Litigation in the Craigslist vs. Padmapper/3Taps saga has been going on for some time now, and the last time we checked in, we posted the hypothetical question “Could Accessing Craigslist Be Considered A Crime Under The CFAA?” As a broad overview, Craigslist was not happy with the defendants scraping data from its servers, and then reposting it on their own sites, with different visual layouts. Among other arguments, Craigslist accused the defendants of violating the Computer Fraud and Abuse Act by continuing to go to the site after having their access “revoked” and their IP addresses blocked. 3Taps just developed new IP addresses, and continued its practice.
After a ruling earlier this month, we have something of an answer to our previously-posed question. As you might expect, this being the law, the answer is not absolute. Prior to this hearing, the EFF and other amici had contended that, since Craigslist is a public website, everyone should be “authorized” – to use the key word from the CFAA – to access it. On its blog, the EFF discusses how that argument was received:
[T]he court ruled that this interpretation of the CFAA “makes sense,” meaning that everyone starts out as “authorized” to access a publicly accessible website. But it found that, with respect to 3taps, craigslist had used its “power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website” by sending the cease and desist letter and blocking 3taps’ IP address. The decision is certainly a mixed bag.
3Taps’ own motion made similar policy-based arguments, but Justice Breyer of the U.S. District Court in Northern California as not swayed, stating:
3Taps asks this Court to hold that an owner of a publicly accessible website has no power to revoke the authorization of a specific user to access that website. However compelling 3Taps’ policy arguments, this Court cannot graft an exception on to the statute with no basis in the law’s language or this circuit’s interpretive precedent.
Justice Breyer offered a nice analogy:
“Store owners open their doors to the public, but occasionally find it necessary to ban disruptive individuals from the premises.”
As the EFF blog post points out, there are some troubling aspects to this decisi0n:
We believe that the CFAA requires hacking—doing something that breaches a technological barrier, like cracking a password or taking advantage of a SQL injection.
Changing your IP address is simply not hacking. That’s because masking your IP address is an easy, common thing to do. And there’s plenty of legitimate reasons to do so, whether its to protect your privacy, preserve innovation or avoid price discrimination. Plus, in the context of this case, craigslist’s IP address blocking and cease-and-desist letter combined to essentially act as a “use” restriction. In other words, craigslist relied on these two things to enforce its terms of service upon 3taps.
There’s a serious potential for mischief that is encouraged by this decision, as companies could arbitrarily decide whose authorization to “revoke” and need only write a letter and block an IP address to invoke the power of a felony criminal statute in what is, at best, a civil business dispute.
Though Justice Breyer acknowledged 3Taps’ “compelling.. policy arguments”, he still found that it is “for Congress to weigh” the implications of the law as it stands. 3Taps’ motion to dismiss was denied, and that company was effectively found to have intentionally gone against the letter of the law. We’ll see what the next chapter of this adventure holds.