Tapped Out: Controlling the internet via selective authorization

Craigslist, Inc. v 3Taps Inc., No. CV 12-03816 CRB. (N.D. Ca. August 16, 2013) is another case in a now long line of cases that establish that in most situations access to even an otherwise publicly accessible website can be controlled via selective authorization.

The 3Taps case is very straightforward.  3Taps scraped Craigslist’s website, and replicated it.  Craigslist sent them a letter revoking all permissions to access the Craigslist site, but 3Taps ignored that and circumvented IP filters and continued accessing the website, and replicating it.  In other words, Craigslist “singled out” 3Taps and told them that they could not access the Craigslist website.  3Taps was singled out because it was copying the entire Craigslist site, in apparent competition with Craigslist.

Note that unlike the Digital Millennium Copyright Act, which requires there to be sufficient technological measures to protect copyrighted content before there would be a finding of circumvention, under the CFAA, no such technological measures are required. 3Taps sought to dismiss the complaint filed by Craigslist, which asserted that 3Taps violated the Computer Fraud and Abuse Act (“CFAA”), which generally prohibits a person from “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer.”  The essence of 3Taps’ argument was that because the Craigslist website is publicly available, the CFAA does not apply, and therefore, just as anyone else had “authorization” to access and use the website, so did 3Taps.  [Note: this decision did not address copyright issues with 3Taps’ conduct.]

A long line of cases enforces “terms of service” either under contract law, under the CFAA, or both – that is, if terms of service authorize access to information on certain conditions, and those conditions are not met, then the access to that information is not authorized and is a violation of the contract and often, the CFAA.  See Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000), affirmed on other grounds, 356 F. 3d 393 (2nd Cir. 2004) and their progeny.

You can now add this case to that list.  This case even more bluntly stands for the proposition that a website owner can, with only the typical “protected class” exceptions, discriminate against a particular user and revoke authorization, while at the same time generally authorizing the public to access and use the website.  This right, moreover, does not make the website operator a so-called common carrier, and the website operator does not give up its other important immunities, such as the immunity under the Communications Decency Act (47 USC 230). There may be other limitations on a website’s right to discriminate – for example, there may be First Amendment interests in the data being accessed, or there might be an argument that certain provisions in a contract limitation constitute a copyright misuse (and hence might make enforcement of the contract, even under the CFAA, problematic).  However, in the majority of private interest cases like Craigslist (or Twitter, or Facebook or virtually any other social media provider) – the owner of the data is going to have a pretty broad right in the U.S. and under U.S. law to protect access to that data via restrictions either in a terms of service, or more directly as was done in the 3Taps case.

Congress is considering an amendment to the CFAA (Aaron’s Law – for background, see this Techdirt article, the EFF pages, and what I believe is the current draft here) that might limit a website platform operator’s use of the CFAA to control its content . . . but that issue has come up in various contexts before and Congress has not seemed to have much appetite for monkeying with the CFAA.  Also, that would not eliminate the breach of contract claim (see the Verio case above).

The 3Taps case has been cited in some online commentary for the proposition that IP proxies or anonymization systems (like Tor) are “illegal.”  That is not what the court held.  There are many legal and pro-privacy reasons to use such systems that would not violate the CFAA.  The simplest example would be use of such a system to avoid being tracked while browsing the web.  In these cases you are not accessing a protected computer without authorization; you are simply sending a false identifier to a computer that is collecting the data of its own volition.  The CFAA punishes unauthorized access, not access gained by presenting false location or identification data.  However, under the 3Taps case, apparently a terms of service agreement could be written to withdraw consent to any access of the site if a person is using a location or tracking anonymizer/IP spoofer, and hence, a person using such a service and accessing the site could then be in violation of the CFAA.  That question, however, also raises substantial 1st Amendment issues (right to anonymous speech), which were not present in 3Taps.  Thus, it is not clear at all that a court would hold that the CFAA claim would survive in that instance.

Until Congress modifies the CFAA, internet users should be cautious about use of “publicly available” but privately owned information on a website, RSS feed, social media firehose, or other resource, and be careful to read and comply with the terms of service.  [Note: this blog entry does not address governmental or public information, FOIA or the right (or lack of a right) under a contract or CFAA to “privatize” governmental public data.]

