Could Donald Trump Block Hillary Clinton's Campaign From Visiting His Website Via The CFAA?

Legal Issues

from the who-the-hell-knows dept

Fri, Jul 15th 2016 2:28pm — Mike Masnick

In the past few weeks, we've written about two troubling rulings in the 9th Circuit appeals court concerning the CFAA, the Computer Fraud and Abuse Act. That law, that was literally written in response to Ronald Reagan being freaked out by the (fictional) movie War Games, was designed to go after hackers and make computer hacking into other people's computers a crime. The law is woefully outdated and unfortunately vague, with terms like "unauthroized access" and "exceeds authorized access." For years, many of us have been pushing for Congress to reform the law to make it not quite so broad, because in its current setup it's the law the DOJ relies on when all else fails. That's why the DOJ loves it. If you did something it doesn't like on a computer, it'll try to use the CFAA against you.

The two recent cases were not helpful. The first, called Nosal II (because it was the second CFAA case involving David Nosal trying to use data from his former employer), found that convincing a former colleague to share their password with you could violate the CFAA. The court tried to limit the impact of this, by adding some caveats, and insisting that mere password sharing wouldn't qualify without some additional event that indicated a lack of authorization, but it does still seem like a vague standard that many will try to use going forward. The second case, Facebook v. Power, found that Power violated the CFAA by continuing to access Facebook accounts, with permission of those Facebook users, after Facebook had sent a cease-and-desist. The court found that the cease-and-desist acted as a clear point that said "you're not allowed here."

But it's difficult to square that with the original Nosal ruling (Nosal 1) which found that merely violating a terms of service was not a CFAA violation. So ignoring a terms of service is not a CFAA violation, but ignoring a cease-and-desist letter is. It's not clear why one has power over the other, though perhaps there's an argument that a cease-and-desist is a proactive action towards an individual by a website, whereas a terms of service is broadly applicable. Still, it feels weak.

And, it raises tricky situations like the following, first raised by Andy Sellars, about a situation in which one individual alerts another that they can no longer visit a website. Let's say this happened between two presidential candidates. Hypothetically.

If so, that’s devastating for critical speech. Imagine Trump sending a C&D to Clinton’s campaign, barring access to https://t.co/BFK7Ukdtpw.
— Andy Sellars (@andy_sellars) July 12, 2016

And, as Eriq Gardner at the Hollywood Reporter notes in response, the answer is totally unclear. And that seems really problematic. I had tossed out some hypotheticals in my original post on the Facebook v. Power ruling, but this is a good one as well, because you could absolutely see some political candidates issuing that kind of cease-and-desist. There may be arguments about whether then accessing such a website would create a loss necessary to qualify for the CFAA, but it's still quite worrisome that the court has now put in place a vague standard that at least suggests that you can bar someone from a website by merely telling them not to go there. That's going to create a bunch of messy litigation going forward.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cease and desist, cfaa, donald trump, hillary clinton, hypotheticals, public website

20 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 15 Jul 2016 @ 3:09pm

"Let's say this happened between two presidential candidates"

What about Fox warning away all Democratic voters (they will know who from the leaked voter lists). Huffpo sending 'cease & desists' to all reegistered Republicans? MacDonald's sending them to all Burger King customers? Walmart banning Costco staff from entering their stores? All of this will be possible with leaked information, huge databases and facial recognition/LPRs everywhere.

How often do presidential candidates look at each other's websites? Are there any research studies? Does it matter? Surely everyone has people. So candidates have people, and now those people (if banned) will have people. And so on.

Now if we apply the three hops (or two hops) rule as with communications monitoring (surveillance) then we could really get somewhere. What should the hops number be to ensure that all people are banned from seeing all other people's websites?

At least greedy ISPs will get what's coming to them as traffic plummets while we all sit in our lonely ignorance and vote for the same people we would anyway.
[ link to this | view in chronology ]
- Padpaw (profile), 15 Jul 2016 @ 4:04pm
  
  Re:
  you mean aside from the recent scandal involving bernie sanders staffers and hillary clinton's respective campaign websites?
  [ link to this | view in chronology ]
- Anonymous Coward, 18 Jul 2016 @ 1:29pm
  
  Re:
  If Hillary was legally banned from doing something she would do it anyway, then lie about it, then attempt (and fail) to destroy all of the evidence, then get let off the hook --- so I don't see what the big deal is here. Now for everyone else who isn't completely and utterly above the law then there might be a problem worth examining. But picking Hillary as your example of how terrible this law might be is a lot like picking Superman as your example of what gravity can do to a person. He is simply exempt from it.
  [ link to this | view in chronology ]
Dave Cortright (profile), 15 Jul 2016 @ 3:24pm

TechDirt should test it out
You have a lot of trolls and other undesirables coming to your site and leaving unwanted comments. Why don't you issue a few C&Ds to these folks and then if and when they come back, file a lawsuit. I would help fund such an experiment...
[ link to this | view in chronology ]
- Anonymous Coward, 15 Jul 2016 @ 8:57pm
  
  Re: TechDirt should test it out
  Do they have your mailing address on file?
  [ link to this | view in chronology ]
Anonymous Coward, 15 Jul 2016 @ 3:25pm

There's a law about this...
The answer is usually no.
[ link to this | view in chronology ]
Anonymous Coward, 15 Jul 2016 @ 3:38pm

authorized access vs. selective prosecution
The dischord between the states interest in corporate cyberterrorism against the Constitution, and it's focus on jackass hackers penetrating systems that are insecure by design, is descriminatory.

