9th Circuit: It’s a federal crime to visit a website after being told not to visit it
Orin Kerr writes:
The U.S. Court of Appeals for the 9th Circuit has handed down a very important decision on the Computer Fraud and Abuse Act, Facebook v. Vachani, which I flagged just last week. For those of us worried about broad readings of the Computer Fraud and Abuse Act, the decision is quite troubling. Its reasoning appears to be very broad. If I’m reading it correctly, it says that if you tell people not to visit your website, and they do it anyway knowing you disapprove, they’re committing a federal crime of accessing your computer without authorization.
Read more on Washington Post. As always, Orin provides a lot of food for thought.
By now, I’ve only read the opinion once, and oddly, perhaps, what caught my eye was fn4:
Simply bypassing an IP address, without more, would not constitute unauthorized use. Because a blocked user does not receive notice that he has been blocked, he may never realize that the block was imposed and that authorization was revoked. Or, even if he does discover the block, he could conclude that it was triggered by misconduct by someone else who shares the same IP address, such as the user’s roommate or co-worker.
So someone going directly to a file on a server from search results – without going through the site’s or server’s front door – is not necessarily engaging in “unauthorized use” under CFAA without more? But what more would be needed in that situation to make criminal application of CFAA appropriate? And if that’s the case, think of the raid on Justin Shafer who accessed files on a Patterson FTP server when there was nothing he saw that would have suggested he didn’t have authorization.