Craigslist Inc. v. 3Taps Inc. - Wikipedia


Craigslist Inc. v. 3Taps Inc.
Court: United States District Court for the Northern District of California
Full case name: CRAIGSLIST INC., Plaintiff, v. 3TAPS INC. ET AL., Defendants.
Decided: N/A
Holding: Craigslist took adequate measures to revoke 3Taps’s authorization and to notify 3Taps in order to sue for CFAA violation
Court membership
Judge(s) sitting: Charles R. Breyer
Keywords: Computer Fraud and Abuse Act, trademark, copyright, breach of contract
Craigslist Inc. v. 3Taps Inc., 942 962 (N.D. Cal. 2013) was a Northern District of California Court case in which the court held that sending a cease-and-desist letter and enacting an IP address block is sufficient notice of online trespassing, which a plaintiff can use to claim a violation of the Computer Fraud and Abuse Act.
3Taps and PadMapper were companies that partnered to provide an alternative user interface for browsing Craigslist’s housing ads. In doing so, they scraped Craigslist’s site for data, which Craigslist did not approve of. Craigslist sent both companies a cease-and-desist letter and blocked their IP addresses, but this did not stop 3Taps from scraping through other IP addresses. Craigslist then sued, resulting in this case.
In pre-trial motions 3Taps moved to dismiss the lawsuit on multiple grounds. In response, the court issued an order that set precedent on whether online hosts can use the CFAA to protect public data. The court held that sending a cease and desist letter and blocking a client’s IP address are sufficient to qualify as notice under the Computer Fraud and Abuse Act. The court also held that 3Taps should have known that Craigslist was revoking its authorization to access the site. [1] The motion to dismiss was granted in part, and denied in part.
On June 26, 2015, Craigslist came to separate settlements with 3Taps and PadMapper. [2] Both settlements required the defendants to permanently stop taking content from Craigslist, directly or indirectly. 3Taps paid $1,000,000 which Craigslist will donate to the EFF over ten years. Press coverage said that 3Taps would shut down, but as of July 16 it was still active with content from other sites.
Background
Craigslist is a website where users post and browse classified ads for, among other things, housing.
PadMapper is a website specialized for browsing housing ads.
PadMapper collected data from Craigslist and offered a map of the ads. [3]
3Taps, a data scraping and hosting company, was also collecting data from Craigslist as part of a larger effort to gather public datasets. [4]
On 22 June 2012, Craigslist sent a cease-and-desist letter to PadMapper, requesting that PadMapper stop scraping Craigslist’s real estate listings. [3]
Earlier in 2010, Craigslist’s founder Craig Newmark had written that “we take issue with only services which consume a lot of bandwidth.” [5][6]
Craigslist also blocked PadMapper’s and 3Taps’s IP addresses from accessing its site, causing a significant drop in traffic to PadMapper. [3]
3Taps continued to collect data from Craigslist by accessing the site through proxies, which allowed it to conceal its IP address and bypass Craigslist’s block. [1]
On 9 July 2012, PadMapper restored its site by getting its data from 3Taps instead of directly from Craigslist. [3]
On July 16, 2012, Craigslist changed its terms of service to claim exclusive ownership of, and the exclusive right to enforce copyright in, all postings made by users. Craigslist later rescinded these changes on August 8, 2012, under pressure from the Electronic Frontier Foundation and others. [7]
On 20 July 2012, Craigslist sued both PadMapper and 3Taps.
Craigslist’s complaint specified several reasons that 3Taps’s continued use of Craigslist was unlawful:
it was in violation of the Computer Fraud and Abuse Act;
it was a breach of Craigslist’s terms of service contract;
it infringed on Craigslist’s copyright of the listings;
it was also contributory copyright infringement, since 3Taps shared the listings with PadMapper;
and it infringed on and diluted Craigslist’s trademark. [3]
3Taps opposed the claim that it violated the CFAA. [4]
On July 12, 2013 the Electronic Frontier Foundation filed an amicus brief in support of PadMapper and 3Taps. [8][9]
Opinion of the court
On April 29, 2013, the court denied 3Taps’ motion to dismiss Craigslist’s CFAA claim. Most importantly, the court held that Craigslist could continue its damages claim on posts made between July 16, 2012 and August 8, 2012. This was the period during which Craigslist had modified its terms of service to claim exclusive copyright on all postings. [7]
Response of the court to 3Taps’ arguments for dismissal
3Taps provided three reasons for dismissing the claim, which the court granted in part and dismissed in part. [1]
First, 3Taps argued that it had Craigslist’s authorization to access the listings.
The CFAA claim only applies to access of a protected computer system without authorization.
