Company Using Proxy To Evade Craigslist Block Violated CFAA

WillgasM writes "Changing your IP address or using proxy servers to access public websites you've been forbidden to visit is a violation of the Computer Fraud and Abuse Act, according to a judge's broad ruling (PDF) during a case on Friday involving Craigslist and 3taps. Opponents argue that this creates a slippery slope that many unsuspecting web users may find themselves upon. With your typical connection being assigned an address dynamically, is an IP ban really a 'technological barrier' to be circumvented? How long until we see the first prosecution for unauthorized viewing of a noindex page?" Probably a long time; the judge in the case rejected the slippery slope argument: 'There, and sprinkled throughout its earlier, ostensibly text-based, arguments, 3taps posits outlandish scenarios where, for example, someone is criminally prosecuted for visiting a hypothetical website www.dontvisitme.com after a "friend" — apparently not a very good one — says the site has beautiful pictures but the homepage says that no one is allowed to click on the links to view the pictures. Needless to say, the Court’s decision [regarding 3taps' actions]... does not speak to whether the CFAA would apply to other sets of facts where an unsuspecting individual somehow stumbles on to an unauthorized site.' Willful evasion of blocks for commercial gain, on the other hand ...

Oh FFS

This is so fucked it's beyond belief...

Braindead, much?

Re:Exponential Backoff

[buchner.johannes]

Try using Slashdot through Tor. You'll soon be "killall -HUP tor" trigger happy (tor creates a new circuit when you do that).

Trespassing

[guytoronto]

Seems no difference than trespassing. Putting on a fake mustache, sunglasses, and a wig doesn't mean you can ignore the trespass order.

Re:Trespassing

[Thanshin]

Seems no difference than trespassing. Putting on a fake mustache, sunglasses, and a wig doesn't mean you can ignore the trespass order.

But the limit being non-existent or impossible to detect does.

Re:Trespassing

[lightknight]

Wait. Time out. What exactly does 3Taps do?

The article states: "3taps drew Craigslist's ire by aggregating and republishing its ads, so Craigslist sent a cease-and-desist letter telling the company not to do that. Craigslist also blocked IP addresses associated with 3taps' systems."

However, a brief glance at their website (unless they changed things that quickly) does not show anything of this sort.

Does anyone have a screenshot from earlier, with the offending material?

Re:Trespassing

The company knew they were banned, because Craigslist had sent them a cease and desist letter. Blocking their IP address range was just an enforcement measure, but the ban was against the company, not the IP address range.

Re:Trespassing

[gmuslera]

There is no trespassing if is a public place, you can block a person, but not the direction from which is coming. Is like not forbidding you specifically, but putting a barrier in a street of the city that is between your home and that public place, and put you in jail if you take another route to get there, there is always another way to get in, and you have the right to go anywhere in the city.

But more important, real world analogies specifically in a point where internet diverges from the real world (ubiquity) are dangerous.

Re:Trespassing

[bws111]

Since when is craigslist (or any other web site) a public place?

Re:Trespassing

[spectro]

Let's say I am watching a baseball game in one of these Chicago buildings just outside Wrigley Field. The Cubs decide they don't want us to watch the ballgame for free anymore so they block our view by putting a tarp or building a new scoreboard. According to this ruling it would be illegal tresspass for us to find another, maybe taller building from where to keep watching...

Re:Trespassing

[BitZtream]

What the fuck was undetectable about being blocked? The fact that they were blocked, they knew they were blocked and then intentionally worked around it.

They intentionally did something the other side didn't want done. It took deliberate actions to get around the block.

It wasn't an accident. It wasn't a few times til someone noticed. They KNEW they were blocked ... you know, case craigslist TELLS YOU THAT YOU'RE BLOCKED ... and then they went around it.

Fry'em. This is the kind of shit that causes us problems and fucking morons like yourself defending it are worse.

Re:Trespassing

[bws111]

Uh, no. When you access a website you are using the web site owners property (the server). When you are watching a ballgame from outside the stadium you are not using their property. I can not tell you where not to look, but I sure as hell can tell you to stay off my property.

So, to fix your very flawed analogy, it is more like 'I got caught using a hole in the fence to get into Wrigley Field. They told me not to do that anymore, and fixed that hole in the fence. According to this ruling it would be illegal for me to find and use another hole in the fence.'

Re:Trespassing

[Zontar+The+Mindless]

You're soaking in it.

Re:Trespassing

[Zero__Kelvin]

"Since when is craigslist (or any other web site) a public place?"

Since the moment you could could got to *.craigslist.org without having to authorize (i.e. enter a user name and password) Or in other words, always.

Re:Trespassing

[bws111]

Say what?? That makes it a publicly accessible private place, which is far different from a public place. And being a private place, they are perfectly free to restrict who uses it, authorization required or not.

Re:Trespassing

[shentino]

Craigslist is not a public place to begin with, it is a private site.

If it's a public place you cannot be kicked out by anyone but the government in the first place. Nobody but the police would be allowed to put those barriers in the street to begin with.

Someone who owns a mansion, however, can put up fences and prosecute someone for going through them, if that person has already been kicked out and commanded not to return.

Craigslist is private property and anyone can be expelled at any time for any or no reason at their sole discretion, and they can prosecute for trespassing anyone who defies them, even if craigslist itself is being patently unreasonable.

In another example, Walmart can suddenly decide they hate Seahawks fans, and ban people wearing green and blue clothes. Yes, it's patently unreasonable. But Walmart would still be within its rights to expel anyone wearing blue and green, put that person on a blacklist, and call the police to arrest them if they came back.

Re:Trespassing

[shentino]

Depends on if you're watching the game from your own property or not.

There's a scene from Angels in the Outfield where the kids are spying on a ballgame from a tree...that is inside the private property of the stadium.

Re:Trespassing

[alex67500]

Imagine a massive banner on every website:
NO PUBLIC RIGHT OF WAY

Re:Trespassing

[gmuslera]

The open internet, is, by definition, a public place, any place that you can access without a login and password are the digital equivalent of a public place, anyone can visit it. If you put "fences", require user/password to access certain pages, that would be the private places, and there you can say "ok, you can't enter", but for places where everyone, even in an anonymous way can enter, is at the very least harder if not impossible (if you can't use proxy for your fixed IP office connection, can go to the next starbucks to access it). Putting limits on that (and worse, bringing the law to that place) is like giving an homicidal maniac a weapon in a stadium, it will be used, and a lot of innocent people will be hurt.

Re:Trespassing

[Zero__Kelvin]

That isn't a bad analogy, except that it assumes a single access point. On the Internet, every URL is an access point. It turns out there is a way to do the equivalent of posting a similar sign on every entry point, and that is an authorization mechanism. Google does this with gmail, etc. for example. Craigslist doesn't do this, so they have no leg upon which to stand. This means of course that the judge is a misinformed idiot, but that should come as no surprise to anyone on Slashdot.

Re:Trespassing

[pr0fessor]

Hold on now. The internet is full of businesses and individuals with websites that they run and maintain it's not run by the city, state, or parks and recreation. Trust me if you park your car on my front lawn I'll have you towed and the fact that it's not fenced in means nothing it's still private property.

Now here is what you have a business Craig's list and a third party 3taps standing in the parking lot giving out fliers with the Craig's list ads and their competitors ads. They sent them written notice not to do it anymore and took a picture of the employee they had in the parking lot {aka ip adress} handing out the fliers so their employees could recognize them and 3taps sent someone else out and told them to hide what they are doing {aka a proxy} cause the first guy would get recognized and told to leave again.

Re:Trespassing

[bws111]

Wrong, wrong, wrong. Authorization is a property, not a technical control. No, everybody does NOT access the site 'without authorization', because the site owner has implicitly given authorization to the general public. That in no way prevents him from revoking that authorization from specific people.

You have not given a single reason that the analogy is incorrect, other than that you apparently wish it were.

Do you require explicit 'authorization' to enter a Walmart? Does Walmart check the ID of each person entering the store to see if they are authorized? Can Walmart ban certain people from entering their stores? The answers to these questions are no, no, and yes.

