May 24, 2017

I Join the EFF and Others in Calling for Craigslist to Drop CFAA Claims

[Cross-posted on my blog, Managing Miracles]

Craigslist is suing several companies that scrape data from Craigslist advertisements. These companies, like Padmapper and 3taps, repurpose the data in order to provide more useful ways of searching through the ads. I have written about this in earlier posts, “Dear Craig: Voluntarily Dismiss with Prejudice,” and “A Response to Jerry: Craig Should Still Dismiss.” Fundamentally, I think that the company’s tactic of litigating against perceived competitors is bad for Craigslist (because it limits the reach of its users’ ads and thus the success of Craigslist), it is bad for the law and policy of the web (because scraping of public web sites has historically been a well-established and permissible practice that beneficially spreads public information), and is in bad taste (given Craiglist’s ethos of doing well by doing good).

One of the most problematic aspects of the lawsuit is the set of claims under the Computer Fraud and Abuse Act (CFAA) and its California state-law counterpart. The CFAA, passed in 1986, introduces criminal and civil penalties for “unauthorized access” to “protected computers.” The CFAA was largely a reaction to generalized fear of “computer hacking,” and it did not envision the public internet as we know it today. Nevertheless, some have tried to apply the CFAA to public web sites. This approach has been widely frowned upon by both the tech community and the courts. For instance, the Center for Democracy and Technology (CDT) and the Electronic Frontier Foundation (EFF) are actively pushing to reform the CFAA because it has been subject to prosecutorial abuse. Craigslist has nevertheless alleged violations of the CFAA based on access to their public web site.

Today I signed on to an an amicus brief written by the EFF–which was also co-signed by other scholars in the field–that urges the court to dismiss these ill-advised CFAA claims. The brief reads, in part:
[Read more…]

Design is a poor guide to authorization

James Grimmelmann has a great post on the ambiguity of the concept of “circumvention” in the law. He writes about the Computer Fraud and Abuse Act (CFAA) language banning “exceeding authorized access” to a system.

There are, broadly speaking, two ways that a computer user could “exceed[] authorized access.” The computer’s owner could use words to define the limits of authorization, using terms of service or a cease-and-desist letter to say, “You may do this, but not that.” Or she could use code, by programming the computer to allow certain uses and prohibit others.

The conventional wisdom is that word-based restrictions are more problematic.

He goes on to explain the conventional wisdom that basing CFAA liability on word-based restrictions such as website Terms of Use is indeed problematic. But the alternative, as James points out, is perhaps even worse: defining authorization in terms of the technical functioning of the system. The problem is that everything that the attacker gets the system to do will be something that the system as actually constructed could do.
[Read more…]

A Response to Jerry: Craig Should Still Dismiss

[Cross-posted on my blog, Managing Miracles]

Jerry Brito, a sometimes contributor to this blog, has a new post on the Reason blog arguing that I and others have been too harsh on Craigslist for their recent lawsuit. As I wrote in my earlier post, Craigslist should give up the lawsuit not just because it’s unlikely to prevail, but also because it risks setting bad precedents and is downright distasteful. Jerry argues that what the startups that scrape Craigslist data are doing doesn’t “sit well,” and that there are a several reasons to temper criticism of Craigslist.

I remain unconvinced.

To begin with, the notion that something doesn’t “sit well” is not necessarily a good indicator that one can or should prevail in legal action. To be sure, tort law (and common law more generally) develops in part out of our collective notion of what does or doesn’t seem right. Jerry concedes that the copyright claims are bogus, and that the CFAA claims are ill-advised, so we’re left with doctrines like misappropriation and trespass to chattels. I’ll get to those in a moment.
[Read more…]