Unfortunate Ruling Says Changing Your IP Address Can Be 'Unauthorized Access' To A Public Website

from the really-now? dept

Wed, Aug 21st 2013 12:23pm — Mike Masnick

We've covered for a while why we think Craigslist made a mistake in suing 3taps and Padmapper over scraping of Craigslist data. Of particular concern were the very bad legal precedents this may set, which tend to be completely contrary to Craig Newmark's own stance on internet freedom (of which he's been a strong supporter). Indeed, the legal arguments made by Craigslist are insulting to those who believe in internet freedom and really put Craigslist in a poor light. 3taps and Padmapper were driving more traffic to Craigslist and enhancing the service -- something that lots of sites on the internet do all the time. And yet they're facing very harsh penalties.

While an initial court ruling found that some of Craigslist's wackier theories didn't apply (e.g. violating the terms of service isn't a CFAA violation and the copyright claims concerning Craigslist posts failed), the latest ruling, unfortunately, finds that the combination of a cease-and-desist letter and merely changing your IP address creates unauthorized access to a public website. That's troubling on a variety of levels, mostly because changing an IP address isn't any form of "hacking." It's incredibly easy to do, and in many cases happens automatically without any input from users, if they have a dynamic IP address.

The EFF points out how dangerous a ruling this is:

Changing your IP address is simply not hacking. That's because masking your IP address is an easy, common thing to do. And there's plenty of legitimate reasons to do so, whether its to protect your privacy, preserve innovation or avoid price discrimination....

There's a serious potential for mischief that is encouraged by this decision, as companies could arbitrarily decide whose authorization to "revoke" and need only write a letter and block an IP address to invoke the power of a felony criminal statute in what is, at best, a civil business dispute.

Similarly, Orin Kerr, who tends to be more sympathetic about these kinds of cases, finds the use of a mere IP address change to be quite problematic:

Judge Breyer sees IP blocking as sufficient. But it’s unfortunate that Breyer doesn’t give the issue more analysis, as I think it’s a really interesting question. The counterargument runs like this. IP addresses are very easily changed, and most people use the Internet from different IP addresses every day. As a result, attempting to block someone based on an IP address doesn’t “block” them except in a very temporary sense. It pauses them for a few seconds more than actually blocks them. It’s a technological barrier in the very short term but not in the long term. Is that enough to constitute a technological barrer?

Judge Breyer’s opinion appears to mix up two different aspects of the CFAA. The first aspect is the prohibition on unauthorized access, and the second is its associated mental state element of intent. The CFAA only prohibits intentional unauthorized access; merely knowingly or recklessly accessing without authorization is not prohibited. So whatever unauthorized access means, the person must be guilty of doing that thing (the act of unauthorized access) intentionally to trigger the statute. Breyer seems to mix up those elements by focusing heavily on the fact that 3taps knew that Craigslist didn’t want 3taps to access its site. According to Judge Breyer, the clear notice meant that the case before him didn’t raise all the notice and vagueness issues that prompted the Ninth Circuit’s decision in Nosal.

I think this analysis is somewhat misdirected. In my view, the fact that 3taps was on notice that Craiglist did not want them to access the Craigslist website is only relevant to show intent. From that perspective, Judge Breyer should have been clearer that the cease-and-desist letter couldn’t make visiting the website an “unauthorized access.” The letter is just a written statement of the owner’s wishes as to who can visit the site, just like Terms of Service. In my view, whether the facts of the 3taps case amount to an unauthorized access hinges on the circumvention of IP blocking. If so, then the cease-and-desist letter shows that the act of unauthorized access was intentional; if not, then the letter does not have any relevance to the CFAA.

That's really the key point here. The cease and desist is no different than the terms of service -- and yet it's already been stated that violating the terms isn't a CFAA violation. So the real issue here is the changing of an IP address. And the idea that a mere changing of an IP address opens you up to criminal liability is insane. This is a horrible precedent and one that Craigslist and Craig Newmark should be ashamed of, having brought it into this world for no good reason.

Order Denying Renewed Motion to Dismiss (PDF)Order Denying Renewed Motion to Dismiss (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cfaa, changing ip, hacking, ip address, unauthorized access
Companies: 3taps, craigslist, padmapper

34 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Ninja (profile), 21 Aug 2013 @ 11:04am

Is there room for appeal? There are sound arguments to debunk this absurd ip rationale as far as I can see.