It claimed that Craigslist was a public website, so anyone, including 3Taps, always had authorization.
The court disagreed with this, stating that although Craigslist had granted 3Taps authorization initially, it then revoked the authorization.
The court cited the case LVRC Holdings v. Brekka, in which the Ninth Circuit held that a former employee of an employer no longer had the employer’s authorization to log into a work computer.
Thus, the court held that 3Taps was unauthorized when it continued to access Craigslist after Craigslist rescinded the authorization. [1]
Second, 3Taps suggested that Craigslist had set restrictions on how 3Taps must use the data, rather than restricting 3Taps’s access to the data altogether.
3Taps cited the Ninth Circuit’s sentiment from United States v. Nosal that violating a use policy was less severe than violating an access restriction.
The argument in Nosal was that use policies could be complex, while denying access is simple and easy to follow.
Thus, it would be dangerous for the court to criminalize use violations.
3Taps likened Nosal to its own case, alleging that Craigslist had taken measures to prevent 3Taps from using the listings in a certain way, rather than enacting a straightforward access revocation.
The court viewed it differently: it considered Craigslist’s cease-and-desist letter and IP blocking as access revocation. [1]
The court pointed to language in Craigslist’s cease-and-desist letter affirming its interpretation: “You… are hereby prohibited from accessing and using the CL Services for any reason.” [10]
Third, 3Taps warned of negative consequences of a decision that criminalizes a vague access restriction.
It criticized Craigslist’s enforcement as unclear about exactly what it was prohibiting.
3Taps stated that an ordinary user would be more likely to misunderstand Craigslist’s IP blocking than, for example, a system that required a password to gain access.
The court found this not of much concern, highlighting that the personalized cease-and-desist letter and subsequent lawsuit provided adequate notice and information.
This, the court found, would be sufficient in differentiating the case from more benign incidents where a user accidentally stumbles upon a protected system.
The court admitted that it could not comment on whether it would consider Craigslist’s IP blocking to be effective, but considered the fact that 3Taps went out of its way to bypass it as enough evidence that 3Taps acted without authorization. [1]
3Taps also said that this decision would be a judgment on Internet culture.
It promoted the idea of publicly accessible websites as a great social benefit, which a decision for permission controls would harm.
It claimed that the CFAA was meant to protect private information against malicious hackers, and that it was not meant to limit the social benefit created by public data.
It also predicted that a broad interpretation of the CFAA would limit competition and harm innovation, ultimately harming the openness of the Internet.
The court refused to make a judgement on these matters; it considered those matters to be better handled through legislation.
The court likened its decision to allowing a store to open itself to the public but also to ban a disruptive person if it needed to. [1]
Reactions
The court, in many instances, pointed to Craigslist’s cease-and-desist letter as evidence that 3Taps knew that its authorization had been revoked.
Law professor Eric Goldman questioned this, stating that “[cease-and-desist letters] are wish lists by the senders. They describe what the sender wants to happen.” As such they may easily overstate what a defendant must lawfully do. Goldman found it troubling that the court had treated the cease-and-desist letter as a legally binding document that revoked 3Taps’s authorization to access Craigslist. [11][12]
Critics of the decision have called it anti-competitive.
They claimed that this case sets a precedent that allows businesses to use the CFAA to keep public data away from competitors.
Further, they highlighted that such a holding sets a precedent of marginalizing the public good for the prosperity of a single business. [11][13]
The case has also brought criticism towards Craigslist for enforcing its exclusive copyright of user-generated content.
The critics pointed out that the entire lawsuit depended on a short, one-week-long period where Craigslist’s terms of use required that users assign Craigslist the exclusive copyright of any posted content. [12][14]
While some users may be happy to have other companies use their classified ads, another reaction was that there may also be users who do not want it.
Craigslist would be under similar criticism if it had allowed the sharing and violated these users’ privacy expectations. [13]
The Electronic Frontier Foundation was critical of the court’s decision to uphold Craigslist’s copyright claim in its temporary terms of service between July 26, 2012 and August 8, 2012, stating, “claiming an exclusive license to users’ posts to the exclusion of everyone—including the original poster—threatens both innovation and users’ rights, and, even worse, sets terrible precedent.” [15]
References
[1] Craigslist v. 3Taps (N. N. 16 August 2013)
[2] “3taps to pay Craigslist $1 million to end lengthy lawsuit, will shut down”. Ars Technica. 29 June 2015.
[3] Mirsky, Andrew. “Copyright of “Public Facts”: Craigslist v. PadMapper”. Digital Media Law Project. Retrieved 3 March 2014.
[4] DMLP Staff. “Craigslist v. 3taps”. Retrieved 4 March 2014.
