The Risk of Extending “without authorization” Under the CFAA To Include a Technological Barrier

Posted by Cyberbear on November 24, 2013 in Internet, Judicial Decisions, Tech News

Posted by: Tammy Thibodeau

A recent decision has extended the Consumer Fraud and Abuse Act (CFAA)’s definition of “without authorization” to include a website user who knowingly accessed the website after revocation of permission or eluded a “technology barrier.” Under the civil provisions of the CFAA, Craigslist sued 3Taps, an aggregator of Craigslist ads that republishes the data in an API. (Craigslist, Inc. v. 3Taps, Inc., – F. Supp. 2d –, No. CV 12-03816 CR, 2013 WL 1819999 (N.D. Cal. April 30, 2013)). On 3Taps’ first motion to dismiss the CFAA claims, which the court denied in April, the court posed the threshold question that neither party had addressed. It asked “whether the CFAA applies where the owner of an otherwise publicly available website takes steps to restrict access by specific entities, such as the owner’s competitors.” (Id., n.8). Instead, the court imposed an expansive reading of the CFAA statute that covered owner-imposed restrictions to otherwise public information on websites.

After receiving the April opinion, 3Taps submitted a new motion to dismiss the CFAA claims based on that threshold question. In the August opinion, the court did not grant the motion to dismiss based on two grounds: (1) the receipt of cease-and-desist letters stating that 3Taps is prohibited from accessing Craigslist’s website for any reason and (2) 3Taps bypassed a technological barrier by using different IP addresses and proxy servers to conceal its identity, to continue to scrape data after the cease-and-desist letters. (Craigslist, Inc. v. 3Taps, Inc., – F. Supp. 2d –, No. CV 12-03816 CR, 2013 WL 4447520 (N.D. Cal. August 16, 2013)). The opinion also noted that a computer owner could revoke general authorization on a case-by-case basis when the public was authorized to access an unprotected website. Thus, it made further access by a banned entity “without authorization.” (Id. at 3).

Congress crafted the CFAA in 1984 in part to criminalize hacking into computer systems. In 1994, Congress added a private right of action to address the rise in computer crimes and the government’s inability to prosecute all these claims. Congress further expanded its language in 1996 by substituting the term “federal interest computer” with “protected computer” and in 2008 by defining a “protected computer” as “affecting interstate commerce,” essentially encompassing every computer connected to the Internet. Sen. Leahy, Vermont Democrat, said “[a]s computers continue to proliferate in business and homes, and new forms of computer crimes emerge, Congress must remain vigilant to ensure that the CFAA statute is up-to-date and provides law enforcement with the necessary framework to fight computer crime.” (S. Rep. No. 104-357, at 5 (1996)).

The CFAA creates five private causes of action against an individual or corporation that:

(1) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication (18 U.S.C. § 1030(a)(2));

(2) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consist only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period (18 U.S.C. § 1030(a)(4));

(3) knowingly causes the transmission of a program, information, code, or command, and, as a result of such conduct, intentionally causes damage without authorization, to a protected computer (18 U.S.C. § 1030(a)(5)(A));

(4) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage (18 U.S.C. § 1030(a)(5)(B)); or

(5) intentionally accesses a protected computer without authorization, and as a result of such conduct causes damage (18 U.S.C. § 1030(a)(5)(C)).

Conduct in § 1030(a) applies if a computer system is accessed “without authorization” or if a party “exceeds authorized access.” Under the CFAA, “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” (18 U.S.C. § 1030(e)(6)). Congress did not define the phrase “without authorization,” leaving the courts to interpret it in a number of ways. The Nosal court interpreted “without authorization . . . [to] apply to outside hackers (individuals who have no authorized access to the computer at all) and “exceeds authorized access” would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files).” (U.S. v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012)). Facebook v. Power Ventures applied the CFAA to a breach of “technical barriers” as opposed to contractual provisions or cease-and-desist letters. (Facebook, Inc. v. Power Ventures, Inc., No. C 08-5780JW, 2010 WL 3291750 at 11-12 (N.D. Cal. July 20, 2010) (analyzing under the California Penal Code section 502 which is homogenous to the CFAA)).

The Court said that 3Taps ignored the cease-and-desist order as well as circumvented Craigslist’s technology barrier (changing its computer IP address to avoid the blocked IP addresses) to keep accessing Craigslist, and that this constituted access “without authorization.” The CFAA, however, does not create a cause of action based on either receipt of a cease-and-desist letter or bypassing a technological barrier; nor does it define what constitutes a “technological barrier.”

The court viewed 3Taps as an outside hacker because Craigslist revoked access to the website via a cease-and-desist letter. A cease-and-desist letter, however, is similar to a Terms of Service (ToS) agreement as both are unilaterally drafted by the website owner (Complainant) to control behavior or use of the website. In addition, the cease-and-desist letter only alleges a wrongdoing without proving it and should not carry the same weight that a ToS agreement, contract, or legal complaint filed with the court would.

The court rejected Craigslist’s argument that 3Taps violated the terms of service agreement to state a claim and noted that Craigslist’s terms of service agreement contains only “use” restrictions and not true “access” restrictions. Since Craigslist attempted to substitute its ToS agreement with a cease-and-desist letter, the cease-and-desist letters should not provide a basis for CFAA liability.

Craigslist used a technological measure to block access to the site in the form of blocking 3Taps’ IP address, and 3Taps bypassed this measure by using different IP addresses and proxy servers to conceal its identity. Blocking an IP address should not be covered as “without authorization” under the CFAA, though, as people have a variety of reasons for not disclosing their IP address “whether it’s to protect your privacy, preserve innovation or avoid price discrimination.” (Hanni Fakhoury, Court Rules Accessing a Public Website Isn’t a Crime, But Hiding Your IP Address Could Be, EFF, Aug. 20, 2013). In addition, changing an IP address is a relatively easy effort, and does not require the malevolent intent implied by “hacking.”

A key problem with this decision is that despite legitimate reasons to change one’s IP address, all cases would be illegal. Technology is rapidly changing, and this approach would make common practices such as dynamic IP addresses, hosted cloud desktops, anonymizers or proxies, and VPNs all illegal. Thus, trying to include evading technology barriers under the CFAA is too broad and expansive.
