Today, privacy on the Internet is a subject that is often on our minds. How can I protect my personal information? Can I ensure my children are safe when surfing the web? Am I a target for identity theft? Can I avoid spam and marketing targeted to my browsing history?
Of course, there can also be more nefarious reasons for wanting to ensure your Internet activities are private.
One tool that is often employed to ensure privacy on the internet is an anonymizer. Generally, an anonymizer masks your Internet protocol address. An IP address is the equivalent of a street address, which allows a specific digital device to be identified and communicated with by another computer. IP addresses can be “anonymized” through, among other things, a proxy server, which acts as an intermediary between a specific digital device and the rest of the Internet — revealing the IP address of the proxy server in place of the device utilizing the service.
Anonymization can also be accomplished through use of a Virtual Private Network (VPN), which provides a secure Internet tunnel from a remote computer to a host computer. Used by many businesses to provide secure access to corporate files, a VPN would also have the effect of “masking” the IP “identity” of the internet user, in that the IP address of the host computer, rather than the remote computer, would be broadcast to any websites visited.
On August 16, 2013, in the case of Craigslist Inc. v. 3Taps Inc., et al., U.S. District Judge Charles R. Breyer, of California, confronted a situation where the plaintiff had served the defendant with a cease and desist letter, and further blocked defendant’s specific IP address, utilizing technological measures to prohibit access to plaintiff’s site. In response, the defendant employed an anonymizer to circumvent the IP block. Judge Breyer held in that case that defendant’s use of an anonymizer after receipt of a C&D letter gave rise to a claim under the Computer Fraud and Abuse Act (CFAA). This was a new twist for the CFAA, which was enacted primarily to address hacking.
As many know, Craigslist provides a centralized location for online communities to post classified advertisements related to such things as jobs, housing, items for sale, and personal ads, among a variety of other things. Craigslist alleged that 3Taps copied the content from the Craigslist website and utilized the information for at least two purposes. First, 3Taps offered a Craigslist application programming interface (API) – which allowed third-parties to access and utilize Craigslist’s content outside of Craigslists’s website. Second, Craigslist contended, 3Taps operated its own website (www.craiggers.com), which duplicated the content of, and competed with, the Craigslist website.
Craigslist commenced litigation against 3Taps raising numerous claims, including one under the CFAA. Specifically, it alleged that 3Taps’s actions violated 18 U.S.C. section 1030(a)(2) which prohibits someone from “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and . . . obtain[ing] . . . information” as a result. The question before Judge Breyer was whether Craigslist, on a case by case basis, could revoke a party’s access to its publically available website and invoke the protections afforded by the CFAA against a visitor whose access rights were revoked.
3Taps argued that it did not act without authorization — and appeared to imply that, once granted, Craigslist could not revoke access to its public website. The court was not persuaded by this suggestion and noted that the nature of the information at issue — i.e., publically available information — was not relevant to the question before it. Judge Breyer stated that while other sections of the CFAA took into consideration the quality of the information at issue, section 1030(a)(2) was silent on that issue. In exploring the “without authorization” language, the court found that cases in the employer/employee context confirmed “that computer owners have the power to revoke the authorizations they grant.”
Judge Breyer further found the term “without authorization” to be plain and unambiguous and accepted that the common meaning of authorization was “permission or power granted by an authority.” The court embraced an interpretation of the phrase as follows: “a person uses a computer ‘without authorization’ under the CFAA when the person has not received permission to use the computer for any purpose . . . or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.”
Applying that definition to the facts before it, the court concluded that, while Craigslist had originally granted the world access to the public information on its website, it subsequently revoked that access when it specifically rescinded 3Taps’ right to continue to visit the website. Interestingly, the court did not indicate whether either the cease and desist letter or the IP banning alone would have been sufficient to demonstrate 3Taps’absence of authorization. Rather, the court held that those actions collectively provided 3Taps sufficient notice that the company had been banned from Craigslist. The court’s failure to indicate whether the cease and desist letter alone was enough to create an “unauthorized access” is likely to generate further litigation on this issue in the future.
Some will likely argue that Judge Breyer’s decision added clarity to the CFAA and will contend that the IP banning was the significant step employed by Craigslist. In support of this position, they will note that 3Taps’ use of an anonymizer rose to the level of a technological circumvention that the CFAA was meant to address.
But IP banning, in actuality, provided little protection to Craigslist under the circumstances. One does not need to utilize an anonymizer to get around such a barrier. Rather, you can simply use a computer with a different IP address at a local library or coffee shop, among a variety of other places, to regain access. Indeed, many people access computers via VPN, which would have the same “IP masking” effect. The court, in a footnote, acknowledged this fact and stated: “IP blocking may be an imperfect barrier to screening out a human being who can change his IP address, but it is a real barrier, and a clear signal from the computer owner to the person using the IP address that he is no longer authorized to access the website.”
The court’s footnote calls into question which step taken by Craigslist was the most effective revocation of access rights. Given that Craigslist could not utilize technology to ensure complete effectiveness of a ban, was the sending of the cease and desist letter — the equivalent of a “No Trespassing” sign in the digital world — enough to demonstrate unauthorized access?
This decision in 3Taps raises other potential issues for those accessing websites. Consider for example a company patrolling the Internet to protect itself from gray market, counterfeit, or pirated goods. In order to halt the monitoring activities, the online counterfeiter/pirate may decide to ban the intellectual property owner’s IP address. Must that company now cease accessing the offending site? Should they refuse, will this be enough to give rise to a claim under the CFAA? Similarly, can an offending website halt investigation efforts by sending a cease and desist letter to a law firm and its client? Would an undercover investigator be allowed to utilize an anonymizer under such circumstances to further his efforts to secure infringing material or website content?
Obviously, an extension of the 3Taps decision to these activities would turn the CFAA, a criminal statute, into a powerful weapon favoring criminals and other wrongdoers. Many will hope that the answer to the above questions is no; however, practitioners should continue to closely monitor developments in the CFAA case law in order to counsel their clients accordingly.•