First, editorailized headlines are not allowed by site rules. (EDIT: The headline is now changed. It previously read, "Change your IP, go to jail" or something like that.)
Anyway, Craigslist told 3taps in a legal notice: "Don't abuse our website." 3taps did anyway. IANAL but this appears clear from the second and third quoted paragraphs (and Orin Kerr, a noted expert on these things, seems to agree):
The banned user has to follow only one, clear rule: do not access the website. The notice issue becomes limited to how clearly the website owner communicates the banning. Here, Craigslist affirmatively communicated its decision to revoke 3Taps’ access through its cease-and-desist letter and IP blocking efforts...
You might as well say, "Enter a building, go to jail"... if the door is a side entrance to a privately owned public space (such as a shop) which has banned you from their property. That is how the judge sees it.
I personally have some sympathy for 3taps and I expect most of HN does also. The open Internet is not like any old public space. But the ruling doesn't threaten to ambiguously target people who just change an IP to get around an ordinary IP ban.
I personally have some sympathy for 3taps and I expect most of HN does also.
I don't. Craigslist said 'stay off our site' and they refused. I do not subscribe to this HN meme that 'if you can hack it, you should enjoy the benefits.' All that has resulted in is a security arms race which doesn't benefit anyone.
I think where we have sympathy for them is in that they solve a problem / are trying to provide value to people when craigslist has refused to do so. We dont like that innovation is being thrown out because it isnt in the controlling companies best interests. I understand that the right to control your software/hardware comes first (and would not ever change that), but it just sucks that this is the result in this case.
well, they should solve the chicken and egg problem of getting customers, tech problems are easy enough to solve, business problems are hard!
building your own social networking site that does everything facebook does and better is easy, get user's to sign up is not. trying to mine facebook for customers and data to jump start your site, well, that's not going to fly.
As I said, there's plenty of room in the market for competitors. I hate how poor the CL user experience is and how indifferent the company seems to their users. I'd love to see them disrupted. Nonetheless, my desire to see competitors succeed doesn't give the competitors the right to republish CL ads. Yes, it's tough to get around CL's first mover advantage but that's why successful innovators get paid the big bucks.
> All that has resulted in is a security arms race which doesn't benefit anyone.
On the contrary, if we lack low level predators on a short feedback/evolution cycle, then the high level ones operating on a longer cycle will be more effective when the threat environment changes abruptly.
I don't buy the 'public service' argument. Even if my security is lackluster, you're not doing me a favor by breaking it. You know who does this right? Insurance companies. They'll assess risk prior to writing insurance for it, and lay out what they consider to be reasonable standards for securing a home/grocery store/bank/nuclear power station (typically in the form of discounts from a high initial premium). Insurance companies are not especially nice or generous people, but they are usually economically efficient (though I don't feel this way about health insurance - I think that's a classic case of market failure because consumers are not able to properly assess or control their risk factors, leading to a drastic information asymmetry that disproportionately benefits insurers).
The obvious correct action in this case from 3taps was to pay someone else to use the site as a proxy ie. have someone else go there and deliver the goods to you.
CL's C&D letter probably demanded they refrain from such, ah, workarounds, and courts take a dim view of such cat's paw tactics. The correct action in this case would have been to stop scraping CL and republishing their adverts. CL doesn't own the market but they do own their own traffic and publishing platform.
I'm not sure how a website can "own its traffic" since traffic is users hitting the site. Certainly an interesting perspective though. As the web continues to alter it's fundamental model to be more established-business-friendly, the conceptualization of the platform's features become more in-line with the idea of private ownership, where no such ownership actually exists, at least in classic architecture and legal definition. (excluding this case which has set the precedent).
It's quite clear that this ruling is a mistake in the long term, I mean, if you think about it beyond the confines of a single business's perspective. Even then, I'm sure that this is a boneheaded move for any business, long-term. It's clear that relying on legal frameworks instead of technological frameworks is a recipe for business disaster. If you don't want that person to have access to your site, you don't serve the data. The defendant in this case requested the data, and the plaintiff served it. I'm sure if the defendant had comparable legal counsel, the ruling would have been different. I can think of many allegories that can symbolize why this is a bad idea. But I think the most clear indication that this is .. for lack of a better word.. pathetic, is that it's 2013 and we're talking about IP blacklisting. This is another example why China continues to eat our lunch.