Finally, your idiotic use of bold reminds me of the adage 'when the law is on your side, pound on the law. When the facts are on your side, pound on the facts. When neither are on your side, pound on the table.' You are doing a hell of a job pounding on the table, without offering a single reason or even example of why your argument is correct.

Re:Trespassing

[bws111]

What do you think happens when you go to a website? Too stupid to know? OK, I'll tell you: you use their servers. There is NO WAY that you are looking at ANYTHING on Craigslist, or any other website, without using their property.

Re:Trespassing

[david_thornley]

What part of the Internet don't you understand? You're making a direct analog between meat-space and cyberspace where it doesn't work.

If I look at a Wal-Mart entrance from off their property, I am standing there being passive. I'm just receiving and interpreting large numbers of photons that go from the entrance to my eyes. I might be doing this even if I have no desire to look at a Wal-Mart. If I look at a web page, I'm sending a HTTP request to the appropriate server, and expecting to have that server do the appropriate work to return some HTML/etc. No HTTP request, no returning web page. This is, in a very real sense, computer access. A better meat-space analogy would be if I walked into the Wal-Mart to look at the fliers. This is normally harmless, accepted, and perfectly legal. If I'm barred from entering Wal-Mart, it turns into trespass.

You've also said there was no authorization mechanism, but CL used an IP block. It isn't much of an authorization mechanism, but a pitiful lock is still, legally, a lock.

The ruling said that CL had formally notified 3taps that it was no longer authorized to access CL's systems (the C&D letter), and that CL had taken steps to prevent this access (the IP block). Therefore, 3taps (a) knew it wasn't to access CL's servers, and (b) intentionally took action to access them anyway. Without (a), there'd be no case. Without (b), it would be hard to prove intent.

Re:Trespassing

[shipofgold]

Try that argument the next time you are obnoxious in a bar and they kick you out. There may be a back door to the bar, but just because you use it to enter a second time doesn't mean you get to stay.

If you get a disguise and try to come back through front or back door doesn't entitle you entrance either. I am pretty sure if you keep coming back you are going to end up in a 6x8 cell.

Re:Trespassing

[david_thornley]

First, "authorization" is not a technical term here. It is a legal issue. In general, you're authorized to access all websites you can, and that appears to be the judge's presumption. This can change when you are formally told you're unauthorized to access one. If a site is concerned with authorization, it usually has some sort of sign-in mechanism, but that isn't legally necessary. If you haven't been formally notified that you're unauthorized, you can rely on implicit authorization. Frankly, I don't see any other way of running the web.

Second, IP blocking is not a good blocking mechanism, but it is a blocking mechanism. Similarly, a cheap spring lock is a lock. The judge does not seem to have considered circumvention of an IP block to be unauthorized access in itself. However, using a proxy to get around an IP block is evidence of intent to access the site, and since 3taps had no authorization that established intent for unauthorized access. There's no law against me wearing a baseball cap and hoodie to Wal-Mart, but if I was forbidden to access that particular Wal-Mart it may be evidence that I knew I was doing something wrong.

Third, a publicly facing website is not the same as a publicly facing billboard. The billboard stands there, and I can see it without doing anything to it. The web site is active, and accepts and deals with HTTP packets. Any HTTP request is a request to access the computer system. This is a technical point, but it does have legal consequences.

Fourth, the Internet does need, and does have, legal regulation of some sort. The question is what sort we are going to get. Judgments like this one are good, since they establish a clear line where illegal behavior occurs, and won't affect people in normal use.

Re:Trespassing

[Zero__Kelvin]

"Second, IP blocking is not a good blocking mechanism, but it is a blocking mechanism."

No. It isn't. Until you realize that an IP address does not identify a user (and the courts have ruled this as well) then there is no sense in discussing anything with you.

"Third, a publicly facing website is not the same as a publicly facing billboard."

Hey ... it's almost like analogies in meat space don't map to the internet! I think I've heard that before. What makes a public website public is the act of hooking your server up to the public internet, and then not requiring authorization to access it.

Good luck getting an education on the internet and how it works! I hope to hear from you in about ten years or so.

Re:Trespassing

[david_thornley]

Sure, IP blocking is a blocking mechanism. If I IP-block you, and you don't change your IP or use a proxy, you're blocked. So is everybody else using that IP, if more than just you, but that's a side effect. It's not a particularly good block, but I've seen it used. In this case, the significance was that 3taps deliberately got around the block. That is strong evidence that they weren't doing the access accidentally. Similarly, if I were to open a door with an old-fashioned spring lock, I'd be legally held to have bypassed a lock, and that's about as difficult as bypassing an IP block.

Also, analogies in meatspace do apply to the internet, at least for legal purposes. Judges have to apply existing laws, and legislators have to pass new ones, and both will be very heavily influenced by meatspace analogies. About the best we can do is try to make them use the right analogies, and try to tell them where the analogies break down.

And you persist in misunderstanding the legal concept of "authorization". It doesn't depend on some sort of automatic mechanism.

Re:Trespassing

[Zero__Kelvin]

"Sure, IP blocking is a blocking mechanism. If I IP-block you ..,"

Listen. You proved to me that you are an idiot a long time ago. There is no need to keep trying to prove it over and over. Seriously. You cannot possibly IP Block me, since an IP Address not only doesn't identify me in any way, it doesn't even identify a state."

"And you persist in misunderstanding the legal concept of "authorization". It doesn't depend on some sort of automatic mechanism."

Again, you are a straight moron. Seriously. How many times do I have to tell you that, in order to meet the legal requirements to claim someone is not authorized, said company ... and I mean any company, on the net or off ... must make a reasonable attempt to restrict access. No company, under any circumstances, can claim they have attempted to restrict access while simultaneously not restricting access in any way.

Just accept the fact that you are an uninformed idiot and move on with your ignorance based life, such as it is.

Re:Trespassing

[david_thornley]

How many times do I have to tell you that, in order to meet the legal requirements to claim someone is not authorized, said company ... and I mean any company, on the net or off ... must make a reasonable attempt to restrict access.

[Citation needed]

Store Ban

[ZombieBraintrust]

Being banned from a site is no different from being banned from a physical location. The security is week. You can come up with hypothetical around wearing a mask into the store. Someone comes into a store wearing a mask and is confused for a criminal. But at the end of the day, if a person tells you go away and you don't, judges are not going to be sympathetic.

Re:Store Ban

[omnichad]

No - this guy actually was stealing data. His site was aggregating and republishing Craigslist ads.

Re:Store Ban

[thaylin]

The internet is not supposed to be an open source free for all, otherwise we would not have standards for SSL and password protection of sites.

Re:Store Ban

[bws111]

There is no such question for anyone who can read. The first three words of the CFAA are "Whoever having knowingly ..."

They weren't banned from 'the internel', they were banned from craigslist, a 100% private web site. Where do you get the idea that craigslist is 'publicly funded'?

Re:Store Ban

[Zero__Kelvin]

You cannot steal that which is freely given. Since craigslist immediately serves up its content to anyone who goes to their URL, you cannot claim it is not freely given. If they want it to be otherwise, they need to require authorization. It isn't as though this technology isn't readily available and easy to implement.

Re:Store Ban

[shentino]

There is no confusion, because that person actually WOULD be a criminal.

The only confusion is that they are a trespasser instead of a thief.

So they pull the mask off, and they find out you're not actually looking to rob the place.

But lo and behold, you ARE on the list of people who are banned from the store, so the cops still arrest you for trespassing.

Re:Store Ban

[shentino]

We call that copyright infringement.

Re:Store Ban

[omnichad]

He was copying copyrighted content. The users who posted the ad gave license to Craigslist to publish the ad freely (via T&C's) but not to this third-party.

Re:Store Ban

[omnichad]

I'm using the terminology of the person I replied to. Feel free to use the proper term while I speak on someone else's terms.

Re:Store Ban

[WillgasM]

It's more like this: You go to a store, harass employees and get banned. Security is told not to let that guy in the Slayer shirt back into the store. You then go out to your car, change shirts, and back in past the security guard and start harassing employees again. I'm all for charging you with harassment and trespassing, but it's still not illegal to change your shirt.

