Company Using Proxy To Evade Craigslist Block Violated CFAA

WillgasM writes "Changing your IP address or using proxy servers to access public websites you've been forbidden to visit is a violation of the Computer Fraud and Abuse Act, according to a judge's broad ruling (PDF) during a case on Friday involving Craigslist and 3taps. Opponents argue that this creates a slippery slope that many unsuspecting web users may find themselves upon. With your typical connection being assigned an address dynamically, is an IP ban really a 'technological barrier' to be circumvented? How long until we see the first prosecution for unauthorized viewing of a noindex page?" Probably a long time; the judge in the case rejected the slippery slope argument: 'There, and sprinkled throughout its earlier, ostensibly text-based, arguments, 3taps posits outlandish scenarios where, for example, someone is criminally prosecuted for visiting a hypothetical website www.dontvisitme.com after a "friend" — apparently not a very good one — says the site has beautiful pictures but the homepage says that no one is allowed to click on the links to view the pictures. Needless to say, the Court’s decision [regarding 3taps' actions]... does not speak to whether the CFAA would apply to other sets of facts where an unsuspecting individual somehow stumbles on to an unauthorized site.' Willful evasion of blocks for commercial gain, on the other hand ...

Oh FFS

This is so fucked it's beyond belief...

Braindead, much?

Trespassing

[guytoronto]

Seems no difference than trespassing. Putting on a fake mustache, sunglasses, and a wig doesn't mean you can ignore the trespass order.

Re:Trespassing

[lightknight]

Wait. Time out. What exactly does 3Taps do?

The article states: "3taps drew Craigslist's ire by aggregating and republishing its ads, so Craigslist sent a cease-and-desist letter telling the company not to do that. Craigslist also blocked IP addresses associated with 3taps' systems."

However, a brief glance at their website (unless they changed things that quickly) does not show anything of this sort.

Does anyone have a screenshot from earlier, with the offending material?

Re:Trespassing

The company knew they were banned, because Craigslist had sent them a cease and desist letter. Blocking their IP address range was just an enforcement measure, but the ban was against the company, not the IP address range.

Re:Trespassing

[bws111]

Since when is craigslist (or any other web site) a public place?

Re:Trespassing

[BitZtream]

What the fuck was undetectable about being blocked? The fact that they were blocked, they knew they were blocked and then intentionally worked around it.

They intentionally did something the other side didn't want done. It took deliberate actions to get around the block.

It wasn't an accident. It wasn't a few times til someone noticed. They KNEW they were blocked ... you know, case craigslist TELLS YOU THAT YOU'RE BLOCKED ... and then they went around it.

Fry'em. This is the kind of shit that causes us problems and fucking morons like yourself defending it are worse.

Re:Trespassing

[bws111]

Uh, no. When you access a website you are using the web site owners property (the server). When you are watching a ballgame from outside the stadium you are not using their property. I can not tell you where not to look, but I sure as hell can tell you to stay off my property.

So, to fix your very flawed analogy, it is more like 'I got caught using a hole in the fence to get into Wrigley Field. They told me not to do that anymore, and fixed that hole in the fence. According to this ruling it would be illegal for me to find and use another hole in the fence.'

Re:Trespassing

[Zero__Kelvin]

"Since when is craigslist (or any other web site) a public place?"

Since the moment you could could got to *.craigslist.org without having to authorize (i.e. enter a user name and password) Or in other words, always.

Re:Trespassing

[bws111]

Say what?? That makes it a publicly accessible private place, which is far different from a public place. And being a private place, they are perfectly free to restrict who uses it, authorization required or not.

Re:Trespassing

[gmuslera]

The open internet, is, by definition, a public place, any place that you can access without a login and password are the digital equivalent of a public place, anyone can visit it. If you put "fences", require user/password to access certain pages, that would be the private places, and there you can say "ok, you can't enter", but for places where everyone, even in an anonymous way can enter, is at the very least harder if not impossible (if you can't use proxy for your fixed IP office connection, can go to the next starbucks to access it). Putting limits on that (and worse, bringing the law to that place) is like giving an homicidal maniac a weapon in a stadium, it will be used, and a lot of innocent people will be hurt.

Re:Trespassing

[bws111]

Wrong, wrong, wrong. Authorization is a property, not a technical control. No, everybody does NOT access the site 'without authorization', because the site owner has implicitly given authorization to the general public. That in no way prevents him from revoking that authorization from specific people.

You have not given a single reason that the analogy is incorrect, other than that you apparently wish it were.

Do you require explicit 'authorization' to enter a Walmart? Does Walmart check the ID of each person entering the store to see if they are authorized? Can Walmart ban certain people from entering their stores? The answers to these questions are no, no, and yes.

