IP Cloaking Violates Computer Fraud and Abuse Act, Judge Rules

By David Kravets WIRED
08.20.13

A federal judge has ruled that circumventing an IP address blockade to connect to a website is a breach of the Computer Fraud and Abuse Act, the same law that was used to prosecute Aaron Swartz before he committed suicide earlier this year.

The decision (.pdf) by U.S. District Judge Charles Breyer marks the first time a court has offered this interpretation of a highly controversial law that affords both criminal and civil penalties. Congress passed the law in 1984 to combat hackers.

The legal issue concerns 3Taps, a site that was scraping classified ads from Craigslist and republishing them without consent. Craigslist sent the San Francisco aggregator a cease-and-desist letter and blocked 3Taps’ IP addresses from accessing the site. After circumventing the IP blockade, 3Taps continued scraping and was sued under the CFAA, which has since Swartz’s death been the target of calls for reform by lawmakers and the public.

“3Taps asks this Court to hold that an owner of a publicly accessible website has no power to revoke the authorization of a specific user to access that website. However compelling 3Taps’ policy arguments, this Court cannot graft an exception on to the statute with no basis in the law’s language or this circuit’s interpretive precedent,” Breyer ruled.

Friday’s decision means 3Taps likely faces a civil-damages trial for the “unauthorized access” unless Craigslist settles out of court.

Hanni Fakhoury, an attorney with the Electronic Frontier Foundation, which filed a friend-of-the-court brief with the judge, said the decision has its pluses and minuses.

Moreover, by focusing on the IP blocking, the court essentially agreed with the basic principle we’ve suggested as a means to limit the reach of the CFAA: that there must be circumvention of a technological barrier before a person can be found to have ‘accessed’ information or data ‘without authorization.’ In fact one proposal to reform the CFAA currently before Congress, ‘Aaron’s Law,’ defines ‘access without authorization’ to mean precisely that: ‘knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.’ The court adopted this idea in principle when it found that Craigslist’s CFAA claim was based on something more than violating the terms of service of a publicly accessible website, and indeed something more than the cease and desist letter alone.

But the minus, Fakhoury added: “We believe that the CFAA requires hacking—doing something that breaches a technological barrier, like cracking a password or taking advantage of a SQL injection. Changing your IP address is simply not hacking. That’s because masking your IP address is an easy, common thing to do.”

Breyer disagreed:

The banned user has to follow only one, clear rule: do not access the website. The notice issue becomes limited to how clearly the website owner communicates the banning. Here, Craigslist affirmatively communicated its decision to revoke 3Taps’ access through its cease-and-desist letter and IP blocking efforts. 3Taps never suggests that those measures did not put 3Taps on notice that Craigslist had banned 3Taps; indeed, 3Taps had to circumvent Craigslist’s IP blocking measures to continue scraping, so it indisputably knew that Craigslist did not want it accessing the website at all.

The judge added that he believes the decision isn’t going to penalize normal internet-surfing behavior:

Nor does prohibiting people from accessing websites they have been banned from threaten to criminalize large swaths of ordinary behavior. It is uncommon to navigate contemporary life without purportedly agreeing to some cryptic private use policy governing an employer’s computers or governing access to a computer connected to the internet. In contrast, the average person does not use “anonymous proxies” to bypass an IP block set up to enforce a banning communicated via personally-addressed cease-and-desist letter.

Orin Kerr, one of the country’s leading CFAA scholars, had this to say about the decision:

I think this analysis is somewhat misdirected. In my view, the fact that 3taps was on notice that Craiglist did not want them to access the Craigslist website is only relevant to show intent. From that perspective, Judge Breyer should have been clearer that the cease-and-desist letter couldn’t make visiting the website an “unauthorized access.” The letter is just a written statement of the owner’s wishes as to who can visit the site, just like Terms of Service. In my view, whether the facts of the 3Taps case amount to an unauthorized access hinges on the circumvention of IP blocking. If so, then the cease-and-desist letter shows that the act of unauthorized access was intentional; if not, then the letter does not have any relevance to the CFAA.

3Taps said (.pdf) it would obey Judge Breyer’s ruling. Ironically, however, the site announced it would continue accessing Craigslist’s classified adds.

Although craigslist may use the CFAA as currently interpreted to prevent 3taps from accessing its servers, 3taps can continue to function because directly accessing these servers is only one of three ways in which the information in question can be obtained. The other two, crowdsourcing and public search results, require no such access to Craigslist’s servers and thus obviate the need to engage in conduct that may implicate the CFAA. Going forward, 3taps will operate based on its understanding that if it does not access Craigslist’s servers, it has a right to collect public information originally posted on Craigslist’s website.

The Computer Fraud and Abuse Act was passed in 1984 to enhance the government’s ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality. The government, however, has interpreted the anti-hacking provisions to include activities such as violating a website’s terms of service or a company’s computer usage policy.