Re:Store Ban

The difference is the internet is suppose to be an open source

It is open source, you can go read any of the RFC's any time you want.

free for all

Says who?

trespassing is reserved for private property

Just because you have the capability of reaching my network doesn't give you the right to access anything past the edge of my network.

He wasn't stealing data, or trying to commit fraud, this is a gross abuse of a flawed law

No, you're completely wrong. Someone was told "Don't come to our site" and that PERSON was given a hardcopy letter stating they were no longer welcome. It doesn't matter if that PERSON uses my computer, your computer, the computer at the library, or any other system to try and gain access- he's forbidden from using their service.

and the prosecution doesn't even have to make a case, or prove without any doubt what a persons intentions were with the CFAA.

It doesn't matter- he was told not to come back, he came back, thus he violated the provision of the CFAA which says you can't access a computer system when you've been told to GTFO.
And the standard in the courts is beyond a reasonable doubt, not beyond ALL doubt.

Re:Store Ban

[ZombieBraintrust]

Computer Fraud and Abuse Act is the trespassing charge. Perhaps website trespassing needs to be seperated out into its own thing. Lumping it in with theft of data and corporate sabotage is a bit unfair.

Re:Store Ban

[gnasher719]

You cannot steal that which is freely given. Since craigslist immediately serves up its content to anyone who goes to their URL, you cannot claim it is not freely given. If they want it to be otherwise, they need to require authorization. It isn't as though this technology isn't readily available and easy to implement.

That's the geek speaking, confusing authorisation via some computer-implemented authorisation mechanism with legal authorisation. On a website like craigslist with no computer-implemented authorisation mechanism that keeps you out, you can assume that you have the legal authorisation to visit the site. Until you get violently kicked out, like in this case via a court order. Then you have no legal authorisation anymore. Whether the security mechanism employed are strong or weak, you have no authorisation.

Re:Store Ban

[Zero__Kelvin]

No. The judge is an ignorant moron who doesn't understand technology. The legal authorization part is a non-issue since there is no law in place which correctly addresses it. Since the laws were written by the ignorant they have zero applicability. For example, the judge explicitly points out: "But it (the law) does not answer the question here, which is whether Craigslist had the power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website. ". Craigslist cannot tell a single person or company that they cannot look at their freely available data they serve to the world through a cease and desist letter any more than I can send a letter telling one of my neighbors that they are hereby forbidden to look through my open windows. The judge admits that the law doesn't address this, and then goes on to state (paraphrasing) that he decided to make up a statute in his mind and enforce it. If the law doesn't specifically grant the right to craigslist, then they have no such right, regardless of the asinine ruling of this particular judge.

Re:Store Ban

[WillgasM]

Agreed. If they want to argue that accessing the site was illegal because of the C&D letter, then that's fine. The method of accessing it shouldn't be criminalized. If CL had never even instituted an IP ban and 3taps kept doing what they were doing, it should have made no difference to this case. If I post no trespassing signs but leave the gate open, it's still trespassing. This ruling sets an unnecessary and dangerous precedent.

Re:Store Ban

[Agent0013]

Craigslist cannot tell a single person or company that they cannot look at their freely available data they serve to the world through a cease and desist letter any more than I can send a letter telling one of my neighbors that they are hereby forbidden to look through my open windows.

But you can get a court to tell a neighbor they are forbidden to be within 500 yards of your windows. It's called a restraining order. If 3taps had a restraining order from visiting the Craigslist site would that make more sense to you?

Re:Store Ban

[Zero__Kelvin]

It might, but they don't have any such order. A cease and desist letter is not such a court order. In order to get said restraining order you would have to appear in court and show cause. This didn't happen. When the neighbor did show up in court complaining "he is looking in my window and taking pictures", no such order would be granted. The judge would tell you to keep your blinds closed if you don't want him looking in. You did know that in order to get a restraining order you need to show that you are in justifiable fear for your life, or in less strict states, that you are in justifiable fear of bodily harm, right?

Re:Store Ban

[bws111]

What is the precendent? The ruling does not say that changing your IP address is a violation. The only reason the IP address change is important is because that is shows the defendant intentionally accessed the site after they were told not to. The first words of the CFAA are 'whoever having knowingly ...'. They got a C&D letter, they had their IP blocked, so the changed their IP to get around the block. Kind of hard at that point to claim you didn't know you were not authorized.

Re:Store Ban

[Agent0013]

But isn't a cease and desist still a court order? So if a person has a restraining order, then it's ok for them to come look in the windows anyway? You have me confused here. To me it seems that they broke a court order telling them not to do what they did, and they did it anyway. And that sounds similar to someone having a restraining order that came to the sidewalk in front of your house anyway.

Re:Store Ban

[Zero__Kelvin]

No. You are missing two points. The first and most important is that there is no analog in meat space. Every analogy you or I try to make will be broken. The judge failed at his job because he doesn't understand this important point. The second is that, to the extent that all models are broken but some are useful, no "restraining order" was issued prior to the judges ruling, and there is no cause for such an order.. A cease-and-desist letter is not a court order. It is a letter from a craigslist lawyer telling them that if they continue they will attempt to get one. They then attempted to get one. The judge, ignorant of technology as he is, not only granted the "restraining order", but then retroactively enforced the bogus "restraining order" as if it had been in place the whole time.

Re:Store Ban

[WillgasM]

I guess. So long as it's only used to establish intent to access the system and there's other evidence to prove you weren't authorized. I just fear that our tech illiterate judges will come to interpret an IP block as a revocation of authorization in and of itself. Boils back down to "I am not my IP"

Re:Store Ban

[Agent0013]

Ok, good point. C&D is only from the lawyer not from a court. If a court had told 3tap to stop then I would think they were completely in the wrong. Since it was only Craigslist telling them to stop it is a little more murky. Doesn't a business have the right to refuse service, even if it's a store that is open to the public. Kinda sounds like that maybe. I don't like the misuse of the CFAA and the precedent it sets to be used in any case where someone changes their IP or breaks a stupid TOS or whatever. But when the business tells you that they don't want you coming back then you have been warned at least.

Re:Store Ban

[Zero__Kelvin]

Now the problem gets even more murky. As a craigslist poster I have contracted with them to make my content available to the world. I have also agreed that they may, on my behalf, aggressively pursue any copyright infringement. Here is the problem: I own the copyright, not craigslist. I merely granted them a license to use/copy my content. I didn't send a cease-and-desist to anyone. In fact, when craigslist tries to stop anyone from accessing my content they are violating their contract with me!

Craigslist has no right to go to court on my behalf when I have not indicated that the copying is unauthorized (i.e. I am not asserting my copyright claim, and it is my copyright)

Craigslist cannot claim that 3Tap, or anyone, accessed their website without authorization, since they don't implement an auth system (OK, they do, but they don't require it. It is merely a convenience for me, the user.)

Are you starting to see how the judge, who just couldn't understand that cyberspace is fundamentally different than meat space, applied a broken model and lack of understanding of technology to make a bogus ruling? To re-iterate, I would go so far as to suggest that craigslist is in violation of every agreement with every poster in fact.

Don't get me wrong. I don't think 3Tap is morally in the right here. They are however legally in the right, regardless of what an ignorant judge rules.

If craigslist wants a say who regarding who can and cannot access their site there is a means to do that. It is called auth. They don't implement auth because they figure it will cut into their user base. Unfortunately, they want to have their cake and eat it to, without regard to the fact that they are undermining the efficacy of,and tearing a whole in the fabric of, the internet.

Re:Store Ban

[bugnuts]

Craigslist has their own copyright. While your individual article is copyrighted by you, they have a copyright (which is wholly their own of which you have no interest) in the compilation. The list is not a simple collection of facts, but rather, a collection of creative works which each individual poster has granted usage to craigslist. According to SCOTUS when referring to a trial regarding collections of material in a phone book, "copyright can only apply to the creative aspects of collection: the creative choice of what data to include or exclude, the order and style in which the information is presented, etc., but not on the information itself".

