Technician Posted November 11, 2013 US court rules proxies, IP switching illegal A ruling by Northern District of California Judge Breyer suggests that such activity constitutes 'unauthorised access' as enshrined in the CFAA, and leaves the perpetrator open to potential legal action. Spotted by Orin Kerr of The Volokh Conspiracy, the ruling could have serious consequences for some very common usage scenarios. The details of the case are, naturally, complex: a company called 3taps had been scraping content from online classifieds specialist Craigslist in order to direct traffic to its own sites. Craigslist, naturally, was unhappy, and blocked 3taps' IP addresses from accessing its servers following the submission of a cease and desist notice - at which point 3taps started to use proxy servers and new IP addresses to continue to scrape the content. Craigslist sued, arguing that the cease and desist coupled with the blocking of IP addresses assigned to the 3taps was a clear revocation of the company's right to access Craigslist servers. 3taps raised a counterargument that a given company has no right to revoke the general authorisation for an individual to access an otherwise publicly-available website. On the face of it, it's clear that the judge's decision to back Craigslist is a positive: banning users from sites is a common way of dealing with abuse, from denial of service attacks and spam to forum users who flout the rules. Removing this ability and forcing sites to continue permitting access to all without restriction would be a terrible move. But by stating outright that the simple changing of an IP address is abuse under the CFAA, it's possible the judge has opened the floodgates for common, everyday activities to be rendered illegal. Many users, for example, still have dynamic IP addresses that change every time a router is rebooted - which, if it allows them access to a previously-banned site, could be argued as circumvention. 
Using a service like Google Translate, too, will see a user's traffic originating from a different IP - and, again, could bypass blocks put in place to prevent access. Kerr argues that an IP address block is so easily circumvented - even by accident, as with the above examples - that it should not be considered a technological barrier under the CFAA. The CFAA itself, meanwhile, is up for revision in response to the death of free data activist Aaron Swartz who committed suicide following his prosecution under a particularly vaguely-worded passage. Yup.
Stupid Bunny Posted November 11, 2013 I felt a great disturbance in the Force, as if millions of sockpuppets cried out in terror and were suddenly silenced
Aliotroph? Posted November 11, 2013 I can't see a judge ruling any other way on this.
Maes Posted November 11, 2013 Such a ruling is pointless if not followed by a provision to assign each individual and company one -and only one- unique IP "for life", and making the request of additional IPs subject to strict regulations and checks -kinda treating them like passports, social security numbers or ID numbers. Something which is obviously impossible with the current IPv4 addressing system, and even with IPv6 it would need some additional "paranoia" or "Big Brother" layer on top of everything (e.g. every request also compulsory carrying a "centralized Internet user unique ID", even for multiple IP ranges, not just an IP address).
Kirby Posted November 11, 2013 Maes said: Such a ruling is pointless if not followed by a provision to assign each individual and company one -and only one- unique IP "for life", and making the request of additional IPs subject to strict regulations and checks -kinda treating them like passports, social security numbers or ID numbers. Something which is obviously impossible with the current IPv4 addressing system, and even with IPv6 it would need some additional "paranoia" or "Big Brother" layer on top of everything (e.g. every request also compulsory carrying a "centralized Internet user unique ID", even for multiple IP ranges, not just an IP address). This. All of this. They can't possibly think they can keep track and prevent people from continuing to use these methods unless there is a major overhaul in how Internet is provided to customers.
geo Posted November 11, 2013 Good. I'm tired of having to track eStore credit card frauds for my company only to discover their IP changes from page to page. Criminals always follow the rules.
Maes Posted November 11, 2013 Kirby said: This. All of this. They can't possibly think they can keep track and prevent people from continuing to use these methods unless there is a major overhaul in how Internet is provided to customers. --> Enter highly regulated "Walled Garden" networking and service models, which were actually not that unheard-of in the past. E.g. BBSes, Compuserve, AOL etc. all operated in a way which would make at least single home users immediately identifiable or traceable down to the very phone line. Which is not entirely unlike what e.g. is happening for niches such as Web-based TV services, gaming services etc. Perhaps one day "free-ranging" Internet where you could hunt everything by its IP and port number will be a thing of the past, and everybody, even corporations, will have to use some sort of certified and approved ("secure", "trusted") intermediary, even for businesses, and the use of "free internet" outside of government or the military-industrial complex will be associated with subversive individuals, rogues, cyber-criminals, etc. "Good citizens" will be supposed to access the Internet only through some super-secured and super-regulated abstraction layer, which will hide the old IP addressing scheme forever.
fraggle Posted November 11, 2013 This is the same ridiculous law used to prosecute Aaron Swartz. The law predates the modern Internet, making many of its provisions absurd and obsolete nowadays. It was drafted during a panic over the film WarGames, which President Reagan didn't seem to realise was a work of fiction.
flubbernugget Posted November 14, 2013 In the article Technician posted: Many users, for example, still have dynamic IP addresses that change every time a router is rebooted - which, if it allows them access to a previously-banned site, could be argued as circumvention. Anyone care to speculate on how this could/would be used/abused to prosecute people using NAT routers?
GreyGhost Posted November 14, 2013 flubbernugget said: Anyone care to speculate on how this could/would be used/abused to prosecute people using NAT routers? If you mean your common-or-garden NAT router (as found in home networks worldwide), it shouldn't matter a damn. So far as the outside world's concerned, you're either using the IP address allocated by your ISP, hiding behind a proxy or stealing bandwidth from a neighbor's wireless router. Heh - it looks like 3taps have reserved the right to do unto others as Craigslist have done to them. Here's a snippet from their TOS - "5.15. You agree that 3taps, in its sole discretion, has the right (but not the obligation) to delete or deactivate your account, block your email or IP address, or otherwise terminate your access to or use of the Service (or any part thereof), immediately and without notice, and remove and discard any Content within the Service, for any reason, including, without limitation, if 3taps believes that you have acted inconsistently with the letter or spirit of the TOU. Further, you agree that 3taps shall not be liable to you or any third-party for any termination of your access to the Service."