I hope we see more discussion of the 3Taps case. The Order denying 3Taps Motion to Dismiss Craiglist's CFAA claims is an interesting read. Keep in mind this is not the final disposition of the CFAA claims. This is an order on a pre-trial motion. It just tells us the Court intends to consider those claims along with the others _if_ the case proceeds to trial. (There is always the possibility the case may not get there.)
The Court vociferously rips through 3Taps' arguments for dismissing the CFAA claims.
Anyone who is net savvy who has ever encountered the CFAA has no doubt pondered the problems in its vague, non-technical language and then in its (to no one's surprise) capricious application. The 3Taps case stands to be yet another example of the CFAA's flaws on parade.
Do the Courts see gross deficiencies in the CFAA's language and how this can affect the CFAA's application? If yes, would they rather deal with them now or just leave them for another day?
Consider what this Court says when faced with the question of what constitutes "without authorization" under the CFAA. Note this is when the computer in question is otherwise open to the public and lacks any access controls such as password protection or approved originating IP addresses:
"To be sure, later cases may confront difficult questions concerning the precise contours of an effective 'revocation' of authorization to access a generally public website. This Court cannot and does not wade into that thicket, except to say that under the facts here, which include the use of a technological barrier to ban all access, 3Taps' deliberate decision to bypass that barrier and continue accessing the website constituted access 'without authorization' under the CFAA."
A "thicket" indeed. And we shall let it grow. I often see the word thicket used to describe the problems with patents. And we all see how those problems have played out so far.
Since access authorization and its revocation are apparently difficult standards to pin down in the computer context, just for fun, if you'll join me for a small thought experiment, I invite you to take a different angle and look at the CFAA in a "new" light.
The second sentence of the Order defines the applicability of the CFAA in no uncertain terms: "The CFAA imposes civil and criminal liability on 'whoever... intentionally accesses a computer without authorization... and thereby obtains... information from any protected computer. 18 USC S.1030(a)(2)(c)."
This is quite broad in scope. Anyone with an ounce of computer network savvy can see that.
It's also very general in terms of who it protects. There's no mention of who the presumed victim might be.
What if the protected party is an individual consumer? Might the CFAA protect individual persons, and not just entities like governments and companies?
Let's assume the consumer has a computer. Let's further assume the computer stores information. Sound plausible so far? Let's further assume the consumer tries to protect the information on the computer. Still with me? OK, now let's assume that information has value to some third party. I don't want to limit the reaches of this thought experiment by giving examples (with which you might find fault), but in the case you just cannot fathom a scenario where a person wants to protect information stored on her computer: assume that some companies want access to her email address book or web browsing history and she would rather keep that information private. Finally, let's assume that the consumer wants to revoke the authorization of certain of these third parties to access the information, but the determined engineers employed by these third parties opt to bypass the barriers that the consumer puts up and obtain the information, perhaps by stealth.[1]
Hopefully, if I've done a decent job, you can see the CFAA could, at least in theory, under this Court's very general statement of the law, be used by an individual to protect her information stored on her computer from companies who proceed to access it without her authorization, in addition to, as in the 3Taps case, protecting information of a company like Craigslist from competitors who wish to access CL's information without CL's authorization.[2][3] If not, pay no mind and resume your usual train of thought. Who wants to bet this case gets settled out of court?
1. You might ask how the consumer would go about revoking authorization. Does she need to send cease and desist letters? Maybe. Maybe not. I'd argue whatever she does it needs to be clear.
2. CL's protected information is of course information submitted by individual users. And see 3.
3. The weakness of CL's case, from a copyright infringement perspective, is, according to some commentators, that the information CL is seeking to protect is not created by CL but by users, who may or may not have transferred enforcement rights to CL. Here is another issue to consider: Did the drafters of the CFAA care whether the complainant has any rights to the protected information?
The Court vociferously rips through 3Taps' arguments for dismissing the CFAA claims.
Anyone who is net savvy who has ever encountered the CFAA has no doubt pondered the problems in its vague, non-technical language and then in its (to no one's surprise) capricious application. The 3Taps case stands to be yet another example of the CFAA's flaws on parade.
Do the Courts see gross deficiencies in the CFAA's language and how this can affect the CFAA's application? If yes, would they rather deal with them now or just leave them for another day?
Consider what this Court says when faced with the question of what constitutes "without authorization" under the CFAA. Note this is when the computer in question is otherwise open to the public and lacks any access controls such as password protection or approved originating IP addresses:
"To be sure, later cases may confront difficult questions concerning the precise contours of an effective 'revocation' of authorization to access a generally public website. This Court cannot and does not wade into that thicket, except to say that under the facts here, which include the use of a technological barrier to ban all access, 3Taps' deliberate decision to bypass that barrier and continue accessing the website constituted access 'without authorization' under the CFAA."
A "thicket" indeed. And we shall let it grow. I often see the word thicket used to describe the problems with patents. And we all see how those problems have played out so far.
Since access authorization and its revocation are apparently difficult standards to pin down in the computer context, just for fun, if you'll join me for a small thought experiment, I invite you to take a different angle and look at the CFAA in a "new" light.
The second sentence of the Order defines the applicability of the CFAA in no uncertain terms: "The CFAA imposes civil and criminal liability on 'whoever... intentionally accesses a computer without authorization... and thereby obtains... information from any protected computer. 18 USC S.1030(a)(2)(c)."
This is quite broad in scope. Anyone with an ounce of computer network savvy can see that.
It's also very general in terms of who it protects. There's no mention of who the presumed victim might be.
What if the protected party is an individual consumer? Might the CFAA protect individual persons, and not just entities like governments and companies?
Let's assume the consumer has a computer. Let's further assume the computer stores information. Sound plausible so far? Let's further assume the consumer tries to protect the information on the computer. Still with me? OK, now let's assume that information has value to some third party. I don't want to limit the reaches of this thought experiment by giving examples (with which you might find fault), but in the case you just cannot fathom a scenario where a person wants to protect information stored on her computer: assume that some companies want access to her email address book or web browsing history and she would rather keep that information private. Finally, let's assume that the consumer wants to revoke the authorization of certain of these third parties to access the information, but the determined engineers employed by these third parties opt to bypass the barriers that the consumer puts up and obtain the information, perhaps by stealth.[1]
Hopefully, if I've done a decent job, you can see the CFAA could, at least in theory, under this Court's very general statement of the law, be used by an individual to protect her information stored on her computer from companies who proceed to access it without her authorization, in addition to, as in the 3Taps case, protecting information of a company like Craigslist from competitors who wish to access CL's information without CL's authorization.[2][3] If not, pay no mind and resume your usual train of thought. Who wants to bet this case gets settled out of court?
1. You might ask how the consumer would go about revoking authorization. Does she need to send cease and desist letters? Maybe. Maybe not. I'd argue whatever she does it needs to be clear.
2. CL's protected information is of course information submitted by individual users. And see 3.
3. The weakness of CL's case, from a copyright infringement perspective, is, according to some commentators, that the information CL is seeking to protect is not created by CL but by users, who may or may not have transferred enforcement rights to CL. Here is another issue to consider: Did the drafters of the CFAA care whether the complainant has any rights to the protected information?