That collection in itself should be sufficient, as it has tons of creative choices such as separating by cities, who posts, what topics are allowed, categories, etc... but this information itself also has creative aspects; and when you post on craigslist, you explicitly give them permission to pursue copyright infringement against "unauthorized" copying. YOU GRANT THEM THIS RIGHT as part of posting on craigslist. They get to determine whom is authorized, and a C&D clearly demonstrates that 3Tap was not authorized.

You're pretending that there are no analogies to meatspace, but you are wrong. Attaching a computer to the internet does not immediately make it "public space" as you imply, and which is the basis of all your arguments. It is still an "owned" private computer, with the computer owner deciding whom is authorized and not.

There is still a big issue when there are laws that use the same description of "authorized" or not, because it essentially allows anyone to write law in a EULA. Let's say you're trying to protect yourself from being stalked on facebook and create an alias account which is against the EULA. Suddenly, by protecting your right of privacy and freedom from stalking, you're committing a federal felony? That's bullshit. While this aspect of anyone writing felonies into their EULA needs to be fixed, the CFAA law was designed exactly for this type of thing: knowingly accessing private computers you were explicitly told are unauthorized for you to access.

The 3Tap group was attempting to benefit and monetize from a database stored on a private computer, and has clearly broken the law as the law was intended and it has broken copyright law for collections of material. It's rare that laws aren't abused to try to wriggle out some sort of bullshit charge, but this is pretty straightforward.

Re:Store Ban

[ZombieBraintrust]

since there is no law in place which correctly addresses it. Since the laws were written by the ignorant they have zero applicability.

Is there a law or not? Make up your mind. The article says he was prosecuted under the "Computer Fraud and Abuse Act." Maybe only "non-morons" understand what laws were written by the "ignorant". .... sarcasm

Re:Store Ban

[Agent0013]

I don't see that they need to have passwords for the users to tell some of them that they can't use the service. I don't need a private pass or key to get into a bar, but they sure can kick me out and tell me I can't come back in if they want to. And if I try to enter they have the right to call the police or even have their bouncer throw me out. And that verbal information isn't even given by a lawyer through certified mail. Why can't Craigslist tell someone that they aren't welcome back and when they try to come back then take them to court. Seems pretty similar to me.

Re:Store Ban

[Zero__Kelvin]

Show me where I say there is no law. Both sentences you quote state there is a law. The first says there is a law, but it does not correctly address it. The second explains why. Perhaps a remedial reading comprehension course would assist you in making sense of the world around you?

Re:Store Ban

[Zero__Kelvin]

Well, you can't get into my bar because I am blocking your IP Address! Oh wait. That didn't make any sense, did it. I wonder if it could be because the Internet and your local street corner are fundamentally different in some way.

Re:Store Ban

[Agent0013]

Blocking the IP address is like putting up the picture of people who bounce checks. It won't stop the person from coming back and trying again, but maybe the cashier will notice it's them and stop them.

Re:Store Ban

[Zero__Kelvin]

Go back and actually read the TOS, then get back to me.

" Attaching a computer to the internet does not immediately make it "public space" as you imply, and which is the basis of all your arguments."

Of course it does. It makes it publicly accessible from anyplace in the world that has an internet connection. What makes a site not accessible is something people who actually have clue call auth. No auth means publicly accessible. Period.

"You're pretending that there are no analogies to meatspace, but you are wrong"

I didn't say that. There is an analogy for everything. Unfortunately, quite often the analogy is not very good, and in the case of the internet vs meatspace it is literally impossible to come up with one that isn't severely broken. People keep coming up with absurd conclusions because they refuse to keep on point and want to hide behind broken analogies. If you have a counterpoint, make it without an analogy and we'll talk. Until then, you are just one more person who cannot possibly come up with a reasonable conclusion, because all of your conclusions are based on useless and broken analogies.

Of course, there is a reason why people keep going to the analogy pool. If they don't do that they cannot come up with a plausible sounding argument that contradicts the facts as I have presented them.

Re:Store Ban

[Zero__Kelvin]

Blocking an IP Address is absolutely nothing like that. What happens when I change my ISP and my old ISP hands out the address to someone new? Does the picture on the wall change or something? Stop trying to use meatspace analogies. You will consistently make absurd statements if you do. If you cannot make an argument that doesn't involve analogies, you cannot make an argument. Period.

Re:Store Ban

[Agent0013]

Why do you think that a business on the internet should be that different from a business at a storefront. If the person who's picture on the wall come in with a fake mustache and dark sunglasses, he will probably not be recognized and get away with passing off a bad check a second time. Same as changing your IP address. The point is that the IP address block isn't the real point, the cease and desist letter is notification to you that you are not allowed in. If you come back, even without the IP address block, then you are trespassing. Since it isn't a real store where trespassing would be the term, then unauthorized access is the term. Things are different than the real world, but the rights of a business to kick people out of their place of business should not change just because they are on a computer rather than in a store.

Re:Store Ban

[Zero__Kelvin]

"Why do you think that a business on the internet should be that different from a business at a storefront"

Because businesses in a storefront don't have IP addresses, don't support HTTP, and don't conform the the W3C specifications. And that is just for starters.

"Things are different than the real world, but the rights of a business to kick people out of their place of business should not change just because they are on a computer rather than in a store."

I totally agree with you. An internet website absolutley has a right to control who does and does not have access to their website. The point that you just cannot seem to get is that there is a mechanism for asserting that right, and it is called auth. By definition and convention if you don't implement auth you are not making an attempt to control who does and does not enter your "store".

That is the last time I'm even going to bother entertaining a frigging analogy. If you cannot make your point without one (and you cannot) it is because you have no leg upon which to stand (which you don't, as you will surely see when you try to make one and stick to the point rather than using sleight of hand analogies.)

Re:Store Ban

[Agent0013]

Because businesses in a storefront don't have IP addresses

A storefront has a mailing address

don't support HTTP

supports human speech

and don't conform the the W3C specifications

conforms to local regulations and safety codes

I totally agree with you. An internet website absolutley has a right to control who does and does not have access to their website. The point that you just cannot seem to get is that there is a mechanism for asserting that right, and it is called auth. By definition and convention if you don't implement auth you are not making an attempt to control who does and does not enter your "store".

So every grocery store needs to give out key cards to each and every customer so that they would ever have the right to kick someone out if they wanted to in the future? Plus, getting a username and password revoked does not stop me from just signing up with a new username and password. How is that different that changing my IP address? It really didn't do anything to solve the problem of kicking someone out of your business did it? Or maybe you are saying that each and every website needs to verify the persons "Real ID" based on government id and mailing address before they would be given a user account to the site. I think this is much more than most people would want to do to use a site like Slashdot for example.

That is the last time I'm even going to bother entertaining a frigging analogy. If you cannot make your point without one (and you cannot) it is because you have no leg upon which to stand (which you don't, as you will surely see when you try to make one and stick to the point rather than using sleight of hand analogies.)

I see I did use an analogy above with the key cards, but my point about user accounts not stopping people from just making a new account has no analogy for you. Your solution does not solve anything so it is pointless to even make it. If the business does not want you there, then you are not allowed there, it's that simple.

Re:Store Ban

[Zero__Kelvin]

So the first three things you say point out the radical differences. Alas, you can't get a clue can you?

"I see I did use an analogy above with the key cards"

... and yet you went ahead and posted it anyway. I think we both know that this is because you couldn't make a reasonable sounding argument without it, as I already stated.

" If the business does not want you there, then you are not allowed there, it's that simple."

If it were that simple there would be no need for the article or any discussion of it, now would there. In truth it is pretty simple, but you have to actually understand how the internet works and stop thinking of craigslist as a local/physical store on main street first. At that point, it becomes abundantly clear. 3Tap did not attempt to circumvent auth (i.e. make an unauthorized access), so 3Tap did not attempt to gain unauthorized access. If someone from Nigeria attempts to defeat auth, they are attempting to gain unauthorized access, no matter what the local laws say, and the same goes for someone in the same country, state, or town as craigslist. Conversely, if a website is open to the public then there is no attempt to require authorization, and ergo it is impossible to attempt to gain unauthorized access, because it is all authorized, from America to Zimbabwe.