If the site is public then it's public and unless there is explicit, identifiable damages a determined party is causing there should be no issues with changing an IP and circumventing an arbitrary block. Sounds like the damages the MAFIAA seeks in copyright cases, they are not proven but hell why not punish some people just for the heck of it?
[ link to this | view in chronology ]
- Anonymous Coward, 21 Aug 2013 @ 12:25pm
  
  Re:
  There was a C&D letter in addition to the IP block which is roughly the grounds the court used to justify the ruling.
  [ link to this | view in chronology ]
  - Jesse (profile), 21 Aug 2013 @ 4:25pm
    
    Re: Re:
    But then go after them for violating the cease and desist. The matter of the IP address is irrelevant
    
    Arguing that circumventing an IP address block is hacking, is like saying that driving over a speed bump is trespassing.
    [ link to this | view in chronology ]
Anonymous Coward, 21 Aug 2013 @ 12:32pm

So seeing as I was on Dial Up a couple years ago (i live out in the sticks, hush) and I d/c it upwards of 30-40 times to change my ip address to "vote" for a website for rewards, i broke the law? Wow.
[ link to this | view in chronology ]
Internet Zen Master (profile), 21 Aug 2013 @ 12:32pm

Apparently the judge hasn't heard of this neato Internet gizmo called a proxy before...
[ link to this | view in chronology ]
- Anonymous Coward, 21 Aug 2013 @ 7:22pm
  
  Re:
  "VPN? Never heard of that TV channel. Is it a new one?"
  [ link to this | view in chronology ]
Anonymous Coward, 21 Aug 2013 @ 12:35pm

So seeing as I was on Dial Up a couple years ago (i live out in the sticks, hush) and I d/c it upwards of 30-40 times to change my ip address to "vote" for a website for rewards, i broke the law? Wow.
[ link to this | view in chronology ]
Sojahsay, 21 Aug 2013 @ 12:35pm

So then using Tor is now illegal?
[ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

out_of_the_blue, 21 Aug 2013 @ 12:40pm

NO, says that BUSINESS "3taps" can't use someone else's work!
You can stop panicking! Has no obvious application to your personal activities, kids. You are entirely confusing persons with corporations.

But corporations are not persons, don't have any inherent rights, don't have any right to use the products of another corporation, and DEFINITELY not after receiving a cease-and-desist letter! All access is then definitely UNAUTHORIZED and they knew it!

Techdirt's motto: The confusion has become so complete that it's beyond correction.
[ link to this | view in chronology ]
- Anonymous Coward, 21 Aug 2013 @ 12:44pm
  
  Re: NO, says that BUSINESS "3taps" can't use someone else's work!
  someone needs to move out of the internet cafe.
  [ link to this | view in chronology ]
- Gwiz (profile), 21 Aug 2013 @ 1:21pm
  
  Re: NO, says that BUSINESS "3taps" can't use someone else's work!
  NO, says that BUSINESS "3taps" can't use someone else's work!
  
  Really? Where exactly is THAT difference pointed out in the ruling?
  
  But corporations are not persons, don't have any inherent rights...
  
  While I do agree with you that's probably that way it should be, I don't think our current legal atmosphere shares that view.
  
  ...don't have any right to use the products of another corporation...
  
  What "products" are you talking about? You mean the classified ads in Craigslist? The ads that the court refused to give Craigslist copyrights on? Those "products"?
  
  ...and DEFINITELY not after receiving a cease-and-desist letter! All access is then definitely UNAUTHORIZED and they knew it!
  
  Jeez, Blue, that's really silly. I mean seriously, think about it. With this ruling Mike could fire off a cease and desist to you, block your IP and if you ever accessed Techdirt from a different computer or your phone or from your work location, then you could criminally liable. You really think that's a good thing?
  [ link to this | view in chronology ]
  - Pixelation, 21 Aug 2013 @ 5:11pm
    
    Re: Re: NO, says that BUSINESS "3taps" can't use someone else's work!
    " With this ruling Mike could fire off a cease and desist to you, block your IP and if you ever accessed Techdirt from a different computer or your phone or from your work location, then you could criminally liable. You really think that's a good thing?"
    
