Internet Access and Computer Fraud Laws
DrJimbo writes "Groklaw has an explanatory article covering the Computer Fraud and Abuse Act (CFAA) in layman's terms. The article discusses legal precedents that might make it illegal to access much of the internet. The article is a response to a claim by SCO that IBM violated the CFAA by downloading GPL'ed software from SCO's public HTTP and FTP sites."
It's just as well. The internet sucks anyway. Go outside and play touch football or something.
sulli
RTFJ.
This sounds just completely insane. Fraud by downloading GPL software? Why would SCO post it if they were just going to claim fraud? It sounds like entrapment, or bait and switch, to me.
Reject Fear - Embrace Hope
I guess that means we can no longer blame people for not RTFA - hey, it could be illegal!
"The article is a response to a claim by SCO that IBM violated the CFAA by downloading GPL'ed software from SCO's public HTTP and FTP sites."
And this is a perfect example of why nobody takes SCO seriously.
Linux Wireless Hardware in the UK
Generally, bash is superior to python in those environments where python is not installed.
YHBT. HAND.
We just declare the whole world a jail, and all people inmates. Then there will be no problem with any kind of violations ...
Accessing SCO ftp server...
Login: anonymous
Password: sco_sucks@ibm.com
Access authorized for downloading. Have a good day!
SCO is Micro$oft's bitch. This is a given. .Nyet. This is a given.
.nyet, and therefore licensing fees.
Microsoft is planning on making money through
Microsoft will be pissed when it becomes illegal to use much of the internet since it limits deployment of
I can't see Micro$oft allowing this to continue very far before they start cutting SCO's funding.
If a Chinese thug sells, on an Internet web page, a Chinese child for indentured servitude, what can American law enforcement do?
Maybe extrajudicial vigilantism has a role here. Americans go to Taiwan and kill the Chinese thug selling children on the Internet.
is a big attention whore. hey look at me!!
they are going to get nothing done to help their business model because they are just trying to chase other companies down
hmmm, I have to say that IBM seems to be a bit anal lately.
I would suggest that you are only violating it if you are not authorized to access the computer you are accessing *by the owner/operator* of that computer, regardless of whether or not you may be authorized by a network provider to use their network.
That you may not be allowed to use your employer's internet connection for personal use may get you fired by your employer, but does not constitute a violation against the websites you might have accessed.
having to hit refresh 300 times
...use Ctrl-+ Ctrl-- instead. Faster, and doesn't reload all of the data.
Of course, plain-text mode /. renders wonderfully. You may want to change your settings.
I wouldn't risk it - it might be illegal to do so! ;)
"Of the things we think, say or do:
1. Is it the TRUTH?
2. Is it FAIR to all concerned?
3. Will it build GOODWILL and BETTER FRIENDSHIPS?
4. Will it be BENEFICIAL to all concerned?"
From Rotary International. Simple, but effective.
Too bad they fail all four tests.
The courts had said that you are unauthorized by default. If that's so, you can't even go to a web site and read the terms of service or whatever they claim grants you permission. Hey judge, did you ever read yahoo, groklaw, or used google? Did you obtain authorization before going to the site? Hopefully this judge will overturn that stupidity.
What's that smell? Ah, that's my karma burning...
> most of the Internet is outside of the USA
Is that true? It might be now, but a fairly short time ago it wasn't. Even now I'd guess most of the top servers by traffic are based in the US, so perhaps it depends on how you measure it.
You can put lipstick on a pig(skin), but it'll still be a pig(skin)...
Do not look into laser with remaining eye.
Breakin' the law! Breakin' the law!
Breakin' the law! Breakin' the law!
Can we please get a new Unabomber already. SCO seems a ripe target to me.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
The entire problem here is that SCO is claiming IBM committed fraud by doing exactly what you just did-- that is, typing Login: anonymous Password: somepassword into the ftp login box.
In other words:
POST #11118838 CIRCUMVENTS A MECHANISM THAT EFFECTIVELY CONTROLS ACCESS TO A COPYRIGHTED WORK, MEANING SLASHDOT.ORG IS NOW AN ILLEGAL CIRCUMVENTION DEVICE UNDER THE DIGITAL MILLENNIUM COPYRIGHT ACT.
Well, it's been a nice run for slashdot.org. Too bad it'll be shut down soon. Thanks for everything, everyone!
