The case in question, Craigslist vs. 3Taps, revolved around a copyright infringement claim by Craigslist against the data-gathering company 3Taps. 3Taps had been scraping Craigslist rental apartment ads and then feeding the data via an API to the apartment listing company PadMapper. PadMapper, in turn, used the data to create interactive maps for would-be renters using Google Maps. Craigslist claimed that this violated its terms of service (ToS).
As is so often the case in circumstances like this, 3Taps countersued, claiming that Craigslist was trying to create a monopoly by squeezing out other would-be online classified advertising businesses.
Craigslist then blocked 3Taps' Internet Protocol (IP) addresses from accessing its site. 3Taps continued, however, to pull Craigslist's data by concealing its identity with different IP addresses and proxy servers. Craigslist then argued that 3Taps' subterfuge violated the CFAA, which prohibits the intentional access of a computer without authorization that results in the capture of information from a protected computer.
Craigslist's CFAA claim bothered many experts.
The Electronic Frontier Foundation (EFF), in an amicus curiae brief to the Court, stated that the CFAA had "been stretched to cover all sorts of non-hacking behavior. This case perhaps represents the zenith of this trend: plaintiff Craigslist, Inc. (“Craigslist”) alleges defendant 3Taps Inc. (“3Taps”) violated the CFAA and Penal Code § 502 by copying data on Craigslist’s publicly available website and then republishing that information on its own website. Imposing CFAA liability under these circumstances means that it can now become criminal to copy and paste data from a publicly available website intended to be seen by as many people as possible on the Internet. A person using Craigslist to look for an apartment is authorized to write notes on a pen and paper, or manually plot apartment listings on a paper map. The same behavior should not be treated as criminal simply because it was done with a computer."
3Taps tried to have this CFAA claim thrown out, but Breyer ruled that "This Court cannot grant an exception on to the statute (the CFAA) with no basis in the law’s language or this circuit’s interpretive precedent. Accordingly, the Court DENIES 3Taps’ motion."
Kerr wrote, "IP addresses are very easily changed, and most people use the Internet from different IP addresses every day. As a result, attempting to block someone based on an IP address doesn’t 'block' them except in a very temporary sense. It pauses them for a few seconds more than actually blocks them."
Another legal expert, who doesn't wish to be named, doesn't see this decision having any broad effect. He summarized the decision as "The defendant moves to dismiss a CFAA complaint because the operator of a publicly-available Website cannot, it says, ban any particular user and use CFAA to enforce the ban. The court says it can't dismiss the complaint on that ground, because there's no support for the claimed immunity in the specific wording of the statute. The court says it isn't criminalizing widespread conduct, because the question involved (whether CFAA liability can attach for accessing websites one has been specifically banned from) doesn't involve those ordinary forms of cloaking," such as proxies, VPNs, or Tor.
In short, this is a decision applying only to a narrow, specific circumstance.
Hanni M. Fakhoury, staff attorney for the EFF, disagrees with the decision: "The court held that since everyone is 'authorized' to access a publicly accessible website under the CFAA, a party (here Craigslist) has to prove that this authorization was somehow revoked. In this case, the court said Craigslist's act of blocking 3Taps' IP address and the cease and desist letter were enough to 'revoke' the authorization. We disagree that IP address blocking is a sufficient type of technological circumvention to prove 'access with authorization' under the CFAA since (1) it's common and easy to mask your IP address; and (2) there are legitimate reasons to do so."
But could this decision affect you and your use of such IP masking technologies? Fakhoury replied, "As to whether it would impact other technologies like Tor, etc., the decision doesn't criminalize those steps in isolation. The opinion only says that if you use one of these techniques to work around the revocation of your access, there's a CFAA claim." So, while not a correct decision, it's still rather narrow in its potential application.