If you've ever looked for an apartment on craigslist, chances are you've taken notes: compiled a list of apartments, ranked them from most expensive to least expensive or by most desirable location to worst. You felt secure that you weren't breaking any laws, and definitely not committing a crime. This should be the case.
But in a federal lawsuit, craigslist -- ordinarily a proponent of good Internet law -- took a different, and much more dangerous, view. Craigslist argued that, because its terms of use prohibit copying or aggregating information from its website except in very limited circumstances, copying data from a user's post violated the Computer Fraud and Abuse Act ("CFAA"), one of the worst laws in technology. While craigslist made a civil claim, if its view of the law were correct, this would also be a criminal violation.
In a new amicus brief filed yesterday, EFF, along with a number of law professors, explained the dangers to the public interest if the CFAA -- a criminal anti-hacking statute -- were applied to accessing a publicly available website.
Here's the background: the company 3Taps collects data from craigslist and other websites and makes it available to its customers to use. One of 3Taps' customers was the website Padmapper, which republishes craigslist apartment postings over a map, allowing users to view apartments geographically rather than in a list as they appear on craigslist's site. craigslist wasn't pleased at a competitor using its data and sued 3Taps in federal court last year, raising a number of legal claims including that 3Taps violated the CFAA. 3Taps moved to dismiss the CFAA claims, but the court denied the motion in April, in a ruling that troubled us and others for a number of reasons. But the Court's handling of the CFAA claims was particularly worrisome.
Because of the Ninth Circuit Court of Appeals decision in United States v. Nosal, the Court correctly held that 3Taps didn't violate the CFAA by simply violating craigslist's website's terms of use. But the Court found something else to hinge the CFAA claims on: the fact that craigslist had sent 3Taps a cease and desist letter, coupled with craigslist's attempt to block 3Taps' IP address. The court decided that this meant 3Taps wasn't "authorized" to access craigslist's website under the CFAA, adopting a view of the CFAA that is dangerous for anonymity and privacy. Of course these are simply disguised use restrictions, ways to force 3Taps to comply with craigslist's terms of use. But that's not even the most problematic part of the court's analysis.
Although the Court found the CFAA claims could go forward, it was troubled by a fundamental premise of the entire lawsuit: that craigslist could call upon the CFAA to protect the information on its otherwise publicly accessible website. Initially finding that the "expansive" language in the CFAA allowed the claims to go forward, the court later agreed to accept additional briefing on the point, so we submitted yesterday's amicus brief urging the court to rule that the criminal anti-hacking law did not apply to accessing information on a publicly accessible website.
We don't doubt that craigslist was upset by 3Taps' actions here, but craigslist's aggressive interpretation of the law has troubling consequences for everyone, and -- as co-signer Steve Schultze has noted -- is out of sync with craigslist's interest in good Internet policy. The CFAA is both a civil and criminal statute and the court noted some of the "uncomfortable possibilities" with allowing the CFAA to cover publicly accessible website information: "any corporation could subject its competitors to civil and criminal liability for visiting its otherwise publicly available home page; in theory, a major news outlet could seek criminal charges against competing journalists for reading articles on its website." Or in the case of Andrew "Weev" Auernheimer, exposing a security flaw that publicly revealed thousands of AT&T users' email addresses results in a 41-month prison stint.
Craigslist's success is owed primarily to the fact it allows anyone anywhere to view its classified ads. craigslist publishes information on the web freely available for anyone to review, without taking any technical steps to restrict access to information on its site and without requiring a username and password login.
By taking advantage of the many benefits of an open and accessible website, craigslist should not complain when that information is used by someone who's seen it -- it's in the interest of its users and craigslist itself to have their information seen by as wide an audience as possible, even if there are ancillary benefits to providers of complementary services. By definition, no one is breaking in to obtain information; it's purposely there for everyone around the world to see. And so, once again, the CFAA's problems are highlighted in glaring detail. A statute intended to go after malicious hackers and computer trespassers -- people who break into other computers to cause damage and wreak havoc -- can now be used as a bludgeon for companies to decide when to enforce a law that can make criminals out of millions of people while harming innovation.
We hope the Court will reconsider its dangerous decision. Joining us on the brief were professors Christine Davik of the University of Maine School of Law, author of ACCESS DENIED: Improper Use of the Computer Fraud and Abuse Act to Control Information on Publicly Accessible Internet Websites, 63 MD. L. REV. 320 (2004), Jennifer Granick of Stanford's Center for Internet and Society, Jordan Kovnot of the Center for Law and Information Policy at Fordham University School of Law, and Stephen Schultze of the Center for Information Technology Policy at Princeton University. Stephen Schultze has blogged about the amicus as well.
You can do your part and tell Congress to fix the CFAA by sending an email to your elected representatives.