The United States District Court for the Northern District of California recently refused to dismiss a Computer Fraud and Abuse Act (CFAA) claim with an unusual twist: the defendant allegedly circumvented an IP address block after receiving a cease-and-desist letter from the plaintiff and therefore is alleged to have acted “without authorization” in violation of the CFAA.
The dispute began with Craigslist Inc. sending a letter to 3Taps, Inc. because 3Taps was “scraping” content posted to the Craigslist website in real time and then using that information to create its own website and interface with the Craigslist information. The Craigslist letter told 3Taps that it was “no longer authorized to access” the Craigslist website. Craigslist also blocked IP addresses associated with 3Taps from accessing the Craigslist website. But 3Taps continued scraping information from the Craigslist website by using different IP addresses and proxy servers. Craigslist then sued 3Taps for violating the CFAA. The court applied the language in the CFAA, a criminal statute that also allows a civil cause of action, that prohibits a defendant from “intentionally access[ing] a computer without authorization . . . and thereby obtain[ing] . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2)(c). Obvious enough, right?
Not quite. Craigslist is a website that normally is accessible by anyone with Internet access, so the court had to answer the question whether Craigslist’s removal of “authorization” to access its website through the cease-and-desist letter and blocking measures implicates the CFAA. To reach its conclusion, the court first decided that the CFAA does not state that the operator of a publicly available website cannot remove authorization to access that website from certain users. Second, the court concluded that under existing law, website owners have the power to revoke the authorizations that they grant. Third, the court addressed the Ninth Circuit’s concern that people should only be liable under the CFAA for improperly accessing information and not the improper use of information under “terms of use” policies that they may never have read. Since 3Taps received notice from Craigslist through the cease-and-desist letter that its authorization to access the Craigslist website had been revoked, but then circumvented the IP address block anyway, 3Taps clearly knew that it was acting “without authorization” when it accessed the Craigslist website.
I have written before about how the federal courts have struggled with whether the improper use of information obtained from a computer—often an employee downloading an employer’s confidential business information before heading to a rival company—implicates the CFAA, even when the employee had access to the information through his or her job in the first place and did not “hack” through any technological barriers to obtain that information. Some courts, like the First Circuit which includes Massachusetts, have found liability under the CFAA for improper use of information even when no hacking was involved, while others, like the Ninth Circuit, have only found liability when a person “hacks.” The Craigslist court is the Northern District of California, which is in the Ninth Circuit and is a “hacking” court. But some wanted the Craigslist court to go even further. Hanni Fakhoury, for example, a lawyer from the Electronic Frontier Foundation which filed a friend of the court brief in the Craigslist case, criticized the Craigslist decision because it did not interpret the CFAA narrowly enough. He said that “[t]he CFAA requires hacking—doing something that breaches a technological barrier, like cracking a password or taking advantage of a SQL injection. Changing your IP address is simply not hacking. That’s because masking your IP address is an easy, common thing to do.” So the battle over the proper interpretation of the CFAA rages on and will continue, probably until either Congress amends the statute or the Supreme Court steps in to decide which interpretation is the right one.