Unfortunate Ruling Says Changing Your IP Address Can Be 'Unauthorized Access' To A Public Website
from the really-now? dept
While an initial court ruling found that some of Craigslist's wackier theories didn't apply (e.g. violating the terms of service isn't a CFAA violation and the copyright claims concerning Craigslist posts failed), the latest ruling, unfortunately, finds that the combination of a cease-and-desist letter and merely changing your IP address creates unauthorized access to a public website. That's troubling on a variety of levels, mostly because changing an IP address isn't any form of "hacking." It's incredibly easy to do, and in many cases happens automatically without any input from users, if they have a dynamic IP address.
The EFF points out how dangerous a ruling this is:
Changing your IP address is simply not hacking. That's because masking your IP address is an easy, common thing to do. And there's plenty of legitimate reasons to do so, whether its to protect your privacy, preserve innovation or avoid price discrimination....Similarly, Orin Kerr, who tends to be more sympathetic about these kinds of cases, finds the use of a mere IP address change to be quite problematic:
There's a serious potential for mischief that is encouraged by this decision, as companies could arbitrarily decide whose authorization to "revoke" and need only write a letter and block an IP address to invoke the power of a felony criminal statute in what is, at best, a civil business dispute.
Judge Breyer sees IP blocking as sufficient. But it’s unfortunate that Breyer doesn’t give the issue more analysis, as I think it’s a really interesting question. The counterargument runs like this. IP addresses are very easily changed, and most people use the Internet from different IP addresses every day. As a result, attempting to block someone based on an IP address doesn’t “block” them except in a very temporary sense. It pauses them for a few seconds more than actually blocks them. It’s a technological barrier in the very short term but not in the long term. Is that enough to constitute a technological barrer?That's really the key point here. The cease and desist is no different than the terms of service -- and yet it's already been stated that violating the terms isn't a CFAA violation. So the real issue here is the changing of an IP address. And the idea that a mere changing of an IP address opens you up to criminal liability is insane. This is a horrible precedent and one that Craigslist and Craig Newmark should be ashamed of, having brought it into this world for no good reason.
Judge Breyer’s opinion appears to mix up two different aspects of the CFAA. The first aspect is the prohibition on unauthorized access, and the second is its associated mental state element of intent. The CFAA only prohibits intentional unauthorized access; merely knowingly or recklessly accessing without authorization is not prohibited. So whatever unauthorized access means, the person must be guilty of doing that thing (the act of unauthorized access) intentionally to trigger the statute. Breyer seems to mix up those elements by focusing heavily on the fact that 3taps knew that Craigslist didn’t want 3taps to access its site. According to Judge Breyer, the clear notice meant that the case before him didn’t raise all the notice and vagueness issues that prompted the Ninth Circuit’s decision in Nosal.
I think this analysis is somewhat misdirected. In my view, the fact that 3taps was on notice that Craiglist did not want them to access the Craigslist website is only relevant to show intent. From that perspective, Judge Breyer should have been clearer that the cease-and-desist letter couldn’t make visiting the website an “unauthorized access.” The letter is just a written statement of the owner’s wishes as to who can visit the site, just like Terms of Service. In my view, whether the facts of the 3taps case amount to an unauthorized access hinges on the circumvention of IP blocking. If so, then the cease-and-desist letter shows that the act of unauthorized access was intentional; if not, then the letter does not have any relevance to the CFAA.