Internet Access and Computer Fraud Laws

DrJimbo writes "Groklaw has an explanatory article covering the Computer Fraud and Abuse Act (CFAA) in layman's terms. The article discusses legal precedents that might make it illegal to access much of the internet. The article is a response to a claim by SCO that IBM violated the CFAA by downloading GPL'ed software from SCO's public HTTP and FTP sites."

WTF?

[afstanton]

This sounds just completely insane. Fraud by downloading GPL software? Why would SCO post it if they were just going to claim fraud? It sounds like entrapment, or bait and switch, to me.

Re:WTF?

[ReelOddeeo]

Fraud by downloading GPL software? Why would SCO post it if they were just going to claim fraud?

It is not Fraud because the software is GPL. It is Fraud because, as SCO has claimed in their recent court filing, IBM hacked into SCO's anonymous ftp server, in order to obtain the GPL software.

Even worse, evil IBM earlier admitted doing the dastardly deed.... In an earlier court declaration by an IBM employee, "I supervised while a member of my team..." logged into SCO's anonymous ftp server and downloaded the kernel sources, which include source code copyrighted by IBM, and which SCO is distributing in violation of the GPL.


It sounds like entrapment, or bait and switch, to me

I would be careful of making such libelous statements that could tarnish the valuable unblemished reputation of a paragon of virtue such as The SCO Group.



Don't forget to pay your $699 license fee to SCO for your Linux kernel which includes SCO's copyrighted <errno.h> file.

Re:WTF?

[ReelOddeeo]

This sounds just completely insane.

Did you mean it sounds like typical SCO behavior? Or am I misunderstanding you?

Re:WTF?

[cayenne8]

The part where the court said that assumptions that openly up for display on the web/internet was not assumed to be free and public?!?!?

From the Article:

"The court felt the need to further explain its rationale. It wanted to be clear that the basis for the rejection of "reasonable expectations" test is not "as some have urged, that there is a "presumption" of open access to Internet information". There is not. (Some might call that astounding and disturbing news.)"

So, if they put it out there, in a public format...it still can't be presumed as public access?

Ok, so it is ok to put up cameras everywhere...because "you can't expect privacy in a public place", but, a public website isn't presumed to be public and freely viewable?

Re:WTF?

[silicon+not+in+the+v]

The other possibility is that they're going to claim that IBM needed explicit permission to access a resource that was publically posted and anonymously available, which doesn't seem supported by current case law.

I hope you do not get modded up for this mis-information. This is exactly what Jon Stanley's article on Groklaw is about. The current case law is (unfortunately) in support of the concept that a flimsy usage policy is enough to establish something as being "unauthorised", and therefore subject to the CFAA (Computer Fraud and Abuse Act). Here is how disturbing this could be: If instead of being on an ftp site, it was plain text, linked to from their main website, but they had a notice that "The following link contains information whose access is restricted to our customers." That would be enough to make the viewing subject to the CFAA. Technical protection measures are not necessary. I encourage everyone to read Jon's article on Groklaw. It is very informative (in a disturbing, "How can they get away with this &%*$#@?" kind of way.) about the current legal precedents with respect to this act.

Re:WTF?

[cosmo7]

Although the site was anonymous, meaning anyone can LOG IN, the SCO may still have ground to stand on if they displayed a terms of use when you login, and say something like "if you don't agree to these terms, you are not permitted to download and must log out immediately."

Here is the agreement from SCO's ftp site:

Welcome to SCO's UnixWarez Site

All downloads are for BACK-UP only. If you are from a law enforcement agency then you are not allowed to log on. No kiddie pr0n. Upload to download. No leeching. Enjoy.

( Agree ) ( Disagree )

Re:WTF?

[jp10558]

So... this means that many warez sites are now protected?? I never really thought those disclaimers would be worth anything, but I guess they might just be...

Re:Illegal to access much of the internet?

[StevenHenderson]

Go outside and lay touch football or something.

You might want to wine and dine the football before you go for home...

No more RTFA ??

[ParadoxicalPostulate]

I guess that means we can no longer blame people for not RTFA - hey, it could be illegal!

