Wednesday, June 19, 2013

I Join the EFF and Others in Calling for Craigslist to Drop CFAA Claims

[Cross-posted on Freedom to Tinker]

Craigslist is suing several companies that scrape data from Craigslist advertisements. These companies, like Padmapper and 3taps, repurpose the data in order to provide more useful ways of searching through the ads. I have written about this in earlier posts, "Dear Craig: Voluntarily Dismiss with Prejudice," and "A Response to Jerry: Craig Should Still Dismiss." Fundamentally, I think that the company's tactic of litigating against perceived competitors is bad for Craigslist (because it limits the reach of its users' ads and thus the success of Craigslist), it is bad for the law and policy of the web (because scraping of public web sites has historically been a well-established and permissible practice that beneficially spreads public information), and is in bad taste (given Craiglist's ethos of doing well by doing good).

One of the most problematic aspects of the lawsuit is the set of claims under the Computer Fraud and Abuse Act (CFAA) and its California state-law counterpart. The CFAA, passed in 1986, introduces criminal and civil penalties for "unauthorized access" to "protected computers." The CFAA was largely a reaction to generalized fear of "computer hacking," and it did not envision the public internet as we know it today. Nevertheless, some have tried to apply the CFAA to public web sites. This approach has been widely frowned upon by both the tech community and the courts. For instance, the Center for Democracy and Technology (CDT) and the Electronic Frontier Foundation (EFF) are actively pushing to reform the CFAA because it has been subject to prosecutorial abuse. Craigslist has nevertheless alleged violations of the CFAA based on access to their public web site.

Today I signed on to an an amicus brief written by the EFF--which was also co-signed by other scholars in the field--that urges the court to dismiss these ill-advised CFAA claims. The brief reads, in part:

"The CFAA does not and should not impose liability on anyone who accesses information publicly available on the Internet. Because the CFAA and Penal Code S 502 imposes both civil and criminal liability, it must be interpreted narrowly. That means information on a publicly accessible website can be accessed by anyone on the Internet without running afoul of criminal computer hacking laws. In the absence of access, as opposed to use, restrictions, Craigslist cannot use these anti-hacking laws to complain when the information it voluntarily broadcasts to the world is accessed, even if it is upset about a competing or complementary business."

Craig Newmark, founder of Craigslist, actually sits on the Advisory Board of the EFF. I have been bewildered about why the company's Founder and Chairman appears to be going along with such a misguided attack. As it happens, I ran into him a couple of weeks ago at the Personal Democracy Forum, where he was advocating for his various philanthropic causes via his organization, craigconnects. Craig has long maintained that he is merely a "customer support representative" for the company, and that he will only comment on how the company's decisions relate to what the users want. He told Ars Technica last year that, "I can say that our culture has always been community-driven, and what they tell us, in large numbers and for years, [is] that their posts are not to be used by others for profit."

When I ran into Craig, I told him that it was my impression that users want their advertisements to find successful buyers (or traders, or whatever), and that it seems logical that they would want their ads spread as widely as possible. He urged me to make sure that when writing about the issue I take care to get my facts straight. I asked him what facts he thought that I was unaware of, but he wouldn't elaborate. He then proceeded to talk at more length about the importance of fact-based journalism--which is apparently one of the issues he is focusing on via craigconnects, although I had trouble figuring out how it related to the issue at hand. Nevertheless, I took to the (nearly unusable) Craigslist forums in order to try to find evidence that users do not want their advertisements spread across the web. I found some users that objected to "parasites" that build businesses on top of user advertisement data, but I also found other users that thought that the lawsuit ran counter to their interests.

What counts as "large numbers," and how does Craig decide which users to listen to? I have no idea. However, in fact-check land, Craig was quoted last year as saying, "Actually, we take issue with only services which consume a lot of bandwidth, it’s that simple." Or maybe it's not. 3Taps was allegedly scraping all Craigslist advertisement data only indirectly, from Google caches until Craigslist allegedly added a "noarchive" tag in order to tell Google to stop offering cached versions. For their part, Craigslist claims that they had long been including the "noarchive" tag, so I suppose that this will come out in the discovery process if we get to that stage. Regardless, it appears that Craigslist is fine with Google or Bing consuming a "lot of bandwidth," but not with them passing it along to services that it perceives to be a threat to its core business. Of course, if Craigslist were really concerned with rate-limiting for the sake of bandwidth, it could offer an API like so many other modern web sites.

In any event, Craigslist is behaving like a jealous incumbent. If that were all that were at stake, then it would be enough to say "shame on them" and move on. However, this lawsuit threatens to create and reinforce bad law precisely at the time when the larger community--of which Craig is a part--is calling for its reform. Drop the case, Craig.

No comments: