IP Cloaking Violates Computer Fraud and Abuse Act, Judge Rules

A federal judge has ruled that circumventing an IP address blockade to connect to a website is a breach of the Computer Fraud and Abuse Act, the same law that was used to prosecute Aaron Swartz before he committed suicide earlier this year.

The decision (.pdf) by U.S. District Judge Charles Breyer marks the first time a court has offered this interpretation of a highly controversial law that affords both criminal and civil penalties. Congress passed the law in 1984 to combat hackers.

The legal issue concerns 3Taps, a site that was scraping classified ads from Craigslist and republishing them without consent. Craigslist sent the San Francisco aggregator a cease-and-desist letter and blocked 3Taps' IP addresses from accessing the site. After circumventing the IP blockade, 3Taps continued scraping and was sued under the CFAA, which has since Swartz's death been the target of calls for reform by lawmakers and the public.

"3Taps asks this Court to hold that an owner of a publicly accessible website has no power to revoke the authorization of a specific user to access that website. However compelling 3Taps’ policy arguments, this Court cannot graft an exception on to the statute with no basis in the law's language or this circuit's interpretive precedent," Breyer ruled.

Friday's decision means 3Taps likely faces a civil-damages trial for the "unauthorized access" unless Craigslist settles out of court.

Hanni Fakhoury, an attorney with the Electronic Frontier Foundation, which filed a friend-of-the-court brief with the judge, said the decision has its pluses and minuses.

Moreover, by focusing on the IP blocking, the court essentially agreed with the basic principle we've suggested as a means to limit the reach of the CFAA: that there must be circumvention of a technological barrier before a person can be found to have 'accessed' information or data 'without authorization.' In fact one proposal to reform the CFAA currently before Congress, 'Aaron's Law,' defines 'access without authorization' to mean precisely that: 'knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.' The court adopted this idea in principle when it found that craigslist's CFAA claim was based on something more than violating the terms of service of a publicly accessible website, and indeed something more than the cease and desist letter alone.

But the minus, Fakhoury added: "We believe that the CFAA requires hacking—doing something that breaches a technological barrier, like cracking a password or taking advantage of a SQL injection. Changing your IP address is simply not hacking. That's because masking your IP address is an easy, common thing to do."

Breyer disagreed:

The banned user has to follow only one, clear rule: do not access the website. The notice issue becomes limited to how clearly the website owner communicates the banning. Here, Craigslist affirmatively communicated its decision to revoke 3Taps’ access through its cease-and-desist letter and IP blocking efforts. 3Taps never suggests that those measures did not put 3Taps on notice that Craigslist had banned 3Taps; indeed, 3Taps had to circumvent Craigslist’s IP blocking measures to continue scraping, so it indisputably knew that Craigslist did not want it accessing the website at all.

The judge added that he believes the decision isn't going to penalize normal internet-surfing behavior:

Nor does prohibiting people from accessing websites they have been banned from threaten to criminalize large swaths of ordinary behavior. It is uncommon to navigate contemporary life without purportedly agreeing to some cryptic private use policy governing an employer’s computers or governing access to a computer connected to the internet. In contrast, the average person does not use “anonymous proxies” to bypass an IP block set up to enforce a banning communicated via personally-addressed cease-and-desist letter.

Orin Kerr, one of the country's leading CFAA scholars, had this to say about the decision:

I think this analysis is somewhat misdirected. In my view, the fact that 3taps was on notice that Craiglist did not want them to access the Craigslist website is only relevant to show intent. From that perspective, Judge Breyer should have been clearer that the cease-and-desist letter couldn’t make visiting the website an “unauthorized access.” The letter is just a written statement of the owner’s wishes as to who can visit the site, just like Terms of Service. In my view, whether the facts of the 3Taps case amount to an unauthorized access hinges on the circumvention of IP blocking. If so, then the cease-and-desist letter shows that the act of unauthorized access was intentional; if not, then the letter does not have any relevance to the CFAA.

3Taps said (.pdf) it would obey Judge Breyer's ruling. Ironically, however, the site announced it would continue accessing Craigslist's classified adds.

Although craigslist may use the CFAA as currently interpreted to prevent 3taps from accessing its servers, 3taps can continue to function because directly accessing these servers is only one of three ways in which the information in question can be obtained. The other two, crowdsourcing and public search results, require no such access to craigslist’s servers and thus obviate the need to engage in conduct that may implicate the CFAA. Going forward, 3taps will operate based on its understanding that if it does not access craigslist's servers, it has a right to collect public information originally posted on craigslist's website.

The Computer Fraud and Abuse Act was passed in 1984 to enhance the government's ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality. The government, however, has interpreted the anti-hacking provisions to include activities such as violating a website’s terms of service or a company's computer usage policy.

One of the latest criminal prosecutions under the act concerned Andrew "Weev" Auerheimer, who was sentenced to 3.5 years in prison for obtaining the personal data of more than 100,000 iPad owners from AT&T's publicly accessible website.