Forgot your password?
typodupeerror
Businesses The Courts Your Rights Online

Company Using Proxy To Evade Craigslist Block Violated CFAA 186

Posted by Unknown Lamer
from the slashdot-trolls-beware-cfaa dept.
WillgasM writes "Changing your IP address or using proxy servers to access public websites you've been forbidden to visit is a violation of the Computer Fraud and Abuse Act, according to a judge's broad ruling (PDF) during a case on Friday involving Craigslist and 3taps. Opponents argue that this creates a slippery slope that many unsuspecting web users may find themselves upon. With your typical connection being assigned an address dynamically, is an IP ban really a 'technological barrier' to be circumvented? How long until we see the first prosecution for unauthorized viewing of a noindex page?" Probably a long time; the judge in the case rejected the slippery slope argument: 'There, and sprinkled throughout its earlier, ostensibly text-based, arguments, 3taps posits outlandish scenarios where, for example, someone is criminally prosecuted for visiting a hypothetical website www.dontvisitme.com after a "friend" — apparently not a very good one — says the site has beautiful pictures but the homepage says that no one is allowed to click on the links to view the pictures. Needless to say, the Court’s decision [regarding 3taps' actions]... does not speak to whether the CFAA would apply to other sets of facts where an unsuspecting individual somehow stumbles on to an unauthorized site.' Willful evasion of blocks for commercial gain, on the other hand ...
This discussion has been archived. No new comments can be posted.

Company Using Proxy To Evade Craigslist Block Violated CFAA

Comments Filter:
  • by Anonymous Coward

    This is so fucked it's beyond belief...

    Braindead, much?

  • Trespassing (Score:4, Interesting)

    by guytoronto (956941) on Tuesday August 20, 2013 @07:53AM (#44616861)
    Seems no difference than trespassing. Putting on a fake mustache, sunglasses, and a wig doesn't mean you can ignore the trespass order.
    • by Thanshin (1188877)

      Seems no difference than trespassing. Putting on a fake mustache, sunglasses, and a wig doesn't mean you can ignore the trespass order.

      But the limit being non-existent or impossible to detect does.

      • Re:Trespassing (Score:4, Insightful)

        by Anonymous Coward on Tuesday August 20, 2013 @08:17AM (#44617201)

        The company knew they were banned, because Craigslist had sent them a cease and desist letter. Blocking their IP address range was just an enforcement measure, but the ban was against the company, not the IP address range.

      • by BitZtream (692029)

        What the fuck was undetectable about being blocked? The fact that they were blocked, they knew they were blocked and then intentionally worked around it.

        They intentionally did something the other side didn't want done. It took deliberate actions to get around the block.

        It wasn't an accident. It wasn't a few times til someone noticed. They KNEW they were blocked ... you know, case craigslist TELLS YOU THAT YOU'RE BLOCKED ... and then they went around it.

        Fry'em. This is the kind of shit that causes us pr

    • Re:Trespassing (Score:4, Informative)

      by lightknight (213164) on Tuesday August 20, 2013 @08:16AM (#44617183) Homepage

      Wait. Time out. What exactly does 3Taps do?

      The article states: "3taps drew Craigslist's ire by aggregating and republishing its ads, so Craigslist sent a cease-and-desist letter telling the company not to do that. Craigslist also blocked IP addresses associated with 3taps' systems."

      However, a brief glance at their website (unless they changed things that quickly) does not show anything of this sort.

      Does anyone have a screenshot from earlier, with the offending material?

    • by gmuslera (3436)

      There is no trespassing if is a public place, you can block a person, but not the direction from which is coming. Is like not forbidding you specifically, but putting a barrier in a street of the city that is between your home and that public place, and put you in jail if you take another route to get there, there is always another way to get in, and you have the right to go anywhere in the city.

      But more important, real world analogies specifically in a point where internet diverges from the real world (

      • by bws111 (1216812)

        Since when is craigslist (or any other web site) a public place?

        • You're soaking in it.