Re:Store Ban

[Agent0013]

You think authorization means some technical means. It simply means you are allowed there by the owners. Definition Authorization: Noun - 1. The action or fact of authorizing or being authorized. 2.A document giving permission or authority. So if Craigslist tell you that you are not allowed back to their site, then you are not authorized. It doesn't matter if they have some technical means to try to stop you, you are legally not authorized to be there. The law form of authorization is about your permission to be there. It is different from the technical form of authorization where the computer tries to verify your account and log you in. You could even be legally unauthorized to access a system where your account has not been removed or locked. If you logged into your account you would be breaking the law, even though the computer let you in. See the difference?

Re:Store Ban

[Zero__Kelvin]

I've given you every chance to get a clue, but you are dead set against it, so enjoy your cluelessness , and have a gret life. Plonk.

Re:Store Ban

[Agent0013]

See from my side, you seem to be the one without a clue. You think that computers are immune to the law. I would say the law is ridiculous and stupid a lot of times and lawyers are scum that just look to twist the words to mean things you didn't want them to mean. But it isn't that hard to understand that we are talking about legal terms and not computer terms.

Re:Store Ban

[Zero__Kelvin]

"You think that computers are immune to the law."

I think no such thing, except with regard to the fact that the vast majority of the computers on the internet are in fact immune to US law. What I get that you don't is that a law written as though the internet is a physical place will necessarily be invalid. You seem to think that anything written on paper and called a law is automagically legal. Furthermore, you can read any law about access control, be it patent, copyright, computer fraud, etc. and you will see that it is always up to the person seeking protection from the law to make all reasonable attempts to ensure that the bound party cannot access or use the resource. You cannot tell someone that they are not invited to the party, then invite them (i.e. public facing website with no auth system) and call the police because they accepted your invitation. By not implementing auth craigslist invites everyone in. No exceptions. There is no way around it. Good luck learning about the law and the internet!

Re: Store Ban

[bugnuts]

Way to ignore the compilation copyright. Typical "look over there" smoke and mirrors argument.

You even posted the TOS which says they can pursue copyright issues for your individual post. It is a right, as the copyright holder, you grant to them to pursue for unauthorized access to their servers. As the owner of the servers, they determine (solely) what is authorized.

Re: Store Ban

[Zero__Kelvin]

The relevant part is here: "including but not limited to any unauthorized downloading, extraction, harvesting, collection or aggregation of content that you post". They have their servers pointing to the public internet with no authorization scheme, ergo it is all authorized. Period. If they want to assert a right to authorize some, but deny others, then they need to take reasonable steps to do that, but to date they don't. They serve up all content without requiring auth. Craigslist wants to have their cake and eat it too, and you clearly support them in trying to destroy the internet, but luckily neither of you get to say what the term authorize means. It has a very clear definition in the context of a website. The fact that their lawyers don't know that is really not anyone's problem. The fact that judges are still adjudicating cases when they are incompetent with technology is everyone's problem.

There was also a cease-and-desist letter

[wonkey_monkey]

Would this ruling still have been made if they hadn't also ignored the cease-and-desist letter sent to them by Craigslist?

Re:There was also a cease-and-desist letter

[cinghiale]

That is the key part. The IP address part is just a distraction.

Re:There was also a cease-and-desist letter

[schneidafunk]

Unfortunately the IP address part got snuck into the ruling, which could have unintended consequences later. However, in this case, 3taps definitely deserves to be punished for their abusive behavior.

Re:There was also a cease-and-desist letter

[Wrath0fb0b]

No, the judge explicitly cites the C&D as part of the evidence that 3Tap was on notice that they no longer had authorization to access the site. From the the opinion

The notice issue becomes limited to how clearly the website owner communicates the banning. Here, Craigslist affirmatively communicated its decision to revoke 3Tapsâ(TM) access through its cease-and-desist letter and IP blocking efforts. 3Taps never suggests that those measures did not put 3Taps on notice that Craigslist had banned 3Taps; indeed, 3Taps had to circumvent Craigslistâ(TM)s IP blocking measures to continue scraping, so it indisputably knew that Craigslist did not want it accessing the website at all.

Re:There was also a cease-and-desist letter

[Wrath0fb0b]

The way the opinion is structured, neither the IP ban nor the C&D letter does enough work by itself. The former does not by itself provide the target with sufficient notice that their conduct is no longer authorized, while the latter doesn't provide the sort of technological barrier (albeit weak) that is circumvented.

The two work together in concert, each providing an element of the crime that the other lacks.

Does CFAA apply to the man?

[WaffleMonster]

If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

Re:Does CFAA apply to the man?

[uncanny]

Well the constitution doesn't apply to them, so why would some silly little act?

Re:Does CFAA apply to the man?

[TWiTfan]

If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

Sure, but who are you going to get to punish them when they do?

Re:Does CFAA apply to the man?

[interkin3tic]

I would honestly suggest trying it as a form of protest if you've got some money and time you're willing to part with. Though, how are you going to know if it does get stolen* by the NSA?

("stolen" here using the MPAA/RIAA definition of stealing.)

Re:Does CFAA apply to the man?

[alexgieg]

If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

No. Governments can do almost everything the laws it imposes say citizens (subjects?) cannot do. That's the point of a government, to be the single exception to the rule so that it can impose the rule on everyone else. Also, when the government promises it won't do something that isn't really binding. Sure, some of the time they'll more or less try, without much emphasis and only if they're feeling like it, most of the time however it'll be like that Star Wards exchange between Lando and Darth Vader:

Darth Vader: "Calrissian! Take the princess and the Wookie to my ship."
Lando Calrissian: "You said they'd be left at the city under my supervision."
Darth Vader: "I am altering the deal. Pray I don't alter it any further."

Over and over and over again.

Re:Does CFAA apply to the man?

[Wrath0fb0b]

If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

No. Read the opinion.

Now, if you gave notice to the individual agencies that they weren't welcome and instituted a technological control measure to block them from accessing it and they circumvented that block, then it would fall within the four corners of the opinion.

[ And anyway, there's probably a provision in the CFAA exempting law enforcement, but even if there weren't, your hypo doesn't even being to cover the fact pattern necessary here. ]

Re:Does CFAA apply to the man?

[Bruce66423]

It's interesting because in the earliest days of the net dubious sites with porn on them often sported 'NO entry for police' notices. They've now gone out of fashion, but it appears that this ruling may enable them to have a legal effect, which given the significance of due process in US jurisprudence, could be huge.

Re:Does CFAA apply to the man?

[shentino]

Two words.

Sovereign immunity.

You cannot prosecute the government itself for a crime. You'd have to press charges against a John Doe. Private citizens cannot prosecute federal crimes against anyone, that's the job of the US district attorneys.

The feds would have to investigate, the feds would have to subpoena the feds to find out whodunit, the feds would have to prosecute them, and the feds would have to fight the feds fighting it every step of the way on grounds of state secrets.

Yeah, fat chance. I can dream though. Basically it would be the DOJ vs either the CIA or the NSA.

More roadblocks come from the fact that the NSA is a subdivision of the DOD, which means there could even be military implications.

Plus, the DOJ is a hierarchial organization under the same executive branch that heads the CIA, the DOD (and thus the NSA), and the FBI.

Getting a spook prosecuted under the CFAA for trespassing on your system is an uphill battle through an obstacle course with snipers trained on you ready to sneak off a bullseye shot on your achilles heel.

Finally, they could always just get a FISA warrant rubber stamped and upgrade the snooping to a search and seizure, and punt the whole thing into 4th amendment territory, causing your legal quest to start all over again.

Re:Does CFAA apply to the man?

[FuzzNugget]

Silly rabbit, the law doesn't apply to government and police!

Re:Does CFAA apply to the man?

[Agent0013]

Silly child, laws are for the plebes. The TLA's don't follow the laws, they enforce the laws as they desire.

