Net API Notes for 2020/12/03 - Issue 148 - the CFAA

This past Monday, November 30th, the US Supreme Court heard arguments on the nation's major cybercrime law. The verdict has ramifications not only for screen scrapers but net API usage, as well.

The US Congress passed the Computer Fraud and Abuse Act (CFAA) in 1986. It prohibits intentionally accessing a protected computer "without authorization" or in a manner that exceeds authorized access. In short, it was a cultural response to the growing importance of computers (and the hacker boogeymen that soon followed). Since its inception, the ambiguous phrase "without authorization" has led to different interpretations. Some, cynically, refer to the CFAA as the law called upon when you've done something people dislike "with a computer". Others have said that the CFAA "has evolved into a weapon which website operators wield against data scrapers who crawl their sites".

USAGE OF THE CFAA THUS FAR

Southwest Airlines is notorious for preventing its fares from appearing in travel aggregators like Expedia or Kayak. In Southwest Airlines v. Farechase (2004), the courts stated that Farechase broke the CFAA law in screen scraping the Southwest site. The First, Fifth, Seventh, and Eleventh Circuits broadly align with this interpretation.

However in hiQ Labs, Inc. v. LinkedIn Corp. (2019), the Ninth Circuit ruled that scraping publicly available LinkedIn profiles is not a violation of the CFAA. The Second and Fourth Circuits have followed this interpretation, as well.

It may seem sensible that gathering information from web pages that are publicly available is legit. However, what about information only accessible behind a login? According to Facebook v Power.com (2009), giving your login credentials to another service that subsequently uses them to access your account is a no-no, even if you authorize them to do so. That case further established the precedent that sending a cease-and-desist letter constitutes a revocation of authorization to access information, even for publicly available profiles; Craigslist relied on this in 2017 (the defendants settled out of court).

That's scratching the surface. There are, literally, decades of other examples. The bottom line is that building upon ambiguity is difficult.

THE IMPACT

THE PRO-ACCESS ARGUMENT

The outcome of this trial has researchers and journalists concerned. Non-malicious security researchers often find themselves in precarious legal situations when they discover and disclose a website's vulnerability. Researchers and journalists often resort to scraping and mobile-app API reverse-engineering to conduct discrimination and political ad auditing. If access to this information were deemed to be "without authorization", this work would be criminalized.

So, too, would a lot of the casual online hootenanny we take for granted. Several weeks ago, I mentioned a user gaining access to the McDonald's API. He then contorted the functionality available to create a website that reports which McDonald's locations have a broken ice cream machine. McDonald's hadn't thought to do that. It's creative and a demonstration of how an API can support use cases a dev team is either too busy or too indifferent to support. Under the CFAA it could also be a felony.

Businesses like ParseHub and OctoParse could also be impacted. These, along with many other services, turn website content into APIs. In the past, for example, these services allowed me to easily aggregate multiple auction site searches into a single API result for subsequent processing. Is creating an API any of the original site owners' intent? No. Does that mean I accessed information in an unauthorized way? Maybe?

THE ANTI-ACCESS ARGUMENT

Of course, if folks accessing things in unexpected ways were always the path to Skittles and Mountain Dew, we wouldn't be having this discussion. For example, imagine a financial services site that - when given people's logins - gathers together their financial information and presents it in one spot. That username and password is now shared with multiple sites. The practice, known as credential sharing, is only as secure as the weakest practice among the participating sites.

The CFAA offers companies leverage to push aggregators away from credential sharing and toward a well-managed means of information exchange. Schwab and Fidelity, for example, have created secured APIs in response to screen scraping concerns.

The Electronic Privacy Information Center (or EPIC) filed an amicus brief on the case heard Monday. In it, EPIC argued that databases "hold vast quantities of some of the most sensitive personal data imaginable" and that "we need the CFAA, now more than ever, to be an extra check against abuse by the people entrusted to access sensitive data and systems."

THE AFTERMATH

In these divided times, the CFAA seems to be something that makes justices on both sides of the political spectrum queasy. Justice Neil Gorsuch opined that the pro-CFAA argument risked "making a federal criminal of us all". Justice Sonia Sotomayor described the law as "a very broad statute, and dangerously vague".

Whether information is accessed through screen scraping or via API, I'm concerned we're missing pieces of this debate. The first is who owns the data accessed. I'd assume the owner of the information would be the party responsible for deciding who does and does not have authorization. However, in most of these cases it appears that the provider of the site or service determines authorization. Is my transaction history my data or my financial institution's? I'm uncomfortable with the assumptions here.

The second missing piece seems to be around intent. If I access information without authorization with the intent to commit a crime, that's a problem. A site that shows where McDonald's ice cream machines are out of order might cause slight, and temporary, reputational harm. But that's something different. Somewhere in the middle are businesses creating new business by repurposing the work done by others. These examples of access without authorization are not alike. However, we don't seem to account for that in the CFAA.

Of course, I'm not a lawyer. I don't even care for legal procedurals. I haven't even seen My Cousin Vinny, so take my opinions with a grain of salt.

The Court has until June 2021 to make a decision.

For more on this case, in increasing levels of wonkery, check out:

WRAPPING UP
Thank you to my Patreons. There was a ridiculous amount of TechDirt trawled to make this edition that didn't even make it in (Pokemon!). I appreciate people financially supporting these types of deep cuts.

Till next time,

Matthew @libel_vox and matthewreinbold.com