        • Re:Trespassing (Score:5, Insightful)

          by Zero__Kelvin (151819) on Tuesday August 20, 2013 @10:03AM (#44618649) Homepage

          "Since when is craigslist (or any other web site) a public place?"

          Since the moment you could could got to *.craigslist.org without having to authorize (i.e. enter a user name and password) Or in other words, always.

          • by bws111 (1216812)

            Say what?? That makes it a publicly accessible private place, which is far different from a public place. And being a private place, they are perfectly free to restrict who uses it, authorization required or not.

            • Imagine a massive banner on every website:
              NO PUBLIC RIGHT OF WAY

              • That isn't a bad analogy, except that it assumes a single access point. On the Internet, every URL is an access point. It turns out there is a way to do the equivalent of posting a similar sign on every entry point, and that is an authorization mechanism. Google does this with gmail, etc. for example. Craigslist doesn't do this, so they have no leg upon which to stand. This means of course that the judge is a misinformed idiot, but that should come as no surprise to anyone on Slashdot.
        • if the cops try to use different IPs they are breaking the law. ahhahhaa

      • by shentino (1139071)

        Craigslist is not a public place to begin with, it is a private site.

        If it's a public place you cannot be kicked out by anyone but the government in the first place. Nobody but the police would be allowed to put those barriers in the street to begin with.

        Someone who owns a mansion, however, can put up fences and prosecute someone for going through them, if that person has already been kicked out and commanded not to return.

        Craigslist is private property and anyone can be expelled at any time for any or no

        • by gmuslera (3436)

          The open internet, is, by definition, a public place, any place that you can access without a login and password are the digital equivalent of a public place, anyone can visit it. If you put "fences", require user/password to access certain pages, that would be the private places, and there you can say "ok, you can't enter", but for places where everyone, even in an anonymous way can enter, is at the very least harder if not impossible (if you can't use proxy for your fixed IP office connection, can go to

          • Hold on now. The internet is full of businesses and individuals with websites that they run and maintain it's not run by the city, state, or parks and recreation. Trust me if you park your car on my front lawn I'll have you towed and the fact that it's not fenced in means nothing it's still private property.

            Now here is what you have a business Craig's list and a third party 3taps standing in the parking lot giving out fliers with the Craig's list ads and their competitors ads. They sent them written notice

      • Try that argument the next time you are obnoxious in a bar and they kick you out. There may be a back door to the bar, but just because you use it to enter a second time doesn't mean you get to stay.

        If you get a disguise and try to come back through front or back door doesn't entitle you entrance either. I am pretty sure if you keep coming back you are going to end up in a 6x8 cell.

    • by spectro (80839)

      Let's say I am watching a baseball game in one of these Chicago buildings just outside Wrigley Field. The Cubs decide they don't want us to watch the ballgame for free anymore so they block our view by putting a tarp or building a new scoreboard. According to this ruling it would be illegal tresspass for us to find another, maybe taller building from where to keep watching...

      • by bws111 (1216812)

        Uh, no. When you access a website you are using the web site owners property (the server). When you are watching a ballgame from outside the stadium you are not using their property. I can not tell you where not to look, but I sure as hell can tell you to stay off my property.

        So, to fix your very flawed analogy, it is more like 'I got caught using a hole in the fence to get into Wrigley Field. They told me not to do that anymore, and fixed that hole in the fence. According to this ruling it would be ill

      • by shentino (1139071)

        Depends on if you're watching the game from your own property or not.

        There's a scene from Angels in the Outfield where the kids are spying on a ballgame from a tree...that is inside the private property of the stadium.

  • Store Ban (Score:5, Insightful)

    by ZombieBraintrust (1685608) on Tuesday August 20, 2013 @08:03AM (#44617003)
    Being banned from a site is no different from being banned from a physical location. The security is week. You can come up with hypothetical around wearing a mask into the store. Someone comes into a store wearing a mask and is confused for a criminal. But at the end of the day, if a person tells you go away and you don't, judges are not going to be sympathetic.
    • by shentino (1139071)

      There is no confusion, because that person actually WOULD be a criminal.

