New Indictment Tries To Tie Julian Assange To A Hacking He Had Nothing To Do With

from the several-versions-of-truth-and-this-one-is-the-DOJ's dept

The government is still trying to get Julian Assange out of the UK so it can ring him up on a variety of charges related to obtaining and publishing a large number of sensitive documents. Most of the charges are still related to the documents obtained from Chelsea Manning. The DOJ wants to use the oft-abused CFAA to put Assange behind bars because he supposedly helped Manning hack a CIA database.

Another indictment [PDF] has been issued by the DOJ, making this its third attempt to throw the book at Assange. If the DOJ can prove Assange contributed to hacking attempts, it may end up with a case worth pursuing. But much of what the indictments deal with is normal journalism behavior: the cultivation of sources and the encouragement of sources to locate/leak newsworthy documents. The blurry line the DOJ is walking on is the same line the previous administration seemed to feel wasn't worth crossing, no matter how much harm/embarrassment Assange had caused with the release of sensitive documents.

The latest indictment expands the government's espionage theories. The government's second superseding indictment deals with Assange's alleged "unlawful overt acts:" the hacking attempts supposedly made targeting Defense Department computers, possibly with the aid of Chelsea Manning and other Wikileaks associates.

Much of this expanded narrative seems to rely on the input of FBI informants, including Sigurdur Thordarson, who was convicted twice for sex with minors after he began working for the FBI in 2011. Sketchy contributors aside, there are some major omissions in the government's narrative.

First, as Dell Cameron points out for Gizmodo, the indictment casually ignores the government's contribution to cyber attacks on American businesses located overseas, as well as some foreign government targets. But there is a significant omission in the new indictment. And the purpose of this crucial admission appears to be an attempt to link Assange to a data breach he never participated in.

A section of the indictment titled “Sabu, Hammond, and ASSANGE” begins on the date December 25, 2011, and refers to an attack on servers belonging to a private firm identified only as “Intelligence Consulting Company.” This is obviously Stratfor, the Austin-based private intelligence company whose millions of pilfered emails comprise the WikiLeaks drop known as the Global Intelligence Files.

DOJ omits several crucial details about the Stratfor hack in its attempts to name Assange as a conspirator in a breach that happened without his knowledge. Most notably, prosecutors exclude that the actual breach of Stratfor’s security, in late 2011, occurred 83 days prior to the events they describe, unknownst by anyone DOJ identifies as part of the conspiracy, including Assange.

Assange and Wikileaks may have helped distribute the documents obtained in the breach and there does appear to be evidence Assange provided the hackers with some tools for searching the stash of five million emails, but there's nothing in the indictment that ties Assange to the underlying hacking. The only thing in the indictment is stuff the DOJ is generously calling "evidence."

At best, these are copies of exchanges taken from chat rooms in which a user claims to be Assange, which is not likely to hold up in court.

To be sure, indictments are often a pile of helpful omissions designed to speedily initiate prosecutions. But the more the government adds to its accusations, the more glaring its omissions become. This case was already problematic -- willing to walk right up to the First Amendment and dare it to do something about it. Now it's become more farcical, with the government accusing someone of doing something it appears clear they didn't do and bolstering it with half-truths about the FBI's own involvement in malicious hacking efforts.

Filed Under: cfaa, doj, extradition, hacking, indictment, julian assange, leaks
Companies: stratfor, wikileaks

Court Filings Show NSO Group Ran Malware Attacks Through Servers Located In California

from the not-immune-from-its-own-carelessness dept

Things are getting even more interesting in Facebook's lawsuit against Israeli malware merchant, NSO Group. Facebook was getting pretty tired of NSO using WhatsApp as an attack vector for malware delivery, which resulted in the company having to do a lot more upkeep to ensure users were protected when utilizing the app.

Unfortunately, Facebook wants a court to find that violating an app's terms of service also violates the CFAA -- something most of us really don't want, even if it would keep NSO and its customers from exploiting messaging services to target criminals, terrorists… and, for some reason, lots of journalists, dissidents, and activists.

NSO finally responded to Facebook's lawsuit by saying it could not be sued over the actions of its customers. Its customer base is mainly government agencies -- including some especially sketchy governments. NSO claims all it does is sell the stuff. What the end users do with it is between the end users and their surveillance targets. Since its customers are governments, sovereign immunity applies… which would dead-end this lawsuit (wrong defendant) and any future lawsuits against governments by Facebook (the sovereign immunity).

NSO's claims it can't be touched by this lawsuit are falling apart. Citizen Lab researcher John Scott-Railton pointed out on Twitter that Facebook's latest filings point to NSO operating its malware servers from inside the United States -- apparently doing far more than simply selling malware to government customers and letting them handle the deployment details.

Facebook's answer to NSO's attempt to dismiss the lawsuit concedes NSO's point: it is not its customers. But that's precisely why it can be sued. From Facebook's response [PDF]:

A flawed premise runs through the motion to dismiss (“MTD”). Defendants contend that they cannot be held responsible for designing and marketing spyware and then deploying it using WhatsApp’s U.S.-based servers, including in California, to hack into WhatsApp users’ devices. Instead, Defendants pin blame on unidentified foreign sovereigns. That argument fails at every turn: Defendants cannot cloak themselves in their putative clients’ immunity; they are accountable for suit in a California court; and the Complaint states valid claims for relief based on Defendants’ unauthorized access to and hijacking of WhatsApp’s servers.

[...]

The statute confers immunity only on foreign states—not private companies who develop and operate their own technology and then claim to act on a foreign state’s behalf.

The claim that NSO Group operates from California (making this venue appropriate for the lawsuit) isn't some distended stretch where malware briefly passed through WhatsApp servers in the US on its way to its targets. Declarations [PDF] by Facebook's expert witnesses show NSO is routing malware deliveries through California data centers. This is only a small part of the list of IP addresses linked to NSO deployments Facebook has uncovered.

Attached as Exhibit 1 is a true and accurate screenshot from IP2Location.com obtained on April 22, 2020, for IP address 104.223.76.220. Exhibit 1 shows that IP address 104.223.76.220 is currently located in Los Angeles, California, and is owned by QuadraNet Enterprises LLC.

