April 17, 2014


I Join the EFF and Others in Calling for Craigslist to Drop CFAA Claims

[Cross-posted on my blog, Managing Miracles]

Craigslist is suing several companies that scrape data from Craigslist advertisements. These companies, like Padmapper and 3taps, repurpose the data in order to provide more useful ways of searching through the ads. I have written about this in earlier posts, “Dear Craig: Voluntarily Dismiss with Prejudice,” and “A Response to Jerry: Craig Should Still Dismiss.” Fundamentally, I think that the company’s tactic of litigating against perceived competitors is bad for Craigslist (because it limits the reach of its users’ ads and thus the success of Craigslist), it is bad for the law and policy of the web (because scraping of public web sites has historically been a well-established and permissible practice that beneficially spreads public information), and it is in bad taste (given Craigslist’s ethos of doing well by doing good).

One of the most problematic aspects of the lawsuit is the set of claims under the Computer Fraud and Abuse Act (CFAA) and its California state-law counterpart. The CFAA, passed in 1986, introduces criminal and civil penalties for “unauthorized access” to “protected computers.” The CFAA was largely a reaction to generalized fear of “computer hacking,” and it did not envision the public internet as we know it today. Nevertheless, some have tried to apply the CFAA to public web sites. This approach has been widely frowned upon by both the tech community and the courts. For instance, the Center for Democracy and Technology (CDT) and the Electronic Frontier Foundation (EFF) are actively pushing to reform the CFAA because it has been subject to prosecutorial abuse. Craigslist has nevertheless alleged violations of the CFAA based on access to their public web site.

Today I signed on to an amicus brief written by the EFF–which was also co-signed by other scholars in the field–that urges the court to dismiss these ill-advised CFAA claims. The brief reads, in part:


Design is a poor guide to authorization

James Grimmelmann has a great post on the ambiguity of the concept of “circumvention” in the law. He writes about the Computer Fraud and Abuse Act (CFAA) language banning “exceeding authorized access” to a system.

There are, broadly speaking, two ways that a computer user could “exceed[] authorized access.” The computer’s owner could use words to define the limits of authorization, using terms of service or a cease-and-desist letter to say, “You may do this, but not that.” Or she could use code, by programming the computer to allow certain uses and prohibit others.

The conventional wisdom is that word-based restrictions are more problematic.

He goes on to explain the conventional wisdom that basing CFAA liability on word-based restrictions such as website Terms of Use is indeed problematic. But the alternative, as James points out, is perhaps even worse: defining authorization in terms of the technical functioning of the system. The problem is that everything that the attacker gets the system to do will be something that the system as actually constructed could do.


A Response to Jerry: Craig Should Still Dismiss

[Cross-posted on my blog, Managing Miracles]

Jerry Brito, a sometimes contributor to this blog, has a new post on the Reason blog arguing that I and others have been too harsh on Craigslist for their recent lawsuit. As I wrote in my earlier post, Craigslist should give up the lawsuit not just because it’s unlikely to prevail, but also because it risks setting bad precedents and is downright distasteful. Jerry argues that what the startups that scrape Craigslist data are doing doesn’t “sit well,” and that there are several reasons to temper criticism of Craigslist.

I remain unconvinced.

To begin with, the notion that something doesn’t “sit well” is not necessarily a good indicator that one can or should prevail in legal action. To be sure, tort law (and common law more generally) develops in part out of our collective notion of what does or doesn’t seem right. Jerry concedes that the copyright claims are bogus, and that the CFAA claims are ill-advised, so we’re left with doctrines like misappropriation and trespass to chattels. I’ll get to those in a moment.


Dear Craig: Voluntarily Dismiss with Prejudice

[Cross-posted on my blog, Managing Miracles]

Last summer, Craigslist filed a federal lawsuit against the company Padmapper (and some related entities). Padmapper.com is a site that, among other things, allows users to view Craigslist postings on a geographical map. It is a business premised on providing value added services to Craigslist postings — with some of that added value going back to Craigslist in the form of more users. Craigslist did not like this, and alleged a host of claims — seventeen of them, by the time they were done with the “First Amended Complaint” (FAC). Among their claims were alleged violations of copyright, trademark, breach of contract, and — surprisingly — Computer Fraud and Abuse Act (CFAA). The CFAA claims were not in the original complaint (they showed up only in the September 2012 FAC). Today, the judge ruled that some of the claims would be dismissed, but that many would survive.