      The only confusion is that they are a trespasser instead of a thief.

      So they pull the mask off, and they find out you're not actually looking to rob the place.

      But lo and behold, you ARE on the list of people who are banned from the store, so the cops still arrest you for trespassing.

    • by WillgasM (1646719)
      It's more like this: You go to a store, harass employees and get banned. Security is told not to let that guy in the Slayer shirt back into the store. You then go out to your car, change shirts, and back in past the security guard and start harassing employees again. I'm all for charging you with harassment and trespassing, but it's still not illegal to change your shirt.
      • Computer Fraud and Abuse Act is the trespassing charge. Perhaps website trespassing needs to be seperated out into its own thing. Lumping it in with theft of data and corporate sabotage is a bit unfair.
        • by WillgasM (1646719)
          Agreed. If they want to argue that accessing the site was illegal because of the C&D letter, then that's fine. The method of accessing it shouldn't be criminalized. If CL had never even instituted an IP ban and 3taps kept doing what they were doing, it should have made no difference to this case. If I post no trespassing signs but leave the gate open, it's still trespassing. This ruling sets an unnecessary and dangerous precedent.
          • by bws111 (1216812)

            What is the precendent? The ruling does not say that changing your IP address is a violation. The only reason the IP address change is important is because that is shows the defendant intentionally accessed the site after they were told not to. The first words of the CFAA are 'whoever having knowingly ...'. They got a C&D letter, they had their IP blocked, so the changed their IP to get around the block. Kind of hard at that point to claim you didn't know you were not authorized.

            • by WillgasM (1646719)
              I guess. So long as it's only used to establish intent to access the system and there's other evidence to prove you weren't authorized. I just fear that our tech illiterate judges will come to interpret an IP block as a revocation of authorization in and of itself. Boils back down to "I am not my IP"
  • by wonkey_monkey (2592601) on Tuesday August 20, 2013 @08:08AM (#44617045) Homepage
    Would this ruling still have been made if they hadn't also ignored the cease-and-desist letter sent to them by Craigslist?
    • No, the judge explicitly cites the C&D as part of the evidence that 3Tap was on notice that they no longer had authorization to access the site. From the the opinion

      The notice issue becomes limited to how clearly the website owner communicates the banning. Here, Craigslist affirmatively communicated its decision to revoke 3Tapsâ(TM) access through its cease-and-desist letter and IP blocking efforts. 3Taps never suggests that those measures did not put 3Taps on notice that Craigslist had banned 3Tap

  • by WaffleMonster (969671) on Tuesday August 20, 2013 @08:09AM (#44617055)

    If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

    • by uncanny (954868)
      Well the constitution doesn't apply to them, so why would some silly little act?
    • by TWiTfan (2887093)

      If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

      Sure, but who are you going to get to punish them when they do?

    • I would honestly suggest trying it as a form of protest if you've got some money and time you're willing to part with. Though, how are you going to know if it does get stolen* by the NSA?

      ("stolen" here using the MPAA/RIAA definition of stealing.)
    • Re: (Score:2, Insightful)

      by alexgieg (948359)

      If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

      No. Governments can do almost everything the laws it imposes say citizens (subjects?) cannot do. That's the point of a government, to be the single exception to the rule so that it can impose the rule on everyone else. Also, when the government promises it won't do something that isn't really binding. Sure, some of the time they'll more or less try, without much emphasis and only if they're feeling like it, most of the time however it'll be like that Star Wards exchange between Lando and Darth Vader:

      Darth V

      • If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

        No. Read the opinion [volokh.com].

        Now, if you gave notice to the individual agencies that they weren't welcome and instituted a technological control measure to block them from accessing it and they circumvented that block, then it would fall within

    • It's interesting because in the earliest days of the net dubious sites with porn on them often sported 'NO entry for police' notices. They've now gone out of fashion, but it appears that this ruling may enable them to have a legal effect, which given the significance of due process in US jurisprudence, could be huge.
    • by shentino (1139071)

      Two words.

