CRAIGSLIST WEB SCRAPING CASE CONTINUES
BIG QUESTION ON WHETHER CFAA BARS ACCESS TO PUBLIC INFORMATION
The court refused to dismiss much of Craigslist’s claim against data scrapers. With respect to the CFAA claims, the court noted that
The parties have not addressed a threshold question of whether the CFAA applies where the wner of an otherwise publicly available website takes steps to restrict access by specific entities, such as the owner’s competitors. “Some commentators have noted that suits under anti-hacking laws have gone beyond the intended scope of such laws and are increasingly being used as a tactical tool to gain business or litigation advantages.”Joseph Oat Holdings, Inc. v. RCM Digesters, Inc., 409 F. App’x 498, 506 (3d Cir. 2010); see also Nosal, 676 F.3d at 857 (describing the CFAA as “an anti-hacking statute”); Mark A Lemley, Place and Cyberspace, 91 Cal. L. Rev. 521, 528 (2003) (“An even more serious problem is the judicial application of the [CFAA], which was designed to punish malicious hackers, to make it illegal—indeed, criminal—to seek information from a publicly available website if doing so would violate the terms of a `browsewrap’ license.”).
The CFAA was passed in 1986, well before the development of the modern internet, and originally only covered certain computers operated by the federal government or financial institutions. See Christine D. Galbraith, Access Denied: Improper Use of the Computer Fraud and Abuse Act to Control Information on Publicly Accessible Internet Websites, 63 Md. L. Rev. 320, 329 (2004). In 1996, Congress amended the CFAA to cover all computers used in interstate commerce, but “[r]eferences can be found throughout the amendment’s legislative history that support the premise that the changes were designed to safeguard the privacy of information,” rather than to “widen dramatically the protection of the CFAA to include all information on all computer systems on the Internet, such as. . . data contained on publicly accessible websites.” Id. at 330-31 (citing 142 Cong. Rec. S10,889; S. Rep. No. 104-357 (1996)).
Although courts in this district have held that the CFAA may apply to unauthorized access to websites, the parties have not cited a case from this district or the Ninth Circuit addressing its application to information that is generally available to the public. In Facebook II, for example, Judge Ware held that the CFAA applied to information protected by a username and password. See 844 F. Supp. 2d at 1027. Although the defendants in that case accessed information with the consent of users who shared their credentials—the access was unauthorized because the defendants bypassed Facebook’s efforts to block their IP addresses—the information at issue was not available to the general public. See id. Applying the CFAA to publicly available website information presents uncomfortable possibilities. Any corporation could subject its competitors to civil and criminal liability for visiting its otherwise publicly available home page; in theory, a major news outlet could seek criminal charges against competing journalists for reading articles on its website.
In Nosal, the Ninth Circuit rejected an “interpretation [that] would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.” 676 F.3d at 857. At the same time, Nosal discussed at some length potential problems with an overly expansive interpretation of the CFAA, but did not seize on that opportunity to highlight a possible distinction between public and non-public information. Accordingly, until the Ninth Circuit holds otherwise–and in the absence of any argument on this issue from Defendants at this time–this Court assumes that the expansive language of the statute covers owner-imposed restrictions on access to otherwise public information on public websites.
A similar Yelp case, has settled.