According to historical IP address location information from Maxmind.com for IP address 104.223.76.220 obtained through the website archive.org, IP address 104.223.76.220 was located in Los Angeles, California, and owned by QuadraNet Enterprises LLC as of May 28, 2019. Attached as Exhibit 2 is a true and accurate screenshot of the Maxmind.com csv.zip file available for download at archive.org that contains historical IP location information. Attached as Exhibit 3 is a true and accurate screenshot of the unzipped Maxmind.com csv.zip file showing the date of the files as May 28, 2019. Attached as Exhibits 4a, 4b, and 4c are true and accurate screenshots of the netblock for IP address 104.223.76.220 showing the location and ownership of IP address 104.223.76.220 as of May 28, 2019.

This is the upshot of Facebook's investigation of NSO's WhatApp-based efforts:

NSO used QuadraNet’s California-based server more than 700 times during the attack to direct NSO’s malware to WhatsApp user devices in April and May 2019.

These filings appear to show something very different than what NSO Group has claimed. It is not a blind provider of malware to government agencies. This indicates NSO is purchasing and operating servers stateside that its customers use to deploy malware. And if it runs these servers, then it quite possibly knows who its customers are targeting. This is far more involved than its sworn statements have said. The plausible deniability it's trying to project just isn't that plausible.

Facebook's response points out the logical leap NSO is demanding from the court.

The Complaint alleges targeting of 1,400 separate devices, Compl. ¶ 42, and NSO does not specify who it was working for in each attack. Instead, NSO relies on a conclusory declaration from its CEO Shalev Hulio stating that “NSO markets and licenses its Pegasus technology exclusively to sovereign governments and authorized agencies,” and those sovereigns—not NSO—“operate [the] Pegasus technology.” Hulio Decl. ¶¶ 9, 14-15. But Hulio fails to identify any specific foreign sovereign for whom NSO worked—let alone cite a single contract or any evidence establishing NSO’s purportedly limited operational role.

NSO's options are all unappealing at the moment. It can't hope to settle since its customers aren't going to be willing to give up exploitation of an encrypted messaging app used by millions of people around the world. It also can't be looking forward to continued litigation since that's only going to mean more exposure of its actions and inner workings as the lawsuit drags on. But these are the risks you take when your favored attack vector is another company's service and your payload deliveries route themselves through rented/purchased servers located in the United States.

NSO turned itself into a villain by selling its products to governments wanting to target dissidents, journalists, activists, and attorneys. A little more judiciousness would have gone a long way. Running attacks through services owned by one of the most powerful tech companies in the world may have provided NSO's customers with a broad user base to attack, but it also ensured it would find itself in court facing a well-funded and well-equipped adversary.

Filed Under: cfaa, hacking, jurisdiction, spying, surveillance
Companies: facebook, nso group, whatsapp

The Supreme Court Is Being Asked To End Questionable CFAA Prosecutions

from the but-will-it? dept

The Supreme Court is being asked to resolve a circuit split on the reach of the Computer Fraud and Abuse Act. The CFAA has done a lot of damage to security researchers and others who violate terms of service agreements. The "others" include everyday Americans who have no idea they might be violating federal law when they do things like give fake information to social media companies or use work computers for personal reasons.

The CFAA case SCOTUS is being asked to look at involves something a bit more serious than that. It deals with a police officer who took money to search a license plate database for someone who had no legal access to it. Here's a brief description of what triggered the prosecution from the Eleventh Circuit Appeals Court.

During the interview [with the FBI], Van Buren admitted he had concocted a fake story about his son’s need for surgery to justify asking Albo for $15,000. He also conceded he had received a total of $6,000 from Albo. In addition, Van Buren confessed he had run a tag search for Albo and he knew doing so was “wrong.” And while Van Buren asserted that $5,000 of the money he received from Albo was a “gift,” he did reply “I mean he gave me $1,000” when asked if he received anything in exchange for running the tag. Finally, Van Buren conceded he understood the purpose of running the tag was to discover and reveal to Albo whether Carson was an undercover officer.

The Appeals Court tossed out the honest services fraud charge but left the CFAA conviction intact. The end result was a split with other circuits which have declared simply violating a site or system's terms of service cannot trigger criminal charges under the CFAA.

Here's why the case is important, as summarized by Orin Kerr for the Volokh Conspiracy:

The split is clear and acknowledged, and it's crazy important. The CFAA either makes most people or very few people criminals. Indeed, I have testified under oath that I am a criminal in the Eleventh Circuit. I violate Facebook's terms of service by giving a false location, which according to the DOJ and the Eleventh Circuit is a federal crime every time I visit Facebook. You probably ignore terms of service, too. So the stakes are pretty high. The stock line I have when I lecture about the CFAA is that no one can know what the statute means until the Supreme Court finally resolves the split. And I've been offering that line for years, as the split has lingered without being resolved.

This case has the potential to decriminalize acts that should never have been criminalized in the first place. The DOJ has stated it won't pursue prosecutions for mere terms of service violations and yet here's a case where it's doing exactly that. The underlying facts suggest something far more troubling than lying about your exact location when logging into a social media service, but it's the broad reading of the CFAA by the Eleventh Circuit that threatens to do a lot of damage to computer users around the nation. This is the reading the DOJ pursues in that jurisdiction and it will apparently continue to do so until told otherwise.

And it doesn't want to be told otherwise. The DOJ is asking the Supreme Court to take a pass on this case and allow it to pursue questionable CFAA prosecutions in any circuit where this remains unresolved. The DOJ may promise to use its prosecution powers with more discretion when its prosecutorial tactics are challenged in court (as in this case before the DC Appeals Court) but the facts of this case don't bear that out. It has been more than happy to abandon cases in other circuits where rulings have forbidden prosecutions for broad readings of unauthorized access. But in the circuits where it can still get away with it, it still pursues these prosecutions it tells other circuits it's not interested in pursuing.

No one wants to see a crooked cop cut loose because the government chose to pursue a prosecution under a badly-written law. But we don't want to see a bunch of people far less odious than this particular officer prosecuted by the DOJ for far more innocuous activities.

Filed Under: cfaa, scotus, supreme court, terms of service, van buren

NSO Fires Back At Facebook, Says It's Not Responsible For Malware Deployments By Foreign Governments

from the fair-point-but-doesn't-really-make-NSO-Group-look-any-better dept

NSO Group has finally decided to engage in the lawsuit Facebook filed against it late last year. The Israeli surveillance tech company has shown itself to be pretty cavalier about its market expansion plans. Despite being located in a country surrounded by unfriendly governments, NSO is more than willing to give Israel's enemies something to use against it. Its client list includes Saudi Arabia, United Arab Emirates, Bahrain, and Kazakhstan.