I'm sure if the defendant had comparable legal counsel, the ruling would have been different.
Unlikely. You do not have an automatic right to content just because you can access it. If a website operator says that you, AsymetricCom, are no longer welcome to visit their website, that is their right as owners of that business property. Changing your username or IP address may allow you to circumvent their ban, in the same way that wearing a disguise may make it possible for you to enter a shopping mall that you've been banned from, but you're still in breach of the owner's lawful order to stay off their property.
As I've said before, just because it's easy doesn't mean you have the right to do it. Put yourself in the position of the injured website operator; do you want the right to ban people from your website if they persistently abuse it? O course you do, same as any business reserves the right to refuse admission/service to troublemakers.
You've completely missed my point and feel that reiterating the same point over and over will somehow change my mind. If you can't be bothered to read or address the points I proposed, then why did you even bother submitting a response?
Are you suggesting that the rule of law is a bad idea?("This is...why China continues to eat our lunch"). I think legal frameworks are more tractable: a "Photography not allowed" sign, with enforcement is a more elegant solution to more technological ones (anti-photography/reflective coating maybe?)
IANAL too and I support Aaron 1000% but the outrage just misses the basics of Anglo-British law.
I am sure that court would hold that [throwing your bubble gum on the side walk] would constitute "Access Without Authorization" if it believed that this act was done with that intent. Because our legal system is ultimately about intent, not action. If [throwing your bubble gum on the side walk] is done with the intent to murder, it would constitute attempted murder, etc...
Edit: All that said, the bigger questions would come down to "the legality of the shrink-wrap-license" (now featured as the "click-through-but-unread-license") question.
Correct me if I'm wrong, but I believe you need to have actus reus (guilty act) and mens rea (guilty mind) to prosecute. Therefore, in addition to intent, the prosecution would have to show that throwing bubble gum on the sidewalk was an act that could lead to murder / lead to accessing a computer system without authorization. In that case, all this talk about what is/isn't authorized access still complies with the basics of common law because it defines what is an actus reus.
Unless it's a strict liability crime. In the bubblegum example, I believe you could be convicted of something like manslaughter without mens rea. The CFAA is not a strict liability offense, however, as far as I'm aware.
You do have to have an act, to avoid punishing thought crimes, but intent is where the real action tends to be. Intent can make the same act (killing a person) anything from murder to no crime at all.
IANAL either, but I don't see how incompetently trying to kill someone using a method that couldn't actually kill the intended victim would get anyone off the hook.
Guilt for most crimes requires two parts:
- Intent, willfulness, recklessness or perhaps even negligence. This is the "mens rea" or "guilty mind"
- An action which is a product of that guilty mind, the "actus reus" or "guilty act"
Part of the latter is that the act has to actually reasonably be able to result in the harm of the crime.
I am not a lawyer, but the author of The Illustrated Guide to the Law is:
http://lawcomic.net/guide/?p=266
You should read all of it.
> The open Internet is not like any old public space. But the ruling doesn't threaten to ambiguously target people who just change an IP to get around an ordinary IP ban.
I don't see why we should sympathize with the 'ordinary' IP changers. I read a number of blogs plagued by persistent trolls. Why shouldn't the proprietors of these blogs have a legal tool available to deal with those who won't take a hint?
It comes up here from time to time. People strongly disagree with this or that poster being banned. That's fine, people can disagree. But what 'right' do you have to post on pg's site after he unequivicably tells you he doesn't want you to?
An issue is that an IP ban is not the same as giving a person notice that they are banned. For example, some consciously use tools which change their ip and or mac addresses on a regular basis; not for nefarius purposes, but simply to protect their privacy. These are the 'ordinary' IP changers in my experience. These people would never know that they've been banned from such a site if the site were to ban them in that way. The referenced case is different because the banned party was given direct legal notice.