Finally, your idiotic use of bold reminds me of the adage 'when the law is on your side, pound on the law. When the facts are on your side, pound on the facts. When neither are on your side, pound on the table.' You are doing a hell of a job pounding on the table, without offering a single reason or even example of why your argument is correct.

Re:Trespassing

[bws111]

What do you think happens when you go to a website? Too stupid to know? OK, I'll tell you: you use their servers. There is NO WAY that you are looking at ANYTHING on Craigslist, or any other website, without using their property.

Store Ban

[ZombieBraintrust]

Being banned from a site is no different from being banned from a physical location. The security is week. You can come up with hypothetical around wearing a mask into the store. Someone comes into a store wearing a mask and is confused for a criminal. But at the end of the day, if a person tells you go away and you don't, judges are not going to be sympathetic.

Re:Store Ban

[thaylin]

The internet is not supposed to be an open source free for all, otherwise we would not have standards for SSL and password protection of sites.

Re:Store Ban

[bws111]

There is no such question for anyone who can read. The first three words of the CFAA are "Whoever having knowingly ..."

They weren't banned from 'the internel', they were banned from craigslist, a 100% private web site. Where do you get the idea that craigslist is 'publicly funded'?

Re:Store Ban

[omnichad]

He was copying copyrighted content. The users who posted the ad gave license to Craigslist to publish the ad freely (via T&C's) but not to this third-party.

There was also a cease-and-desist letter

[wonkey_monkey]

Would this ruling still have been made if they hadn't also ignored the cease-and-desist letter sent to them by Craigslist?

Re:There was also a cease-and-desist letter

[schneidafunk]

Unfortunately the IP address part got snuck into the ruling, which could have unintended consequences later. However, in this case, 3taps definitely deserves to be punished for their abusive behavior.

Re:There was also a cease-and-desist letter

[Wrath0fb0b]

No, the judge explicitly cites the C&D as part of the evidence that 3Tap was on notice that they no longer had authorization to access the site. From the the opinion

The notice issue becomes limited to how clearly the website owner communicates the banning. Here, Craigslist affirmatively communicated its decision to revoke 3Tapsâ(TM) access through its cease-and-desist letter and IP blocking efforts. 3Taps never suggests that those measures did not put 3Taps on notice that Craigslist had banned 3Taps; indeed, 3Taps had to circumvent Craigslistâ(TM)s IP blocking measures to continue scraping, so it indisputably knew that Craigslist did not want it accessing the website at all.

Does CFAA apply to the man?

[WaffleMonster]

If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

Re:Does CFAA apply to the man?

[TWiTfan]

If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

Sure, but who are you going to get to punish them when they do?

Re:Does CFAA apply to the man?

[Wrath0fb0b]

If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

No. Read the opinion.

Now, if you gave notice to the individual agencies that they weren't welcome and instituted a technological control measure to block them from accessing it and they circumvented that block, then it would fall within the four corners of the opinion.

[ And anyway, there's probably a provision in the CFAA exempting law enforcement, but even if there weren't, your hypo doesn't even being to cover the fact pattern necessary here. ]

3Taps responds

[digitallife]

3Taps responds:

"3taps Statement Regarding craigslist’s Misuse of the CFAA
At craigslist’s urging, a federal court has recently interpreted the Computer Fraud and Abuse Act (CFAA), known as the “worst law in technology,” to apply when an owner of a public website decides that it no longer wants an Internet user accessing its website. The court held that “the statute protects all information on any protected computer accessed ‘without authorization’ and nothing in that language prohibits a computer owner from selectively revoking authorization to access its website.” Order at 12. 3taps is obviously disappointed in the Judge’s ruling and believes that by making public information publicly available on the Internet, without a password, firewall, or other similar restriction, craigslist has authorized, and continues to authorize, everyone to access that information. 3taps believes that the CFAA was meant to protect private and confidential information and that it was never meant to be used to selectively criminalize accessing public websites and obtaining the public information found on those sites. Importantly, the Court noted that the “current broad reach of the CFAA may well have impacts on innovation, competition, and the general ‘openness’ of the internet . . . but it is for Congress to weigh the significance of those consequences and decide whether amendment would be prudent.” Order at 12. 3taps continues to urge Congress to clarify the scope of the CFAA so that companies like craigslist cannot use it as a tool to stifle competition, innovation, and access to public websites.
While we disagree with the Court’s interpretation of the CFAA, we of course respect the Court’s ruling. Accordingly, 3taps will adhere to the current interpretation of the law and will immediately cease all access to craigslist’s servers. (Significantly, 3taps only began accessing craigslist’s servers because, as alleged in 3taps’ antitrust counterclaim, craigslist interfered with 3taps’ ability to source content through general search engines.)
Although craigslist may use the CFAA as currently interpreted to prevent 3taps from accessing its servers, 3taps can continue to function because directly accessing these servers is only one of three ways in which the information in question can be obtained. The other two, crowdsourcing and public search results, require no such access to craigslist’s servers and thus obviate the need to engage in conduct that may implicate the CFAA.
Going forward, 3taps will operate based on its understanding that if it does not access craigslist’s servers, it has a right to collect public information originally posted on craigslist’s website. In particular, 3taps reasserts four fundamental points:
3taps does not now scrape craigslist’s servers, and therefore, cannot be in violation of the CFAA.
3taps' indexing and caching of exchange posting data reduces (rather than increases) the net computing resources expended by craigslist and other publishers to deliver complex search results to end users.
As the Court previously held, craigslist cannot rely on its current Terms of Use to claim the right to enforce copyrights associated with user-generated ads posted on its website.