For more information contact Mike Oliver

(unless specifically attributed, all links on this page are provided for information purposes only and have not been vetted by, and do not necessarily represent the views of, the author)

Cybercrime Series – What is Cybercrime?

This column starts my foray into working with Hacksurfer (a client here) in explaining the legal side of cybercrime.  These articles are first published at the Hacksurfer site, which is a very good resource for this issue.  This article was published there about 3 months ago; more current articles are located there.  In the coming articles I am going to start from ground zero, introduce basic legal constructs and concepts, go through primarily federal criminal statutes, and then start working through major cases.  If I am successful and you manage to stay awake through it, you will have a deep understanding of the major aspects of cybercrime law.  I will throw in a little procedure as well, but criminal procedure is tedious, heavily constitutional, and frankly, more relevant to prosecutors and defense counsel than the average reader here.  I will also be reviewing all of the computer security laws that impact regular businesses, and going over common pitfalls, errors and issues that businesses face trying to navigate through the mass of computer security laws, rules, regulations and orders.

Just a real quick background on me – I grew up in the early 70’s and worked on every computer I could get my hands on – and learned any programming language I could when I was young.  Back then there were no remotely affordable hard drives – I learned on old IBM punch card decks, mainframes and low level consumer computers like the “Trash” 80, Commodore 64 and similar products.  There was no internet as we know it today, no email, and really, no electronic communications like electronic mail, short message service or instant messaging that someone not inside of ARPANET could get their hands on.  To me, “hacking” always meant “hacking code” that is, trying to make the code more efficient, elegant, robust, and resilient.  After a few movies popularizing unauthorized access to computers, which labeled that activity “hacking” – the term has become more criminal sounding than programming sounding.  In these articles I will usually use “cracking” to describe the efforts to gain unauthorized access to a computer, and “hacking” to refer to source code development – i.e. “code hacking.”

Also a brief word about citations.  I will cite to both primary source materials (i.e. the actual code, case etc.) and to secondary sources, such as Wikipedia.  My articles are not intended to be scholarly, so I have not verified any source or statement.  I merely provide the user with additional points of reference if they are interested.  Note that I am also not treating the telephone system as a general purpose computer, and for the purposes of these articles, am excluding unauthorized access to non-digital telephone networks.

So, let’s start at the beginning.  The first real digital computer, the ENIAC, was invented in 1945, and began operations in 1946.  [Ref]  That computer, and all digital computers after it, until a digital transmission network was reliably established (the first true digital communication packet was transmitted on October 29, 1969 via ARPANET) had one important common feature – they were accessible only from a standard input terminal and had physical limitations, that is, they were generally not accessible remotely.

While these computers could be accessed without authorization, early computers had extremely proprietary software interfaces, it was very hard to gain physical access to them, and they tended to be operated for military or other government activity and hence were very secure.  The number of reported computer crimes against these early computers is very low, and those crimes tended to be committed by employees or other persons who had physical access to the computer – true computer crime was likely related to spying.  See generally, Kabay, M.E., A Brief History of Computer Crime: An Introduction for Students, at p. 5 (2008).

So before there was “cyber crime” there was “computer crime” – and conceptually this is quite a distinct crime.  Computer crime was more akin to breaking and entering, or vandalism, because it tended to be destruction of the computer itself.  Cybercrime as we know it today involves unauthorized access to, or exceeding authorized access in respect of, a protected computer.  The key to most current cybercrime statutes is this concept of a protected computer.  A protected computer is defined as “a computer— (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or (B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.”  See 18 USC Sec 1030(e)(2) (emphasis added).

The emphasized language is the first step into the green-is-blue world of law, and your first introduction to legal terms of art.  A term of art in law is a word or phrase that has a common English meaning, but has a very technical, specific meaning in the legal context.  In this particular case, “used in or affecting interstate commerce” essentially means any computer connected to the internet.

More on how we get there in the next installment, where we will discover how the law impacts a person accessing a protected computer.  (Consider momentarily you and your spouse are separating, and you want to view your spouse’s emails for infidelity . . . how does this concept of “protected computer” impact what you can do without committing a felony?)  We will see . . .

Best – mike oliver