8-21-2013
http://www.techdirt.com/articles/20...e-unauthorized-access-to-public-website.shtml
The latest ruling, unfortunately, finds that the combination of a cease-and-desist letter and merely changing your IP address creates unauthorized access to a public website.
The EFF points out how dangerous a ruling this is:
http://www.techdirt.com/articles/20...e-unauthorized-access-to-public-website.shtml
The latest ruling, unfortunately, finds that the combination of a cease-and-desist letter and merely changing your IP address creates unauthorized access to a public website.
The EFF points out how dangerous a ruling this is:
Changing your IP address is simply not hacking. That's because masking your IP address is an easy, common thing to do. And there's plenty of legitimate reasons to do so, whether its to protect your privacy, preserve innovation or avoid price discrimination....
There's a serious potential for mischief that is encouraged by this decision, as companies could arbitrarily decide whose authorization to "revoke" and need only write a letter and block an IP address to invoke the power of a felony criminal statute in what is, at best, a civil business dispute.
Similarly, Orin Kerr, who tends to be more sympathetic about these kinds of cases, finds the use of a mere IP address change to be quite problematic: There's a serious potential for mischief that is encouraged by this decision, as companies could arbitrarily decide whose authorization to "revoke" and need only write a letter and block an IP address to invoke the power of a felony criminal statute in what is, at best, a civil business dispute.
Judge Breyer sees IP blocking as sufficient. But its unfortunate that Breyer doesnt give the issue more analysis, as I think its a really interesting question. The counterargument runs like this. IP addresses are very easily changed, and most people use the Internet from different IP addresses every day. As a result, attempting to block someone based on an IP address doesnt block them except in a very temporary sense. It pauses them for a few seconds more than actually blocks them. Its a technological barrier in the very short term but not in the long term. Is that enough to constitute a technological barrer?
Judge Breyers opinion appears to mix up two different aspects of the CFAA. The first aspect is the prohibition on unauthorized access, and the second is its associated mental state element of intent. The CFAA only prohibits intentional unauthorized access; merely knowingly or recklessly accessing without authorization is not prohibited. So whatever unauthorized access means, the person must be guilty of doing that thing (the act of unauthorized access) intentionally to trigger the statute. Breyer seems to mix up those elements by focusing heavily on the fact that 3taps knew that Craigslist didnt want 3taps to access its site. According to Judge Breyer, the clear notice meant that the case before him didnt raise all the notice and vagueness issues that prompted the Ninth Circuits decision in Nosal.
I think this analysis is somewhat misdirected. In my view, the fact that 3taps was on notice that Craiglist did not want them to access the Craigslist website is only relevant to show intent. From that perspective, Judge Breyer should have been clearer that the cease-and-desist letter couldnt make visiting the website an unauthorized access. The letter is just a written statement of the owners wishes as to who can visit the site, just like Terms of Service. In my view, whether the facts of the 3taps case amount to an unauthorized access hinges on the circumvention of IP blocking. If so, then the cease-and-desist letter shows that the act of unauthorized access was intentional; if not, then the letter does not have any relevance to the CFAA.
That's really the key point here. The cease and desist is no different than the terms of service -- and yet it's already been stated that violating the terms isn't a CFAA violation. So the real issue here is the changing of an IP address. And the idea that a mere changing of an IP address opens you up to criminal liability is insane. This is a horrible precedent and one that Craigslist and Craig Newmark should be ashamed of, having brought it into this world for no good reason.Judge Breyers opinion appears to mix up two different aspects of the CFAA. The first aspect is the prohibition on unauthorized access, and the second is its associated mental state element of intent. The CFAA only prohibits intentional unauthorized access; merely knowingly or recklessly accessing without authorization is not prohibited. So whatever unauthorized access means, the person must be guilty of doing that thing (the act of unauthorized access) intentionally to trigger the statute. Breyer seems to mix up those elements by focusing heavily on the fact that 3taps knew that Craigslist didnt want 3taps to access its site. According to Judge Breyer, the clear notice meant that the case before him didnt raise all the notice and vagueness issues that prompted the Ninth Circuits decision in Nosal.
I think this analysis is somewhat misdirected. In my view, the fact that 3taps was on notice that Craiglist did not want them to access the Craigslist website is only relevant to show intent. From that perspective, Judge Breyer should have been clearer that the cease-and-desist letter couldnt make visiting the website an unauthorized access. The letter is just a written statement of the owners wishes as to who can visit the site, just like Terms of Service. In my view, whether the facts of the 3taps case amount to an unauthorized access hinges on the circumvention of IP blocking. If so, then the cease-and-desist letter shows that the act of unauthorized access was intentional; if not, then the letter does not have any relevance to the CFAA.
Facebook
Twitter