In terms of the digitized relationship between the social elite and the average citizen, what part of the terabytes of data gleaned daily, isn't accessed without authorization? Therefore using "authorized access" as a standard, is selective prosecution based on social class.

If the state neglects to criminally prosecute
one case, it invalidates any reasonable expectation of impartiality before the law when prosecuting another.
[ link to this | view in chronology ]
Anonymous Coward, 15 Jul 2016 @ 3:46pm

All anyone in Hillarys campaign would have to do is use a VPN when accessing the trump campaign website, problem solved. Just use a VPN that keeps no logs, then just run KillDisk on the hard disk of that computer to erase any evidence of what happened.
[ link to this | view in chronology ]
- Mike Masnick (profile), 15 Jul 2016 @ 3:51pm
  
  Re:
  All anyone in Hillarys campaign would have to do is use a VPN when accessing the trump campaign website, problem solved. Just use a VPN that keeps no logs, then just run KillDisk on the hard disk of that computer to erase any evidence of what happened.
  
  Nope. Power.com specifically routed around it by changing IPs when Facebook blocked its original IP. Same would likely apply here.
  [ link to this | view in chronology ]
  - Anonymous Coward, 15 Jul 2016 @ 6:28pm
    
    Re: Re:
    But a VPN, with no logs, would make it all but impossible to trace, and using KillDisk, to wipe the evidence off your hard disk, would leave no evidence.
    [ link to this | view in chronology ]
    - Anonymous Coward, 17 Jul 2016 @ 9:37am
      
      Re: Re: Re:
      If the attacker can log all packets into and out of the VPN, they have a good chance of figuring out who is using to connect to who, at least for a large number of packets over a connection, using statistical analysis of sources and destinations, allowing a maximum delay through the VPN. Using an add blocker makes it easier, by eliminating a lot of noise.
      [ link to this | view in chronology ]
  - Anonymous Coward, 17 Jul 2016 @ 5:12am
    
    Re: Re:
    The better question:
    
    If a minion of the HRC campaign goes to Trumps site (presumably to share recipes for eating babies and incanting pestilence), are the means that Trumps site used to determine the identity of the user legal? Certainly the user didn't consent to having their activities monitored by their competitor?
    
    So yes he can send them a cease and desist letter, but no, he shouldn't really be able to know whether they did cease and desist or not. And if he can, then THAT is what needs to be investigated.
    [ link to this | view in chronology ]
    - That One Guy (profile), 17 Jul 2016 @ 2:57pm
      
      Re: Re: Re:
      Given there's already been one judge who excused a malware infection by a government agency with the absolutely brilliant logic of 'computers get hacked all the time, so it's fine to hack/infect computers if you work for the government', at least one other judge(perhaps several) who have ruled that even if you deliberately attempt to mask your identity online you don't have any expectation of privacy...
      
      Yeah, have fun with the 'investigation' in that hypothetical.
      [ link to this | view in chronology ]
Anonymous Coward, 15 Jul 2016 @ 3:50pm

As if the Clintons were interested in following the law.
[ link to this | view in chronology ]
jms (profile), 15 Jul 2016 @ 3:55pm

Archive
Would this theoretical also bar the viewing of the site on archive.org or a Google cache version? Or would the CFAA fall only on the access of the actual web server?

I would expect the access of the web server, but... now days, who knows:
"The content is the same, so it's effectively the same thing!"
[ link to this | view in chronology ]
Padpaw (profile), 15 Jul 2016 @ 4:02pm

neither candidate seems to make choices based in reality so expecting any outcome based off of laws is random.
[ link to this | view in chronology ]
Anonymous Anonymous Coward (profile), 15 Jul 2016 @ 4:37pm

Already Proven
Wouldn't the FBI's attitude toward a certain email scandal by a certain candidate* for high office show that no candidate could do any wrong? The CFAA is a minor law compared with disseminating classified information, so it would get even less scrutiny.

*No I cannot say the names of either candidate...so disgusted.
[ link to this | view in chronology ]
Whatever (profile), 16 Jul 2016 @ 10:12am

Short answer NO
The short answer here is no, for a whole bunch of reasons.

First and foremost, the Trump 4 Ruler website is a public site. That is to say, it's open to everyone without restriction. No password is required to access the site, you are not entering a secured area.

If those moved to bar them (say by issuing a cease and desist) it would likely not be valid on it's face, as it could be considered discriminatory. Otherwise, Trump could also issue a general Muslim ban as well. Denying service (even a free service) in a discriminatory manner won't fly and won't hold water.

It's a nice attempt to muddy the waters of the law. Reality sets in pretty quick when you realize the difference between an open website and a secured "employees only" server. Even a non-techie judge could catch that simple concept.
[ link to this | view in chronology ]
Uriel-238 (profile), 16 Jul 2016 @ 10:33am

I assume agencies are immune?
Can I block the NSA, FBI, CIA, etc. from looking at my websites, email, etc. via a C&D?

It'd be swell if we could create a website to automate the process of filing them for anyone who wants to make their privacy official.
[ link to this | view in chronology ]
Ken Mitchell, 18 Jul 2016 @ 10:51am

Nosal Was GUILTY of CFAA
While it's true that "hard cases make bad law", there's no doubt whatsoever that Nosal was objectively guilty of CFAA violations AND was guilty of genuine crimes. This isn't a "You're going to jail for sharing your NetFlix password" case. Nosal was trying to steal client information from his previous employer by getting into his previous employer's computer systems using credentials that he was not supposed to have.
[ link to this | view in chronology ]