[5] Newmark, Craig. “Craig Newmark’s answer to Why hasn’t anyone built any products on top of Craigslist data?”. Quora. Retrieved 4 March 2014.
[6] Bilton, Nick. “Disruptions: Innovations Snuffed Out by Craigslist”. New York Times. Retrieved 19 March 2014.
[7] Opsahl, Kurt. “Good News: Craigslist drops exclusive license to your posts”. Electronic Frontier Foundation. Retrieved 19 March 2014.
[8] Schultze, Steven. “I Join the EFF and Others in Calling for Craigslist to Drop CFAA Claims”. Freedom to Tinker. Retrieved 19 March 2014.
[9] Electronic Frontier Foundation. “BRIEF OF AMICI CURIAE” (PDF). Retrieved 19 March 2014.
[10] Lassen, Daniel E. “Re: DEMAND FOR IMMEDIATE CEASE AND DESIST OF CRAIGSLIST ABUSE” (PDF). Retrieved 4 March 2014.
[11] Goldman, Eric. “Craigslist Wins Routine But Troubling Online Trespass to Chattels Ruling in 3Taps Case (Catch-up Post)”. Technology & Marketing Law Blog.
[12] “Craigslist’s Anti-Consumer Lawsuit Threatens to Break Internet Law”. Forbes. Retrieved 4 March 2014.
[13] Franzen, Carl. “Craigslist vs. 3taps: Who Owns Your Content?”. Retrieved 22 December 2015.
[14] McCullagh, Declan. “Craigslist wins early legal victory against PadMapper, 3Taps”. CNET. Retrieved 4 March 2014.
[15] Opsahl, Kurt. “Craigslist Owns What You Did Last Summer”. Retrieved 19 March 2014.
External links
Commentary from Nick Akerman in January 2014 frames this and three related cases in a survey of litigation surrounding the CFAA.
Craigslist v. 3Taps Inc., et al. Full docket from the United States Courts Archive
Text of Craigslist v. 3Taps is available from: Google Scholar, Justia, Digital Media Law Project
Craigslist, Inc v. 3Taps, Inc., 964 F. Supp. 2d 1178 - Casetext


Opinion
No. CV 12–03816 CRB
2013-08-16
Craigslist Inc., Plaintiff, v. 3Taps Inc. et al., Defendants.
Bobbie Jean Wilson, Geraldine Mary Daly Alexis, Jason A. Yurasek, Perkins Coie LLP, San Francisco, CA, Christopher Kao, Brian Patrick Hennessy, James Patrick Corrigan, Perkins Coie LLP, Palo Alto, CA, Shylah R. Alfonso, Perkins Coie LLP, Seattle, WA, for Plaintiff.
Allen Ruby, Jack Patrick Dicanio, Skadden Arps Slate Meagher & Flom LLP, Palo Alto, CA, Abraham A. Tabaie, Skadden Arps Slate Meagher and Flom LLP, Los Angeles, CA, James A. Keyte, Marissa E. Troiano, Michael Menitove, Skadden, Arps, Slate, Meagher and Flom, LLP, New York, NY, Venkat Balasubramani, Focal PLLC, Seattle, WA, for Defendants.
ORDER DENYING MOTION TO DISMISS CAUSES OF ACTION 13 AND 14 IN PLAINTIFF’S FIRST AMENDED COMPLAINT
CHARLES R. BREYER, UNITED STATES DISTRICT JUDGE
Defendant 3taps, Inc. (“3Taps”) has moved to dismiss Plaintiff craigslist, Inc.’s (“Craigslist”) claims under the Computer Fraud and Abuse Act (CFAA) and its state-law counterpart, California Penal Code section 502. The CFAA imposes civil and criminal liability on “whoever… intentionally accesses a computer without authorization… and thereby obtains… information from any protected computer.” 18 U.S.C. § 1030(a)(2)(c). The dispute here is limited to whether 3Taps accessed Craigslist’s computers “without authorization.” 3Taps asks this Court to hold that an owner of a publicly accessible website has no power to revoke the authorization of a specific user to access that website. However compelling 3Taps’ policy arguments, this Court cannot graft an exception on to the statute with no basis in the law’s language or this circuit’s interpretive precedent. Accordingly, the Court DENIES 3Taps’ motion.
I. BACKGROUND
Craigslist operates a well-known and widely-used website that allows users to submit and browse classified advertisements. First Am. Compl. (dkt. 35) ¶¶ 1, 25, 28–34.
