[Advocacy Advisors] Ars Technica: Changing IP address to access public website ruled violation of US law

[Anirudh Bhati]

Does this mean that block circumvention by users by changing/masking
their IP addresses would now be a violation of the law?

---
Changing IP address to access public website ruled violation of US law

http://arstechnica.com/tech-policy/2013/08/changing-ip-address-to-access-public-website-ruled-violation-of-us-law/

Changing your IP address or using proxy servers to access public
websites you've been forbidden to visit is a violation of the Computer
Fraud and Abuse Act (CFAA), a judge ruled Friday in a case involving
Craigslist and 3taps.

The legal issue is similar to one in the Aaron Swartz case, in which
there was debate over whether Swartz "had committed an unauthorized
access under the CFAA when he changed his IP address to circumvent IP
address blocking imposed by system administrators trying to keep
Swartz off the network," law professor Orin Kerr wrote yesterday on
the Volokh Conspiracy blog.

The ruling in Craigslist v. 3taps (PDF) is the first "directly
addressing the issue," Kerr wrote. 3taps drew Craigslist's ire by
aggregating and republishing its ads, so Craigslist sent a
cease-and-desist letter telling the company not to do that. Craigslist
also blocked IP addresses associated with 3taps' systems.

"3taps bypassed that technological barrier by using different IP
addresses and proxy servers to conceal its identity and continued
scraping data," wrote Judge Charles Breyer of US District Court in
Northern California. Craigslist subsequently accused 3Taps of
violating the CFAA, which "imposes criminal penalties on any person
who, among other prohibitions, 'intentionally accesses a computer
without authorization or exceeds authorized access, and thereby
obtains... information from any protected computer.'”

3taps asked the court to "hold that an owner of a publicly accessible
website has no power to revoke the authorization of a specific user to
access that website" and argued that criminalizing its activity under
the CFAA would create a slippery slope that could harm ordinary
Internet users and allow Web companies to use anti-competitive
practices.

Breyer denied the company's motion, saying 3taps did not prove that
Craigslist's actions were illegal. Under the "plain language" of the
CFAA, 3taps did not have authorization to visit Craigslist:

3taps’ argument starts out on firm statutory ground: “[B]y making the
classified ads on its website publicly available, Craigslist has
‘authorized’ the world, including 3taps, to access craigslist.org.

But it does not answer the question here, which is whether Craigslist
had the power to revoke, on a case-by-case basis, the general
permission it granted to the public to access the information on its
website. Craigslist certainly thought it had such authority and sought
to exercise it through its cease-and-desist letter and IP blocking
measures. 3taps says that Craigslist had no power to “de-authorize”
anyone, but it cannot point to any language in the statute supporting
that conclusion.

In fact, the statutory context and the Ninth Circuit’s interpretation
of the phrase “without authorization” both cut against 3taps’
argument. One way to accomplish the result that 3taps
urges—prohibiting computer owners from revoking “authorization” to
access public websites—would be to restrict the kind of information
protected by the CFAA. For example, Congress might have written §
1030(a)(2) to protect only “nonpublic” information. A neighboring
provision in the CFAA includes that very modifier and prohibits access
without authorization to “nonpublic” government computers. Another
adjacent provision applies only to certain kinds of financial
information. Congress apparently knew how to restrict the reach of the
CFAA to only certain kinds of information, and it appreciated the
public vs. nonpublic distinction—but § 1030(a)(2)(c) contains no such
restrictions or modifiers.

Breyer also tore down 3taps' slippery slope arguments. The average
person does not use an anonymous proxy to bypass IP blocking enforced
through a cease-and-desist letter addressed specifically to that
person, the judge wrote:

Without any language in the statute to support its arguments, 3taps
lets the cat out of the bag in the concluding section of its brief and
urges consideration of “serious policy concerns” raised by
straightforward application of the CFAA’s broad language. There, and
sprinkled throughout its earlier, ostensibly text-based, arguments,
3taps posits outlandish scenarios where, for example, someone is
criminally prosecuted for visiting a hypothetical website
www.dontvisitme.com after a “friend”—apparently not a very good
one—says the site has beautiful pictures but the homepage says that no
one is allowed to click on the links to view the pictures. Needless to
say, the Court’s decision [regarding 3taps' actions]... does not speak
to whether the CFAA would apply to other sets of facts where an
unsuspecting individual somehow stumbles on to an unauthorized site.

3taps also invites this Court to make all manner of legislative
judgments turning on, for example, the “culture” of the Internet, the
Court’s view of whether accessing a website is more like window
shopping from a public sidewalk or actually entering a store and
whether “a permission-based regime for public websites could implode
the basic functioning of the internet itself.” 3taps opines that “the
‘socially prudent’ benefits of finding an implied license [to access
public website data] far outweigh any social utility derived from
allowing a website owner to selectively block access to publicly
available information, including by competitors.”

Maybe, or maybe not—but it is certainly not for this Court to impose
its views on those matters on unambiguous statutory language.

IP blocking hardly much of a “technological barrier”

Kerr, a professor of law at George Washington University and a former
trial attorney in the Computer Crime and Intellectual Property Section
at the US Department of Justice, wrote that Breyer's decision is
consistent with his view that "circumventing some kind of
technological barrier is required to violate the CFAA." However, Kerr
is disappointed that Breyer takes it as a given that changing one's IP
address or using a proxy counts as the circumvention of a
technological barrier.

Whether Craigslist sent a cease-and-desist letter to 3taps is only
necessary to prove 3taps' intent in accessing the website despite
being told not to, Kerr wrote. The "circumvention of a technological
barrier" question is a separate one that isn't addressed in the ruling
in any depth, he wrote.

"The counterargument runs like this," Kerr wrote. "IP addresses are
very easily changed, and most people use the Internet from different
IP addresses every day. As a result, attempting to block someone based
on an IP address doesn’t 'block' them except in a very temporary
sense. It pauses them for a few seconds more than actually blocks
them. It’s a technological barrier in the very short term but not in
the long term. Is that enough to constitute a technological barrier?"

Kerr wrote by way of disclosure that "I have discussed this case with
the defendant’s side but my analysis here remains my independent
opinion."

The CFAA itself could get an overhaul in Congress due to a bill
introduced in response to the prosecution of Swartz, who committed
suicide before his trial.

The bill's text "deletes the vague phrase 'exceeds authorized access
and clarifies the definition of 'access without authorization,' key
fixes in a law that has for years been misinterpreted because of its
vague definitions," according to the Electronic Frontier Foundation.
"Without this change, the government could've prosecuted everyday
Americans for violating low-level terms of service violations... In
short, everyone would be a criminal, leaving it up to the government
to decide when and where to bring down the hammer."