The ruling seems to suggest that the cease-and-desist letter was a key factor, and that it might not apply to someone who legitimately didn't know they'd been banned:
"The banned user has to follow only one, clear rule: do not access the website. The notice issue becomes limited to how clearly the website owner communicates the banning. Here, Craigslist affirmatively communicated its decision to revoke 3Taps’ access through its cease-and-desist letter and IP blocking efforts."
Where are you getting this from? If you own a site, you own it; it's your property, and you have a right to decide who can use it and who can't, and you have the right to change your mind whenever you please. Just as,if you let someone into your house, but then their behavior becomes intolerable, you can kick them out; they can't argue that, since you let them in once, they now have irrevocable permission to stay there forever.
3Taps made a similar argument in the court case: they argued that if Craigslist allows the world to access craigslist.org, it can't then turn around and revoke access for a specific person or entity. But that conclusion is obviously too strong: it would not only prevent people from selectively banning, it would also prevent sites from fighting denial of service attacks, since fighting those often involves banning suspect IP addresses.
I think I may have made myself unclear. I'm not saying you don't have the right to ban someone from accessing your server. Of course you do.
I support the right of a site owner to try to prevent a person from accessing his site. But I don't support the right to make it illegal for someone to access this person's site if he's making it publicly available.
I don't support the right to make it illegal for someone to access this person's site if he's making it publicly available.
Even if I've sent the person a C&D letter? Accessing someone's site after they've explicitly given you legal notice not to is basically the online equivalent of trespassing.
I think perhaps it's my understanding of "right" that may be wrong.
I view a "right" as something I can contact the authorities and complain over in case it isn't fulfilled. For example property rights. If someone violates this right I can contact the police and they will enforce this right (remove the person from my property).
In that sense of the word, I don't think anyone should have a right to prevent someone from accessing their website, since this would entail being able to demand that they be kept out by an authority in case my attempt at banning them doesn't work.
> First, editorialized headlines are not allowed by site rules
Apologies. I suppose I should have known this, but I didn't (I've seen many such headline over the years).
> But the ruling doesn't threaten to ambiguously target people who just change an IP to get around an ordinary IP
ban.
If this ruling sticks, I can imagine that instead of blacklisting an IP, standard practice will be to return a web page saying "you are hereby notified...".
How do you legally notify someone if all you know is their IP? (serious question, IANAL)
> How do you legally notify someone if all you know is their IP? (serious question, IANAL)
That is a great question, but the case you linked had zero such ambiguity, and in fact is one of the more straightforward CFAA rulings I've ever seen on HN.
> How do you legally notify someone if all you know is their IP? (serious question, IANAL)
I don't know about legally, but Wikipedia keeps informing me that I have a new message. When I look, it's an IP-based user talk page and the message is from 2008. I'd naively consider that sufficient, but maybe a better-informed legal scholar with technical chops wouldn't.
I mean... I wasn't even living at this address or subscribed to this internet provider in 2008.
You have to find their upstream and subpoena their DHCP (or equivalent) records. That's what the plaintiffs in the P2P lawsuits have been trying to do. You may not be successful for a variety of reasons. In that case this ruling would not apply.
Not the ruling is precedent anyway, since it is a district court (lowest federal court) order.
>> First, editorailized headlines are not allowed by site rules. (EDIT: The headline is now changed. It previously read, "Change your IP, go to jail" or something like that.)
sorry if I find this amusing, the article is also about rules and people interpretation of them, freedom to access information, broadly speaking freedom. As journalists are free to make up their title when reporting news, interpreting by their PoV, why are we not allowed to do same?
Don't get me wrong, good rules are good (though yhey require trust), but that comment on this very news made me smile.
We are, just not in the link title field. From the guidelines: If you want to add initial commentary on the link, write a blog post about it and submit that instead.
To which you reply "Submitter here. I wanted to add my take on it, as per the guidelines: If you want to add initial commentary on the link, write a blog post about it and submit that instead.".
> But the ruling doesn't threaten to ambiguously target people who just change an IP to get around an ordinary IP ban.
Doesn't it? What's stopping me from being prosecuted for accessing a site I've been banned from, as a person instead of (in this case) a business model?