According to the First Amended Complaint (“FAC”), “[m]ore than 60 million Americans visit craigslist each month, and they collectively post several hundred million classified ads each year.” Id. ¶ 25. Craigslist’s service is organized by geographic area, and within each given area by types of products and services. Id. ¶ 29. Craigslist provides ancillary features, such as anonymous email forwarding, to support its classified ad service. E.g., id. ¶ 34.
Defendant 3Taps aggregates and republishes ads from Craigslist. ¶¶ 63, 65, 99, 104, 112. Craigslist alleges that 3Taps copies (or “scrapes”) all content posted to Craigslist in real time, directly from the Craigslist website. ¶¶ 3, 78–80. 3Taps markets a “Craigslist API” to allow third parties to access large amounts of content from Craigslist, id. ¶¶ 3, 5, 64, and also operates the, which “essentially replicated the entire craigslist website,” id. ¶ 65, including “all of craigslist’s posts,” id. ¶ 68. An Application Programming Interface (API) is a set of programming instructions and standards to allow third parties to develop software that draws information from, or otherwise interacts with, a website, program, or database.
After learning about 3Taps’ scraping activities, Craigslist took two relevant steps to stop it. First, it sent a cease and desist letter to 3Taps, informing it that “[t]his letter notifies you that you and your agents, employees, affiliates, and/or anyone acting on your behalf are no longer authorized to access, and are prohibited from accessing craigslist’s website or services for any reason.” FAC ¶ 132; Hennessy Letter, Kao Decl. Ex. A (dkt. 60–2) at 3. Second, Craigslist configured its website to block access from IP addresses associated with 3Taps. FAC ¶¶ 80–81. 3Taps bypassed that technological barrier by using different IP addresses and proxy servers to conceal its identity, and continued scraping data. FAC ¶¶ 82–84.
An IP address is an identification number for a device that accesses the internet.
Craigslist sued 3Taps (and other defendants not relevant to this motion), alleging in relevant part that 3Taps’ scraping activities violated the CFAA and its state-law analogue, Code § 502. 3Taps moved to dismiss those claims, and this Court concluded that Craigslist’s allegations that 3Taps ignored the cease-and-desist letter and circumvented Craigslist’s IP blocking efforts stated a claim under the CFAA. at 5–8. The Court rejected Craigslist’s argument that 3Taps’ alleged violation of Craigslist’s “Terms of Use” stated a claim under the CFAA, and this Order does not revisit that conclusion. The Court also noted that “[t]he parties have not addressed a threshold question of whether the CFAA applies where the owner of an otherwise publicly available website takes steps to restrict access by specific entities.” Order at 7 n. 8. 3Taps requested that the Court accept supplemental briefing on that legal issue from both sides. See Joint Case Mgmt. Statement, dkt. 78, at 9–10. The Court granted 3Taps’ request and, with the benefit of further briefing from 3Taps, Craigslist, and amici curiae, now turns to the merits of that narrow statutory interpretation question.
II. LEGAL STANDARD
A motion to dismiss under Rule 12(b)(6) tests the legal sufficiency of the claims alleged in a complaint. Ileto v. Glock, Inc., 349 F. 3d 1191, 1199–1200 (9th Cir. 2003). “Detailed factual allegations” are not required, but the Rule does call for sufficient factual matter, accepted as true, to “state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U. 662, 678, 129 1937, 173 868 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U. 544, 555, 570, 127 1955, 167 929 (2007)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.
In determining facial plausibility, whether a complaint states a plausible claim is a “context-specific task that requires the reviewing court to draw on its judicial experience and common sense. at 679, 129 1937. Allegations of material fact are taken as true and construed in the light most favorable to the non-moving party. Cahill v. Liberty Mut. Ins. Co., 80 F. 3d 336, 337–38 (9th Cir. 1996).
III. DISCUSSION
A. The Plain Language of the Statute
The CFAA imposes criminal penalties on any person who, among other prohibitions, “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains… § 1030(a)(2). A “protected computer” is a computer “used in or affecting interstate or foreign commerce or communication. § 1030(e)(2). “Any person who suffers damage or loss by reason of a violation of [the CFAA] may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief,” provided that certain factors, not in dispute for the purpose of this motion, are satisfied. § 1030(g). The parties agree that the CFAA provision at issue here and California Penal Code § 502 are identical for purposes of this motion. See 3Taps MTD at 12 (citing Multiven, Inc. Cisco Sys., Inc., 725 887, 895 (N. )); Opp’n to 3Taps MTD at 10 n. 2 (same).
