Court Holds That Public Websites Can Revoke Authorized Access Under the CFAA in Craigslist v. 3Taps.

3Taps used scripts to scrape ads from craigslist’s popular website in real time and then re-indexed the ads in different formats and made the information available to third parties.  Craigslist was not amused and sent 3Taps a cease and desist letter and took steps to block 3Taps I.P. addresses.  3Taps ignored the cease and desist letter and took steps to circumvent Craigslist’s I.P. address blocking by changing I.P. addresses and using proxy servers. Craigslist sued under the CFAA provision allowing for civil suits and 3Taps moved to dismiss. On April 30, 2013 the Court denied the part of 3Taps motion that sought to dismiss craigslist’s CFAA claim.  The Court held that access to craigslist’s website became unauthorized for 3Taps after the cease and desist letter and IP address blocking by craigslist.  The Court, however, did not delve into a deep analysis of the issues and noted “[t]he parties have not addressed a threshold question of whether the CFAA applies where the owner of an otherwise publicly available website takes steps to restrict access by specific entities.” 3Taps moved for supplemental briefing on the issue that the Court granted. Which brings us back to the August 16th decision.  The Court again denied 3Taps renewed motion to dismiss the CFAA counts.  It did so for the same reasons as before – cease and desist letters and I.P. address blocking can revoke access to a public website – but gave more depth to its analysis in what is a well written opinion. The Court starts off by saying it “makes sense” to assume that authorization to access information on a publicly available website is presumed. It cites Pulte Homes, Inc. v. Laborer’s Intern’l Union of N. Am., 648 F.3d 295, 304 (6th Cir. 2011) for this proposition.  Pulte involved a disgruntled labor union bombarding the phone and email systems of a home building corporation with robo-calls and e-mails.  The Pulte court rightly held that this did not constitute unauthorized access under the CFAA because Pulte’s systems were publicly facing.  And the craigslist Court rightly followed its logic. The more interesting issue is the Court’s holding that a public website can revoke individual access via a cease and desist letter and I.P. address blocking.  Here things get tricky, and one can spend hours debating the issues. For instance, allowing a publicly available website trafficking in publicly available information – information it did not generate but merely arranged – to make access unauthorized on the turn  of the website owner’s whim has significant criminal implications. It allows the website owner, using a cease and desist letter, or perhaps even a well-drafted terms of service agreement, to  make an individual’s access a CFAA felony just by saying so.  That’s because the CFAA is both a civil and criminal statute, and the civil and criminal provisions are basically identical.  And as for I.P. addresses, as our colleague Hanni Fakhoury notes over at EFF, many innocent computer users mask and çhange their I.P. addresses on a daily basis. In short, the issue is complicated. Judge Breyer’s decision is worth a read.  Here it is: Craigslist__Inc_v_3Taps__Inc__MTD_Denial Craigslist Inc., v. 3Taps Inc, et al. No. 12-CV-03816 (N.D. Ca. 2013) (CRB) -Tor      ]]]]> ]]>