      Sovereign immunity.

      You cannot prosecute the government itself for a crime. You'd have to press charges against a John Doe. Private citizens cannot prosecute federal crimes against anyone, that's the job of the US district attorneys.

      The feds would have to investigate, the feds would have to subpoena the feds to find out whodunit, the feds would have to prosecute them, and the feds would have to fight the feds fighting it every step of the way on grounds of state secrets.

      Yeah, fat chance. I can d

    • Silly rabbit, the law doesn't apply to government and police!
  • 3Taps responds (Score:5, Informative)

    by digitallife (805599) on Tuesday August 20, 2013 @08:21AM (#44617243)

    3Taps responds:

    "3taps Statement Regarding craigslist’s Misuse of the CFAA
    At craigslist’s urging, a federal court has recently interpreted the Computer Fraud and Abuse Act (CFAA), known as the “worst law in technology,” to apply when an owner of a public website decides that it no longer wants an Internet user accessing its website. The court held that “the statute protects all information on any protected computer accessed ‘without authorization’ and nothing in that language prohibits a computer owner from selectively revoking authorization to access its website.” Order at 12. 3taps is obviously disappointed in the Judge’s ruling and believes that by making public information publicly available on the Internet, without a password, firewall, or other similar restriction, craigslist has authorized, and continues to authorize, everyone to access that information. 3taps believes that the CFAA was meant to protect private and confidential information and that it was never meant to be used to selectively criminalize accessing public websites and obtaining the public information found on those sites. Importantly, the Court noted that the “current broad reach of the CFAA may well have impacts on innovation, competition, and the general ‘openness’ of the internet . . . but it is for Congress to weigh the significance of those consequences and decide whether amendment would be prudent.” Order at 12. 3taps continues to urge Congress to clarify the scope of the CFAA so that companies like craigslist cannot use it as a tool to stifle competition, innovation, and access to public websites.
    While we disagree with the Court’s interpretation of the CFAA, we of course respect the Court’s ruling. Accordingly, 3taps will adhere to the current interpretation of the law and will immediately cease all access to craigslist’s servers. (Significantly, 3taps only began accessing craigslist’s servers because, as alleged in 3taps’ antitrust counterclaim, craigslist interfered with 3taps’ ability to source content through general search engines.)
    Although craigslist may use the CFAA as currently interpreted to prevent 3taps from accessing its servers, 3taps can continue to function because directly accessing these servers is only one of three ways in which the information in question can be obtained. The other two, crowdsourcing and public search results, require no such access to craigslist’s servers and thus obviate the need to engage in conduct that may implicate the CFAA.
    Going forward, 3taps will operate based on its understanding that if it does not access craigslist’s servers, it has a right to collect public information originally posted on craigslist’s website. In particular, 3taps reasserts four fundamental points:
    3taps does not now scrape craigslist’s servers, and therefore, cannot be in violation of the CFAA.
    3taps' indexing and caching of exchange posting data reduces (rather than increases) the net computing resources expended by craigslist and other publishers to deliver complex search results to end users.
    As the Court previously held, craigslist cannot rely on its current Terms of Use to claim the right to enforce copyrights associated with user-generated ads posted on its website.

    The United States Patent and Trademark Office recently confirmed that craigslist cannot trademark a peace sign – even if that peace sign is purple. See http://ttabvue.uspto.gov/ttabvue/ttabvue-77956067-EXA-24.pdf [uspto.gov]. 3taps and others cannot be harassed for using the peace sign to indicate where information was sourced.
    3taps will hold a public event to demonstrate to any interested party that it is possible (despite assertions to the contrary) to obtain public information on the Internet without reliance on accessing a particular source website. 3taps believes that, by no

    • mod up
      • Re:mod up (Score:5, Insightful)

        by bluefoxlucid (723572) on Tuesday August 20, 2013 @08:49AM (#44617625) Journal

        Short version:

        Wah wah they told us we couldn't load their servers with screen-scraper shit and sent us legal threats and official notarized C&Ds, and we did it anyway by changing an IP address--a normal thing that users can do even without realizing it--and the judge got pissed at us! I mean how is this different than changing our clothes before walking back into a store we're banned from for harassing the staff?! Are they going to arrest us for changing our clothes now?!