A scraper is basically a robot that goes through one's site and grabs content. Apparently, it was a souped-up scraper since it used knowledge from former employees. Like someone at google tm who knows how to decipher the google tm page rank hash code. Quote: "The panel held that the use of the scraper tool exceeded the defendants' authorized access to EF's website because (according to the district court's findings for the preliminary injunction) access was facilitated by use of confidential information obtained in violation of the broad confidentiality agreement signed by EF's former employees."
Which would be like a badly configured .htaccess file blocking the error page as user doesn't have access... you are not authorised to access this page plus an additional error occurred - access denied.
The amount of analysis Groklaw reviews SCO's claims with is like taking a jackhammer to a microbe.
3,000 words, 100 comments. Yes you destroy the microbe, but...
SCO is always good for a laugh, but I have to smile at groklaw too.
Just keep in mind that they're not here to win. Their purpose is to drag Linux through legal mud for as long as they can, allowing their overlords MS to spread even more FUD.
The Raven
technocrat.net
http://sco.com was running Apache on Linux when last queried at 17-Dec-2004 20:08:47 GMT [netcraft.com]
Now, the purpose of setting up a http server is to distribute some kind of information to the world at large. And maybe accept some information, like Slashdot and a lot of other sites do.
Similarly, if someone sets up an anonymous ftp server they would also be perceived as doing this in order to distribute and maybe also receive information, to and from the world at large. Same thing really.
Now since SCO did just that, how can they then expect to be able to come afterwards and say that IBM shouldn't have looked at their site and downloaded the stuff they had to offer?
Makes no sense to me. One would expect a minimum of "due diligence", such as maybe using a locked-down ftp server with access to only authorized users, if their information was not to be made public and available to world+dog..
But what SCO is on about looks to me like posting a notice with tear-off tabs on a wall somewhere public, where everyone and anyone go by, and then claim some kind of infringement ("unclean hands") from certain people reading this posted text and tearing off a tab.
IANAL, YMMV etc...
SIGBUS @ NO-07.308
Ok, so I have files open to the public on my website but since you downloaded them I change my mind and say you're in violation of the CFAA?? Then why did you have them up in the first place??
Isn't that entrapment to put someone into a situation that could cause them to break the law? Don't we tell law enforcement that this is exactly the type of thing you're not allowed to do.
I sincerely hope this gets thrown out. Because I'm really wondering if I made the best choice in procreating.
Oops, how did this get here?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
WTF is with you moderators?! This is a garcia comment, and it hasn't been modded up yet. Get off your dead asses and MOD THAT FUCKING COMMENT UP. NOW!
Windows NT/2K/XP/2003 have two registry entries for a popup box called legal notice. When you do the cntl-alt-del thing and these registry entries exist you get a dialog box that has a legal message of your choice. Then you click on ok, then you get the username and password box. The understanding is that you can state what authorized/legitimate access is and I can state that you saw the message.
Apparently there have been cases where a defendant used the 'it said welcome, please login' defense and won cases. I have used the legalnotice registry entries for several big customers.
So there is some track history here.
eric
that I have with our customers.
Many of them see port scans and other "intrusion" attempts in their IDS logs and want to do something about it. We generally explain that when you give a machine a public IP address on a public network it implies that you want the public to be able to have access to it. If you wanted to disallow access to the resource, you would not make it available.
Though it is not a good technical defense for keeping people out, having a login and password and a banner message saying that "unauthorized use is prohibited" is a reasonable legal defense to show you didn't want public access to the machine.
The bottom line here is that any resource you make publicly available should have the assumed implication that you meant to make the resource publicly available.
to download our software. We know who we don't want to download it, and so do they. Therefore we don't need to secure our site, if they didn't see the legal.notice, that's their fault for not thoroughly inspecting /pub/*. We know what's right, and IBM is not. PSYCH!!!!!!!
The judge's precedent in the linked opinion (assuming I read it right. IANAL) is really restrictive because it requires that somebody read the terms of use for every website to be sure that they're not running afoul of the CFAA. This makes it impossible to use any sort of tool to crawl the web and extract information unless you've read the terms of service on all the sites before you crawl them. With the so-called "semantic web" finally coming around, this would be a gigantic setback.
Does this judgment have any effect on deep linking, I wonder? Maybe not for the person that posts the link, but what about the person who follows that link, which may be against the explicit rules of the website?
That said, if I connect to a ftp server and ask to log in, that to me is an explicit request for access. If the ftp server says okay, then isn't that granting explicit permission regardless of the general T's and C's state?
Exigo spamos et dona ferentes
If these experiences continue, try Alt-F4.