Although this is a civil case, the rule of lenity applies here because conduct that triggers civil penalties under the relevant provision of the CFAA would also be a criminal violation. See United States v. Nosal, 676 F. 3d 854, 863 (9th Cir. 2012) (en banc); United States v. Thompson/Center Arms Co., 504 U. 505, 517–18 & n. 10, 112 2102, 119 308 (1992) (plurality) (citing Crandon v. United States, 494 U. 152, 168, 110 997, 108 132 (1990)); United States v. Santos, 553 U. 507, 523, 128 2020, 170 912 (2008) (plurality) (citing Thompson/Center).
The parties agree that 3Taps intentionally accessed Craigslist’s protected computer and obtained information from it. The only dispute is whether 3Taps did so “without authorization. ” 3Taps’ argument starts out on firm statutory ground: “[B]y making the classified ads on its website publicly available, craigslist has ‘authorized’ the world, including 3Taps, to ” Supp. Br. at 4; Reply at 4; see also Pulte Homes, Inc. Laborer’s Intern’l Union of N. Am., 648 F. 3d 295, 304 (6th Cir. 2011) (public presumptively authorized to access “unprotected website”). That makes sense. But it does not answer the question here, which is whether Craigslist had the power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website. Craigslist certainly thought it had such authority, and sought to exercise it through its cease-and-desist letter and IP blocking measures. 3Taps says that Craigslist had no power to “de-authorize” anyone, but it cannot point to any language in the statute supporting that conclusion. At oral argument on this motion, counsel for 3Taps relied heavily on Pulte, arguing that it conclusively resolved the issue presented here. In Pulte however, the plaintiff never argued that it had revoked the defendant’s authorization to access its computers. See 648 F. 3d at 304 (“[Plaintiff] does not even allege that one or several calls or e-mails would have been unauthorized. Its complaint thus amounts—at most—to an allegation that [the defendant] exceeded its authorized access. ”) Thus, when the Pulte court observed in dicta that the public was authorized to access an unprotected website, it was not reaching the follow-up issue never argued by the plaintiff in that case: whether the computer owner could revoke that general authorization on a case by case basis, making further access by a banned entity “without authorization. 
” In fact, the statutory context and the Ninth Circuit’s interpretation of the phrase “without authorization” both cut against 3Taps’ argument.
One way to accomplish the result that 3Taps urges—prohibiting computer owners from revoking “authorization” to access public websites—would be to restrict the kind of information protected by the CFAA. For example, Congress might have written § 1030(a)(2) to protect only “nonpublic” information. A neighboring provision in the CFAA includes that very modifier, and prohibits access without authorization to “nonpublic” government computers. See 18 U. § 1030(a)(3). Another adjacent provision applies only to certain kinds of financial information. See § 1030(a)(2)(A). Congress apparently knew how to restrict the reach of the CFAA to only certain kinds of information, and it appreciated the public vs. nonpublic distinction—but § 1030(a)(2)(C) contains no such restrictions or modifiers.
Congress also included in a similar statute a restriction like the one 3Taps proposes here. The Stored Communications Act includes a provision that 3Taps describes as “almost identical” to the CFAA. § 2701(a) (“[W]hoever—intentionally accesses without authorization a facility through which an electronic communication service is provided;….”). 3Taps cites an Eleventh Circuit case interpreting that provision, Snow v. DirecTV, Inc., 450 F. 3d 1314 (11th Cir. 2006), and argues that the reasoning from Snow applies here. Reply at 5–6. But 3Taps does not mention that Congress included in the SCA language stating that “[i]t shall not be unlawful under this [law] for any person—(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public. § 2511(2)(g) (emphasis added). No such language appears in the CFAA provision at issue here.
And, the Ninth Circuit’s interpretation of the CFAA’s phrase “without authorization” confirms that computer owners have the power to revoke the authorizations they grant. In LVRC Holdings LLC v. Brekka, 581 F. 3d 1127 (9th Cir. 2009), an employee logged into his work computer with valid credentials provided by his employer and e-mailed valuable documents from the employer’s computer to the employee’s personal e-mail address for use in his own competing business. at 1129–30, 1134. Turning first to the “plain language” of the statute, the court approvingly cited the Second Circuit’s conclusion that the phrase “without authorization” has an unambiguous, plain meaning. at 1132–33 (citing United States v. Morris, 928 F. 2d 504, 511 (2d Cir. 1991)). The “ordinary, contemporary, common meaning” of the word “authorization” is “permission or power granted by an authority. at 1133. The court also distinguished access “without authorization” from use that “exceeds authorized access, ” which is a separate provision in the CFAA. “A person who uses a computer ‘without authorization’ has no rights, limited or otherwise, to access the computer in question. The court rejected the employer’s invitation to read into the word “authorization” a requirement that the employee be acting as an agent of the employer at the time of access. The employer’s argument was that the basis of the employee’s authorization was his status as an agent, and a breach of the duty of loyalty under common law agency principles terminated the agency relationship. at 1134. Noting that the CFAA was a criminal statute and that the rule of lenity applied, the court emphasized that the CFAA made no mention of state law duties of loyalty, and “[t]he plain language of the statute… indicates that ‘ authorization’ depends on actions taken by the employer. at 1135 (emphasis added). 