One of the latest criminal prosecutions under the act concerned Andrew “Weev” Auerheimer, who was sentenced to 3.5 years in prison for obtaining the personal data of more than 100,000 iPad owners from AT&T’s publicly accessible website.

Angry Designer (from Craigslist)

(Heh, I feel this guy's point for sure!--jef)

Post from CraigsList
Every day, there are more and more Craigs List posts seeking “artists” for everything from auto graphics to comic books to corporate logo designs. More people are finding themselves in need of some form of illustrative service.

But what they’re NOT doing, unfortunately, is realizing how rare someone with these particular talents can be.

To those who are “seeking artists”, let me ask you; How many people do you know, personally, with the talent and skill to perform the services you need? A dozen? Five? One? …none?

More than likely, you don’t know any. Otherwise, you wouldn’t be posting on craigslist to find them.

And this is not really a surprise.

In this country, there are almost twice as many neurosurgeons as there are professional illustrators. There are eleven times as many certified mechanics. There are SEVENTY times as many people in the IT field.

So, given that they are less rare, and therefore less in demand, would it make sense to ask your mechanic to work on your car for free? Would you look him in the eye, with a straight face, and tell him that his compensation would be the ability to have his work shown to others as you drive down the street?

Would you offer a neurosurgeon the “opportunity” to add your name to his resume as payment for removing that pesky tumor? (Maybe you could offer him “a few bucks” for “materials”. What a deal!)

Would you be able to seriously even CONSIDER offering your web hosting service the chance to have people see their work, by viewing your website, as their payment for hosting you?

If you answered “yes” to ANY of the above, you’re obviously insane. If you answered “no”, then kudos to you for living in the real world.

But then tell me… why would you think it is okay to live out the same, delusional, ridiculous fantasy when seeking someone whose abilities are even less in supply than these folks?

Graphic artists, illustrators, painters, etc., are skilled tradesmen. As such, to consider them as, or deal with them as, anything less than professionals fully deserving of your respect is both insulting and a bad reflection on you as a sane, reasonable person. In short, it makes you look like a twit.

A few things you need to know:

1. It is not a “great opportunity” for an artist to have his work seen on your car/’zine/website/bedroom wall, etc. It IS a “great opportunity” for YOU to have their work there.

2. It is not clever to seek a “student” or “beginner” in an attempt to get work for free. It’s ignorant and insulting. They may be “students”, but that does not mean they don’t deserve to be paid for their hard work. You were a “student” once, too. Would you have taken that job at McDonalds with no pay, because you were learning essential job skills for the real world? Yes, your proposition it JUST as stupid.

3. The chance to have their name on something that is going to be seen by other people, whether it’s one or one million, is NOT a valid enticement. Neither is the right to add that work to their “portfolio”. They get to do those things ANYWAY, after being paid as they should. It’s not compensation. It’s their right, and it’s a given.

4. Stop thinking that you’re giving them some great chance to work. Once they skip over your silly ad, as they should, the next ad is usually for someone who lives in the real world, and as such, will pay them. There are far more jobs needing these skills than there are people who possess these skills.

5. Students DO need “experience”. But they do NOT need to get it by giving their work away. In fact, this does not even offer them the experience they need. Anyone who will not/can not pay them is obviously the type of person or business they should be ashamed to have on their resume anyway. Do you think professional contractors list the “experience” they got while nailing down a loose step at their grandmother’s house when they were seventeen?

If you your company or gig was worth listing as desired experience, it would be able to pay for the services it received. The only experience they will get doing free work for you is a lesson learned in what kinds of scrubs they should not lower themselves to deal with.

6. (This one is FOR the artists out there, please pay attention.) Some will ask you to “submit work for consideration”. They may even be posing as some sort of “contest”. These are almost always scams. They will take the work submitted by many artists seeking to win the “contest”, or be “chosen” for the gig, and find what they like most. They will then usually have someone who works for them, or someone who works incredibly cheap because they have no originality or talent of their own, reproduce that same work, or even just make slight modifications to it, and claim it as their own. You will NOT be paid, you will NOT win the contest. The only people who win, here, are the underhanded folks who run these ads. This is speculative, or “spec”, work. It’s risky at best, and a complete scam at worst. I urge you to avoid it, completely. For more information on this subject, please visit www.no-spec.com.

So to artists/designers/illustrators looking for work, do everyone a favor, ESPECIALLY yourselves, and avoid people who do not intend to pay you. Whether they are “spec” gigs, or just some guy who wants a free mural on his living room walls. They need you. You do NOT need them.

And for those who are looking for someone to do work for free… please wake up and join the real world. The only thing you’re accomplishing is to insult those with the skills you need. Get a clue.