        There's a huge logical fallacy in their legal argument.

    • 3taps [...] believes that by making public information publicly available on the Internet, without a password, firewall, or other similar restriction, craigslist has authorized, and continues to authorize, everyone to access that information.

      This sounds plausible until you realize the subtle trick they are pulling in conflating the information itself with the instance of the information stored on CL servers. 3T does, in fact, have every right to access and publish that information. What they do not have is

    • by Maow (620678)

      3Taps responds:

      "3taps Statement Regarding craigslist’s Misuse of the CFAA

      3taps is obviously disappointed in the Judge's ruling and believes that by making public information publicly available on the Internet, without a password, firewall, or other similar restriction, craigslist has authorized, and continues to authorize, everyone to access that information.

      I'll admit I didn't read the *entire* post, but the "without ... firewall" part stuck out to me.

      Craigslist put an IP block in place against 3taps. Whether it was with a firewall like iptables or whether it was enacted within the Craigslist software, it seems 3taps' argument has fallen apart already. There was, for all intents and purposes, a firewall in place to block them.

  • When judges write their rulings -- or rather their employees write their rulings -- the document may go onto a few peoples' desks before release. The more complicated the ruling, the more this is likely as judges don't like things getting overturned. Lots of overturned on appeal looks bad, apparently. Well, it may time for judges to get their rulings to pass some elementary technical review.

    • by Virtucon (127420)

      That's what the appeals process is for so lawyers on both sides can argue what's right or wrong with the ruling. Amicus briefs can be filed by knowledgeable and respected organizations or individuals on both sides of the arguments as well to point out specific flaws or finer points that weren't exposed in the original trial. These briefs or amici curiae are most often used in appeals. So the EFF or the FSF could file a brief in the appeal on this case based on the legal and technical problems for society

  • It seems like Craigslist had to pass two hurdles to get to this result. First, they sent a cease and desist letter to 3taps which effectively withdrew authorization to use their website for scraping. Second, they put up a technological barrier (albeit a token one) to prevent 3taps from scraping. 3taps subsequently ignored the cease and desist letter willfully, as demonstrated by their use of proxies. I don't think 3taps has any legs to stand on.

    Anyone who uses a proxy does not have to worry about vio

    • "It seems like Craigslist had to pass two hurdles to get to this result. First, they sent a cease and desist letter to 3taps which effectively withdrew authorization to use their website for scraping. Second, they put up a technological barrier (albeit a token one) to prevent 3taps from scraping. 3taps subsequently ignored the cease and desist letter willfully, as demonstrated by their use of proxies. I don't think 3taps has any legs to stand on. "

      Sorry, but that doesn't follow. The issue here is not whether 3taps had permission. The issue is whether accessing the site without permission should be a crime (much less a felony).

      And Aaron Schwarz is indeed a good example of that already happening. The problem here seems not to be that it's not a slippery slope, but that 3taps' did not present a good argument that it was.

      The "slippery slope" is actually pretty darned evident, and 3taps should simply have made their argument better. For example, all

      • This ruling does not imply that Aaron Schwarz was acting illegally, and it isn't a slippery slope. Terms of use had nothing to do with the decision.

        The important features are the formal letter CL sent to 3taps, informing them that they didn't have permission to access CL servers with HTTP requests, and the IP block CL set up. Schwarz was never formally notified that he didn't have access permission, although he did evade some technical restrictions. If the judge's ruling stood up as the definitive int

  • Their premise is the current case is not bad enough for opposition, and only some hypothetical future case is bad enough for opposition. It's a form of strawman argument.
    • I agree with your post. This case is plain old criminal trespass.

      I have to comment on your subject line. Some slopes are known to be slippery, so it's valid to be concerned that "if you authorize the NSA to do X, they may well stretch the limits to Y".

