What is unauthorized access? That question confounds any lawyer attempting to discern the restrictions and limits of the Computer Fraud and Abuse Act (CFAA). The US District Court of Northern California recently addressed the issue in Craigslist v. 3taps, wherein the court moved not to dismiss Craigslist’s charges of CFAA violations. In this case, 3taps took and republished ads from Craigslist. Craigslist reacted by sending a cease-and-desist letter, then blocking IP addresses originating from 3taps. Craigslist then sued 3taps for violation of the CFAA, along with a number of other causes of action.
While the headlines appear jarring, this case is actually both rather straightforward and an interesting study in the problems with the CFAA. The CFAA, a 1986 law designed to deter hacking, generally makes “accessing a computer without authorization or [by exceeding] authorized access” illegal. There are more specific sections of the law as well, mostly dealing with various forms of fraud or breaking into government computers. The issue with the CFAA and its accompanying case law is that the statute’s language is very broad. Courts could potentially interpret “without authorization” to include any number of activities. Prosecutors have cited the CFAA in cases ranging from violating terms of service to mass-downloading academic and scientific papers from a government database as violations of the CFAA. The courts don’t always agree, rejecting some of these interpretations (like the terms of service case in US v. Lori Drew).
The judge in this case uses straightforward logic: Craigslist normally holds itself open for any user to access. Craigslist then rescinded that access to 3taps by specifically blocking their IP addresses after sending 3taps a cease-and-desist order (removing 3taps’ authorization). Any further attempts to access Craigslist constitutes access without authorization, and results in a CFAA violation. Judge Charles Breyer, the judge in this case, felt that imposing a technological barrier to access constitutes revoking authorization for an otherwise public site.
Orin Kerr of The Volokh Conspiracy feels that it’s a little disappointing that the judge did not explore this notion of requiring some technological barrier for revoking authorization. While I agree, it makes sense in the context of the ruling. Judge Breyer spends most of the time explaining why 3taps’ situation is an access restriction rather than a use restriction (which would not violate the CFAA according to the Ninth Circuit’s case law), and views imposing technological barriers as an obvious limitation on access. The judge does ignore some rather obvious technological questions, such as whether the blocked entity has a dynamic IP (which changes from time to time) or whether accessing the website through a non-blocked IP still constitutes accessing the website without authorization. Would the authorization only apply to blocked IPs, or would it still apply broadly (as in, if a website chose to block a few IP addresses from a user, would any further access constitute access without authorization)?
There is also the issue of verification. IP addresses are, simply put, an unreliable method of verifying a particular user. In copyright infringement cases (where plaintiffs often claim IP addresses act as a form of verification), some courts have held that the address by itself is not enough to identify a defendant. A plaintiff usually needs to prove that the defendant used that particular IP at the time of infringement, which requires supporting documentation (especially in households with more than one internet user). While copyright infringement is obviously very different from a CFAA violation, the identification issue affects both. In some ways, identification is a more serious issue in the context of the CFAA since the CFAA imposes criminal penalties.
After the suicide of Aaron Swartz over CFAA charges, it should be interesting to see how legislators (and prosecutors) handle CFAA issues in the future. The CFAA requires more clarity, even in cases like this one where the nature of the violation is clear.