Craigslist can use anti-hacking law to stop firm from scraping its data, court rules

Craigslist has won another victory in a closely watched court fight over who can use the treasure trove of public data found on the classified ad giant’s website.

In a ruling handed down last week in San Francisco, a federal judge said that Craigslist can invoke a controversial anti-hacking law to stop a start-up known as 3Taps from gaining access to its website.

3Taps had argued that the law in question, known as the Computer Fraud and Abuse Act (CFAA), should only apply to non-public information protected by passwords or firewalls — not free, public data found on sites like Craigslist. US District Judge Charles Breyer disagreed with this view, ruling that 3Taps had accessed Craigslist’s website “without authorization” under the plain meaning of the CFAA.

While Craigslist is a public website, the company blocked 3Taps from accessing the site and also issued a cease-and-desist letter in order to stop the start-up from collecting its classified data and making it available to others.

After Craigslist blocked it, 3Taps turned to so-called “IP rotation technology” (tools that disguised its identity) to continue to visit the site and scrape data. The judge ruled that this IP-masking was enough to violate the anti-hacking statute, dismissing concerns that this ruling would criminalize ordinary internet use:

The calculus is different where a user is altogether banned from accessing a website. The banned user has to follow only one, clear rule: do not access the website […]

Nor does prohibiting people from accessing websites they have been banned from threaten to criminalize large swaths of ordinary behavior. It is uncommon to navigate contemporary life without purportedly agreeing to some cryptic private use policy governing an employer’s computers or governing access to a computer connected to the internet. In contrast, the average person does not use “anonymous proxies” to bypass an IP block set up to enforce a banning communicated via personally-addressed cease-and-desist letter.

The decision is already causing a stir in the legal and technology community, where scholars like Orin Kerr have argued that masking IP addresses is a common tactic that does not amount to “circumventing a technological barrier” under the CFAA.

The decision is also likely to fuel debate over Craigslist’s aggressive legal tactics against other companies that use its data to create more user-friendly websites. Critics argue that Craigslist has become an ugly, out-dated monopoly and resent its efforts to crush sites like PadMapper, a real estate site that uses Craigslist data to plot rental listings on a map.

Judge Breyer’s ruling on the CFAA is only a preliminary one, and part of a more complicated, ongoing case that also turns on copyright and antitrust laws. Here’s last week’s CFAA ruling:

Craigslist Ruling on CFAA

5 Responses to “Craigslist can use anti-hacking law to stop firm from scraping its data, court rules”

  1. Tetracycloide

    Yet another warped and twisted interpretation of the CFAA to add to the pile which makes ordinary internet browsing a crime if a third party decides ex post facto that they didn’t want you to access their site. It’s pretty disgusting that ‘authorization’ is being interpreted by the court as ethereal permission from the site runner rather than what it actually means in a technical sense.

  2. The court ruled correctly in this instance I believe and it supports the notion of brand and service trademarks.

    Technically it comes down on the side of fair practice when it comes to building new services. If you don't like the way Craigslist does what it does build a competitor and start building your own data and customers!

    These data leechers should try to partner with Craigslist to provide an improved service instead of trying to build something off of metadata they did not build or take any part in acquiring.

    • Tetracycloide

      The court could not have ruled more incorrectly if they had tried. ‘Authorization’ has a specific meaning and it is not the meaning the court applied.

      • Tim Gregory

        How should the court have ruled? Craigslist should be able to decide who can access and repurpose content on their site.
        Why should Craigslist allow another company to scrape them and build a business on the scraped data?
        3Taps could negotiate a feed with Craigslist, but chose instead to try to evade the blocks put in place and take the data anyway.
        Even Google allows you to opt out of them indexing your site with a simple robots.txt file.