During the debate over the Aaron Swartz case, one of the legal issues was whether Swartz had committed an unauthorized access under the CFAA when he changed his IP address to circumvent IP address blocking imposed by system administrators trying to keep Swartz off the network. There was significantly more to the CFAA charges than that, to be clear, including circumventing a subsequent MAC address block and (most significantly) entering an MIT storage closet to install his computer directly. But changing IP addresses to get around IP address blocking was at least one of the possible grounds of unauthorized access. On Friday, Judge Breyer of the Northern District of California handed down the first decision directly addressing the issue. Judge Breyer ruled that changing IP addresses to get around a block is an unauthorized access in violation of the CFAA. The decision is here: Craigslist v. 3taps, Inc..
The facts of the case are very simple. 3taps aggregates and republishes ads from the popular Craigslist website by scraping data from Craigslist. Craigslist responded by sending 3taps a cease-and-desist letter and by blocking the IP addresses associated with 3taps’s computers. 3taps continued to access Craigslist by changing the IP addresses by which its computers accessed Craigslist’s servers. Craigslist then sued 3taps, alleging claims including copyright, state law violations, and the CFAA. For its CFAA claims, Craigslist argued that 3taps violated the CFAA by (a) violating Craigslist’s Terms of Service, which prohibited scraping; and (b) circumventing the IP address block after receiving a cease-and-desist letter.
In an earlier decision, Judge Breyer had indicated that that violating the Craiglist’s Terms of Service did not trigger a CFAA violation. See Craigslist Inc. v. 3Taps Inc. — F.Supp.2d —-, 2013 WL 1819999 (N.D.Cal. April 30, 2013). In the new opinion issued on Friday, however, Breyer ruled that the same was not true with 3taps’s circumventing the IP address block. To be sure, Craigslist had granted authorization to everyone by setting up a public website that anyone could access. But when Craigslist had sent the cease-and-desist letter and then blocked 3taps’s IP addresses, Breyer ruled, Craigslist had exercised its “power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website.”
Here, under the plain language of the statute, 3Taps was “without authorization” when it continued to pull data off of Craigslist’s website after Craigslist revoked its authorization to access the website. As the “ordinary, contemporary, common meaning” of the word indicates, and as Brekka expressly held, “authorization” turns on the decision of the “authority” that grants — or prohibits — access. In Brekka, the authority was the employer. Here, it is Craigslist. Craigslist gave the world permission (i.e., “authorization”) to access the public information on its public website. Then, just as Brekka instructed that an “authority” can do, it rescinded that permission for 3Taps. Further access by 3Taps after that rescission was “without authorization.”
Judge Breyer distinguished the circumvention of IP blocking after receiving a letter from violating Terms of Service (not covered by the CFAA) on the ground that a person who has received a letter and then had an IP address blocked has clear notice that their right to access the website has been revoked:
The banned user has to follow only one, clear rule: do not access the website. The notice issue becomes limited to how clearly the website owner communicates the banning. Here, Craigslist affirmatively communicated its decision to revoke 3Taps’ access through its cease-and-desist letter and IP blocking efforts. 3Taps never suggests that those measures did not put 3Taps on notice that Craigslist had banned 3Taps; indeed, 3Taps had to circumvent Craigslist’s IP blocking measures to continue scraping, so it indisputably knew that Craigslist did not want it accessing the website at all.
Nor does prohibiting people from accessing websites they have been banned from threaten to criminalize large swaths of ordinary behavior. It is uncommon to navigate contemporary life without purportedly agreeing to some cryptic private use policy governing an employer’s computers or governing access to a computer connected to the internet. In contrast, the average person does not use “anonymous proxies” to bypass an IP block set up to enforce a banning communicated via personally-addressed cease-and-desist letter. See Compl. ¶ 84. Thus, a meaningful distinction exists between restricting uses of a website for a certain purpose and selectively restricting access to a website altogether.
Further, an IP address block imposed a technological barrier whereas Terms of Service do not:
Here, it is possible to distinguish the kind of restriction in place from Craigslist’s motivation for imposing that restriction. Craigslist made a complete access restriction when it told 3Taps that it could not access Craigslist’s website “for any reason,” and then put in place a technological barrier designed to completely cut off 3Taps’ ability to view the site. That it did so because of how 3Taps used Craigslist’s information is true, but beside the point, because as discussed above, true access restrictions do not present the same notice and breadth issues that come with the criminalization of use policies.
. . . IP blocking may be an imperfect barrier to screening out a human being who can change his IP address, but it is a real barrier, and a clear signal from the computer owner to the person using the IP address that he is no longer authorized to access the website.
. . . .
To be sure, later cases may confront difficult questions concerning the precise contours of an effective “revocation” of authorization to access a generally public website. This Court cannot and does not wade into that thicket, except to say that under the facts here, which include the use of a technological barrier to ban all access, 3Taps’ deliberate decision to bypass that barrier and continue accessing the website constituted access “without authorization” under the CFAA.
A few thoughts:
1) I’ve long argued that circumventing some kind of technological barrier is required to violate the CFAA, and this opinion seems consistent with that. Once you accept that premise, though, you run into the issue of what counts as a technological barrier. Judge Breyer sees IP blocking as sufficient. But it’s unfortunate that Breyer doesn’t give the issue more analysis, as I think it’s a really interesting question. The counterargument runs like this. IP addresses are very easily changed, and most people use the Internet from different IP addresses every day. As a result, attempting to block someone based on an IP address doesn’t “block” them except in a very temporary sense. It pauses them for a few seconds more than actually blocks them. It’s a technological barrier in the very short term but not in the long term. Is that enough to constitute a technological barrer?
2) Judge Breyer’s opinion appears to mix up two different aspects of the CFAA. The first aspect is the prohibition on unauthorized access, and the second is its associated mental state element of intent. The CFAA only prohibits intentional unauthorized access; merely knowingly or recklessly accessing without authorization is not prohibited. So whatever unauthorized access means, the person must be guilty of doing that thing (the act of unauthorized access) intentionally to trigger the statute. Breyer seems to mix up those elements by focusing heavily on the fact that 3taps knew that Craigslist didn’t want 3taps to access its site. According to Judge Breyer, the clear notice meant that the case before him didn’t raise all the notice and vagueness issues that prompted the Ninth Circuit’s decision in Nosal.
I think this analysis is somewhat misdirected. In my view, the fact that 3taps was on notice that Craiglist did not want them to access the Craigslist website is only relevant to show intent. From that perspective, Judge Breyer should have been clearer that the cease-and-desist letter couldn’t make visiting the website an “unauthorized access.” The letter is just a written statement of the owner’s wishes as to who can visit the site, just like Terms of Service. In my view, whether the facts of the 3taps case amount to an unauthorized access hinges on the circumvention of IP blocking. If so, then the cease-and-desist letter shows that the act of unauthorized access was intentional; if not, then the letter does not have any relevance to the CFAA.
Anyway, it’s a very interesting case. By way of full disclosure, I have discussed this case with the defendant’s side but my analysis here remains my independent opinion.
UPDATE: I have fiddled with the post a bit shortly after putting it up to make my argument more clear.