Internet Access and Computer Fraud Laws

DrJimbo writes "Groklaw has an explanatory article covering the Computer Fraud and Abuse Act (CFAA) in layman's terms. The article discusses legal precedents that might make it illegal to access much of the internet. The article is a response to a claim by SCO that IBM violated the CFAA by downloading GPL'ed software from SCO's public HTTP and FTP sites."

WTF?

[afstanton]

This sounds just completely insane. Fraud by downloading GPL software? Why would SCO post it if they were just going to claim fraud? It sounds like entrapment, or bait and switch, to me.

Re:WTF?

[ReelOddeeo]

Fraud by downloading GPL software? Why would SCO post it if they were just going to claim fraud?

It is not Fraud because the software is GPL. It is Fraud because, as SCO has claimed in their recent court filing, IBM hacked into SCO's anonymous ftp server, in order to obtain the GPL software.

Even worse, evil IBM earlier admitted doing the dastardly deed.... In an earlier court declaration by an IBM employee, "I supervised while a member of my team..." logged into SCO's anonymous ftp server and downloaded the kernel sources, which include source code copyrighted by IBM, and which SCO is distributing in violation of the GPL.


It sounds like entrapment, or bait and switch, to me

I would be careful of making such libelous statements that could tarnish the valuable unblemished reputation of a paragon of virtue such as The SCO Group.



Don't forget to pay your $699 license fee to SCO for your Linux kernel which includes SCO's copyrighted <errno.h> file.

Re:WTF?

[ReelOddeeo]

This sounds just completely insane.

Did you mean it sounds like typical SCO behavior? Or am I misunderstanding you?

Re:WTF?

[silicon+not+in+the+v]

The other possibility is that they're going to claim that IBM needed explicit permission to access a resource that was publically posted and anonymously available, which doesn't seem supported by current case law.

I hope you do not get modded up for this mis-information. This is exactly what Jon Stanley's article on Groklaw is about. The current case law is (unfortunately) in support of the concept that a flimsy usage policy is enough to establish something as being "unauthorised", and therefore subject to the CFAA (Computer Fraud and Abuse Act). Here is how disturbing this could be: If instead of being on an ftp site, it was plain text, linked to from their main website, but they had a notice that "The following link contains information whose access is restricted to our customers." That would be enough to make the viewing subject to the CFAA. Technical protection measures are not necessary. I encourage everyone to read Jon's article on Groklaw. It is very informative (in a disturbing, "How can they get away with this &%*$#@?" kind of way.) about the current legal precedents with respect to this act.

Re:Illegal to access much of the internet?

[StevenHenderson]

Go outside and lay touch football or something.

You might want to wine and dine the football before you go for home...

No more RTFA ??

[ParadoxicalPostulate]

I guess that means we can no longer blame people for not RTFA - hey, it could be illegal!

Heh

[NetNifty]

"The article is a response to a claim by SCO that IBM violated the CFAA by downloading GPL'ed software from SCO's public HTTP and FTP sites."

And this is a perfect example of why nobody takes SCO seriously.

Re:Heh

[itzfritz]

Acc. to TFA:

"SCO provided its customers who purchased SCO Server 4.O with a password to enter at a log-in screen so that only they could access source code via the internet. Sontag Decl. 17-19. After news of a bug in the website's security system was reported on internet websites, IBM exploited the bug to bypass SCO's security system, hack into SCO's computers, and download the very files IBM has now attached to its motion."

If this is true, SCO has a legitimate beef. Dammit.

Re:Heh

[MattT]

The "bug" was that they didn't turn off anonymous FTP, and the "hack" was:

Userid: anonymous
Password: Nazgul@ibm.com

A bit of a strech here

[The+Cisco+Kid]

Here is an example of how a violation might occur:

1. I access the internet pursuant to my Terms and Service Agreement with my ISP (that I agreed to but given that there are only 48 hours in a weekend, did not read]. This is the contractual instrument that allows my "access" to be "authorized".

2. Then I violate this instrument's conditions, and my access, is, at the very moment of the violation, "unauthorized".

3. And since, given that I'm probably staring at the screen, I am therefore "obtaining"... (viewing) "information from a protected computer..."

4. In theory, we have, a violation of the CFAA.

I would suggest that you are only violating it if you are not authorized to access the computer you are accessing *by the owner/operator* of that computer, regardless of wether or not you may be authorized by a network provider to use their network.

That you may not be allowed to use your employers internet connection for personal use may get you fired by your employer, but does not constitute a violation against the websites you might have accessed.

Default is unauthorized

[gr8_phk]

The courts had said that you are unauthorized by default. If that's so, you can't even go to a web site and read the terms of service or whatever they claim grants you permission. Hey judge, did you ever read yahoo, groklaw, or used google? Did you obtain authorization before going to the site? Hopefully this judge will overturn that stupidity.

I think Groklaw missed the point on this one...

[Kissing+Crimson]

Yes, I did RTFA. Unless I am completely reading this wrong, a summary of this is that the CFAA uses the term "reasonable expectations", and the court believes this is not sufficient; that sites must post in explicit terms what its users are and are not allowed to do - otherwise it is open season. OTOH, passwords are an example of a site or system clearly stating its intentions:

We agree with the district court that lack of authorization may be implicit, rather than explicit. After all, password protection itself normally limits authorization by implication (and technology), even without express terms.

In short, the court found that sites on the Internet implicitly allow open access unless they explicitly state otherwise.

No, no, you don't get it.

The entire problem here is that SCO is claiming IBM committed fraud by doing exactly what you just did-- that is, typing Login: anonymous Password: somepassword into the ftp login box.

In other words:

POST #11118838 CIRCUMVENTS A MECHANISM THAT EFFECTIVELY CONTROLS ACCESS TO A COPYRIGHTED WORK, MEANING SLASHDOT.ORG IS NOW AN ILLEGAL CIRCUMVENTION DEVICE UNDER THE DIGITAL MILLENIUM COPYRIGHT ACT.

Well, it's been a nice run for slashdot.org. Too bad it'll be shut down soon. Thanks for everything, everyone!

SCO's strategy

[vlad_petric]

... is what I call the spreadshit approach. Pretty much like a student who has no idea what to write on an exam, and out of desperation writes whatever he/she can think of (and prays to the God of Partial Credit), so does SCO try every possible judicial technicality (no matter how preposterous it is) to delay the final judgement.

Just keep in mind that they're not here to win. Their purpose is to drag Linux through legal mud for as long as they can, allowing their overlords MS to spread even more FUD.

Please tell me this is all a bad dream...

[IgLou]

Ok, so I have files open to the public on my website but since you downloaded them I change my mind and say you're in violation of the CFAA?? Then why did you have them up in the first place??

Isn't that entrapment to put someone into a situation that could cause them to break the law? Don't we tell law enforcement that this is exactly the type of thing you're not allowed to do.

I sincerely hope this gets thrown out. Because I'm really wondering if I made the best choice in procreating.