In a bit of a strange opinion [via Bag and Baggage], the First Circuit just adopted an explicit opt out requirement for unauthorized access to web sites without technological protections under the Computer Fraud and Abuse Act (18 USC 1030).
The case is EF Cultural Travel BV et al. v. Zefer Corp. and Explorica, Inc., No. 01-2001 (1st Cir. 2003). EF and Explorica are competitors in the student travel business. EF has a web site where it publicly displays its prices. Explorica, formed by former EF employees, hired Zefer* to write an program to scrape EF's site and create a database of EF's prices. Then Explorica undercut EF's prices by 5 percent and, presumably, enjoyed some competitive success. EF brought a motion for a preliminary injunction to stop Explorica and Zefer from scraping its prices. The motion was granted and both Explorica and Zefer appealed. Zefer's appeal was stayed because of bankruptcy proceedings and Explorica's was denied [west summary] based on a breach of a confidentiality agreement argument (that publicly available codes and prices can be protected by a confidentiality agreement is beyond me, but not the subject of this post). The current opinion tackles the question of whether the injunction was valid against Zefer, the company Explorica hired to make and run the scraper.
Chief Judge Michael Boudin wrote the opinion of the Court. It affirmed the injunction but only to the extent Zefer would be bound not to help Explorica violate the injunction against it in any case (ie without Zefer having done anything wrong in the first case). However, the wonder of the opinion, and why I write that it is a bit strange, is all of the other (unnecessary) things in it.
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
18 USC 1030(a)(4). For the purposes of its opinion the First Circuit assumed that the fraud element(s) were met and focused on the appropriate test for "exceeding authorized access." The District Court had proposed a "reasonable expectations" test based on what the user might have expected was reasonable (a la reasonable expectation of privacy and the Fourth Amendment). The First Circuit flatly rejected that test and instead made clear that in order to "exceed authorized access," in accessing publicly available web pages, that access had to be explicitly prohibited (through a terms of service or other such mechanism).
Later I will try to excavate other interesting nuggets from the decision and give my take on the ramifications...
* note, all links to Zefer are to different Archive.org snapshots of the site (old to closing) because Zefer.com no longer responds.