    Some of us here might think it was a good thing.
    [ link to this | view in chronology ]
Anonymous Coward, 21 Aug 2013 @ 12:50pm

Says TorrentFreak:

A Comcast spokesperson responded to an inquiry we sent to the company�s lawyers: �[I] am replying to let you know that the cease and desist was sent in error, and you may disregard it. We apologize for any confusion this may have caused.�

Right... an "error".
[ link to this | view in chronology ]
Anonymous Coward, 21 Aug 2013 @ 12:53pm

Except as far as precedence goes, this case is very limited.
The Judge was clear that it was only because they had received the cease and desist letter, along with a few other conditions precedent.

This is akin to trespassing after receiving a trespass notice.
I go to walmat, and am given a letter by management that I may not re-enter the store.
The next week I put on a special tin foil hat which hides my features from the facial recognition security cameras.
Anyone is allowed to walk into Walmart wearing this special helmet. But because I was already told I was not allowed on the premises, I now not only trespassed, but used a device to circumvent to do so.

But just because I understand the decision and can explain why its not as horrible, yeah, it is still bad, and sadly the justice department will do everything it can to enlarge the facts which it covers.
[ link to this | view in chronology ]
- joe, 21 Aug 2013 @ 7:37pm
  
  Re: exactly
  You got it right. It's amazing to hear these idiots posting about what they don't even bother to read.
  [ link to this | view in chronology ]
- Anonymous Coward, 23 Aug 2013 @ 1:10am
  
  Re:
  I think you are confused with the example. walmart isnt a public website, they actually do have security and yet some other rules to follow in order to use their stores. On the other hand public websites do not have officers to watch their traffic to block some of them because of any of their activity unless there is some membership to cancel that membership or DDos relative attacks...
  [ link to this | view in chronology ]
Anonymous Coward, 21 Aug 2013 @ 12:56pm

Sweet, now I can boast being a hacker by pressing reset on my modem!

*Adds hacking to resume*
[ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

slinkySlim, 21 Aug 2013 @ 1:04pm

You patronizing idiot - now lick my balls.
[ link to this | view in chronology ]
Zangetsu (profile), 21 Aug 2013 @ 1:22pm

A lot of the world is guilty
Where I work everything goes through a proxy server. Almost 20,000 of us using the same IP address. When I go from WiFi hotspot to WiFi hotspot I change my IP address. If I leave a WiFi address and go to 3G my IP address changes.

I can understand a more localized ruling, such that if you change your IP address to avoid a C&D order, but generic IP address changing is so common place that the judge himself is probably guilty of it every day and he doesn't know it.
[ link to this | view in chronology ]
Anonymous Coward, 21 Aug 2013 @ 1:27pm

So can I tell my ISP they need to give me a static IP now so I don't inadvertently break the law?
[ link to this | view in chronology ]
Anonymous Coward, 21 Aug 2013 @ 1:41pm

the most troubling thing is that there are still judges sitting on cases that involve the Internet in some way or another and they either dont know a damn thing about what they are ruling on or these particular judges are bing given these cases on purpose, so as to appear dim on the subjects but are in actual fact extremely well versed on the subject and rule intentionally how they do so as to enforce the way the various entertainment industries want things, given how things have been molded in the past.
[ link to this | view in chronology ]
sporkie (profile), 21 Aug 2013 @ 1:48pm

Cease and Desist notice
I see the C&D notice along the lines of an author telling someone that they are not welcome to read a copy of the author's book that is in a public library.

Publishing a website is akin to seeding a torrent. By placing the site in public view, unrestricted access is implied.
[ link to this | view in chronology ]
Anonymous Coward, 21 Aug 2013 @ 2:47pm

Anyone who has their IP address dynamically allocated via DHCP, is a felon. Any internet service provider that employs DHCP to assign IP addresses on their network, is guilty of employing a hacking tool, and is also a felon.

Bravo Supreme Court, give yourselves a cookie. You deserve it!
[ link to this | view in chronology ]
Anonymous Coward, 21 Aug 2013 @ 3:50pm

War on anonymity possibly just got a new tool.
Everyone with a dedicated static IP or banned from everywhere.

