Public website owners have the right to selectively block users from their sites and anyone who intentionally circumvents those blocks may be violating provisions of the Computer Fraud and Abuse Act (CFAA), a federal judge in California ruled Friday.
The ruling involves a dispute between Craigslist and 3Taps Inc., an online ad aggregator that basically copies and republishes online ads.
Craigslist claimed that 3Taps scrapes, collects and reposts all of Craigslist's classified advertisements in real time. In 2012, Craigslist sent a cease-and-desist letter asking 3Taps to stop accessing its website. Craigslist also separately configured the site to block access to it from any IP address associated with 3Taps.
However, 3Taps used IP rotation technology and proxy servers to bypass the blocks and continued to harvest and repost data gathered from Craigslist.
In a lawsuit filed in the U.S. District Court for the Northern District of California, Craigslist accused 3Taps of copyright infringement and of "unauthorized access" to its website as defined under the CFAA. Craigslist alleged that 3Taps had not only violated Craigslist's Terms of Service but had also deliberately circumvented Craigslist's IP blocking measures.
3Taps admitted that it intentionally circumvented the blocking. But in a motion to dismiss the lawsuit, 3Taps noted that Craigslist, by making its website publicly available, had essentially authorized the entire Internet to access and use its content. The company claimed that allowing owners of publicly accessible websites to selectively block individuals and groups was dangerous and contrary to the notion of a free and open Internet.
In a 13-page ruling, District Court Judge Charles Breyer dismissed those arguments and held that 3Taps had accessed Craigslist without specific authorization from the website owner.
"The law of trespass on private property provides a useful, if imperfect, analogy," Breyer wrote in his ruling. "Store owners open their doors to the public, but occasionally find it necessary to ban disruptive individuals from the premises. That trespass law has enforced those bans with criminal penalties has not, in the brick and mortar context, resulted in the doomsday scenarios predicted by 3Taps in the Internet context."
Even though Craigslist set up a public website, it was still within its rights to selectively block people it considered undesirable. There is nothing in the CFAA that specifically prohibits websites such as Craigslist from blocking people from their sites on a case-by-case basis, Breyer noted.
"Here, under the plain language of the statute, 3Taps was 'without authorization' when it continued to pull data off of Craigslist's website after Craigslist revoked its authorization to access the website," Breyer wrote.
The key point to consider is not the cease-and-desist letter, but the fact that Craigslist used specific IP blocking technology to keep 3Taps away.
It was "a clear signal from the computer owner to the person using the IP address that he is no longer authorized to access the website," Breyer noted. 3Taps indisputably knew that Craigslist was blocking access its site, but it went ahead anyway by circumventing the barrier Craigslist had in place, he noted.
"The banned user has to follow only one, clear rule: do not access the website," Breyer said.
The ruling caused some concern among rights advocates who have expressed concern over what they call an overly broad use of the CFAA to prosecute people for crimes it was never meant to address.
Concerns over the law peaked earlier this year following the death of Internet activist Aaron Swartz who committed suicide over the prospect of spending up to 35 years in prison on hacking-related charges. Another case that evoked similar concerns involved Andrew Auernheimer, who was sentenced to 41 months in prison for illegally accessing emails and other data belonging to about 120,000 iPad subscribers of AT&T.
In both cases, critics contend that prosecutors improperly used the CFAA to prosecute individuals. The CFAA, enacted by Congress in 1986, makes it illegal to knowingly access a computer without authorization or to exceed authorized use of a system. In intent and spirit, the CFAA is an online anti-trespassing law targeting criminal hackers who break into systems to steal or sabotage data. Critics contend that overzealous prosecutors are using CFAA to pursue individuals for far less serious crimes.
Hanni Fakhoury, staff attorney at the Electronic Frontier Foundation, said the big question raised by the Craigslist case is whether circumventing IP blocking technology constitutes unauthorized access.
"Quite frankly, we don't think it is, since it's an easy and common thing to do that can be done for legitimate reasons -- such as not revealing your location," he said. "Plus it's not really an access restriction, but rather a disguised use restriction."
In a blog post, Orin Kerr, professor of law at the George Washington University Law School, noted that a CFAA violation must involve situations where someone breaks through or circumvents a technical barrier to access a computer system. The big question in this case is whether IP blocking is a measure that can really be considered such a barrier, he said.
"IP addresses are very easily changed, and most people use the Internet from different IP addresses every day," Kerr wrote.
"As a result, attempting to block someone based on an IP address doesn't 'block' them except in a very temporary sense," Kerr said. "It pauses them for a few seconds more than actually blocks them. It's a technological barrier in the very short term, but not in the long term. Is that enough to constitute a technological barrier?"
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.
Read more about internet in Computerworld's Internet Topic Center.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.