Facebook's lawsuit is questionable and if it wins, it would cause a lot of damage. Facebook is unhappy NSO software uses WhatsApp to deliver malware payloads to targets. But seeking precedent that would criminalize terms of service violations isn't going to help anyone, much less stop NSO from using encrypted messaging apps as attack vectors.

NSO is now firing back. And it makes a point that's true, if not all that sympathetic. It is not its customers. Much like the gun dealer who sells the gun eventually used in a mass shooting, NSO's sales of malware to governments that use them in questionable ways isn't really NSO's fault. It may have provided the surveillance tech, but it is not telling governments who to target or participating in the surveillance directly.

In its first substantive legal filing in the case, filed last week, NSO hit back at WhatsApp and its parent company, Facebook, which it said were seen by governments as “safe spaces for terrorists and other criminals” who – without NSO’s services – could operate “without fear of detection by law enforcement”.

NSO Group also argued that WhatsApp had “conflated” NSO Group’s actions with the actions of NSO’s “sovereign customers”. While NSO Group licenses its signature spying technology, Pegasus, to government law enforcement and intelligence agencies and assists with “training, setup, and installation”, it said it did not operate the technology.

This is NSO arguing it cannot be held responsible for the actions of others. If Facebook doesn't like what these governments are doing with NSO's tech, it's welcome to sue those governments directly. Not that those lawsuits would succeed. We're not the only nation that extends sovereign immunity to government agencies. That's standard operating procedure around the world. This is what NSO is hoping will convince the court to toss the suit.

“For that reason,” the company said in the filing, “permitting this litigation to proceed would infringe critical national security and foreign policy concerns of sovereign governments”.

NSO is also fighting back with a little dirt of its own. Long before it was sued by Facebook, it spent a little time discussing its spyware with the company.

In October 2017, NSO was approached by two Facebook representatives who asked to purchase the right to use certain capabilities of Pegasus, the same NSO software discussed in Plaintiffs' Complaint.

The Facebook representatives stated that Facebook was concerned that its method for gathering user data through Onavo Protect was less effective on Apple devices than on Android devices. The Facebook representatives also stated that Facebook wanted to use purported capabilities of Pegasus to monitor users on Apple devices and were willing to pay for the ability to monitor Onavo Protect users. Facebook proposed to pay NSO a monthly fee for each Onavo Protect user.

Onavo was Facebook's VPN -- one that had little to do with offering privacy to its users. It may have shielded them from others attempting to take a look at their web traffic, but it didn't do anything to prevent Facebook from collecting tons of data on users, which included a whole lot of minors. It was booted from Apple's App Store in 2018 for hoovering up too much sensitive data. Roughly six months later, Facebook killed the faux VPN for good.

Facebook claims this is an "inaccurate" portrayal of its meeting with NSO, but it's not like Facebook has much credibility on the privacy front. Its thirst for data has been unquenchable and its mitigation attempts have been provoked by Congressional inquiries and years of work by privacy activists. It hasn't suddenly become altruistic.

Facebook is right to be concerned about the use of WhatsApp to spread malware. But this lawsuit that attempts to use the already badly-abused CFAA to cover things Facebook doesn't like other people doing is going to cause collateral damage to researchers and journalists, rather than prevent NSO from selling WhatsApp-exploiting malware to government agencies.

Filed Under: cfaa, governments, hacking, liability, malware, privacy
Companies: facebook, nso, whatsapp

DC Court Says Terms Of Service Violations Can't Trigger Federal CFAA Prosecutions

from the forcing-discretion-on-DOJ-prosecutors dept

In a win for researchers and the ACLU, a federal court has ruled that violating a site's terms of service is not a criminal violation of the CFAA.

The ACLU filed this lawsuit in 2016, representing researchers, scientists, and journalists who were looking into whether employment websites engaged in discriminatory behavior. To do so, the researchers needed to deliberately violate the terms of service of the websites they were studying by creating bogus accounts and providing other false information.

Since the CFAA has been the go-to law for companies seeking to silence security researchers and critics, the ACLU and its plaintiffs raised a pre-enforcement challenge, seeking a ruling declaring this work legal before the DOJ had a chance to abuse this terrible law to shut the research down.

The DC federal court doesn't go so far as to extend First Amendment protection to these actions, but it does hold, importantly, that the CFAA does not criminalize terms-of-service violations. From the decision [PDF]:

The Court agrees with the clear weight of relevant authority and adopts a narrow interpretation of “exceeds authorized access.” Without weighing in on the circuit split over employers’ computer-use policies, the Court concludes that violating public websites’ terms of service, as Wilson and Mislove propose to do for their research, does not constitute a CFAA violation under the “exceeds authorized access” provision.

The DOJ tried to argue the plaintiffs had no case because it would never in a million years even think about bringing a CFAA prosecution over terms of service violations. The court says the government's own words and actions contradict its assertions.

The government argues that plaintiffs fail to establish a credible threat of prosecution under the CFAA, contending that (1) plaintiffs’ testimony shows that they do not fear prosecution (and, indeed, already have engaged in such research); (2) past CFAA prosecutions do not establish a credible threat that plaintiffs’ proposed conduct will be prosecuted; and (3) the government’s charging policies and public statements undercut plaintiffs’ attempt to establish a credible threat of prosecution.

[...]

[E]ven assuming the absence of prior prosecutions, but see Sandvig, 314 F. Supp. 3d at 19–20 (discussing two previous prosecutions under the Access Provision), plaintiffs still are not precluded from bringing this pre-enforcement action. When constitutionally protected conduct falls within the scope of a criminal statute, and the government “has not disavowed any intention of invoking the criminal penalty provision,” plaintiffs are “not without some reason in fearing prosecution” and have standing to bring the suit.

It's not enough for the government to declare it probably won't pursue ToS-violation prosecutions, the court says.

[T]he government points to guidance from the Attorney General that “expressly cautions against prosecutions based on [terms-of-service] violations,” as well as statements to Congress by Department of Justice officials, as evidence that plaintiffs face no credible threat of prosecution. Gov’t’s Opp’n at 16–17. But the absence of a specific disavowal of prosecution by the Department undermines much of the government’s argument.

