Craigslist Inc. v. 3Taps Inc. (ND Ca. Aug. 16, 2013)

Craigslist Inc. v. 3Taps Inc., 2013 WL 447520 (ND Ca. Aug. 16, 2013) (9th Cir)

3Taps operates an online service that aggregates and republishes ads from Craigslist, which Craigslist describes as illegally scraping content. After learning about 3Taps’ activities, Craigslist took two important steps: (1) it sent a cease-and-desist letter to 3Taps informing it that “[t]his letter notifies you that you and your agents, employees, affiliates, and/or anyone acting on your behalf are no longer authorized to access, and/or prohibited from accessing Craigslist’s website or services for any reason”; (2) Craigslist configured its website to block access from IP addresses associated with 3Taps.

Craigslist sued 3Taps for violating the Computer Fraud and Abuse Act. The primary issue before the court was whether the CFAA applies in cases where the owner of an otherwise publicly available website takes steps to restrict access by specific entities. The court reasoned that, initially, Craigslist made its website publicly available and, therefore, had authorized the world to access it. Craigslist sought to revoke that permission on a case-by-case basis through its cease-and-desist letter and IP blocking measures. The issue narrowed to whether Craigslist had the authority to de-authorize access in this manner. It did.

The court found that “authorization” turns on the decision of the “authority” that grants – or prohibits – access. Just as an employer was able to do in Brekka, Craigslist, as owner of the website, rescinded that permission for 3Taps, and further access by 3Taps after that rescission was “without authorization.”

Key Takeaways: (1) the “notice” was clear and specific; (2) the “notice” was not a cryptic, blanket policy that few will likely read; (3) the “authority” used technological measures to block the access, which measures were circumvented; and (4) this shows that when an “authority” actively monitors accesses to its computers, it can control unauthorized accesses or even disapproved uses and, when done in this manner, enforce them under the CFAA.

There is a lot of additional information in the court’s opinion that is well worth reading to learn more about the CFAA.

Published by Shawn E. Tuma

Shawn Tuma is an attorney who is internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Spencer Fane, LLP where he regularly serves as outside cybersecurity and privacy counsel to a wide range of companies from small to midsized businesses to Fortune 100 enterprises. You can reach Shawn by telephone at 972.324.0317 or email him at stuma@spencerfane.com.