Re:Illegal to access much of the internet?

[youknowmewell]

Like you're doing right now mr. first post?

Heh

[NetNifty]

"The article is a response to a claim by SCO that IBM violated the CFAA by downloading GPL'ed software from SCO's public HTTP and FTP sites."

And this is a perfect example of why nobody takes SCO seriously.

Re:Heh

[itzfritz]

Acc. to TFA:

"SCO provided its customers who purchased SCO Server 4.O with a password to enter at a log-in screen so that only they could access source code via the internet. Sontag Decl. 17-19. After news of a bug in the website's security system was reported on internet websites, IBM exploited the bug to bypass SCO's security system, hack into SCO's computers, and download the very files IBM has now attached to its motion."

If this is true, SCO has a legitimate beef. Dammit.

Re:Heh

[NetNifty]

Hmm, don't know whats stranger, SCO being right, or IBM admitting to hacking in to SCO's servers.

Re:Heh

[MattT]

The "bug" was that they didn't turn off anonymous FTP, and the "hack" was:

Userid: anonymous
Password: Nazgul@ibm.com

Re:Heh

[rewt66]

IBM didn't admit to any such thing. They said that they downloaded the source to Linux from SCO's server. They didn't say that they hacked to do it; they said that it was freely, publicly available.

SCO says that IBM hacked, but provides no evidence (not even a sworn deposition!) that IBM did so.

Take the SCO claim with several pounds of salt...

A bit of a strech here

[The+Cisco+Kid]

Here is an example of how a violation might occur:

1. I access the internet pursuant to my Terms and Service Agreement with my ISP (that I agreed to but given that there are only 48 hours in a weekend, did not read]. This is the contractual instrument that allows my "access" to be "authorized".

2. Then I violate this instrument's conditions, and my access, is, at the very moment of the violation, "unauthorized".

3. And since, given that I'm probably staring at the screen, I am therefore "obtaining"... (viewing) "information from a protected computer..."

4. In theory, we have, a violation of the CFAA.

I would suggest that you are only violating it if you are not authorized to access the computer you are accessing *by the owner/operator* of that computer, regardless of wether or not you may be authorized by a network provider to use their network.

That you may not be allowed to use your employers internet connection for personal use may get you fired by your employer, but does not constitute a violation against the websites you might have accessed.

Re:Chinee Illegality outside of the USA?

[east+coast]

American laws which purport to illegalize behavior on the Internet have a major loophole: most of the Internet is outside of the USA.

Perhaps, but that doesn't mean that American law can not address the goings on of web surfers here in the US.

For example; a webiste containing images of 16 year olds engaging in sex may be legal in plenty of places but when you transport those images on to a PC in the US, using US based communications, you are indeed going to be held to the laws in the US.

Certainly we couldn't enforce the laws of a server and user outside of the US but no one said we're going to try.

Default is unauthorized

[gr8_phk]

The courts had said that you are unauthorized by default. If that's so, you can't even go to a web site and read the terms of service or whatever they claim grants you permission. Hey judge, did you ever read yahoo, groklaw, or used google? Did you obtain authorization before going to the site? Hopefully this judge will overturn that stupidity.

I think Groklaw missed the point on this one...

[Kissing+Crimson]

Yes, I did RTFA. Unless I am completely reading this wrong, a summary of this is that the CFAA uses the term "reasonable expectations", and the court believes this is not sufficient; that sites must post in explicit terms what its users are and are not allowed to do - otherwise it is open season. OTOH, passwords are an example of a site or system clearly stating its intentions:

We agree with the district court that lack of authorization may be implicit, rather than explicit. After all, password protection itself normally limits authorization by implication (and technology), even without express terms.

In short, the court found that sites on the Internet implicitly allow open access unless they explicitly state otherwise.

No, no, you don't get it.

The entire problem here is that SCO is claiming IBM committed fraud by doing exactly what you just did-- that is, typing Login: anonymous Password: somepassword into the ftp login box.

