Monday, September 10, 2012

Craigslist, Terms of Use and Unauthorized Access


This post examines a recent opinion from a federal court in California – an opinion that issued in a civil case but examines issues involving criminal liability.  Craigslist, Inc. v. Kerbel, 2012 WL 3166798 (U.S. District Court for the Northern District of California 2012).  Craigslist sued Alecksey Kerbel, “alleging violations of”, among other things, the Computer Fraud and Abuse Act (18 U.S. Code § 1030) and California Penal Code § 502.  Craigslist, Inc. v. Kerbel, supra.

In this opinion, the federal judge is ruling on craigslist’s motion for a default judgment.  Craigslist, Inc. v. Kerbel, supra.  As Wikipedia explains, a default judgment is a

binding judgment in favor of either party based on some failure to take action by the other party. Most often, it is a judgment in favor of a plaintiff when the defendant has . . . failed to appear before a court of law.

You can read more about default judgment, the procedure used to obtain one and the consequences of such a judgment here.

The opinion begins its analysis of the propriety of granting craigslist a default judgment by explaining what it is and how it operates:

[C]raigslist . . . provides online localized classified advertising service and related online services. . . . [C]raigslist enables authorized users to post classified ads on its website based on their geographic area and the product or service category in which they seek to advertise. . . . The site lists ads within each category in reverse chronological order, so the newest posts are at the top of the list. . . .

[C]raigslist governs access to its site with its Terms of Use (`TOU’). . . . Each user who seeks to post to the site must accept the TOU before the ad is posted. . . . The TOU prohibit . . . repeatedly posting the same or similar content, posting said content in more than one category or geographic area, posting ads on behalf of others, using a Posting Agent to post ads, attempting to gain unauthorized access to craigslist's computer systems or engaging in any activity that disrupts or interferes with craigslist, using any automated device or computer program that enables non-manual postings, and making available content that uses automated means to download data from craigslist. . . .


Once a user accepts the TOU, he or she must successfully respond to a CAPTCHA challenge. . . . CAPTCHAs are challenge-response tests in the form of partially obscured characters that the user must read and type into a box. . . . They are designed to ensure that humans, rather than machines and automated devices, post ads. . . . A user may also create an account to manage his or her postings, which sometimes requires a phone-verified account (`PVA’). . . . PVAs are designed to prevent repetitious and unauthorized postings to craigslist by requiring users to provide a valid phone number in order to create an account. . . .

[C]raigslist [also] uses additional security measures to protect its site and systems, including IP address blocking, which blocks multiple ads from the same IP address within a short period of time. . . .

Craigslist, Inc. v. Kerbel, supra.  (The opinion notes that a “Posting Agent” is a “third-party agent, service, or intermediary that posts content to craigslist on behalf of others.”)  Craigslist, Inc. v. Kerbel, supra. 

The defendant in the case, Alecksey Kerbel, is

the owner and operator of the www.craigslist-poster.com website. . . . [C]raigslist alleges [Kerbel] develops, offers, and markets services designed to enable illegitimate uses of craigslist. . . . For example, Craigslist Poster allows customers to create a campaign through which [Kerbel] will repeatedly auto-post ads to craigslist. . . . [Kerbel] will repost customers' ads `24/7,’ in multiple geographic areas and categories. . . .

Customers purchase `credits’ from [Kerbel] which they can use to purchase various services, including ad-posting (1 credit), creating craigslist accounts (5 credits), and creating a PVA for posting in PVA-required categories (10 credits). . . .


[Kerbel’s] services require [him] and his customers to circumvent craigslist's security measures, create fraudulent accounts and PVAs, and fraudulently accept the TOU. . . . [Kerbel] also uses the CRAIGSLIST mark without authorization. . . . [He] has continued his activities despite receiving multiple cease and desist letters from craigslist. . . . [His] activities burden craigslist's systems and cause it to incur expenses to increase server capacity, provide additional customer service and support for its legitimate customers, and investigate and enforce its policies. . . .

Craigslist, Inc. v. Kerbel, supra. 

Before addressing the specific issues, the judge noted that several factors weighed generally in favor of granting craigslist a default judgment on at least some of its claims:  One was that if the motion were denied, craigslist “would likely be left without a remedy”, by which I assume he means Kerbel would not defend himself at trial. Craigslist, Inc. v. Kerbel, supra. 

He also noted (i) that craigslist’s claims “include statutory damages” to which it “would be entitled under federal law” and (ii) that because Kerbel had not filed an answer to craigslist’s complaint, there was little likelihood that the “material facts” were in dispute.  Craigslist, Inc. v. Kerbel, supra.  Finally, he explained that he also had to consider the “sufficiency of the complaint”, i.e., the extent to which craigslist had stated legitimate claims under the relevant statutes.  Craigslist, Inc. v. Kerbel, supra.

