17 September 2013

Cyberspace October 2013 - Access to public websites

Internet services and forums often need to stop some people participating, and the obvious way to do this is to terminate their licence to use the service and disable the account. Unfortunately that doesn't physically stop the user setting up a different account with different details and continuing the poor behaviour. The next step is often to ban connections from that user's IP address. This can be effective in blocking businesses and some home users. However, most home users receive a different IP address every time their modem reconnects. If a banned user receives a new IP address from their ISP then they will be able to circumvent the IP block.

In Craigslist Inc v 3Taps Inc et al (US District Court for the N. District of California CV-03816 CRB) Craigslist (a classified advertisement site) claimed that the defendant had breached the Computer Fraud and Abuse Act and other legislation by accessing Craigslist without authorisation. The defendant had scraped content from Craigslist and on-sold it. Craigslist notified the defendant that it was prohibited from accessing the website or services, and also blocked access from the IP addresses used by 3Taps. 3Taps continued to use the site by changing its IP addresses and using proxy services, and moved to dismiss the claims, arguing that the “owner of a publicly accessible website has no power to revoke the authorisation of a specific user to access that website.” The motion was denied, and the court found that there was an arguable claim under the CFAA.

The court agreed that by making information publicly available on a website there is an authorisation to the world to access it. In fact, the Stored Communications Act states that it is not unlawful to intercept or access an electronic communication if the system is configured so that it is readily accessible to the general public. However, the CFAA does not have a similar section and the Ninth Circuit had previously interpreted the CFAA to confirm that computer owners have the power to revoke authorisations.

In Craigslist, the court found that 3Taps was accessing data without authorisation, once that authorisation was revoked and the revocation communicated. The court discussed the distinction between unauthorised access to a computer or service, and a violation of a corporate policy. Several USA cases have discussed the need to avoid criminalising behaviour that is merely a breach of a corporate policy. Unauthorised access can amount to criminal behaviour, whereas a breach of corporate policy is a contractual or industrial relations issue. The defendant tried to argue that their behaviour here was a violation of a policy, but the court rejected that, saying that Craigslist had told the defendant that it could not access its website for any reason, and effected a technological barrier. The purpose of the restriction may have been commercial, but that was beside the point. The court found that 3Taps was adequately notified due to the sending of a letter, imposition of access restrictions, and commencement of proceedings against it.

In drafting Internet service usage policies it is prudent to consider the effect of both the contract entered into between the provider and user, and statutory or criminal law. As we have discussed before, Part Six of the Crimes Act 1900 deals with unauthorised access, but only as it applies in relation to a serious indictable offence, or restricted data, where access is restricted by an access control system associated with a function of the computer. Neither of these would clearly apply to the USA situation, although it is arguable that IP address blocking is an access control system. However, s.308H is not clear on this point.