All we're left with is the DOJ's prosecutorial discretion, which is extremely suspect and not backed by any statements from officials that would assure the plaintiffs the government would not choose to take action against them in the future.

Discovery has not helped the government’s position. John T. Lynch, Jr., the Chief of the Computer Crime and Intellectual Property Section of the Criminal Division of the Department of Justice, testified at his deposition that it was not “impossible for the Department to bring a CFAA prosecution based on [similar] facts and de minimis harm…" Although Lynch has also stated that he does not “expect” the Department to do so, Aff. of John T. Lynch, Jr. [ECF No. 21-1] ¶ 9, “[t]he Constitution ‘does not leave us at the mercy of noblesse oblige...’”

This may keep the DOJ off researchers' backs but it won't shield them from lawsuits from the targeted sites.

The Court concludes that agreeing to such contractual restrictions, although that may have consequences for civil liability under other federal and state laws, is not sufficient to trigger criminal liability under the CFAA.

This at least will deter the DOJ from pursuing these prosecutions in its "home" court. Most CFAA action still takes place in the Ninth Circuit, where most tech companies are located. Opinions on civil CFAA cases have been hit and miss, but at least one major case (LinkedIn v. HiQ) saw the court come down on the side of the party doing the scraping, a violation of LinkedIn's terms of service. This decision is being appealed, but for now, it still stands.

The research can move forward without the threat of government prosecution dangling over its head. That's a start.

Filed Under: cfaa, criminal, doj, research, security research, terms of service
Companies: aclu

LinkedIn Appeals Important CFAA Ruling Regarding Scraping Public Info Just As Concerns Raised About Clearview

from the this-could-get-interesting dept

Last fall we were happy to see the 9th Circuit rule against LinkedIn in its CFAA case against HiQ. If you don't recall, the CFAA is the "anti-hacking" law that has been widely abused over the years to try to shut down perfectly reasonable activity. At issue is whether "scraping" information violates a terms of service, and thus, the CFAA. A few years back, the same court ruled in favor of Facebook against Power Ventures, saying that even though Power's users gave permission to Power and handed over their login credentials, Power was violating the CFAA in scraping Facebook, because the information was behind a registration wall -- and because Facebook had sent a cease-and-desist.

In the HiQ case, despite what seemed to be a similar fact pattern, the court ruled against LinkedIn, saying it could not block HiQ's scraping via a CFAA claim, with the main "difference" being that LinkedIn information was publicly viewable, and therefore should be open to scraping. I still don't quite see the difference between the cases -- because in the Facebook situation, once you have a login, the information is effectively available in the same manner, but that is how the courts ruled. After first asking (and not getting) an en banc review (and then asking for more time), LinkedIn has now asked the Supreme Court to weigh in on this issue (hat tip to Media Post). I worry that the court might make things much worse if it does take the case, and block all kinds of scraping.

Of course, one thing that's notable since the 9th Circuit ruling came down -- all of the attention that Clearview AI has received over the last few months, for its frightening facial recognition app, built of of scraping "public" social media images and profiles. This use of scraping has convinced some -- even some who seemed to support the HiQ ruling -- that perhaps there should be limits on scraping. I think that's a kneejerk reaction, and focusing in too narrowly on the wrong issue. The issue there is not with scraping, but with the specific use of the data as an attack on privacy going well beyond the internet itself (i.e., tracking and identifying people out in the real world). It's one thing to focus on that issue, as opposed to saying that's an argument against free scraping.

At a time when we're so worried about competition, the ability to scrape is incredibly important. It's how competitors can be built in a world with network effects. If other companies can build compatible services, without having to do a deal with Facebook or Linkedin or YouTube or Twitter, that enables more competition much more easily. And yet, too many efforts are being made to cut off that kind of interoperability. The LinkedIn case is just one example. If the Supreme Court does take it up, let's hope they recognize just how important this kind of adversarial interoperability can be, rather than buying into some nonsense about how scraping must be blocked and not allowed.

As for the petition itself, the question LinkedIn is asking the Court to review is whether or not bots can scrape websites, even after receiving a cease-and-desist letter:

Whether a company that deploys anonymous computer “bots” to circumvent technical barriers and harvest millions of individuals’ personal data from computer servers that host public-facing websites—even after the computer servers’ owner has expressly denied permission to access the data—“intentionally accesses a computer without authorization” in violation of the Computer Fraud and Abuse Act.

While I can understand the Clearview-like horror stories some may put forth about this activity, to allow companies to block all scraping like this would create huge problems for both a functioning internet (hello search...) as well as competition.

Filed Under: cfaa, interoperability, scotus, scraping, supreme court
Companies: hiq, linkedin

Malware Marketer NSO Group Looks Like It's Blowing Off Facebook's Lawsuit

from the why-bother-being-accountable-in-any-minimal-fashion dept

In late October of last year, Facebook and WhatsApp sued Israeli surveillance tech provider NSO Group for using WhatsApp to deliver device-compromising malware. The lawsuit sought to use the CFAA to stop NSO from using WhatsApp as an attack vector.

The lawsuit is dangerous. It asks the court to read the CFAA to cover attacks targeting users' accounts, rather than attacks on the service provider itself. The CFAA is already problematic enough without this sort of expansion. WhatsApp users certainly appreciate the efforts the developers make to protect them from malware, but asking a court to reinterpret an easily-abused law just so Facebook can go after NSO isn't an acceptable solution.

NSO has been the target of non-stop criticism due to its willingness to sell malware and surveillance tech to countries with long histories of human rights violations. Its malware has also been observed targeting activists, dissidents, journalists, and critics of the governments that have deployed NSO malware.

Facebook's lawsuit is going nowhere fast. While it's not uncommon for there to be a delay between the filing of a complaint and the defendant's response, NSO hasn't filed anything -- not even a notice of appearance from its corporate counsel -- since the filing of the suit.

Facebook wants the court to take notice of this no-show. It's asking for the upcoming case management to be postponed indefinitely since it has heard nothing at all from NSO. But the administrative motion [PDF] is not just there to deal with a logistical problem. It's there to let the court know NSO isn't cooperating with the litigation.

After filing the Complaint, Plaintiffs promptly sought to serve Defendants under the Hague Convention, which was effected on December 17, 2019.Plaintiffs also contacted Defendants via email, physical mail, and hand service, but have not received any response. As of the date of this filing, no counsel has entered an appearance in this matter on Defendants’ behalf, nor have Defendants filed an answer to the Complaint. Thus, Plaintiffs cannot fulfill their obligations under the Court’s initial case management scheduling order (ECF No. 9), including the obligations to meet and confer regarding initial disclosures, early settlement, ADR process selection, and a discovery plan.