You said "maybe using a locked-down ftp server". Thing is, SCO has a history of not being the most competent at administering their own web site. So they put on some "technical access controls" that don't actually work. Then they claim that IBM "hacked" because they "bypassed" the technical access controls...
It reminds me of an earlier story about criminal charges filed against Reuters for accessing Intentia's earnings report on the company's own website before it was officially released (by guessing the URL).
That case ended without trial in January 2003 with the prosecutor finding that Intentia had announced the report would be published "around 2pm" rather than "14:00 sharp". Reuters therefore could not know that their successful retrieval of the document about an hour before 14:00 was "unauthorized" by Intentia. Unfortunately, we still don't know whether a more precise announcement would have constituted a legally binding prohibition against Reuters or anybody else attempting to access the file before that time.
However, earlier cases demonstrate that circumvention of a technical access control mechanism is not necessary for "data intrusion" to have been committed according to the language of the Swedish Penal Code. Typical violations of this kind are police officers browsing criminal records they have technical access to, but are not formally authorized to examine (because those records are unrelated to their work). The "data intrusion" statute is only one short article of the entire Penal Code (covering everything from murder and kidnapping to forgery and treason), and it's seldom used when more specific laws apply, but I think it suffers from the same problem of "overbroad applicability" as the U.S. Computer Fraud and Abuse Act. It just hasn't seen that much use in court, even as it has been on the books since the 1970's.
As for Intentia, they (along with two other companies) were given a warning by the Stockholm Stock Exchange disciplinary board for accidentally distributing their earnings report before it became official.
One might suppose that SCO's internal IT staff (or contractors) MIGHT arguably have mistakenly posted confidential information on THE internet, as opposed to THEIR intranet. The public, visiting this site and reading confidential information, or perhaps D/Ling F/OSS packages from their FTP site, would have absolutely NO WAY to have prior knowledge of the difference. The responsibility (IANAL) would/should fall upon SCO for due diligence of their(?) IP, and not upon the public at large.
While I did not RTFA (yet), it would appear that SCO's corporate officers (and lawyers?) have been partying a wee bit too much lately (possibly even with illegal or controlled substances), judging by their argument.
Invade China. Don't think they won't.
I am trolling
in the "Firefox NYT ad" /. story. One said that Firefox should talk more about IE's vulnerabilities, and another one said:
"The moment you stop speaking about yourself to speak about others, you're politically dead".
Nothing could be more true for SCO.
So if you forget to lock your front door, and I waltz in your living room, but don't take or damage anything, just look around, take a few pictures and leave quietly while you are out, I'm legally in the clear?
:)
I think not. (unless I work for Homeland Security)
I am not saying that is what IBM did, but that is something that SCO will try to make it seem like IBM did.
Just because it CAN be done, doesn't mean it should!
This is an interesting question ...
How is connecting to an FTP server, performing a valid anonymous login, and retrieving a file, qualitatively different than r00t-kitting someone's server and slurping whatever you can find?
Sure - it seems clear as night or day to you or I, but say it in a way that will stand up to judicial review, and keep in mind that the SCOTUS takes a dim view of statutes that include "Go ask Slashdot"...
Now, run the following gray-area test-cases against that statute, and see where they land.
See? It's not always cut and dried.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
Note that SCO had to specifically authorize anonymous access by adding an "ftp" user account to /etc/passwd. If IBM accessed the anonymous ftp account, SCO authorized such anonymous access. SCO should might RTFM, eh?
The examples I am seeing of how a violation of the CFAA might occur, and the idea that whole sections of the internet might be "unauthorized" are just plain silly. Especially the GrokLaw example outlining a possible violation of law because at the time of your access to information you had violated your ISP agreement in some way.
1. I access the internet pursuant to my Terms and Service Agreement with my ISP (that I agreed to but given that there are only 48 hours in a weekend, did not read). This is the contractual instrument that allows my "access" to be "authorized".
This is inaccurate. Your ISP does not own the internet nor have they been assigned the task of policing or collecting funds for the internet, nor is your contract with them what "allows you to be authorized" to access the internet. Your contract with your ISP allows you to access the internet through their service...period. Imagine Microsoft suing millions of hotmail users because they found out that they were accessing their hotmail accounts from a friend's computer and did not have an ISP account. GrokLaw's assumptions go beyond absurd and are only worth mentioning to shed some common sense and law on the subject so innocent web users are not thrown into a panic by such amateur hysteria.
