'No Trespassing!': An Expansion Of The Computer Fraud Act?
Today, privacy on the Internet is a subject that is often on our minds. How can I protect my personal information? Can I ensure my children are safe when surfing the web? Am I a target for identity theft? Can I avoid spam and marketing targeted to my browsing history?
Of course, there can also be more nefarious reasons for wanting to ensure your Internet activities are private.
One tool that is often employed to ensure privacy on the internet is an anonymizer. Generally, an anonymizer masks your Internet protocol address. An IP address is the equivalent of a street address, which allows a specific digital device to be identified and communicated with by another computer. IP addresses can be "anonymized" through, among other things, a proxy server, which acts as an intermediary between a specific digital device and the rest of the Internet — revealing the IP address of the proxy server in place of the device utilizing the service.
Anonymization can also be accomplished through use of a Virtual Private Network (VPN), which provides a secure Internet tunnel from a remote computer to a host computer. Used by many businesses to provide secure access to corporate files, a VPN would also have the effect of "masking" the IP "identity" of the internet user, in that the IP address of the host computer, rather than the remote computer, would be broadcast to any websites visited.
On August 16, 2013, in the case of Craigslist Inc. v. 3Taps Inc., et al., U.S. District Judge Charles R. Breyer, of California, confronted a situation where the plaintiff had served the defendant with a cease and desist letter, and further blocked defendant's specific IP address, utilizing technological measures to prohibit access to plaintiff's site. In response, the defendant employed an anonymizer to circumvent the IP block. Judge Breyer held in that case that defendant's use of an anonymizer after receipt of a C&D letter gave rise to a claim under the Computer Fraud and Abuse Act (CFAA). This was a new twist for the CFAA, which was enacted primarily to address hacking.
As many know, Craigslist provides a centralized location for online communities to post classified advertisements related to such things as jobs, housing, items for sale, and personal ads, among a variety of other things. Craigslist alleged that 3Taps copied the content from the Craigslist website and utilized the information for at least two purposes. First, 3Taps offered a Craigslist application programming interface (API) – which allowed third-parties to access and utilize Craigslist's content outside of Craigslists's website. Second, Craigslist contended, 3Taps operated its own website (www.craiggers.com), which duplicated the content of, and competed with, the Craigslist website.
Craigslist commenced litigation against 3Taps raising numerous claims, including one under the CFAA. Specifically, it alleged that 3Taps's actions violated 18 U.S.C. section 1030(a)(2) which prohibits someone from "intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and . . . obtain[ing] . . . information" as a result. The question before Judge Breyer was whether Craigslist, on a case by case basis, could revoke a party's access to its publically available website and invoke the protections afforded by the CFAA against a visitor whose access rights were revoked.
3Taps argued that it did not act without authorization — and appeared to imply that, once granted, Craigslist could not revoke access to its public website. The court was not persuaded by this suggestion and noted that the nature of the information at issue — i.e., publically available information — was not relevant to the question before it. Judge Breyer stated that while other sections of the CFAA took into consideration the quality of the information at issue, section 1030(a)(2) was silent on that issue. In exploring the "without authorization" language, the court found that cases in the employer/employee context confirmed "that computer owners have the power to revoke the authorizations they grant."
Judge Breyer further found the term "without authorization" to be plain and unambiguous and accepted that the common meaning of authorization was "permission or power granted by an authority." The court embraced an interpretation of the phrase as follows: "a person uses a computer 'without authorization' under the CFAA when the person has not received permission to use the computer for any purpose . . . or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway."
Applying that definition to the facts before it, the court concluded that, while Craigslist had originally granted the world access to the public information on its website, it subsequently revoked that access when it specifically rescinded 3Taps' right to continue to visit the website. Interestingly, the court did not indicate whether either the cease and desist letter or the IP banning alone would have been sufficient to demonstrate 3Taps'absence of authorization. Rather, the court held that those actions collectively provided 3Taps sufficient notice that the company had been banned from Craigslist. The court's failure to indicate whether the cease and desist letter alone was enough to create an "unauthorized access" is likely to generate further litigation on this issue in the future.