The judge then addressed craigslist’s Computer Fraud and Abuse claims, noting that to

state a claim under 18 U.S. Code §1030(a)(2)(C), [craigslist] must show [Kerbel] `intentionally access[ed] a computer without authorization or exceed[ed] authorized access, and thereby obtain[ed] . . . information from a protected computer.’

Under § 1030(a)(4), [it] must allege [Kerbel] `knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and caused at least $5,000 in damage in a one-year period.’

Finally, under § 1030(a)(5)(A)-(C), [craigslist] must allege that Kerbel knowingly or `intentionally accesses a protected computer without authorization, and as a result of such conduct, caused damage or recklessly caused damage or loss.’ 

Craigslist, Inc. v. Kerbel, supra (quoting Craigslist, Inc. v. Naturemarket, Inc., 694 F.Supp.2d 1039 (U.S. District Court for the Northern District of California 2010)).

The judge found that, like the plaintiff in the Naturemarket case, craigslist adequately pled the above causes of action:

`First, [it] established that its computers were used in interstate commerce, and therefore qualify as protected computers under the CFAA. . . . Second, [it] alleged that [the defendant] accessed its computers in violation of the TOUs, and therefore without authorization, for the purpose of employing, implementing and updating [its auto-posting products and services]. . . . [It] sufficiently pled that [the defendant’s] actions caused it to incur losses and damages.’

Craigslist, Inc. v. Kerbel, supra (quoting Craigslist, Inc. v. Naturemarket, Inc., supra).

The judge also noted that craigslist

alleges that Kerbel's conduct was both knowing and intentional because it was designed to circumvent craigslist's security features and [he] had to agree to the TOU with no intention of complying with it. . . . Kerbel also continued said conduct despite receiving cease and desist letters. . . .

His conduct caused harm to craigslist of over $5,000 per year, including increased costs associated with the burden on [craigslist’s] servers, investigation and enforcement costs to maintain the legitimacy of posts to the site, loss of goodwill, and the need for increased customer service and support.

Craigslist, Inc. v. Kerbel, supra.  He therefore held that craigslist was entitled to default judgment on its Computer Fraud and Abuse Act claims.  Craigslist, Inc. v. Kerbel, supra.

The judge then addressed craigslist’s claims under California Penal Code §§ 502 (c)(1)-(7).  Craigslist, Inc. v. Kerbel, supra.  Basically, these seven sections make it a crime under California law to knowingly access without permission and (i) alter, damage, delete, destroy, take, copy or make use of any data, computer software or computer programs in a computer or computer network, (ii) use or cause computer services to be used, (iii) disrupt or cause the disruption of computer services or cause the denial of computer services to an authorized user, (iv) provide or assist in providing a means of accessing a computer in violation of this statute and/or (v) access or cause to be accessed any computer, computer system or computer network.  Craigslist, Inc. v. Kerbel, supra.

The judge found that, again like the plaintiff in the Naturemarket case, craigslist had adequately pled four claims under California Penal Code §§ 502 (c)(1)-(7):

`With respect to subsection (c)(1), [it] has alleged that [defendant] knowingly accessed [its] computer system in violation of the TOUs and obtained information which [he] used to develop, update, operate, and maintain their auto-posting software and services. . . .

Under subsection (c)(2), [it] has also alleged that [defendant] knowingly accessed [its] computers and computer system and, without authorization, copied and made use of [its] data. . . .

With respect to subsection (c)(6), [it] has also alleged that [defendant] knowingly and without permission provided a means of accessing its computers through their use and selling of their auto-posting software, services, and devices. . . . Finally, with respect to subsection (7), [it] has alleged that [defendant] accessed [its] computer in an effort to create and implement [his] auto-posting software.’

Craigslist, Inc. v. Kerbel, supra (quoting Craigslist, Inc. v. Naturemarket, Inc., supra).

The judge then noted that in

addition to the subsections considered in Naturemarket, [craigslist] alleges that [Kerbel] `uses or causes to be used [craigslist's] computer services’ in violation of (c)(3), . . . ; added or altered data to craigslist's computer system in violation of (c)(4), . . . and disrupted craigslist's services in violation of (c)(5). . . .

Craigslist, Inc. v. Kerbel, supra.   He therefore found that craigslist had stated a valid claim under California Penal Code § 502.  Craigslist, Inc. v. Kerbel, supra. 

For this and other reasons (concerning craigslist’s other causes of action), the judge granted craigslist’s motion for default judgment and for “injunctive relief”.  Craigslist, Inc. v. Kerbel, supra.  He entered an order that, in part, enjoined Kerbel “and his agents, servants, employees, attorneys, affiliates, distributors, successors and assigns” from, essentially, doing the things craigslist had complained of in its complaint.  Craigslist, Inc. v. Kerbel, supra.  Absent action by Kerbel, that disposes of the case.