Accordingly, “a person uses a computer ‘without authorization’ under [the CFAA] when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission) or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway. (emphasis added).
Here, under the plain language of the statute, 3Taps was “without authorization” when it continued to pull data off of Craigslist’s website after Craigslist revoked its authorization to access the website. As the “ordinary, contemporary, common meaning” of the word indicates, and as Brekka expressly held, “authorization” turns on the decision of the “authority” that grants—or prohibits—access. In Brekka, the authority was the employer. Here, it is Craigslist. Craigslist gave the world permission (i.e., “authorization”) to access the public information on its public website. Then, just as Brekka instructed that an “authority” can do, it rescinded that permission for 3Taps. Further access by 3Taps after that rescission was “without authorization.”
B. The Ninth Circuit’s Access vs. Use Distinction
3Taps tries to muddy the waters by plucking a few stray quotes from a more recent Ninth Circuit case, United States v. 3d 854 (9th Cir. 2012), and arguing that the Ninth Circuit has significantly narrowed the reach of the CFAA’s broad language. In Nosal, the government brought criminal charges under the CFAA against David Nosal for encouraging corporate employees to access confidential information on their employer’s computer system and to transfer the information to Nosal. at 856. The employees were authorized to access the information but violated a corporate policy by disclosing it to Nosal. The Ninth Circuit held that the phrase “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use. at 863–64.
The Ninth Circuit’s thoughtful discussion of the dangers of criminalizing violations of private use policies adds little here because in Nosal the court was considering scenarios where a computer user has some legitimate access to the protected computer in the first place. In that context, criminalizing violations of private use policies “that most people are only dimly aware of and virtually no one reads or understands”—and that are subject to change at any time—presents serious notice concerns and also threatens to “transform whole categories of otherwise innocuous behavior into federal crimes. at 860–61. The calculus is different where a user is altogether banned from accessing a website. The banned user has to follow only one, clear rule: do not access the website. The notice issue becomes limited to how clearly the website owner communicates the banning. Here, Craigslist affirmatively communicated its decision to revoke 3Taps’ access through its cease-and-desist letter and IP blocking efforts. 3Taps never suggests that those measures did not put 3Taps on notice that Craigslist had banned 3Taps; indeed, 3Taps had to circumvent Craigslist’s IP blocking measures to continue scraping, so it indisputably knew that Craigslist did not want it accessing the website at all. Nor does prohibiting people from accessing websites they have been banned from threaten to criminalize large swaths of ordinary behavior. It is uncommon to navigate contemporary life without purportedly agreeing to some cryptic private use policy governing an employer’s computers or governing access to a computer connected to the internet. In contrast, the average person does not use “anonymous proxies” to bypass an IP block set up to enforce a banning communicated via personally-addressed cease-and-desist letter. See Compl. ¶ 84. Thus, a meaningful distinction exists between restricting uses of a website for a certain purpose and selectively restricting access to a website altogether. 
3Taps says that Craigslist’s purported “de-authorization” was really just a creatively-labeled use restriction, because Craigslist banned 3Taps based on Craigslist’s disapproval of how 3Taps was using the information from Craigslist’s website. It is true that “simply denominating limitations as “access restrictions” does not convert what is otherwise a use policy into an access restriction.” Wentworth–Douglass Hosp. Young & Novis Prof’l Ass’n, No. 10–CV–120–SM, 2012 WL 2522963, at *4 (D. N. H. June 29, 2012). Thus, purported “de-authorizations” buried in a website’s terms of service may turn out to be use restrictions in disguise, and would present the same problems identified by the Nosal court. See Cvent, Inc. Eventbrite, Inc., 739 927, 932–34 (E. ); Koch Indus., Inc. Does, No. 2:10CV1275DAK, 2011 WL 1775765, at *8–9 ( May 9, 2011).
But that is not this case. Here, it is possible to distinguish the kind of restriction in place from Craigslist’s motivation for imposing that restriction. Craigslist made a complete access restriction when it told 3Taps that it could not access Craigslist’s website “for any reason,” and then put in place a technological barrier designed to completely cut off 3Taps’ ability to view the site. That it did so because of how 3Taps used Craigslist’s information is true, but beside the point, because as discussed above, true access restrictions do not present the same notice and breadth issues that come with the criminalization of use policies.
