Technician

US court rules IP switching illegal


US court rules proxies, IP switching illegal
A ruling by Northern District of California Judge Breyer suggests that such activity constitutes 'unauthorised access' as enshrined in the CFAA, and leaves the perpetrator open to potential legal action. Spotted by Orin Kerr of The Volokh Conspiracy, the ruling could have serious consequences for some very common usage scenarios.

The details of the case are, naturally, complex: a company called 3taps had been scraping content from online classifieds specialist Craigslist in order to direct traffic to its own sites. Craigslist, naturally, was unhappy, and blocked 3taps' IP addresses from accessing its servers following the submission of a cease and desist notice - at which point 3taps started to use proxy servers and new IP addresses to continue to scrape the content.

Craigslist sued, arguing that the cease and desist coupled with the blocking of IP addresses assigned to the 3taps was a clear revocation of the company's right to access Craigslist servers. 3taps raised a counterargument that a given company has no right to revoke the general authorisation for an individual to access an otherwise publicly-available website.

On the face of it, it's clear that the judge's decision to back Craigslist is a positive: banning users from sites is a common way of dealing with abuse, from denial of service attacks and spam to forum users who flout the rules. Removing this ability and forcing sites to continue permitting access to all without restriction would be a terrible move.

But by stating outright that the simple changing of an IP address is abuse under the CFAA, it's possible the judge has opened the floodgates for common, everyday activities to be rendered illegal. Many users, for example, still have dynamic IP addresses that change every time a router is rebooted - which, if it allows them access to a previously-banned site, could be argued as circumvention. Using a service like Google Translate, too, will see a user's traffic originating from a different IP - and, again, could bypass blocks put in place to prevent access.

Kerr argues that an IP address block is so easily circumvented - even by accident, as with the above examples - that it should not be considered a technological barrier under the CFAA. The CFAA itself, meanwhile, is up for revision in response to the death of free data activist Aaron Swartz who committed suicide following his prosecution under a particularly vaguely-worded passage.

Yup.


I felt a great disturbance in the Force, as if millions of sockpuppets cried out in terror and were suddenly silenced


Such a ruling is pointless if not followed by a provision to assign each individual and company one -and only one- unique IP "for life", and making the request of additional IPs subject to strict regulations and checks -kinda treating them like passports, social security numbers or ID numbers.

Something which is obviously impossible with the current IPv4 addressing system, and even with IPv6 it would need some additional "paranoia" or "Big Brother" layer on top of everything (e.g. every request also compulsory carrying a "centralized Internet user unique ID", even for multiple IP ranges, not just an IP address).

Maes said:

Such a ruling is pointless if not followed by a provision to assign each individual and company one -and only one- unique IP "for life", and making the request of additional IPs subject to strict regulations and checks -kinda treating them like passports, social security numbers or ID numbers.

Something which is obviously impossible with the current IPv4 addressing system, and even with IPv6 it would need some additional "paranoia" or "Big Brother" layer on top of everything (e.g. every request also compulsory carrying a "centralized Internet user unique ID", even for multiple IP ranges, not just an IP address).


This. All of this. They can't possibly think they can keep track and prevent people from continuing to use these methods unless there is a major overhaul in how Internet is provided to customers.


Good. I'm tired of having to track eStore credit card frauds for my company only to discover their IP changes from page to page. Criminals always follow the rules.

Kirby said:

This. All of this. They can't possibly think they can keep track and prevent people from continuing to use these methods unless there is a major overhaul in how Internet is provided to customers.


--> Enter highly regulated "Walled Garden" networking and service models, which were actually not that unheard-of in the past. E.g. BBSes, Compuserve, AOL etc. all operated in a way which would make at least single home users immediately identifiable or traceable down to the very phone line. Which is not entirely unlike what e.g. is happening for niches such as Web-based TV services, gaming services etc.

Perhaps one day "free-ranging" Internet where you could hunt everything by its IP and port number will be a thing of the past, and everybody, even corporations, will have to use some sort of certified and approved ("secure", "trusted") intermediary, even for businesses, and the use of "free internet" outside of government or the military-industrial complex will be associated with subversive individuals, rogues, cyber-criminals, etc.

"Good citizens" will be supposed to access the Internet only through some super-secured and super-regulated abstraction layer, which will hide the old IP addressing scheme forever.


In the article Technician posted:
Many users, for example, still have dynamic IP addresses that change every time a router is rebooted - which, if it allows them access to a previously-banned site, could be argued as circumvention.


Anyone care to speculate on how this could/would be used/abused to prosecute people using NAT routers?

flubbernugget said:

Anyone care to speculate on how this could/would be used/abused to prosecute people using NAT routers?

If you mean your common-or-garden NAT router (as found in home networks worldwide), it shouldn't matter a damn. So far as the outside world's concerned, you're either using the IP address allocated by your ISP, hiding behind a proxy or stealing bandwidth from a neighbor's wireless router.

Heh - it looks like 3taps have reserved the right to do unto others as Craigslist have done to them. Here's a snippet from their TOS -

"5.15. You agree that 3taps, in its sole discretion, has the right (but not the obligation) to delete or deactivate your account, block your email or IP address, or otherwise terminate your access to or use of the Service (or any part thereof), immediately and without notice, and remove and discard any Content within the Service, for any reason, including, without limitation, if 3taps believes that you have acted inconsistently with the letter or spirit of the TOU. Further, you agree that 3taps shall not be liable to you or any third-party for any termination of your access to the Service."