The United States Patent and Trademark Office recently confirmed that craigslist cannot trademark a peace sign – even if that peace sign is purple. See http://ttabvue.uspto.gov/ttabvue/ttabvue-77956067-EXA-24.pdf. 3taps and others cannot be harassed for using the peace sign to indicate where information was sourced.
3taps will hold a public event to demonstrate to any interested party that it is possible (despite assertions to the contrary) to obtain public information on the Internet without reliance on accessing a particular source website. 3taps believes that, by no

Re:mod up

[bluefoxlucid]

Short version:

Wah wah they told us we couldn't load their servers with screen-scraper shit and sent us legal threats and official notarized C&Ds, and we did it anyway by changing an IP address--a normal thing that users can do even without realizing it--and the judge got pissed at us! I mean how is this different than changing our clothes before walking back into a store we're banned from for harassing the staff?! Are they going to arrest us for changing our clothes now?!

There's a huge logical fallacy in their legal argument.

they weren't aware they were scraping against C&am

[raymorris]

> that one might follow a link to material on a website without being aware of its being on that website, and then be held accountable for

You think they weren't aware that their business model was scraping craigslist? They were most certainly aware of which site they were scraping. When they signed for the certified C&D letter, they were well aware that they were doing so over the objections of the owner.

To me, this is exactly like criminal trespass. The fact that they set up proxies in attempt to hide their actions is further evidence that they knew what they were doing was wrong.

Correction to: Are you using Bizzaro craigslist?

[Zero__Kelvin]

I just clicked on the link and the E-Mail, and they do in fact require acceptance of a TOS to post, but they do not require an transfer of copyright. They merely say this:

"You automatically grant and assign to CL, and you represent and warrant that you have the right to grant and assign to CL, a perpetual, irrevocable, unlimited, fully paid, fully sub-licensable (through multiple tiers), worldwide license to copy, perform, display, distribute, prepare derivative works from (including, without limitation, incorporating into other works) and otherwise use any content that you post. You also expressly grant and assign to CL all rights and causes of action to prohibit and enforce against any unauthorized copying, performance, display, distribution, use or exploitation of, or creation of derivative works from, any content that you post (including but not limited to any unauthorized downloading, extraction, harvesting, collection or aggregation of content that you post)."

In other words they have a license to copy your copyrighted works. Craigslist does not own the copyright. They merely have permission to copy it. They also claim the right to stop unauthorized copying, but since they don't own the copyright, only the poster can claim copyright infringement. Craigslist has no leg upon which to stand. Period.

Re:Not Unreasonable

[Jane+Q.+Public]

"It seems like Craigslist had to pass two hurdles to get to this result. First, they sent a cease and desist letter to 3taps which effectively withdrew authorization to use their website for scraping. Second, they put up a technological barrier (albeit a token one) to prevent 3taps from scraping. 3taps subsequently ignored the cease and desist letter willfully, as demonstrated by their use of proxies. I don't think 3taps has any legs to stand on. "

Sorry, but that doesn't follow. The issue here is not whether 3taps had permission. The issue is whether accessing the site without permission should be a crime (much less a felony).

And Aaron Schwarz is indeed a good example of that already happening. The problem here seems not to be that it's not a slippery slope, but that 3taps' did not present a good argument that it was.

The "slippery slope" is actually pretty darned evident, and 3taps should simply have made their argument better. For example, allowing CFAA prosecution simply on violation of the terms of use is itself a slippery slope, because in effect it allows website owners to write their own laws.

The judge's argument appears to be "but it would never be enforced that way". When if fact we know that it has been.