The NSO is certainly welcome to sit this one out. It's not like blowing off the WhatsApp lawsuit will do anything to its reputation that NSO hasn't already done to it by selling hacking tools to authoritarians. It's possible Facebook will receive a default judgment if NSO decides this is a waste of its time. Even if it did, what use would it be? NSO isn't going to stop marketing malware that can be deployed via messaging services and the governments it sells to aren't going to stop targeting WhatsApp users just because a court in California says it violates the CFAA.

This lawsuit is mostly for show. On the odd chance NSO decides to participate, discovery could expose some of its inner workings and the clients it sells this brand of malware to. NSO isn't going to risk that. It makes more sense to let Facebook flail away ineffectively with a civil suit that will have absolutely no effect on its business model.

Filed Under: cfaa, default judgment, lawsuits, spyware
Companies: facebook, nso group

Insider Threats: DOJ Says Twitter Employees Spied On User Accounts For Saudi Arabia

from the internal-controls-matter dept

We live in interesting times. A year ago, the NY Times had reported that the Kingdom of Saudi Arabia was aggressively using Twitter to keep tabs on and harass critics of the government. As part of that story, it also claimed that the Saudis might have a "mole" within the company in the form of Ali Alzabarah, who had risen through the engineering ranks to a point where he could access information on people the Saudi government was interested in. That story only noted that Western intelligence agencies had alerted the company that the Saudis were "grooming" Alzabarah. Now, the DOJ has charged two former Twitter employees, including Alzabarah, along with a third individual who worked in social media marketing, with spying for the Saudis. The complaint is worth reading.

It shows how officials appeared to groom the Twitter employees, starting with Ahmad Abouammo, who was (for a time) a marketing manager at Twitter, but who left the company in 2015. It describes how Saudi officials built up a relationship with him, setting up a tour of Twitter's headquarters, and then later providing gifts, such as an expensive watch. Soon after, Abouammo is accused of accessing information on Saudi critics and dissidents;

Within one week of ABOUAMMO's meeting in London with Foreign Official-1, ABOUAMMO began access private Twitter user information of interest to Foreign Official-1 and the Saudi Royal Family.

On December 12, 2014, ABOUAMMO accessed Twitter User-1's email address through Twitter's computer systems. Based on the FBI's review of Twitter User-1's public postings, Twitter User-1 was a prominent critic of the Kingdom of Saudi Arabia and the Royal Family with over 1,000,000 Twitter followers. ABOUAMMO accessed Twitter User-1's email address again on January 5, 2015, January 27, 2015, February 4, 2015, February 7, 2015, February 18, 2015, and February 24, 2015.

On or about January 17, 2015, Foreign Official-1 began communicating with ABOUAMMO on ABOUAMMO's personal email in addition to his Twitter email account. On January 17, 2015, Foreign Official-1 emailed ABOUAMMO at ABOUAMMO's personal email and stated only "as we discussed in london..." Foreign Offical-1 attached to the email a document that discussed how Twitter User-1 had violated both Twitter policy and Saudi laws. On January 20, 2015, Foreign Official-1 called ABOUAMMO twice (the calls lasting 19 seconds and 51 seconds, respectively). On January 22, 2015, Foreign Official-1 called ABOUAMMO seven times (no answer, 6 seconds, 5 seconds, 3 seconds, 4 minutes 37 sections, 3 minutes 36 seconds, and 39 seconds, respectively). ABOUAMMO also accessed the email address provided by user @KingSalman the same day. The handle @KingSalman was the Twitter Account for Saudi King Salman bin Abdulaziz Al Saud. Foreign Official-1 called ABOUAMMO on January 23, 24, and twice on January 25, 2015 (1 minute 57 seconds, no answer, 1 minute 57 seconds, and 6 seconds, respectively). On January 27, 2015, ABOUAMMO accessed Twitter User-1's user email address again. The next day, Foreign Official-1 called ABOUAMMO three times (11 seconds, 5 seconds, and no answer).

It goes on like this with the Saudi official sending "reports" about different accounts claiming they violate Twitter's policies -- which had nothing to do with Abouammo's role in marketing. And then comes this:

On February 19, 2015, ABOUAMMO created an online user ID and password to access the Bank Audi Account his close relative opened in Lebanon on February 3, 2015. On February 24, 2015, ABOUAMMO accessed Twitter User-1's email address and phone number. On the same day, a $9,963 wire transfer was sent from the Lebanon Bank Audi Account to ABOUAMMO's Bank of America account...

There are a few more such transactions. Even after Abouammo quits Twitter (to go to Amazon) he apparently continues to receive money, and would reach out to former colleagues at Twitter to try to access the information the Saudis were seeking. Also, according to the DOJ, Abouammo lied to the FBI (not a good idea), then tried to "alter" documents he gave to the FBI (a very, very bad idea). Indeed, the DOJ's complaint suggests that while the FBI was talking to him, he asked to go use his computer without them present, and then presented them with what they believe to be a doctored invoice.

During the interview, ABOUAMMO offered to obtain a copy of the consulting contract from a desktop computer that he claimed was in his bedroom, and requested that the Agents not follow him to the bedroom. A few minutes later, ABOUAMMO emailed an undated invoice to the email address of a Palo Alto, California based FBI Special Agent.

I believe that ABOUAMMO created the invoice in his residence on a computer while Agents were waiting for ABOUAMMO to provide them with the invoice that was discussed. The address on the invoice for services ABOUAMMO said were rendered in 2015 and 2016 was ABOUAMMO's current address, however, public records show that the property was built in 2017 and ABOUAMMO did not purchase it until August 2017, and the metadata properties associated with the file emailed to the FBI indicates that the file was created on the date of the interview (i.e., October 20, 2018)....

Yeah, don't do that.

As for Alzabarah, the DOJ has details of him flying to DC to meet with various Saudi officials, and then upon returning to work getting pretty damn busy getting info on Twitter users critical of the Saudi government.