2. Then I violate this instrument's conditions, and my access, is, at the very moment of the violation, "unauthorized".
What color is the sky in this guy's world? If you violate your ISP's conditions of use you might be unauthorized to access the internet using their service and might also be in breach of contract, however that does not mean the broad "unauthorized to access the internet" implied by the above. It simply means using their service to do so. There is nothing to prevent your accessing the internet by some other means as long as you do not violate someone else's terms of use.
3. And since, given that I'm probably staring at the screen, I am therefore "obtaining"... (viewing) "information from a protected computer..."
This guy's website should more appropriately be called "GrokUninformedLayman". Violation of your ISP's agreement does not suddenly make Microsoft's Hotmail servers "protected computers" with regard to authorized access. If accessing your hotmail account before you violated your ISP's service agreement was authorized it is still so even after the violation. One has nothing to do with the other. You might be unauthorized to use your ISP's service however that does not mean Microsoft can make a case for criminal charges or a lawsuit. Of course anyone can sue.
4. In theory, we have, a violation of the CFAA.
I cannot wait to meet him in court. Anyone want to take odds? Oh wait that might be interpreted as an offer for gambling and in violation of my ISP's service agreement which according to Groklaw means that I am now unauthorized to access the internet, which means that Slashdot is now part of a criminal conspiracy to defraud the gods of the internet and we are all doomed to burn in the fiery pits of hell. Merry Christmas!
Please people, go for a walk and infuse your brains with oxygen. Sitting at a computer too long has been known to lead to severe cases of paranoia, madness and hysteria. You are not in danger of losing the internet because SCO makes some dumbass claim and GrokLaw hypes everything to an all time high. I see a parallel here. SCO rides the coattails of Linux --> GrokLaw rides the coattails of SCO...
Everything contains its opposite.
Not unless there's significant quantities of petroleum involved. Oh, and a few Weapons of Mass Destruction, and a tyrant or two, and ... huh. Well.
The higher the technology, the sharper that two-edged sword.
- You will exercise due respect for the posted comment and the posting author:
- You will only exercise moderation powers upon this comment in ways that enhance the author's karma. Funny, Troll, Overrated and other non-karma-enhancing moderations are a violation of the TOS.
- You will only post replies to this comment that are supportive, complimentary, and/or friendly. Comments that contradict, ridicule, insult, or otherwise damage or weaken this comment or its author are a violation of the TOS.
- You will not post comments here or in any other forum, blog, website, or other service accessible through the Internet that in any way copy, duplicate, echo, or reflect the original intelligence, insight, humor, and wit of this comment, unless this comment is included in its entirety with due credit given to the original author and the original comment posting in this forum.
- You will exercise due respect for these Terms of Service:
- These Terms of Service may be altered at any time by the poster, without notice. Such alterations to the TOS will not be published in any public location whatsoever.
- Any violation of the TOS will retroactively revoke your authorization to read this comment.
- If you cannot agree to these Terms of Service, you are not authorized to read any portion of this comment.
Now I just sit back and wait. Somebody here will give me grounds for a CFAA prosecution, I just know it. I figure by 2030 or so my 6-digit UID will be something to brag about.
Maybe the appellate court will in its wisdom outlaw the posting of prices on the internet so that it doesn't lead to unwanted competition.
That way they can do what a million communists could never do. Prevent capitalism in order to preserve it.
IMHO, if the plaintiffs are worried about such a horrible thing as allowing their competitors to see their prices and who then use that information to out compete them with lower prices, the plaintiffs deserve only one thing: to go bankrupt.
If they are unable to compete on price then they should deny the defendants their advantage and not post their prices on the internet. Or failing that indicate what additional benefits the buyer gets for the extra money they must pay to do business with them.
If the plaintiffs actually win appeal on this basis, capitalism as we have known it is dead. Following such logic to other situations (one competitor using the other's higher prices to advantage), it can only lead to a system in which buyers will only be allowed to see the price of any product, until after they have bought it. Comparison shopping will for all intents and purposes have been adjudicated out of existence. For some reason I find it difficult to imagine a situation in which a competitor uses the public statement of pricing information as beyond "reasonable expectations" of ordinary consumers. Most ordinary consumers usually comparison shop and when they do, they take price into account.
Only in America where political hacks are appointed as judges precisely because they are political hacks, could one expect an email page posted for public consumption be ruled a confidential document.
Then again, since that is how our political campaigns now work. Why not spread it to all "purchases". True capitalism is just about dead in America already anyway. It is evolving into fascism, a far more stable system. Ironic that Kurt Gödel the famous logician predicted this decades ago.
Plenty, if an American makes the buy.
Does this apply to vote fraud too?