Is evading an IP address block to access a website against the law?

A ruling in a lawsuit mounted by Craigslist and against ad indexing firm 3Taps has once again brought attention to the Computer Fraud and Abuse Act (CFAA), its vague wording, and the need to modernize it.

Craigslist accused 3Taps of harvesting, aggregating and publishing ads posted on Craigslist even when faced with a cease-and-desist letter.

In order to bypass the blocks that Craigslist put up to ban access to the site from IP addresses associated with 3Taps’ systems, the latter company used proxy servers and alternative IP addresses. This time, Craigslist decided to get the law on its side and sue 3Taps to make it stop the practice.

Under the CFAA, “whoever […] intentionally accesses a computer without authorization […] and thereby obtains […] information from any protected computer” shall be liable both civilly and criminally, but 3Taps argued that “an owner of a publicly accessible website has no power to revoke the authorization of a specific user to access that website.”

The company filed a motion to dismiss Craigslist’s complained, but the judge ruled against it.

“The law of trespass on private property provides a useful, if imperfect, analogy,” US District Court Judge Charles Breyer wrote in the document explaining his decision. “Store owners open their doors to the public, but occasionally find it necessary to ban disruptive individuals from the premises. That trespass law has enforced those bans with criminal penalties has not, in the brick and mortar context, resulted in the doomsday scenarios predicted by 3Taps in the internet context.”

3Taps argued that the decision to allow the civil lawsuit to pass would set a dangerous precedent when it comes to the application of the vague CFAA, but the judge said that “the Court’s decision concerning 3Taps’ persistent scraping efforts undertaken after receiving a cease-and-desist letter and employing IP rotation technology to mask its identity and overcome Craigslist’s technological barriers does not speak to whether the CFAA would apply to other sets of facts where an unsuspecting individual somehow stumbles on to an unauthorized site.”

“The current broad reach of the CFAA may well have impacts on innovation, competition, and the general ‘openness’ of the internet,” he allowed, but added that “it is for Congress to weigh the significance of those consequences and decide whether amendment would be prudent.”

The Congress may soon do so, as US Representative Zoe Lofgren and US Senator Ron Wyden have introduced in both houses of the US Congress a reform proposal for the outdated CFAA.

Dubbed Aaron’s Law after Aaron Swartz – the online innovator and activist who killed himself because he was facing up to 35 years in prison for an act that the government argued went against the CFAA – the proposal aims to distinguish the difference between common online activities and harmful attacks.

In the meantime, it’s unclear what now happens to the lawsuit. 3Taps said that they will respect the court’s decision, and that they will “immediately cease all access to Craigslist’s servers”.

“Going forward, 3Taps will operate based on its understanding that if it does not access Craigslist’s servers, it has a right to collect public information originally posted on Craigslist’s website,” they said. “Although Craigslist may use the CFAA as currently interpreted to prevent 3Taps from accessing its servers, 3Taps can continue to function because directly accessing these servers is only one of three ways in which the information in question can be obtained. The other two, crowdsourcing and public search results, require no such access to Craigslist’s servers and thus obviate the need to engage in conduct that may implicate the CFAA.”