Within one week of returning to San Francisco, ALZABARAH began to access without authorization private data of Twitter users en masse. Specifically, although ALZABARAH had not access the private user data of any Twitter Accounts since February 24, 2015, starting on May 21, 2015, through November 18, 2015, ALZABARAH accessed without authorization through Twitter's computer systems the Twitter user data of over 6,000 Twitter users, including at least 33 usernames for which Saudi Arabian law enforcement had submitted emergency disclosure requests to Twitter. A Twitter Security Engineer informed the FBI that, although ALZABARAH may have had grandfathered access to view user information through an internal Twitter tool called "Profile Viewer," ALZABARAH had no legitimate business purpose as a Site Reliability Engineer to access user accounts. ALZABARAH's job was to help keep the site up and running, which did not involve accessing individual user accounts.

The DOJ then notes that the Saudi official had email notes detailing the locations of some of the key Twitter users that Alzabarah was looking up for them. Alzabarah also created notes for himself about whether or not he was eligible for reward money the Saudi government was offering for information on certain "terrorists." There are also notes about "secur[ing]" his "future and my family's." Alzabarah later fled the US and apparently resigned from Twitter via email after his flight took off from LA.

This is all kind of fascinating. For all the concerns about outside hacking, insider attacks are still considered a much bigger threat and much harder to detect or prevent. While it does sound like there were some lax controls in place to prevent people who shouldn't have access to certain information from getting to that info, that's not all that unexpected in Silicon Valley (and an area that many companies need to significantly improve in). The complaint does suggest that Alzabarah made "unauthorized" access to this information, even though he was allowed to access a tool. That certainly suggests criminal CFAA charges, and some aspects of that seem problematic. While it does appear that there are other laws Alzabarah broke, arguing it's a CFAA violation to use tools he was granted access to seems like a stretch. And, of course, there are broader questions with Abouammo and why he even had access to any of this data at all.

If anything, hopefully these charges wake up many Silicon Valley companies to the value and importance of better internal controls on how data is made accessible. In the rush to build up companies, insider controls are often one of the last things companies care about (if no one uses a service, who cares, and if a service is growing like gangbusters, then there are many other, more important issues to focus on). But companies need to recognize that when these services are used as broadly as they are, they become an attack vector, and employees are often targeted by governments to try to access information. Of course, it's always going to be impossible to stop all access to information -- hell, even the NSA has had to deal with poor controls and "insider" attempts to access information (see: Snowden, Ed). But it does seem increasingly important for companies to be aware of how valuable their data might be to governments, and do more to protect it.

Filed Under: ahmad abouammo, ali alzabarah, cfaa, controls, employee access, espionage, insider threats, saudi arabia, spying
Companies: twitter

Facebook's Sues Israeli Malware Marketer With A Lawsuit That Aims To Make An Easily-Abused Law Even More Abusable

from the OK-BOOMER dept

Facebook is suing Israeli exploit developer NSO Group for utilizing WhatsApp to target 1,400 users with malware that allowed NSO's clients to circumvent the chat app's end-to-end encryption.

That NSO is being accused of helping bad people surveill good people is not news. NSO is not very selective when it comes to selling malware, putting its powerful tech in the hands of governments that seem just as likely to target NSO's home country as they are to target local dissidents, journalists, and activists. NSO's software and cavalier approach to sales have been exposed by multiple Citizen Lab investigations, which have outed NSO's sales to blacklisted countries.

Facebook's lawsuit [PDF] basically echoes the findings of Citizen Lab.

In a lawsuit filed in federal court in San Francisco, messaging service WhatsApp, which is owned by Facebook Inc (FB.O), accused NSO of facilitating government hacking sprees in 20 countries. Mexico, the United Arab Emirates and Bahrain were the only countries identified.

WhatsApp said in a statement that 100 civil society members had been targeted, and called it “an unmistakable pattern of abuse.”

Abusive it is, especially when you're trying to tout the benefits of end-to-end encryption, only to have a malware developer show you how easy it is to route around these protections. NSO's malware was spread using WhatsApp's video chat feature, which apparently allowed government agencies to eavesdrop on communications and possibly access device contents.

This isn't the only lawsuit NSO is facing.

NSO came under particularly harsh scrutiny over the allegation that its spyware played a role in the death of Washington Post journalist Jamal Khashoggi, who was murdered at the Saudi Consulate in Istanbul a little over a year ago.

Khashoggi’s friend Omar Abdulaziz is one of seven activists and journalists who have taken the spyware firm to court in Israel and Cyprus over allegations that their phones were compromised using NSO technology. Amnesty has also filed a lawsuit, demanding that the Israeli Ministry of Defense revoke NSO’s export license to “stop it profiting from state-sponsored repression.”

This matters enough to NSO for it to engage in a very limited charm offensive. It has promised to abide by UN guidelines on human rights abuses, which means it's going to have to trim a few countries off its client list. It also claims to have saved the lives of "tens of thousands" of people. It's a great claim to make, especially when no one really expects you to back up it up with evidence or data.

But the lawsuit Facebook is pursuing is questionable, if not a bit dangerous. Facebook likely doesn't have a way to block NSO clients from accessing WhatsApp. It has permanently deleted the accounts of every employee of NSO Group it could find for "violating" Facebook's terms of use. But it's helpless to root out accounts used by NSO's customers, since these aren't nearly going to be as obvious as those belonging to people who list NSO as their employer.

That explains the lawsuit and Facebook's desire to obtain a permanent injunction against NSO Group, blocking it from utilizing WhatsApp to spread malware. But the lawsuit is on pretty shaky legal ground. Worse, if Facebook somehow prevails, the much-abused CFAA will be rewritten in a way that's going to harm plenty of people who've never sold malware to known human rights abusers.

Here's Wired's Andy Greenberg (and defense attorney Tor Ekeland) explaining just one of the problematic aspects of Facebook's lawsuit.

To make that charge stick, WhatsApp will have to show that NSO obtained illegal access to WhatsApp's own systems. Given that NSO's targets were WhatsApp users rather than, say, WhatsApp's servers, they'll have to find an argument that they, as the plaintiff, were the victim. "The fundamental question is, what’s the unauthorized access?" says Ekeland. "You might be able to argue that NSO hacked WhatsApp and not just their users. Maybe they’re trying to make that argument. But they’re not being clear about it, and that lack of clarity is an attack vector for the defendant."

Facebook's on a clear path if it chooses to stick with the argument NSO violated its terms of service. Those terms specifically forbid reverse-engineering code or sending malware via the app. But even if it's limited to that, the obvious solution is for Facebook to ban NSO from using its services. That may be close to impossible to do since Facebook doesn't have access to its client list or their user accounts. Arguing past that point may cause problems, though.

