Persistent Scraper May Violate CFAA By Circumventing IP Blocking
In an order issued on Friday, the Northern District of California found that defendant 3Taps, a company that aggregates Craigslist ads to republish on its own site and as an API service, may be liable under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030(a)(2). The Court found that 3Taps may have violated the CFAA by accessing the site “without authorization,” because, after receiving a cease and desist letter, it circumvented Craigslist’s attempts to block its IP address from accessing the site.
The key question was “whether Craigslist had the power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website.” Order at 4. Based on the Ninth Circuit’s interpretation in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), the Court found that Craigslist had the power to grant or prohibit access to its public site, and took steps that effectively revoked 3Taps’ access by blocking 3Taps’ IP address. The Court offered a brick-and-mortar analogy, writing “[s]tore owners open their doors to the public, but occasionally find it necessary to ban disruptive individuals from the premises.” Order at 12.
Craigslist first sent a cease and desist letter to 3Taps, writing “[t]his letter notifies you that you and your agents, employees, affiliates, and/or anyone acting on your behalf are no longer authorized to access, and are prohibited from accessing craigslist’s website or services for any reason.” Order at 2 (internal citations omitted). Next, Craigslist implemented a technological barrier by blocking IP addresses associated with 3Taps from accessing the site.
3Taps continued its data-scraping “by using different IP addresses and proxy servers to conceal its identity,” thus purposefully circumventing the technological barrier. Id. 3Taps’ continued access was “without authorization” since it had sufficient notice that Craigslist had revoked its access. The Court emphasized the significance of bypassing the technological barrier, writing:
“3Taps never suggests those measures did not put 3Taps on notice that Craigslist had banned 3Taps; indeed, 3Taps had to circumvent Craigslist’s IP blocking measures to continue scraping, so it indisputably knew that Craigslist did not want it accessing the website at all.”
Order at 8. Arguably some users could “bypass” IP blocking measures unintentionally; those with dynamic IP addresses might not even know these measures existed. The Court, however, explained that this barrier is sufficient.
“…IP blocking may be an imperfect barrier to screening out a human being who can change his IP address, but it is a real barrier, and a clear signal from the computer owner to the person using the IP address that he is no longer authorized to access the website.”
Order at 10, note 7.
While the Court limited its decision to the specific facts of this case, such a decision is in line with Ninth Circuit precedent interpreting one of the widely discussed provisions of the Digital Millennium Copyright Act, which similarly prohibits circumventing “a technological measure that effectively controls access to a work protected under this title.” 17 U.S.C. § 1201(a)(1)(A). In MDY Industries v. Blizzard Entertainment, 629 F.3d 928, 954 n.17 (9th Cir. 2010), the court found that “[t]he statutory definition of the phrase ‘effectively control access to a work’ does not require that an access control measure be strong or circumvention-proof.”
As website owners continue to explore legal and technological means of blocking unwanted users, this type of case may become increasingly common because of the relative ease of blocking specific IP addresses.