By Jon Brodkin
Changing your IP address or using proxy servers to access public websites you’ve been forbidden to visit is a violation of the Computer Fraud and Abuse Act (CFAA), a judge ruled Friday in a case involving Craigslist and 3taps.
The legal issue is similar to one in the Aaron Swartz case, in which there was debate over whether Swartz “had committed an unauthorized access under the CFAA when he changed his IP address to circumvent IP address blocking imposed by system administrators trying to keep Swartz off the network,” law professor Orin Kerr wrote yesterday on the Volokh Conspiracy blog.
The ruling in Craigslist v. 3taps (PDF) is the first “directly addressing the issue,” Kerr wrote. 3taps drew Craigslist’s ire by aggregating and republishing its ads, so Craigslist sent a cease-and-desist letter telling the company not to do that. Craigslist also blocked IP addresses associated with 3taps’ systems.
“3taps bypassed that technological barrier by using different IP addresses and proxy servers to conceal its identity and continued scraping data,” wrote Judge Charles Breyer of US District Court in Northern California. Craigslist subsequently accused 3Taps of violating the CFAA, which “imposes criminal penalties on any person who, among other prohibitions, ‘intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains… information from any protected computer.’”
3taps asked the court to “hold that an owner of a publicly accessible website has no power to revoke the authorization of a specific user to access that website” and argued that criminalizing its activity under the CFAA would create a slippery slope that could harm ordinary Internet users and allow Web companies to use anti-competitive practices.
Breyer denied the company’s motion, saying 3taps did not prove that Craigslist’s actions were illegal. Under the “plain language” of the CFAA, 3taps did not have authorization to visit Craigslist:
3taps’ argument starts out on firm statutory ground: “[B]y making the classified ads on its website publicly available, Craigslist has ‘authorized’ the world, including 3taps, to access craigslist.org.
But it does not answer the question here, which is whether Craigslist had the power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website. Craigslist certainly thought it had such authority and sought to exercise it through its cease-and-desist letter and IP blocking measures. 3taps says that Craigslist had no power to “de-authorize” anyone, but it cannot point to any language in the statute supporting that conclusion.
In fact, the statutory context and the Ninth Circuit’s interpretation of the phrase “without authorization” both cut against 3taps’ argument. One way to accomplish the result that 3taps urges—prohibiting computer owners from revoking “authorization” to access public websites—would be to restrict the kind of information protected by the CFAA. For example, Congress might have written § 1030(a)(2) to protect only “nonpublic” information. A neighboring provision in the CFAA includes that very modifier and prohibits access without authorization to “nonpublic” government computers. Another adjacent provision applies only to certain kinds of financial information. Congress apparently knew how to restrict the reach of the CFAA to only certain kinds of information, and it appreciated the public vs. nonpublic distinction—but § 1030(a)(2)(c) contains no such restrictions or modifiers.
Breyer also tore down 3taps’ slippery slope arguments. The average person does not use an anonymous proxy to bypass IP blocking enforced through a cease-and-desist letter addressed specifically to that person, the judge wrote:
Without any language in the statute to support its arguments, 3taps lets the cat out of the bag in the concluding section of its brief and urges consideration of “serious policy concerns” raised by straightforward application of the CFAA’s broad language. There, and sprinkled throughout its earlier, ostensibly text-based, arguments, 3taps posits outlandish scenarios where, for example, someone is criminally prosecuted for visiting a hypothetical website www.dontvisitme.com after a “friend”—apparently not a very good one—says the site has beautiful pictures but the homepage says that no one is allowed to click on the links to view the pictures. Needless to say, the Court’s decision [regarding 3taps’ actions]… does not speak to whether the CFAA would apply to other sets of facts where an unsuspecting individual somehow stumbles on to an unauthorized site.
3taps also invites this Court to make all manner of legislative judgments turning on, for example, the “culture” of the Internet, the Court’s view of whether accessing a website is more like window shopping from a public sidewalk or actually entering a store and whether “a permission-based regime for public websites could implode the basic functioning of the internet itself.” 3taps opines that “the ‘socially prudent’ benefits of finding an implied license [to access public website data] far outweigh any social utility derived from allowing a website owner to selectively block access to publicly available information, including by competitors.”
Maybe, or maybe not—but it is certainly not for this Court to impose its views on those matters on unambiguous statutory language.
IP blocking hardly much of a “technological barrier”
Kerr, a professor of law at George Washington University and a former trial attorney in the Computer Crime and Intellectual Property Section at the US Department of Justice, wrote that Breyer’s decision is consistent with his view that “circumventing some kind of technological barrier is required to violate the CFAA.” However, Kerr is disappointed that Breyer takes it as a given that changing one’s IP address or using a proxy counts as the circumvention of a technological barrier.
Whether Craigslist sent a cease-and-desist letter to 3taps is only necessary to prove 3taps’ intent in accessing the website despite being told not to, Kerr wrote. The “circumvention of a technological barrier” question is a separate one that isn’t addressed in the ruling in any depth, he wrote.
“The counterargument runs like this,” Kerr wrote. “IP addresses are very easily changed, and most people use the Internet from different IP addresses every day. As a result, attempting to block someone based on an IP address doesn’t ‘block’ them except in a very temporary sense. It pauses them for a few seconds more than actually blocks them. It’s a technological barrier in the very short term but not in the long term. Is that enough to constitute a technological barrier?”
Kerr wrote by way of disclosure that “I have discussed this case with the defendant’s side but my analysis here remains my independent opinion.”
The CFAA itself could get an overhaul in Congress due to a bill introduced in response to the prosecution of Swartz, who committed suicide before his trial.
The bill’s text “deletes the vague phrase ‘exceeds authorized access and clarifies the definition of ‘access without authorization,’ key fixes in a law that has for years been misinterpreted because of its vague definitions,” according to the Electronic Frontier Foundation. “Without this change, the government could’ve prosecuted everyday Americans for violating low-level terms of service violations… In short, everyone would be a criminal, leaving it up to the government to decide when and where to bring down the hammer.”