Static IP linked to passport or something, for security of course.
[ link to this | view in chronology ]
Anonymous Coward, 21 Aug 2013 @ 6:16pm

On the plus side, it means average_joe and horse with no name can't post without breaking the law, lest their moral superiority be called into question.
[ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

Joe, 21 Aug 2013 @ 7:32pm

Clueless comments on idiotic journalism
You should be ashamed for writing an article purely to generate attention instead of the actual truth. This company clearly violated a judges ruling by using a proxy to accomplish what they had been expressly forbidden from. If you are not able to understood the reality of the case, you should not be reporting on it. For shame.

Enjoy the comments from the idiots who are clueless as the author. Do a bit of research and you'll understand.
[ link to this | view in chronology ]
- Anonymous Coward, 21 Aug 2013 @ 7:44pm
  
  Re: Clueless comments on idiotic journalism
  So less than average Joe, Breaking the law again I see.
  
  I would love to see Mike use this ruling to have you charged under the CFAA using this ruling. Let's you cry like the little IP bitch that you are
  [ link to this | view in chronology ]
- Mike Masnick (profile), 22 Aug 2013 @ 12:15am
  
  Re: Clueless comments on idiotic journalism
  You should be ashamed for writing an article purely to generate attention instead of the actual truth. This company clearly violated a judges ruling by using a proxy to accomplish what they had been expressly forbidden from. If you are not able to understood the reality of the case, you should not be reporting on it. For shame.
  
  We've written extensively about legal issues, and the CFAA in particular for years. We've covered this case since the first threats were issued.
  
  The ruling has nothing to do with whether or not 3taps "violated a judges ruling" because this is about whether or not 3taps actions violated a specific *law*, the CFAA.
  
  If you'd care to explain what *FACTS* you think we got wrong, we're happy to hear you out, but the fact that you focus on insults, and don't provide a single fact that we got wrong (instead making statements that are blatantly untrue), I'm not sure you really understand the issues of the case.
  [ link to this | view in chronology ]
Uriel-238 (profile), 21 Aug 2013 @ 9:49pm

Spitting on the sidewalk.
Yep. If my house disconnects and then reconnects, I have a new IP (which can be damn inconvenient since I'm hosting a Terraria server).

This ruling has to be appealed.
[ link to this | view in chronology ]
- John Fenderson (profile), 22 Aug 2013 @ 10:00am
  
  Re: Spitting on the sidewalk.
  (which can be damn inconvenient since I'm hosting a Terraria server)
  
  Dyndns or a similar service will solve that problem for you.
  [ link to this | view in chronology ]
Andrew D. Todd, 22 Aug 2013 @ 1:56am

Shop-In's
Let's reason by analogy. Suppose you are Target, and you decide to hold a 1960's style "shop-In" at Wal-Mart. You pay a thousand people to go into the local Wal-Mart, all at the same time, and they spend three hours in the store, fingering and disarranging the merchandise. A squad of them make small purchases, say a pack of gum or a candy bar, paying in pennies, with the maximum possible delay, and when they're done that, they go outside, throw the candy in a pickup truck, collect more pennies, and go back in to repeat the cycle. Maybe some of them try to return their candy bars. The practical effect is that the Wal-Mart is generating little or no revenue, and is effectively clogged up, so that the regular customers can't shop there, and are forced to go to Target.

In the 1960, political organizers sometimes used this as a technique of coercion. If you decided that a slum neighborhood needed a Kroger's, a Safeway, an A&P, or whatever, you could take your Shop-In to a store in a posh neighborhood, until the corporate headquarters saw the light and agreed to open a store in the slum neighborhood.

Now, of course, in the Craigslist case, the real issue is "bots" impersonating people, and flooding the system so that people can't get in. The intent is to coerce Craigslist to hand over a full data-feed.
[ link to this | view in chronology ]
- Arsik Vek (profile), 22 Aug 2013 @ 8:57am
  
  Re: Shop-In's
  Except that neither of their original claims suggested 3taps was causing service interruptions or other usability issues. They were founded in claims of copyright infringement and terms of use violation.
  
  Your reason by analogy is based on a faulty analogy. This is more like someone looking through a real estate agent's listings and then telling a friend about places for sale, then sending to the agent to purchase.
  [ link to this | view in chronology ]
Anonymous Coward, 3 Dec 2013 @ 11:05am

suck my toe
[ link to this | view in chronology ]
Emma Epps, 5 May 2017 @ 1:35pm

Vpn provides more benefits than troubles. You can read about first here https://thebestvpn.com/proxy-vs-vpn-comparison/
[ link to this | view in chronology ]