3Taps responds

[digitallife]

3Taps responds:

"3taps Statement Regarding craigslist’s Misuse of the CFAA
At craigslist’s urging, a federal court has recently interpreted the Computer Fraud and Abuse Act (CFAA), known as the “worst law in technology,” to apply when an owner of a public website decides that it no longer wants an Internet user accessing its website. The court held that “the statute protects all information on any protected computer accessed ‘without authorization’ and nothing in that language prohibits a computer owner from selectively revoking authorization to access its website.” Order at 12. 3taps is obviously disappointed in the Judge’s ruling and believes that by making public information publicly available on the Internet, without a password, firewall, or other similar restriction, craigslist has authorized, and continues to authorize, everyone to access that information. 3taps believes that the CFAA was meant to protect private and confidential information and that it was never meant to be used to selectively criminalize accessing public websites and obtaining the public information found on those sites. Importantly, the Court noted that the “current broad reach of the CFAA may well have impacts on innovation, competition, and the general ‘openness’ of the internet . . . but it is for Congress to weigh the significance of those consequences and decide whether amendment would be prudent.” Order at 12. 3taps continues to urge Congress to clarify the scope of the CFAA so that companies like craigslist cannot use it as a tool to stifle competition, innovation, and access to public websites.
While we disagree with the Court’s interpretation of the CFAA, we of course respect the Court’s ruling. Accordingly, 3taps will adhere to the current interpretation of the law and will immediately cease all access to craigslist’s servers. (Significantly, 3taps only began accessing craigslist’s servers because, as alleged in 3taps’ antitrust counterclaim, craigslist interfered with 3taps’ ability to source content through general search engines.)
Although craigslist may use the CFAA as currently interpreted to prevent 3taps from accessing its servers, 3taps can continue to function because directly accessing these servers is only one of three ways in which the information in question can be obtained. The other two, crowdsourcing and public search results, require no such access to craigslist’s servers and thus obviate the need to engage in conduct that may implicate the CFAA.
Going forward, 3taps will operate based on its understanding that if it does not access craigslist’s servers, it has a right to collect public information originally posted on craigslist’s website. In particular, 3taps reasserts four fundamental points:
3taps does not now scrape craigslist’s servers, and therefore, cannot be in violation of the CFAA.
3taps' indexing and caching of exchange posting data reduces (rather than increases) the net computing resources expended by craigslist and other publishers to deliver complex search results to end users.
As the Court previously held, craigslist cannot rely on its current Terms of Use to claim the right to enforce copyrights associated with user-generated ads posted on its website.

The United States Patent and Trademark Office recently confirmed that craigslist cannot trademark a peace sign – even if that peace sign is purple. See http://ttabvue.uspto.gov/ttabvue/ttabvue-77956067-EXA-24.pdf. 3taps and others cannot be harassed for using the peace sign to indicate where information was sourced.
3taps will hold a public event to demonstrate to any interested party that it is possible (despite assertions to the contrary) to obtain public information on the Internet without reliance on accessing a particular source website. 3taps believes that, by no

Re:3Taps responds

[Wrath0fb0b]

3taps [...] believes that by making public information publicly available on the Internet, without a password, firewall, or other similar restriction, craigslist has authorized, and continues to authorize, everyone to access that information.

This sounds plausible until you realize the subtle trick they are pulling in conflating the information itself with the instance of the information stored on CL servers. 3T does, in fact, have every right to access and publish that information. What they do not have is the right to use any particular server to access that information against the express desire of the owner of that server.

It's a bit like confusing the contents of a book with a particular copy of it. Anyone can read Shakespeare, but if the library forbids you from entering, you can't read the particular copy that is on their shelf -- even if they generally let everyone in without checking ID. Craigslist has not forbidden 3T from accessing the information, they have forbade them from accessing CL's servers.

Re:3Taps responds

[Maow]

3Taps responds:

"3taps Statement Regarding craigslist’s Misuse of the CFAA

3taps is obviously disappointed in the Judge's ruling and believes that by making public information publicly available on the Internet, without a password, firewall, or other similar restriction, craigslist has authorized, and continues to authorize, everyone to access that information.

I'll admit I didn't read the *entire* post, but the "without ... firewall" part stuck out to me.

Craigslist put an IP block in place against 3taps. Whether it was with a firewall like iptables or whether it was enacted within the Craigslist software, it seems 3taps' argument has fallen apart already. There was, for all intents and purposes, a firewall in place to block them.

Rulings should go past technical review

[sandbagger]

When judges write their rulings -- or rather their employees write their rulings -- the document may go onto a few peoples' desks before release. The more complicated the ruling, the more this is likely as judges don't like things getting overturned. Lots of overturned on appeal looks bad, apparently. Well, it may time for judges to get their rulings to pass some elementary technical review.

Re:Rulings should go past technical review

[Virtucon]

That's what the appeals process is for so lawyers on both sides can argue what's right or wrong with the ruling. Amicus briefs can be filed by knowledgeable and respected organizations or individuals on both sides of the arguments as well to point out specific flaws or finer points that weren't exposed in the original trial. These briefs or amici curiae are most often used in appeals. So the EFF or the FSF could file a brief in the appeal on this case based on the legal and technical problems for society that it creates.

That doesn't solve the problem of a bad law, like the CFAA which is rotten to the core. In this case it sounds like 3Taps was told to stop particular activity, scraping servers, by Craigslist and when they didn't stop Craigslist pursued the matter in court. 3Taps also appears to have used masking techniques to try to hide their activities which also forced Craigslist to seek a judicial ruling. In this case the C&D didn't work, which is more friendly, 3Taps said screw that and then went after using proxy servers which Craigslist detected and somehow tracked back to 3Taps so in this case you have somebody you've told to stop accessing your website against your ToS and the CFAA applies there. Not that I agree with all of the CFAA but certainly telling somebody to stop breaking into your house, time and time again, is more than reasonable and when they won't stop you can seek legal means to make them stop. Craigslist has also shut down other apps that scraped their servers as well. Even though their UI sucks and it seems their legal team doesn't. Good for them.

Not Unreasonable

[ggraham412]

It seems like Craigslist had to pass two hurdles to get to this result. First, they sent a cease and desist letter to 3taps which effectively withdrew authorization to use their website for scraping. Second, they put up a technological barrier (albeit a token one) to prevent 3taps from scraping. 3taps subsequently ignored the cease and desist letter willfully, as demonstrated by their use of proxies. I don't think 3taps has any legs to stand on.

Anyone who uses a proxy does not have to worry about violating the CFAA unless they are doing it specifically to get somewhere they have been explicitly banned from. 3taps apparently was taking ads from Craiglist and pawning them off on some other website. Sorry, you can't ethically do that any more than I could scrape comments off of this site and pass them off as coming from pishpot.org.

I do think that it is inane to call this a criminal matter, however. As it was inane in the Schwarz/JSTOR case too. Over-criminalization is a general problem.

Re:Not Unreasonable

[Jane+Q.+Public]

"It seems like Craigslist had to pass two hurdles to get to this result. First, they sent a cease and desist letter to 3taps which effectively withdrew authorization to use their website for scraping. Second, they put up a technological barrier (albeit a token one) to prevent 3taps from scraping. 3taps subsequently ignored the cease and desist letter willfully, as demonstrated by their use of proxies. I don't think 3taps has any legs to stand on. "

Sorry, but that doesn't follow. The issue here is not whether 3taps had permission. The issue is whether accessing the site without permission should be a crime (much less a felony).

And Aaron Schwarz is indeed a good example of that already happening. The problem here seems not to be that it's not a slippery slope, but that 3taps' did not present a good argument that it was.

The "slippery slope" is actually pretty darned evident, and 3taps should simply have made their argument better. For example, allowing CFAA prosecution simply on violation of the terms of use is itself a slippery slope, because in effect it allows website owners to write their own laws.

The judge's argument appears to be "but it would never be enforced that way". When if fact we know that it has been.

Re:Not Unreasonable

[david_thornley]

This ruling does not imply that Aaron Schwarz was acting illegally, and it isn't a slippery slope. Terms of use had nothing to do with the decision.

The important features are the formal letter CL sent to 3taps, informing them that they didn't have permission to access CL servers with HTTP requests, and the IP block CL set up. Schwarz was never formally notified that he didn't have access permission, although he did evade some technical restrictions. If the judge's ruling stood up as the definitive interpretation of the law, Schwarz wouldn't be guilty of violating the CFAA (which of course would not have prevented the overzealous prosecutor from threatening him)

Re:Not Unreasonable

[Jane+Q.+Public]

"This ruling does not imply that Aaron Schwarz was acting illegally, and it isn't a slippery slope. Terms of use had nothing to do with the decision."