While it may work out for Facebook to have the CFAA cover "uses of our stuff that we don't like," it's going to harm a lot of other people. Security researchers, regular researchers, and anyone else who might use Facebook's platform or apps in a way Facebook doesn't like could be prosecuted or sued under this definition. While it's plainly advantageous for Facebook to force all users to use its products only in a way it approves, the downside is a garden with higher walls that put users completely at the mercy of Facebook. Since terms of use can be rewritten on the fly and applied immediately, Facebook could go after "violators" who aren't even aware they've actually violated anything.

Adding to Facebook's hurdles is a recent Ninth Circuit Court of Appeals ruling (this lawsuit is filed in the Ninth Circuit) that says scraping a site for data -- even when forbidden by the terms of use -- isn't necessarily a violation of the CFAA. Making this tougher for Facebook is there's no evidence it ever gave NSO prior notice its abuse of WhatsApp was forbidden. The lack of notice makes it a bit more difficult for Facebook to claim NSO knowingly violated the terms by using WhatsApp to distribute malware. It will be tough to prove NSO clients had unauthorized access, especially since Facebook didn't get around to permabanning anyone until after it filed its lawsuit.

I'm no fan of NSO and its client list, but I'm no fan of Facebook's lawsuit, either. An opinion finding using internet services in a way their developers don't like is not the precedent we need -- not if we're going to keep pushing for a safer internet for everyone. It will allow dominant players to establish rules that benefit the platforms and stave off competition from third-party offerings that attempt to address shortcomings major platforms refuse to correct. It will also prevent researchers from making online services safer or better, which will be a net loss for all platform users, even if it prevents a handful of authoritarians from exploiting a single service to target the people they think need more surveilling.

There's a lot at stake here but Facebook can't see past its immediate (and somewhat convenient, given its recent rakings over Congressional coal) desire to appear to be the good guy for once.

Filed Under: cfaa, encryption, hacking, key logger, malware
Companies: facebook, nso group, whatsapp

Big News: Appeals Court Says CFAA Can't Be Used To Stop Web Scraping

from the this-is-good dept

Two years after a lower court correctly decided that LinkedIn couldn't use the CFAA to stop third parties from scraping their site, the 9th Circuit appeals court has upheld that decision in a very important decision for the future of an open web. For a long time we've talked about how various internet companies -- especially the large ones -- have abused the CFAA to stop competition and interoperability. If you're unaware, the CFAA is basically the US's "anti-hacking" law, which was designed to make it a crime (and a civil infraction) to "break into" someone else's computer. But for years it's been interpreted way too broadly (to the point that it's referred to as "the law that sticks" when trying to get someone for "doing something bad on a computer."

While we have tremendous concerns about criminal CFAA prosecutions, the use of CFAA in civil contexts by companies trying to block competition is perhaps just as troubling. We've called out Craigslist and, especially, Facebook for abusing the CFAA to stop companies from building on what they've built and providing a better service. To this day, we remain troubled by the 9th Circuit siding with Facebook in declaring the CFAA an okay tool to block a third party from building a better service for Facebook users and believe (somewhat strongly) that this particular decision and abuse is part of why Facebook is in the position its in today and that there are no significant competitors it faces. In that decision, the 9th Circuit ruled that because Facebook had sent a cease-and-desist letter to Power, any access after that was now "without authorization" and thus violated the CFAA.

And that's part of what makes this new HiQ v. Linkedin decision, done by the very same court, so fascinating. It seems to go the other way. While Facebook was allowed to use the CFAA to stop Power users from scraping content from Facebook (with permission from the account holder), here, the 9th Circuit has ruled that LinkedIn can't (at this stage) use the CFAA to stop HiQ from scraping its site.

The fact that the results in HiQ and Power came out differently deserves some exploration -- and we can highlight ways in which both decisions are weird and troubling. But from a pure policy standpoint, saying that scraping a site does not violate the law is an undeniably good thing and we should be happy with the overall outcome. Though, the it's now set up a weird system where the 9th Circuit itself seems to disagree with itself and there's a wider circuit split -- meaning it's possible that the Supreme Court could take up this issue at some point.

In discussing the CFAA, this 9th Circuit panel seems to fully understand the intention of the CFAA: to stop hacking. Not to stop companies from blocking people/companies they dislike:

The 1984 House Report on the CFAA explicitly analogized the conduct prohibited by section 1030 to forced entry: “It is noteworthy that section 1030 deals with an ‘unauthorized access’ concept of computer fraud rather than the mere use of a computer. Thus, the conduct prohibited is analogous to that of ‘breaking and entering’ . . . .’” H.R. Rep. No. 98-894, at 20 (1984); see also id. at 10 (describing the problem of “‘hackers’ who have been able to access (trespass into) both private and public computer systems”). Senator Jeremiah Denton similarly characterized the CFAA as a statute designed to prevent unlawful intrusion into otherwise inaccessible computers, observing that “[t]he bill makes it clear that unauthorized access to a Government computer is a trespass offense, as surely as if the offender had entered a restricted Government compound without proper authorization.”11 132 Cong. Rec. 27639 (1986) (emphasis added). And when considering amendments to the CFAA two years later, the House again linked computer intrusion to breaking and entering. See H.R. Rep. No. 99-612, at 5–6 (1986) (describing “the expanding group of electronic trespassers,” who trespass “just as much as if they broke a window and crawled into a home while the occupants were away”).

In recognizing that the CFAA is best understood as an anti-intrusion statute and not as a “misappropriation statute,” Nosal I, 676 F.3d at 857–58, we rejected the contract-based interpretation of the CFAA’s “without authorization” provision adopted by some of our sister circuits.

That's all good -- and because of that, the court finds that LinkedIn can't claim that scraping their site is a CFAA violation, even after a cease-and-desist. But, it tries to differentiate from the Facebook v. Power decision by saying that one involves a password, and the other does not. So it's the fact that the information being scraped on LinkedIn is public information that changes the calculus here.

