The United States District Court for the Northern District of California recently refused to dismiss a Computer Fraud and Abuse Act (CFAA) claim with an unusual twist: the defendant allegedly circumvented an IP address block after receiving a cease-and-desist letter from the plaintiff and therefore is alleged to have acted “without authorization” in violation of the CFAA.
The dispute began with Craigslist Inc. sending a letter to 3Taps, Inc. because 3Taps was “scraping” content posted to the Craigslist website in real time and then using that information to create its own website and interface with the Craigslist information. The Craigslist letter told 3Taps that it was “no longer authorized to access” the Craigslist website. Craigslist also blocked IP addresses associated with 3Taps from accessing the Craigslist website. But 3Taps continued scraping information from the Craigslist website by using different IP addresses and proxy servers. Craigslist then sued 3Taps for violating the CFAA. The court applied the language in the CFAA, a criminal statute that also allows a civil cause of action, that prohibits a defendant from “intentionally access[ing] a computer without authorization . . . and thereby obtain[ing] . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2)(c). Obvious enough, right?
I have written before about how the federal courts have struggled with whether the improper use of information obtained from a computer—often an employee downloading an employer’s confidential business information before heading to a rival company—implicates the CFAA, even when the employee had access to the information through his or her job in the first place and did not “hack” through any technological barriers to obtain that information. Some courts, like the First Circuit which includes Massachusetts, have found liability under the CFAA for improper use of information even when no hacking was involved, while others, like the Ninth Circuit, have only found liability when a person “hacks.” The Craigslist court is the Northern District of California, which is in the Ninth Circuit and is a “hacking” court. But some wanted the Craigslist court to go even further. Hanni Fakhoury, for example, a lawyer from the Electronic Frontier Foundation which filed a friend of the court brief in the Craigslist case, criticized the Craigslist decision because it did not interpret the CFAA narrowly enough. He said that “[t]he CFAA requires hacking—doing something that breaches a technological barrier, like cracking a password or taking advantage of a SQL injection. Changing your IP address is simply not hacking. That’s because masking your IP address is an easy, common thing to do.” So the battle over the proper interpretation of the CFAA rages on and will continue, probably until either Congress amends the statute or the Supreme Court steps in to decide which interpretation is the right one.