Did you read OP and TFA?

First, I didn't say the ruling implied Aaron Schwarz acted illegally. What I stated was that Aaron Schwarz's case was an example of the actual slippery slope related to attempts to criminalize violations of Terms of Use.

And I didn't say that terms of use had anything to do with THIS decision, although they did, at least peripherally. The "block" message (which wasn't really a block in any technical sense) was apparently sent because of a violation of the Terms of Use. Though that message was not itself part of their standard terms.

My point was that there *IS* an actual slippery slope in the general concept that violation of terms of use can constitute a crime. That may not apply to this specific case and ruling, but the slippery slope does exist, and the Schwarz case was a prime example of it.

Re:Not Unreasonable

[david_thornley]

Sorry, I didn't get that from your post.

Further, the slippery slope argument doesn't apply to this story, because the judge's ruling cited two actions on CL's part. CL did those because of their terms of use, but the judge didn't say anything implying that violating TOU was criminal. The ruling was that it is possible to deny somebody authorization to access a site by sending formal notice, regardless of why, that accessing the site afterwards is unauthorized access, and bypassing even a trivial IP block is evidence of intentional access. This is a step against the slippery TOU slope, in that the TOU had nothing to do with the judge's decision. (That the TOU caused CL to deny authorization is immaterial; they could have done that just as legally if they didn't like organizations with names beginning with a digit, and the ruling would have been just as applicable.)

Actually, it's an EXCELLENT ruling

So, I set up a few firewall rules to block connections from the NSA and then they circumvent that block, then whammo on them with the CFAA.

Captcha: erection

Re:Actually, it's an EXCELLENT ruling

[Bruce66423]

In your dream... but it's a cute dream...

mod up

[schneidafunk]

mod up

Re:mod up

[bluefoxlucid]

Short version:

Wah wah they told us we couldn't load their servers with screen-scraper shit and sent us legal threats and official notarized C&Ds, and we did it anyway by changing an IP address--a normal thing that users can do even without realizing it--and the judge got pissed at us! I mean how is this different than changing our clothes before walking back into a store we're banned from for harassing the staff?! Are they going to arrest us for changing our clothes now?!

There's a huge logical fallacy in their legal argument.

Re:A call to arms, disguised as a court ruling.

[bluefoxlucid]

Have you already sent legal cease-and-desist letters to everyone who unknowingly or knowingly has abused your domain by accessing it; and have they provably ignored this order by willful intent, possibly by circumventing a minor technical barrier?

Slippery slope arguments are always bad

[doug141]

Their premise is the current case is not bad enough for opposition, and only some hypothetical future case is bad enough for opposition. It's a form of strawman argument.

Re:country borders on the internet

[sosume]

ever seen 'this advertisement is not available in your country'

Try viewing trailers for US shows and movies from outside the US.. The recent trailer for Breaking Bad comes to mind.

Over-eager blacklists?

[nine-times]

Not everyone on a blacklist is guilty. If one person on your work network gets blacklisted from a site, it will hit everyone on that network. Sometimes sites will even blacklist whole IP ranges because too many IPs in the range have been engaged in something malicious, but that doesn't mean that every IP in the range is doing something wrong. And as the summary points out, IPs are allocated dynamically, and not intended to be used as authentication of a real-life identity. Your IP might be blacklisted for actions taken by someone who used that IP previously. And even if you are banned for good reason, it may be that you received an automated ban because your computer was infected with some malware. Once you clean off the malware, you might be fine.

Yet you're telling me that, if I try to bypass a blacklist for any reason, I'm committing fraud?

They violated a cease and desist letter, so if that can carry any penalty, hit them with it. But there should not be any criminality applied to changing or obscuring your IP address.

Re:Over-eager blacklists?

[omnichad]

Agree. The CFAA is only being abused to amplify charges. An IP block is a lot different than being told "Leave and don't come back." For one, it could have been an automated process. If the blocked IP literally received a "Leave and don't come back" message instead of a dropped connection, that might be somewhat different but not enough to establish it in my mind. I'm not surprised at all that a judge has trouble understanding the differences - it's still fairly technical.

Re:Over-eager blacklists?

[shentino]

Sorry, that doesn't fly.

Whether you deserve to be on the blacklist or not is an internal matter for Craigslist to decide in its sole and final discretion. Craigslist is private property and they reserve the right to ban anyone they darn please, for any or no reason. It's their blacklist to maintain as they see fit.

The C&D letter proves that they were not welcome, and that they also knew it. It is irrelevant if they deserved to be banned or not. The bottom line is that they were banned and deliberately defied the ban. If it was a mere accident, you'd have a point. But it was not an accident, so your dynamic IP argument doesn't hold water.

Analogy:

I hate the Seahawks with a passion. You come into my tavern wearing blue and green, and I tell you to GTFO and never come back. No, you did not deserve to be 86'ed, because spite bans are unreasonable and I was being an asshole.

You are still in the wrong if you change your clothes and come back in. You are defying my propriety, and I am completely within my rights to have you arrested for trespassing. You would go to jail, and you would also deserve it.

I would deserve a vicious bite on the ass from karma, and my patrons would probably avoid me like the plague. But my being an asshole does not give you a get out of jail free card for trespassing. And more importantly, my reasonableness is not for you to judge.

Furthermore, if I had a good reason to even *believe* you were there to cause trouble, I'd be in the right morally as well as legally. As the owner, I am the rightful judge of what is and is not appropriate, and I cannot afford the time to second guess every single decision I make. If I'm honestly convinced you're bad for the tavern, then out you go. Even if I happen to be wrong, any resistance on your part would only serve to justify my decision. Because at that point, you are showing contempt for my authority over the tavern, which itself is disruptive.

Re:Over-eager blacklists?

[gnasher719]

Yet you're telling me that, if I try to bypass a blacklist for any reason, I'm committing fraud?

If _one_ person is blacklisted (lost their legal authorisation to access the site), and a blacklist blocks a whole bunch of people from accessing the site, then all but one of them are still legally authorised. Of course the site may say "we have so much trouble coming from that IP range, we blacklist all of them". Which is a bit unfair, but perfectly legal.

Imagine one person is banned from a shopping mall. If that person puts on a false beard and enters the shopping mall, they may not be recognised, but they are still trespassing. If _you_ put on a false beard, that doesn't make you a trespasser.

Re:Over-eager blacklists?

[nine-times]

Imagine one person is banned from a shopping mall. If that person puts on a false beard and enters the shopping mall, they may not be recognised, but they are still trespassing. If _you_ put on a false beard, that doesn't make you a trespasser.

Right, but what this ruling seems to suggest is that changing/obscuring your IP to get bypass a blacklist is, in itself, a felony because it's considered 'hacking'.

Re:Over-eager blacklists?

[nine-times]

Craigslist is private property and they reserve the right to ban anyone they darn please, for any or no reason.

Yes, but it's 'private property' in a very strange way, in that they're also a public website. It's not 'private property' like your house is private property. It's 'private property' like the newspaper classifieds section is. The newspaper press can ban you from buying their newspaper, but reading the newspaper doesn't suddenly become a felony.

The C&D letter proves that they were not welcome, and that they also knew it.

So what? If violating the C&D constitutes a crime, then that's a crime. Fine, so be it. Punish these guys for knowingly violating the C&D. That shouldn't make the act of bypassing a blacklist illegal.

To use an analogy: I could use email to plan a robbery, but a judge shouldn't then conclude that 'sending email' is an illegal act.

To use your analogy: Yes, you're allowed to ban me from your tavern. If I insist on coming in anyway, you may be able to have me charged with trespassing. If I'm wearing a disguise, it does not then make me more allowed to trespass on your property. However, the fact that someone was wearing a disguise while trespassing on your property should not make it a felony to wear any kind of disguise.

Re:Over-eager blacklists?

[david_thornley]

Yet you're telling me that, if I try to bypass a blacklist for any reason, I'm committing fraud?

No, nobody's telling you that.