In other words:

POST #11118838 CIRCUMVENTS A MECHANISM THAT EFFECTIVELY CONTROLS ACCESS TO A COPYRIGHTED WORK, MEANING SLASHDOT.ORG IS NOW AN ILLEGAL CIRCUMVENTION DEVICE UNDER THE DIGITAL MILLENIUM COPYRIGHT ACT.

Well, it's been a nice run for slashdot.org. Too bad it'll be shut down soon. Thanks for everything, everyone!

Auto-Summarize

A scraper is basically a robot that goes through one's site and grabs content. Apparently, it was a suped up scraper since it used knowledge from former employees. Like someone at google tm who knows how to decipher the google tm page rank hash code. Quote "The panel held that the use of the scraper tool exceeded the defendants' authorized access to ef's website because (according to the district court's findings for the preliminary injunction) access was facilitated by use of confidential information obtained in violation of the broad confidentiality agreement signed by ef's former employees"

The jackhammer and the microbe

[augustz]

The amount of analysis Groklaw reviews SCO's claims with is like taking a jackhammer to a microbe.

3,000 words, 100 comments. Yes you destroy the microbe, but...

SCO is always good for a laugh, but I have to smile at groklaw too.

Re:The jackhammer and the microbe

[MinutiaeMan]

>> The amount of analysis Groklaw reviews SCO's claims with is like taking a jackhammer to a microbe.

I disagree. In the legal world, the playing field is leveled, because both sides must be given the opportunity to prove their case (regardless of how nonsensical it may seem outside the courtroom, and assuming of course that the argument has legal grounds to be made) -- you absolutely cannot leave anything to chance or assume anything. If you leave something implied or overlooked, there's a good chance that your opponents can exploit that omission to their own advantage, at the very least by using logic to prove their case given the missing information.

Yes, it's incredibly tedious, but that's a lawyer's job. They have to be as completely accurate and as thorough as humanly possible. There's never (or rarely) any concept of "just enough" in a legal argument. You always go for the slam dunk, if for nothing other than making sure that your case is settled once and for all.

SCO's strategy

[vlad_petric]

... is what I call the spreadshit approach. Pretty much like a student who has no idea what to write on an exam, and out of desperation writes whatever he/she can think of (and prays to the God of Partial Credit), so does SCO try every possible judicial technicality (no matter how preposterous it is) to delay the final judgement.

Just keep in mind that they're not here to win. Their purpose is to drag Linux through legal mud for as long as they can, allowing their overlords MS to spread even more FUD.

Reading being access infringement?

[Ashtead]

Now, the purpose of setting up a http server is to distribute some kind of information to the world at large. And maybe accept some information, like Slashdot and a lot of other sites do.

Similarly, if someone sets up an anonymous ftp server they would also be perceived as doing this in order to distribute and maybe also receive information, to and from the world at large. Same thing really.

Now since SCO did just that, how can they then expect to be able to come afterwards and say that IBM shouldn't have looked at their site and downloaded the stuff they had to offer?

Makes no sense to me. One would expect a minimum of "due diligence", such as maybe using a locked-down ftp server with access to only authorized users, if their information was not to be made public and available to world+dog..

But what SCO is on about looks to me like posting a notice with tear-off tabs on a wall somewhere public, where everyone and anyone go by, and then claim some kind of infringement ("unclean hands") from certain people reading this posted text and tearing off a tab.

IANAL, YMMV etc...

Please tell me this is all a bad dream...

[IgLou]

Ok, so I have files open to the public on my website but since you downloaded them I change my mind and say you're in violation of the CFAA?? Then why did you have them up in the first place??

Isn't that entrapment to put someone into a situation that could cause them to break the law? Don't we tell law enforcement that this is exactly the type of thing you're not allowed to do.

I sincerely hope this gets thrown out. Because I'm really wondering if I made the best choice in procreating.

Using programs to access information

[3.1415926535]

The judge's precedent in the linked opinion (assuming I read it right. IANAL) is really restrictive because it requires that somebody read the terms of use for every website to be sure that they're not running afoul of the CFAA. This makes it impossible to use any sort of tool to crawl the web and extract information unless you've read the terms of service on all the sites before you crawl them. With the so-called "semantic web" finally coming around, this would be a gigantic setback.