Maybe that's true the first time, but 3taps business model wouldn't work with just one visit to craigslist. If you keep coming into the shop, the shopkeeper definitely has the right to revoke your implied license and sue you for trespass the next time you step on the premises.
But in the real-world, the shopkeeper would have to ask you to leave. And online, they'd have to use some actual access-control barrier.
The EFF's argument allows that in such a (alternative) case, real 'unauthorized access' could have occurred. They write:
Of course, Craigslist has the right to restrict access to its data through, for example, requiring a username and login, which would password protect access ot its other users' advertisements. If defendants bypassed that security measure by trying to break through this barrier by systematically attempting passwords or "hacking" their way in through some other method, then their access to Craigslist would necessarily have been "unauthorized". ...
But once Craigslist chose not to password protect its data – a decision that would undercut Craigslist's successful business model – it necessarily authorized the public to view the information on the public website.
That seems to be a holding that Craigslist won from the court, which helped assure the settlement.
That's a better standard than the originally-argued "violates terms of use". But it's still problematic given how draconian CFAA penalties can be, and given that the 'unauthorized access' in question penalizes access to information that's freely available to any other anonymous member of the public.
Maybe the EFF will be able to use the $1MM that fell their way to further circumscribe such CFAA application.
What do you mean, "how draconian CFAA penalties can be"? Which penalties are you referring to? The civil cause of action defined by CFAA expressly limits the kinds of damages plaintiffs can pursue, unlike other torts.
This is why it's so upsetting to see these people use this manipulative language. Criminal CFAA --- or, more accurately, federal sentencing law --- can legitimately be criticized for being draconian. But criminal CFAA has almost nothing but a few definitions in common with civil CFAA.
Causing damages under the civil cause of action defined by CFAA does not allow the government to fine you. That's not how this works.
No, a Craigslist judgement on CFAA grounds wouldn't trigger a federal fine. But any activity that wins damages on the civil side could also (at federal prosecutor discretion) be prosecuted criminally.
A civil precedent on what counts as "exceed[ing] authorized access" under the CFAA also affects who might be subject to the full range of federal criminal penalties, in future actions. So Craigslist's interpretation winning, compared to EFF's, ultimately means more people threatened with 1-10 years in federal prison.