I am still at a loss about why Craigslist is taking such a scorched earth tactic against a site that appears to help more people find Craigslist postings. Sure, they’re looking to make money while doing it, but that’s how much of the internet business ecosystem works. I’m particularly shocked, because Craig Newmark has been at the forefront of fighting for so much good online policy. We’ve met a few times, including the period when he was embroiled in the fight over whether or not “adult services” would do away with his CDA 230 intermediary liability. He was on the right side of SOPA/PIPA and helped to fight against over-expansive copyright. I’ve always found him to be personally friendly, thoughtful, and savvy about what makes the internet work.


The New Freedom to Tinker Movement

When I started this blog back in 2002, I named it “Freedom to Tinker.” On the masthead, below the words Freedom to Tinker, was the subhead “… is your freedom to understand, discuss, repair, and modify the technological devices you own.” I believed at the time, as I still do, that this freedom is more than just an exercise of property rights but also helps to define our relationship with the world as more and more of our experience is mediated through these devices. I also believed that the legal tide was running against the freedom to tinker, as creative uses of technology were increasingly portrayed as illegal or deviant behavior. Now, at last, things may be starting to change.


If Wikileaks Scraped P2P Networks for "Leaks," Did it Break Federal Criminal Law?

On Bloomberg.com today, Michael Riley reports that some of the documents hosted at Wikileaks may not be “leaks” at all, at least not in the traditional sense of the word. Instead, according to a computer security firm called Tiversa, “computers in Sweden” have been searching the files shared on p2p networks like Limewire for sensitive and confidential information, and the firm supposedly has proof that some of the documents found in this way have ended up on the Wikileaks site. These charges are denied as “completely false in every regard” by Wikileaks lawyer Mark Stephens.

I have no idea whether these accusations are true, but I am interested to learn from the story that if they are true they might provide “an alternate path for prosecuting WikiLeaks,” most importantly because the reporter attributes this claim to me. Although I wasn’t misquoted in the article, I think what I said to the reporter is a few shades away from what he reported, so I wanted to clarify what I think about this.

In the interview and in the article, I focus only on the Computer Fraud and Abuse Act (“CFAA”), the primary federal law prohibiting computer hacking. The CFAA defines a number of federal crimes, most of which turn on whether an action on a computer or network was done “without authorization” or in a way that “exceeds authorized access.”

The question presented by the reporter to me (though not in these words) was: is it a violation of the CFAA to systematically crawl a p2p network like Limewire searching for and downloading files that might be mistakenly shared, like spreadsheets or word processing documents full of secrets?

I don’t think so. With everything I know about the text of this statute, the legislative history surrounding its enactment, and the cases that have interpreted it, this kind of searching and downloading won’t “exceed the authorized access” of the p2p network. This simply isn’t a crime under the CFAA.

But although I don’t think this is a viable theory, I can’t unequivocally dismiss it for a few reasons, all of which I tried to convey in the interview. First, some courts have interpreted “exceeds authorized access” broadly, especially in civil lawsuits arising under the CFAA. For example, back in 2001, one court declared it a CFAA violation to utilize a spider capable of collecting prices from a travel website by a competitor, if the defendant built the spider by taking advantage of “proprietary information” from a former employee of the plaintiff. (For much more on this, see this article by Orin Kerr.)

Second, it seems self-evident that these confidential files are being shared on accident. The users “leaking” these files are either misunderstanding or misconfiguring their p2p clients in ways that would horrify them, if only they knew the truth. While this doesn’t translate directly into “exceeds authorized access,” it might weigh heavily in court, especially if the government can show that a reasonable searcher/downloader would immediately and unambiguously understand that the files were shared on accident.

Third, let’s be realistic: there may be judges who are so troubled by what they see as the harm caused by Wikileaks that they might be willing to read the open-textured and mostly undefined terms of the CFAA broadly if it might help throw a hurdle in Wikileaks’ way. I’m not saying that judges will bend the law to the facts, but I think that with a law as vague as the CFAA, multiple interpretations are defensible.

But I restate my conclusion: I think a prosecution under the CFAA against someone for searching a p2p network should fail. The text and caselaw of the CFAA don’t support such a prosecution. Maybe it’s “not a slam dunk either way,” as I am quoted saying in the story, but for the lawyers defending against such a theory, it’s at worst an easy layup.