We therefore conclude that hiQ has raised a serious question as to whether the reference to access “without authorization” limits the scope of the statutory coverage to computer information for which authorization or access permission, such as password authentication, is generally required. Put differently, the CFAA contemplates the existence of three kinds of computer information: (1) information for which access is open to the general public and permission is not required, (2) information for which authorization is required and has been given, and (3) information for which authorization is required but has not been given (or, in the case of the prohibition on exceeding authorized access, has not been given for the part of the system accessed). Public LinkedIn profiles, available to anyone with an Internet connection, fall into the first category. With regard to such information, the “breaking and entering” analogue invoked so frequently during congressional consideration has no application, and the concept of “without authorization” is inapt.

Neither of the cases LinkedIn principally relies upon is to the contrary. LinkedIn first cites Nosal II, 844 F.3d 1024 (9th Cir. 2016). As we have already stated, Nosal II held that a former employee who used current employees’ login credentials to access company computers and collect confidential information had acted “‘without authorization’ in violation of the CFAA.” Nosal II, 844 F.3d at 1038. The computer information the defendant accessed in Nosal II was thus plainly one which no one could access without authorization.

So too with regard to the system at issue in Power Ventures, 844 F.3d 1058 (9th Cir. 2016), the other precedent upon which LinkedIn relies. In that case, Facebook sued Power Ventures, a social networking website that aggregated social networking information from multiple platforms, for accessing Facebook users’ data and using that data to send mass messages as part of a promotional campaign. Id. at 1062–63. After Facebook sent a cease-and-desist letter, Power Ventures continued to circumvent IP barriers and gain access to password-protected Facebook member profiles. Id. at 1063. We held that after receiving an individualized cease-and-desist letter, Power Ventures had accessed Facebook computers “without authorization” and was therefore liable under the CFAA. Id. at 1067–68. But we specifically recognized that “Facebook has tried to limit and control access to its website” as to the purposes for which Power Ventures sought to use it. Id. at 1063. Indeed, Facebook requires its users to register with a unique username and password, and Power Ventures required that Facebook users provide their Facebook username and password to access their Facebook data on Power Ventures’ platform. Facebook, Inc. v. Power Ventures, Inc., 844 F. Supp. 2d 1025, 1028 (N.D. Cal. 2012). While Power Ventures was gathering user data that was protected by Facebook’s username and password authentication system, the data hiQ was scraping was available to anyone with a web browser.

That last bit... confuses me. Yes, the information that was at stake in the Power case was locked up with password protection, but (and this is the important part), it was the user whose password it was that gave permission to Power to access the data in Facebook on their behalf. So I have trouble seeing how it's really that different than this HiQ case. This ruling seems to suggest that there's some magical property to a password that doesn't seem supported by the law. In the Power case, the access is still very much "authorized" because the holder of the password is giving it out. But the court tries to dance around this by pretending that the authorization question is different. I don't see how that makes any sense -- even if I'm happy that at least scraping of public info is considered fair game. Still, the panel leans in hard on the password question to distinguish these two cases:

For all these reasons, it appears that the CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.

Orin Kerr -- who probably knows more about the CFAA than anyone else -- has done a deep dive on this ruling as well, which is worth reading. As he notes, part of the weirdness in this case is procedural. HiQ is focused on getting a preliminary injunction stopping LinkedIn from using the CFAA to stop them from scraping the LinkedIn site. That sets the standards a bit lower than might otherwise be, and means that the ruling is not necessarily the final world on the CFAA in this situation. He also notes that this should be seen as a big win for the open internet, and (in many ways) isolates the Power decision as "an outlier."

I also think this decision renders Power Ventures an outlier. I may be biased, as I thought Power Ventures was wrong. As regular readers may remember, I represented Power Ventures on the petition for rehearing to try to get the panel decision overturned. But Power Ventures seemed to give cease-and-desist letters magical powers given their clarity and notice. It was possible to read Power Ventures broadly as saying that as long as the computer owner sends the cease-and-desist letter, the computer owner's written directive controls the CFAA question—the recipient is sent into Brekka-land where their access rights were withdrawn.

HiQ Labs now places a critical limit on Power Ventures. Under HiQ Labs, the cease-and-desist letter only controls access rights to non-public data. That seems to reduce Power Ventures to a limited application of Nosal II. Under both Nosal II and Power Ventures-as-construed-in-HiQ, once a computer owner tells you to go away, you can't then rely on a current legitimate user's permission to let you back in.

Putting the cases together, the Ninth Circuit law right now seems to go like this. You can scrape a public website, and you can violate terms of service, without violating the CFAA. However, you can only access non-public areas of a computer if you haven't had your access rights canceled before, either through a cease-and-desist letter or through the relationship ending that had granted you access rights.

As Kerr and the 9th Circuit itself note, however, there remains a circuit split between the 9th's hodge podge interpretations of the CFAA and other appeals courts. That certainly suggests that this could end up before the Supreme Court at some point.

One other note: I've seen a few lawyers, including those I respect, worry that this decision could actually lead to restrictions on the tools that sites themselves use to block more malicious parties. As Eric Goldman noted in his analysis:

Meanwhile, if server operators can’t restrict who can access their servers, then it will embolden data scavengers–including trolls, malefactors, and governments–who intend to weaponize the data against users.

This is one of the rare cases where I disagree with Goldman's analysis. I don't see how the ruling would lead to such a result. The ruling does suggest that it's tortious interference (this is separate from the CFAA analysis) for LinkedIn to block HiQ, since doing so undermine's HiQ's entire business. But I don't see how that same analysis would apply "trolls, malefactors, and governments." I do find the tortious interference discussion a bit confusing in its own right. While I don't think LinkedIn should be able to use the law to stop HiQ from scraping its site, it seems silly (and of questionable legality) to argue that it can't even use technical measures to block HiQ. But that's what the ruling appears to say:

LinkedIn’s threats to invoke the CFAA and implementation of technical measures selectively to ban hiQ bots could well constitute “intentional acts designed to induce a breach or disruption” of hiQ’s contractual relationships with third parties.

I agree on the use of the CFAA. But disagree on the point about "technical measures." One involves using the power of the government to block perfectly reasonable activity -- but the other is a purely technical question. And I don't see how or why the law should block any site from implementing technical measures to prevent access, even if overall public policy should encourage such access.

All in all this seems like a mostly good decision, with this oddity, combined with the tap dance to distinguish it from other rulings. Add in the big circuit splits and you can rest assured that this is nowhere near the last word on this matter.

Filed Under: 9th circuit, authorized access, cfaa, hacking, open access, scraping, tortious interference
Companies: facebook, hiq, linkedin, power ventures