Other Statutory Interpretation Tools
3Taps’ remaining arguments all rest to some degree on the premise that the CFAA is ambiguous and could be reasonably interpreted as prohibiting computer owners from selectively revoking authorization to access public information on a public website. As discussed above, the plain language of the statute, as interpreted by the Ninth Circuit in Brekka, admits of no such interpretation, and so these points carry little weight with this Court.
Rule of Lenity: Where a criminal statute suffers from a “grievous ambiguity,” the law should be interpreted to avoid imposing unintended penalties. Muscarello v. United States, 524 U. 125, 138, 118 1911, 141 111 (1998); Nosal, 676 F. 3d at 863. As the Supreme Court has recognized, however, most statutes are technically ambiguous, and “[t]he mere possibility of articulating a narrower construction does not by itself make the rule of lenity applicable.” Muscarello, 524 U. at 138, 118 1911. The rule does not create ambiguity where, as here, the plain meaning of the statute indicates that a penalty applies.
Constitutional Avoidance and Vagueness: Similarly, where two “plausible” interpretations of a statute present themselves, and one presents serious constitutional doubts as to the validity of the statute, the constitutional avoidance canon says that a court should select the interpretation that avoids the constitutional problem. g., Milavetz, Gallop & Milavetz, P. A. United States, 559 U. 229, 239, 130 1324, 176 79 (2010). Here, 3Taps cannot invoke that canon for two reasons: First, for the reasons already stated, its alternative interpretation is not plausible. Second, no serious constitutional doubts accompany the Court’s interpretation of the CFAA.
3Taps says that if the CFAA assigns criminal penalties to a computer owner’s selective restriction on access to an otherwise public website, the statute becomes “so vague and sweeping that it [does] not provide an ordinary person with sufficient notice as to what conduct is prohibited.” Supp. at 12. Supposedly, that is because “an ordinary Internet user would not understand what ‘without authorization’ means in the context of a public website that does not require a password or impose code-based restrictions to protect private or confidential information.
The relevant question is whether the statute is vague “as applied to the particular facts at issue, for a plaintiff who engages in some conduct that is clearly proscribed cannot complain of the vagueness of the law as applied to the conduct of others.” Holder v. Humanitarian Law Project, 561 U. 1, 130 2705, 2719, 177 355 (2010) (internal quotation marks omitted). Here, 3Taps (1) received a personally-addressed cease-and-desist letter stating that it could not access Craigslist’s website “for any reason”; (2) discovered that it could no longer access the website at all from its IP addresses; and (3) was sued for continuing to access that website after circumventing the IP restrictions. A person of ordinary intelligence would understand Craigslist’s actions to be a revocation of authorization to access the website, and thus have fair notice that further access was “without authorization.” Accordingly, the Court finds little significance in 3Taps’ point that an IP address is not a person. See Reply at 3. IP blocking may be an imperfect barrier to screening out a human being who can change his IP address, but it is a real barrier, and a clear signal from the computer owner to the person using the IP address that he is no longer authorized to access the website.

3Taps also makes a passing suggestion in the “public policy” section of its brief that application of the statute’s plain language “raises serious First Amendment implications. at 14. But it cites no authority even remotely on point, and does not respond to Craigslist’s observation that criminal enforcement of limits on the use of private property is common and not a presumptive violation of the First Amendment. See, e.g., Lloyd Corp., v. Tanner, 407 U. 551, 569–70, 92 2219, 33 131 (1972). To be sure, later cases may confront difficult questions concerning the precise contours of an effective “revocation” of authorization to access a generally public website.
This Court cannot and does not wade into that thicket, except to say that under the facts here, which include the use of a technological barrier to ban all access, 3Taps’ deliberate decision to bypass that barrier and continue accessing the website constituted access “without authorization” under the CFAA.

Legislative History: 3Taps says that the legislative history indicates that the CFAA was an “anti-hacking” statute designed to protect private information—not information voluntarily exposed to the world on a public website. Supp. at 9–11. The lengthy legislative history includes statements referring to the protection of private information. No. 99–432, at 1–2 (1986); H. 98–894, at 9–12 (1984); 142 Cong. Rec. S10,889, 10,890 (1996); No. 104–357, at 9 (1996). In other places, it says that the statute was modeled on common law trespass, No. 104–357, at 7–11 (1996); No. 99–432, at 7 (1986); 131 Cong. S11,872 (daily ed. Sept. 20, 1985); H. 98–894, at 10, 20 (1984), where criminal enforcement of selective exclusion decisions by private parties is the norm. This Court has no grounds for favoring one set of vague statements over the other—nor does it make much sense to try, where the statements were not addressed to the facts at issue in this case, which Congress probably could not have foreseen if it tried. In any event, as with the rule of lenity and the constitutional avoidance doctrines, courts “do not resort to legislative history to cloud a statutory text that is clear.” Ratzlaf v. United States, 510 U. 135, 147–48, 114 655, 126 615 (1994).