The judge apparently assumes that people are in general authorized to access public web sites, but that a formal letter revoking that authorization to a particular entity does remove the authorization. A C&D letter isn't a legal mandate, and you won't be prosecuted for violating one, but you could be if you do something potentially illegal. The fact that 3taps circumvented the IP block established intent.

It's possible that there will be a ruling saying that bypassing and IP block is unauthorized access (and I hope not), but this isn't it.

Craigslist has been overjealous for some time

Despite posing to contrary, Craigslist has been in overjealous position for some time. There is fine line between protecting your business/IP and vehemently preventing anyone from extending on your service, even when they give you credit.

For example, CL has been going after any service that would display CL postings in a different matter (ordered list etc), even when those sites do not scrape full content, duly link the ad back to CL for full details etc. In a nutshell, CL doesnt want anyone else to access their system in programmatic manner, even if they give credit back to CL, does not want to sell such access for decent price, except for the end users that THEY decide will get in.

On the surface, that may look ok, technically, but using all sorts of crappy laws to prevent any extension is sort of what Microsoft does to others.

Re:country borders on the internet

[BitZtream]

And you shouldn't be telling me how my content has to be distributed either.

You want me to do what you want, while completely ignoring my own wishes.

The web is OPEN, that means NEITHER ONE OF US GET TO DECIDE WHAT ANYONE ELSE DOES WITH THEIR OWN CONTENT.

You don't get to decide who craigslist grants access to. You're a fucking moron for even thinking such a retarded selfish thing. You're not the only person in the world you selfish prick.

they weren't aware they were scraping against C&am

[raymorris]

> that one might follow a link to material on a website without being aware of its being on that website, and then be held accountable for

You think they weren't aware that their business model was scraping craigslist? They were most certainly aware of which site they were scraping. When they signed for the certified C&D letter, they were well aware that they were doing so over the objections of the owner.

To me, this is exactly like criminal trespass. The fact that they set up proxies in attempt to hide their actions is further evidence that they knew what they were doing was wrong.

Re:country borders on the internet

[Zontar+The+Mindless]

Try following a link in your GMail on your tablet or mobile phone to what looks to be an interesting video, only to hit a heartwarming "The owner of this content has not authorised viewing on mobile platforms" YouTube page, for that matter.

fyi over zealous

[raymorris]

Fyi, the phrase is "over zealous". Carry on.

This means ...

[PPH]

... when Moot bans you from /b/, he means it!

that slope isn't slippery

[raymorris]

I agree with your post. This case is plain old criminal trespass.

I have to comment on your subject line. Some slopes are known to be slippery, so it's valid to be concerned that "if you authorize the NSA to do X, they may well stretch the limits to Y".

Re:that slope isn't slippery

[Agent+ME]

Accessing a website through a proxy is "plain old criminal trespass"?

Re:No shit

[mrbester]

Stores and bars can have security on the doors to prevent unauthorised entry. So can Craigslist. That a law conflates physical trespass with accessing an open site is bathetic.

Are you using Bizzaro world craigslist?

[Zero__Kelvin]

So we already agree that it isn't unauthorized access (you are already further ahead of the game than most; congratulations.) It would be copyright infringement, except they don't own any copyright on what I post..

". The users who posted the ad gave license to Craigslist to publish the ad freely (via T&C's) but not to this third-party."

No. They do no such thing. I just posted an ad, and they don't even ask you to agree to a TOS before posting, nor do they have a notice assigning your copyright to them. They have no claim, and the judge is an ignorant buffoon.

Correction to: Are you using Bizzaro craigslist?

[Zero__Kelvin]

I just clicked on the link and the E-Mail, and they do in fact require acceptance of a TOS to post, but they do not require an transfer of copyright. They merely say this:

"You automatically grant and assign to CL, and you represent and warrant that you have the right to grant and assign to CL, a perpetual, irrevocable, unlimited, fully paid, fully sub-licensable (through multiple tiers), worldwide license to copy, perform, display, distribute, prepare derivative works from (including, without limitation, incorporating into other works) and otherwise use any content that you post. You also expressly grant and assign to CL all rights and causes of action to prohibit and enforce against any unauthorized copying, performance, display, distribution, use or exploitation of, or creation of derivative works from, any content that you post (including but not limited to any unauthorized downloading, extraction, harvesting, collection or aggregation of content that you post)."

In other words they have a license to copy your copyrighted works. Craigslist does not own the copyright. They merely have permission to copy it. They also claim the right to stop unauthorized copying, but since they don't own the copyright, only the poster can claim copyright infringement. Craigslist has no leg upon which to stand. Period.

Re:Correction to: Are you using Bizzaro craigslist

[omnichad]

I don't think that's necessarily true. If a media company can hire a firm to send DMCA notices on their behalf, an individual can "hire" Craigslist to police your copyrighted ad for you.

Vague and Broad Laws are Awesome!

[Requiem18th]

The more vague and broad a law is the more inconvenient people we can incarcirate! We should strive to make sure the dirty peasants know that the moment they get out of line we will slam the book against them with as many vaguely defined crimes as possible!

Re:Correction to: Are you using Bizzaro craigslist

[Zero__Kelvin]

Technically you could do that, but nobody did that. As you rightly point out, the person who owns the copyright is the poster, and they would have to complain. Of course, this is where craigslist and the posting person are at odds, since the posting person wants their ad seen by as many people as possible. It is to their advantage to have it replicated.

Re: Correction to: Are you using Bizzaro craigslis

[Zero__Kelvin]

No. They do no such thing. Read the wording again. It says they can go after unauthorized copying. Again, they have no authorization system, so it is all authorized. Period.

Re:Correction to: Are you using Bizzaro craigslist

[omnichad]

Nobody did that? I think that's part of what's in question.

You also expressly grant and assign to CL all rights and causes of action to prohibit and enforce against any unauthorized copying, performance, display, distribution, use or exploitation of, or creation of derivative works from, any content that you post (including but not limited to any unauthorized downloading, extraction, harvesting, collection or aggregation of content that you post).

They offer that "service" for free. It's to the user's advantage to have their ad plastered all over the web, but they could still implicitly accept a contract that waives that. And not everyone necessarily wants their ad elsewhere.

Re: Correction to: Are you using Bizzaro craigslis

[bws111]

Authorization means that the owner has given you permission. Period. It has NOTHING to do with technical controls. The means of notification of authorization (or lack thereof) are immaterial. As soon as they received the C&D letter they were unauthorized and knew it. Stop pretending it is otherwise.

Re:Correction to: Are you using Bizzaro craigslist

[Zero__Kelvin]

"Nobody did that? I think that's part of what's in question."

Nowhere is it even suggested that any craigslist poster went to court over this issue.

Re:Correction to: Are you using Bizzaro craigslist

[omnichad]

You must be reading what you wrote differently than I am. I don't see the word court in either of our posts. I thought by "Nobody did that" you were referring to "an individual can "hire" Craigslist to police your copyrighted ad for you"

Yes, after you've received legal notice, definitio

[raymorris]

Yes, this scenario is criminal trespass in all states.

Some states define criminal trespass as entering after having received due notice that you are not welcome. They acknowledge they were so notified.
Other states define criminal trespass as entering with the intent to perform an unlawful act. Again, they entered the system with the intent to commit an unlawful act, to wit copyright infringement, unfair competition, etc.

So yeah, it's a plain and ordinary case of criminal trespass. The only thing slightly interesting is that they had been notified they were not welcome to enter a web property as opposed to a brick and mortar store or other place.

piratebay can now block, sue the cops

[cheekyboy]

if the cops try to use different IPs they are breaking the law. ahhahhaa

Re: Correction to: Are you using Bizzaro craigslis

[SpanglerIsAGod]

You are an awesome troll.

Re:Yes, after you've received legal notice, defini

[idontgno]

enter a web property as opposed to a brick and mortar store or other place.

Crippling unnoticed fallacy: there's no such thing as web property. Otherwise, where's the web deed? Where's the web plat book?

(And don't try to cite the DNS system. The DNS system confers no ownership.)

Re: Correction to: Are you using Bizzaro craigslis

[Zero__Kelvin]

If I were a troll at all then you would indeed be correct ;-)