      • by Agent ME (1411269)

        Accessing a website through a proxy is "plain old criminal trespass"?

        • Yes, this scenario is criminal trespass in all states.

          Some states define criminal trespass as entering after having received due notice that you are not welcome. They acknowledge they were so notified.
          Other states define criminal trespass as entering with the intent to perform an unlawful act. Again, they entered the system with the intent to commit an unlawful act, to wit copyright infringement, unfair competition, etc.

          So yeah, it's a plain and ordinary case of criminal trespass. The only thing slightly i

  • Not everyone on a blacklist is guilty. If one person on your work network gets blacklisted from a site, it will hit everyone on that network. Sometimes sites will even blacklist whole IP ranges because too many IPs in the range have been engaged in something malicious, but that doesn't mean that every IP in the range is doing something wrong. And as the summary points out, IPs are allocated dynamically, and not intended to be used as authentication of a real-life identity. Your IP might be blacklisted f

    • by omnichad (1198475)

      Agree. The CFAA is only being abused to amplify charges. An IP block is a lot different than being told "Leave and don't come back." For one, it could have been an automated process. If the blocked IP literally received a "Leave and don't come back" message instead of a dropped connection, that might be somewhat different but not enough to establish it in my mind. I'm not surprised at all that a judge has trouble understanding the differences - it's still fairly technical.

    • by shentino (1139071)

      Sorry, that doesn't fly.

      Whether you deserve to be on the blacklist or not is an internal matter for Craigslist to decide in its sole and final discretion. Craigslist is private property and they reserve the right to ban anyone they darn please, for any or no reason. It's their blacklist to maintain as they see fit.

      The C&D letter proves that they were not welcome, and that they also knew it. It is irrelevant if they deserved to be banned or not. The bottom line is that they were banned and deliberate

      • Craigslist is private property and they reserve the right to ban anyone they darn please, for any or no reason.

        Yes, but it's 'private property' in a very strange way, in that they're also a public website. It's not 'private property' like your house is private property. It's 'private property' like the newspaper classifieds section is. The newspaper press can ban you from buying their newspaper, but reading the newspaper doesn't suddenly become a felony.

        The C&D letter proves that they were not welcome, and that they also knew it.

        So what? If violating the C&D constitutes a crime, then that's a crime. Fine, so be it. Punish these guys for knowingly violating the C&D. That should

    • Yet you're telling me that, if I try to bypass a blacklist for any reason, I'm committing fraud?

      If _one_ person is blacklisted (lost their legal authorisation to access the site), and a blacklist blocks a whole bunch of people from accessing the site, then all but one of them are still legally authorised. Of course the site may say "we have so much trouble coming from that IP range, we blacklist all of them". Which is a bit unfair, but perfectly legal.

      Imagine one person is banned from a shopping mall. If that person puts on a false beard and enters the shopping mall, they may not be recognised, but

      • Imagine one person is banned from a shopping mall. If that person puts on a false beard and enters the shopping mall, they may not be recognised, but they are still trespassing. If _you_ put on a false beard, that doesn't make you a trespasser.

        Right, but what this ruling seems to suggest is that changing/obscuring your IP to get bypass a blacklist is, in itself, a felony because it's considered 'hacking'.

    • Yet you're telling me that, if I try to bypass a blacklist for any reason, I'm committing fraud?

      No, nobody's telling you that.

      The judge apparently assumes that people are in general authorized to access public web sites, but that a formal letter revoking that authorization to a particular entity does remove the authorization. A C&D letter isn't a legal mandate, and you won't be prosecuted for violating one, but you could be if you do something potentially illegal. The fact that 3taps circumvented

  • ... when Moot bans you from /b/, he means it!

  • The more vague and broad a law is the more inconvenient people we can incarcirate! We should strive to make sure the dirty peasants know that the moment they get out of line we will slam the book against them with as many vaguely defined crimes as possible!

The reason why worry kills more people than work is that more people worry than work.

Working...