

Innovation or Exploitation
August 29, 2013 11:05 AM

The Limits of Computer Trespass Law (Lengthy video with audio available) "Have you ever borrowed a smartphone without asking? Modified a URL? Scraped a website? Called an undocumented API? Congratulations: you might have violated federal law!" Legal and internet thinkers (including Ed Felten, Jennifer Granick, Dan Auerbach, & others) talk about vagueness in the Computer Fraud and Abuse Act, chilling effects, and the prosecution of Aaron Swartz in a panel discussion at Stanford's Center for Internet and Society.

Previously on MetaFilter, "Manning Trial and the CFAA"
posted by gauche (16 comments total) 12 users marked this as a favorite

 
Lawyers of MetaFilter, you can watch this video for CLE credit here if you like (search for "Innovation"). That's where I found it.
posted by gauche at 11:08 AM on August 29, 2013


And now I get CLE credit for browsing MeFi. Excelleeeeent.
posted by monju_bosatsu at 11:43 AM on August 29, 2013


IP Cloaking Violates Computer Fraud and Abuse Act, Judge Rules
posted by homunculus at 11:49 AM on August 29, 2013 [1 favorite]


Oh, yeah, that was mentioned as well. Apparently that was among the charges being brought against Aaron Swartz: he assigned himself a new IP address on MIT's network when his first one was blocked. Thing is, according to one of the presenters, MIT's network has a big block of IP addresses that anybody on campus can self-assign. Nevertheless, the prosecutor called this an attempt to circumvent a security measure.
posted by gauche at 11:55 AM on August 29, 2013


Which it was. If you're told that you're no longer allowed in a certain place and you don a disguise so you can re-enter, the simplicity of your disguise has no bearing on the fact that you are trespassing. There are many acts that, taken alone, are perfectly legal but, when a criminal motive is added, become criminal acts.

Intent matters.
posted by NoxAeternum at 1:48 PM on August 29, 2013 [2 favorites]


"Called an undocumented API?"

Oh great. Thanks, Microsoft, for making me a criminal apparently.
posted by Foosnark at 3:25 PM on August 29, 2013


I hope they don't extend it to poorly documented API calls or a whole lot of us are going to the stony lonesome.
posted by double block and bleed at 4:27 PM on August 29, 2013 [6 favorites]


"If you're told that you're no longer allowed in a certain place and you don a disguise so you can re-enter, the simplicity of your disguise has no bearing on the fact that you are trespassing."

Nevertheless, a federal prosecutor cannot bring charges against you for wearing a wig to get free drinks on Ladies' Night.
posted by RobotVoodooPower at 5:41 PM on August 29, 2013


RobotVoodooPower: I'm more attacking the EFF's asinine position that "IP/MAC spoofing shouldn't be considered a breach of a technological barrier because it's too easy." Well, washing a knife with bleach is pretty easy, and by itself is legal. But if that knife was just used to stab someone 57 times, then you're engaging in evidence tampering at the very least, and that is a crime, ease of the task or not.
posted by NoxAeternum at 6:14 PM on August 29, 2013


"IP/MAC spoofing shouldn't be considered a breach of a technological barrier because it's too easy"

I didn't read the EFF's position quite like that. They are concerned about the felonization of a common, often automatic act (changing your IP address, not spoofing). It would be very hard to operate a web search engine, for instance, if you had to worry about federal charges if your crawler accidentally crawled a site you were told to avoid.
posted by RobotVoodooPower at 6:34 PM on August 29, 2013


"They are concerned about the felonization of a common, often automatic act (changing your IP address[...]"

With a specific and provable intent to circumvent a restriction. There has to be legitimate prior warning.
posted by gjc at 7:12 PM on August 29, 2013


There's no requirement for a prior warning in the CFAA. It's just about intent and whether you did something that could be argued to be "exceeding authorized access".

The changes to the law supported by EFF seem pretty reasonable to me, and are mainly about decoupling CFAA from TOS agreements, as recent court decisions have already decided.
posted by RobotVoodooPower at 8:12 PM on August 29, 2013 [1 favorite]


homunculus: "IP Cloaking Violates Computer Fraud and Abuse Act, Judge Rules"

That is not a good example of something that should evoke outrage. It would be one thing if 3Taps had through some fluke happened to be renumbered and some employee unthinkingly browsed over to Craigslist, but that's not what happened. They were knowingly and willingly evading an IP ban.

The issue there is the intent to gain access after specifically being notified that they were not in fact welcome to access Craigslist's network. That's computer trespass, and should be.

If you personally have not been disinvited from using a computer system and it is left open for public use, you are welcome to access that service with any IP you like. If you do not have legitimate access, however, and you take an overt act with the intent of gaining access that you are not entitled to have, that is a problem. As it should be.
posted by wierdo at 10:30 PM on August 29, 2013 [1 favorite]


It's completely ridiculous that "URL modification" can be considered a crime.
posted by Mitheral at 10:05 PM on August 30, 2013


We take meatspace trespass seriously because trespass creates a potential for violence. We've no such justification in cyberspace, well outside hospitals.

Also, even potentially automatic or legitimately forgetful actions should never be felonies: Revisiting a website is potentially automatic or legitimately forgetful. Altering IP address is potentially automatic. What if you just run Tor to confuse the advertisers and accidentally revisit an old URL?

After Aaron Swartz, there can be no benefit of the doubt granted to DOJ prosecutors' selection of cases. At best, they're trying to collect as many and as unusual convictions as possible, like Pokémon or something. At worst, they're actively pursuing their own nefarious intent through selecting their cases.
posted by jeffburdges at 4:23 AM on September 9, 2013


I don't disagree that the DOJ is far too political in choosing which cases to prosecute vigorously and which to either ignore completely or plea bargain to a short sentence.

That said, I seem to recall that intent is an element of the crime. So if you're banned from a site and genuinely forget and visit the site again at a later date, that's in no way against the law. Nor would that likely be prosecuted even if intent were not an element of the crime.

3Taps clearly acted with the intent to evade the ban after previously being explicitly informed of said ban (it's not like it was a silent fail2ban block that could just as easily indicate a site or network outage rather than a block), so I'm not really sure where the complaints with that particular case are coming from.

I don't think it's unreasonable to argue that cases that don't involve espionage or concrete and significant financial loss should have a lesser maximum sentence, and it even seems like it might be a good idea given the Swartz case.

Furthermore, it's short-sighted to say that trespass law only exists to prevent violence. It also exists to protect privacy and property rights, economic interests, and for other reasons. It's not really any more awesome for me if you snoop on my private papers stored on a server (or my home computer) over the network than if you peep in my windows. Nor is it better for me to have to wipe and reinstall said server or computer because of your trespass than it is to lose a few rows of crops because you were traipsing through my field.

In the real world, you can't be convicted of trespass if you traipse through my field unless it is either posted "no trespassing" or I have previously told you that you are not welcome in my field. The same goes in the computer world, at least when prosecutors aren't bending the meaning of words. That's less a problem with the words than with the ethics of a certain part of the legal profession.
posted by wierdo at 3:51 PM on September 10, 2013