Public Policy: Without any language in the statute to support its arguments, 3Taps lets the cat out of the bag in the concluding section of its brief and urges consideration of “serious policy concerns” raised by straightforward application of the CFAA’s broad language.
There, and sprinkled throughout its earlier, ostensibly text-based, arguments, 3Taps posits outlandish scenarios where, for example, someone is criminally prosecuted for visiting a hypothetical website after a “friend”—apparently not a very good one—says the site has beautiful pictures but the homepage says that no one is allowed to click on the links to view the pictures. See Supp. 7 n. Needless to say, the Court’s decision concerning 3Taps’ persistent scraping efforts undertaken after (1) receiving a cease-and-desist letter and (2) employing IP rotation technology to mask its identity and overcome Craigslist’s technological barriers does not speak to whether the CFAA would apply to other sets of facts where an unsuspecting individual somehow stumbles on to an unauthorized site.

3Taps also invites this Court to make all manner of legislative judgments turning on, for example, the “culture” of the internet, the Court’s view of whether accessing a website is more like window shopping from a public sidewalk or actually entering a store, and whether “a permission-based regime for public websites could implode the basic functioning of the internet itself. at 13–14. 3Taps opines that “the ‘socially prudent’ benefits of finding an implied license [to access public website data] far outweigh any social utility derived from allowing a website owner to selectively block access to publicly available information, including by competitors.” Reply at 10. Maybe, or maybe not—but it is certainly not for this Court to impose its views on those matters on unambiguous statutory language. 3Taps and amici have articulated alternative, intuitive ways that Congress might draw the relevant statutory lines. For example, the statute might only protect “non-public information protected by a password, firewall, or similar restriction.” Reply at 5.
Currently, however, the statute protects all information on any protected computer accessed “without authorization,” and nothing in that language prohibits a computer owner from selectively revoking authorization to access its website. 3Taps implies that this result borders on absurd, but this Court disagrees. The law of trespass on private property provides a useful, if imperfect, analogy. Store owners open their doors to the public, but occasionally find it necessary to ban disruptive individuals from the premises. That trespass law has enforced those bans with criminal penalties has not, in the brick and mortar context, resulted in the doomsday scenarios predicted by 3Taps in the internet context. The current broad reach of the CFAA may well have impacts on innovation, competition, and the general “openness” of the internet, see Reply at 15, but it is for Congress to weigh the significance of those consequences and decide whether amendment would be prudent.

IV. CONCLUSION

For the foregoing reasons, the Court DENIES 3Taps’ renewed motion to dismiss the CFAA claim and the § 502 claim.

IT IS SO ORDERED.
Craigslist v. 3taps | Digital Media Law Project


Welcome to the website of the Digital Media Law Project. The DMLP was a project of the Berkman Klein Center for Internet & Society from 2007 to 2014. Due to popular demand the Berkman Klein Center is keeping the website online, but please note that the website and its contents are no longer being updated. Please check any information you find here for accuracy and completeness.
NOTE: The information and commentary contained in this database entry are based on court filings and other informational sources that may contain unproven allegations made by the parties. The truthfulness and accuracy of such information is likely to be in dispute. Information contained in this entry is current as of the last event mentioned in the “Description” section below; additional proceedings might have taken place in this matter since this event.
Summary
Threat Type:
Date:
Status:
Disposition: Dismissed (partial); Lawsuit Filed
Location:
Verdict or Settlement Amount:
Legal Claims: Breach of Contract; Computer Fraud and Abuse Act; Computer Trespass; Copyright Infringement; Trademark Infringement; Trademark Dilution; Unfair Competition; Other

Parties
Party Receiving Legal Threat:
Type of Party:
Type of Party:
Location of Party: California; Delaware
Location of Party: California; Delaware
Legal Counsel: Bobbie Wilson, Christopher Kao, Brian Hennessy, J. Patrick Corrigan (Perkins Coie LLP)
Legal Counsel: 3taps: Allen Ruby (Skadden, Arps, Slate, Meagher & Flom LLP), Christopher J. Bakes (Locke Lord LLP); PadMapper: Venkat Balasubramani (Focal PLLC)

Details
Web Site(s) Involved:
Content Type: Text; Virtual
Publication Medium:
Subject Area: Copyright; Trademark; Terms and Conditions