Changing your IP address to access a blocked site might violate the Computer Fraud and Abuse Act — the 1980s anti-hacking law used to help prosecute Aaron Swartz, Andrew "weev" Auernheimer, Bradley Manning, and others. Late last week, a Californian US district court handed down a ruling that allowed Craigslist to go forward with part of its lawsuit against 3Taps, which aggregated its classified ads without permission. Because 3Taps continued to scrape and republish ads even after Craigslist banned a set of its IP addresses, Judge Charles Breyer found that it had intentionally accessed the company's servers without authorization, meeting the conditions of the CFAA.
The suit against 3Taps dates back to 2012, when Craigslist filed copyright cases against third-party sites that were mapping out or otherwise collecting listings in hopes of making them more user-friendly. But earlier this year, Judge Breyer dismissed Craigslist's copyright suit on the grounds that it didn't have an exclusive license on posts. That left only the CFAA charge, based on a cat and mouse game between Craigslist and 3Taps. In its attempt to stop third-party services, Craigslist sent a cease and desist letter to 3Taps, saying it was "prohibited from accessing craigslist's website or services for any reason." Then, it blocked all IP addresses associated with 3Taps from the site, but the service kept copying data, changing its IP addresses or running through proxy servers.
"The parties agree that 3Taps intentionally accessed Craigslist's protected computer."
"The parties agree that 3Taps intentionally accessed Craigslist's protected computer and obtained information from it," wrote Breyer. "The only dispute is whether 3Taps did so 'without authorization.'" The CFAA's rules about authorization often get boiled down into metaphors, and 3Taps argued that because Craigslist and its ads were open for everyone to see, ruling against it would be like fining someone for walking into an open store. Likewise, everyday users are likely to access a site from different IP addresses in the course of normal use.
Breyer, however, found this unconvincing. "Store owners open their doors to the public, but occasionally find it necessary to ban disruptive individuals from the premises," he wrote, and 3Taps' examples explaining ways the ruling would criminalize everyday behavior were "absurd" and "outlandish." While 3Taps had posited examples of how an innocent user could be liable for spending time on a site called "Don't Visit Me" after being warned not to click its links, Breyer said that the level of intent shown by 3Taps meant the ruling wouldn't apply to everyday activity, especially because Craigslist had specifically told it to stop collecting data.
The case against 3Taps is a civil lawsuit, not a criminal investigation like Swartz's case. It's also not yet over. Breyer's ruling slapped down 3Taps' attempt to get the case dismissed, meaning that the case could either officially go to trial or be concluded with a final judgment by Breyer. As it stands, though, Breyer has made a firm statement that 3Taps knew what it was doing, and that its actions clearly violate the letter of the law. "The current broad reach of the CFAA may well have impacts on innovation, competition, and the general 'openness' of the internet," he wrote in response to 3Taps' warnings, "but it is for Congress to weigh the significance of those consequences."