus is upon them. There is no 'expectation of security' for their site/service. That is their problem, not
    that of any user, or potential user. Being incompetent is not a lawful claim.
    chiliboots2000@...