Judge Rules IP Masking is a Violation of the Computer Fraud and Abuse Act
In a court decision with potentially far-reaching unintended consequences, US District Judge Charles Breyer has ruled that circumventing an IP address blockade to connect to a website when you have been properly notified that the website wants you to stop visiting it is a violation of the Computer Fraud and Abuse Act (CFAA).
Passed by Congress in 1984, the highly controversial CFAA law was intended to combat hackers, attaching both civil and criminal penalties to enhance the government’s ability to prosecute anyone who accesses computers to steal information, or to disrupt and destroy computer functionality. More recently, the government has interpreted the anti-hacking provisions to include seemingly mundane and commonplace activities that may go so far as violating a corporate website’s terms of service or a company’s computer usage policy.
This particular case is involves 3Taps, an aggregator of Craigslist ads that allowed users to search all of Craigslist’s sites nationwide rather than checking each individual local Craigslist when searching for an item. While 3Taps may argue sites like theirs are providing a service to sellers and buyers, indirectly increasing the value of Craigslist’s ads, the management of Craigslist didn’t see it that way. After sending a cease-and-desist letter to 3Taps, Craigslist blocked the IP addresses 3Taps used to access Craigslist sites.
3Taps allegedly circumvented the blockade by masking their IP addresses, and continued scraping ads from the site, resulting in a lawsuit filed by Craigslist claiming a violation of the CFAA. In it’s argument before the court, Craigslist asserted that by spoofing their IP address, 3Taps committed “access without authorization,” which seems to be interpreted as the online equivalent of breaking and entering. 3Taps took the position that the sites were publicly accessible by anyone with an internet connection and that there was no legal framework for a site owner to have a legally enforceable revocation of access for any specific user of a website.
While friend-of-the-court briefs filed by technologists indicated that simple IP address masking should not constitute hacking, the judge disagreed, and stated in his decision that he did not think ordinary people mask their IP addresses – especially after being sent a cease and desist letter to put them on notice that their access invitation had been revoked. Some argue in the wake of the decision that courts fail to understand just how easy and widespread the practice of IP masking is on the internet these days as people seek to maintain some level of anonymity from advertisers and spying eyes. The result of this decision is that 3Taps will face a civil damages trial unless they settle with craigslist out of court, and they may also face criminal prosecution under the law as well though experts argue that is unlikely in this instance.
Meanwhile, in an official statement issued on their website, 3Taps has indicated that they will continue to aggregate Craigslist ads, stating: “Although craigslist may use the CFAA as currently interpreted to prevent 3taps from accessing its servers, 3taps can continue to function because directly accessing these servers is only one of three ways in which the information in question can be obtained. The other two, crowd-sourcing and public search results, require no such access to craigslist’s servers and thus obviate the need to engage in conduct that may implicate the CFAA. Going forward, 3taps will operate based on its understanding that if it does not access craigslist’s servers, it has a right to collect public information originally posted on craigslist’s website.”
The larger implication of this ruling is that relatively average users, now have a ruling that sets precedent in some jurisdictions, that if you do something to access a site by circumventing an IP block, whether to access a forum that has blocked your IP address, or something spoof your IP address to watch shows on the BBC’s Online UK-only iViewer from the United States to watch the latest episodes of Downton Abbey or Doctor Who, you may now be subject to the same harsh penalties intended for criminal hackers which include potential prosecution under the CFAA.
NationalNet will continue to monitor this ongoing litigation and work with our clients to secure their sites from malicious access by hackers while delving more deeply into the privacy implications that a ruling of this sort may have on the evolution of the internet itself, and the ways people use it in the months or years to come.