Sure, but what the heck is the proof
that 3taps continued to abuse the
Web site? That the Web site got
traffic on the IP address they banned
is not solid proof that 3taps was
using their Web site.
I assume you didn't read the article? 3taps used a proxy to show up to the website from a completely different IP.
Either way it's easy enough, just see if 3taps has data from the craigslist website that was after the effective date of the IP block and C&D letter being received.
I did read the article. The article
and the legal thinking are badly
confused and, really, nonsense.
Why? The main reason why and
my point in my post is that blocking the IP address
is just silly talk since an IP address can't
be used at all reliably to identify a
computer or user. The IP address is
nearly irrelevant.
The Web site might as well find that the
person, say, Tom, they didn't like
ate at McDonald's and then try to block
everyone who eats at McDonald's. Then
Tom can eat at Wendy's, and everyone
who does continue to eat at McDonald's
gets blocked and maybe accused of violating
the C&D letter. Again, once again,
over again, yet again, IP address just
says next to nothing about who
did or did not connect to the Web site.
So, IP address should be ignored in
this legal discussion.
Away from McDonald's and more specifically
about the Internet,
(1) The user who got
the C&D letter could just use a different
IP address. One way to do that is to us
a proxy as in the article. Another way
is just to disconnect the electrical power
from a cable modem and connect power
again. Then the modem will likely forget the
IP address it was last assigned, use
the internet standard dynamic host
connection protocol (DHCP) to get another
IP address from the Internet service
provider (ISP), and continue on. Another
way is, the ISP can just assign a
different IP address at any time for
any reason. So, the person, Tom, who received
the C&D letter can get a new IP address
and, indeed, be forced to give up his old
IP address. And the user, Tom, need not
even be aware of this change in IP address.
(2) The Web site could get torqued
at the wrong person. So, the ISP
of the person receiving the C&D letter, Tom,
could assign the the IP address
blocked by the Web site to another
person, Joe, not involved in any of
the legal efforts, and Tom could try to connect
to the Web site. Then the Web site could
blame Tom for access to their site by Joe.
Bummer for Joe.
For your
> just see if 3taps has data from the craigslist website that was after the effective date of the IP block
that's not nearly "easy enough". Even to start to
look for this data, need full access to at least
the computer of the person who got the C&D letter,
Tom.
So, have to grab Tom's computer. By what right?
Tom can claim that he has been honoring the C&D letter and
not been accessing the
Web site and that the blocked IP address has
been assigned to someone else, Joe.
Even if get Tom's computer, now what? He could
have several trillion bytes of data on his computer,
and also have other computers in his house/office.
Looking for the Craigslist data could be a lot
of work and very intrusive, whether Tom
had the data or not. The search could
uncover business plans, love letters,
etc. Tom should be able to keep private.
The Craigslist data could be anywhere in that data
or nowhere. The data could be encrypted. Tom
might have copied the data to DVD and hidden it
in the bottom of his kitty cat's litter box,
under insulation in his attic, in one of
several hundred books on his bookshelf, etc.
Pawing through all of Tom's private
possessions all based in IP address or less
is outrageously intrusive and wildly unfair to Tom.
Next, it need not be the least bit clear
in what form the data is. The data, as
sent by Craigslist, is essentially just
simple text plus maybe some pictures in
JPG, GIF, PNG, etc. A lot of that text
data is HTTP, HTML, and CSS tokens,
symbols, and markup that has next to
nothing to do with the Craigslist data
at issue;
those tokens, etc. can easily be
removed by a simple program or text
editor leaving just the data.
That data can be pulled into
a spreadsheet, written to a database
(e.g., SQL Server or MySql),
combined with other data in
files, tables, etc., graphed,
formatted with TeX, PostScript,
PDF, etc., and look nothing much
like a Web page from Craigslist.
So, turning Tom's house upside down
promises to uncover nothing relevant
to the C&D letter.
Since maybe Tom is honoring the C&D letter,
turning his house upside down
is not justified by any evidence and
is unfair to Tom.
Moreover, maybe Tom got the Craigslist
data from, say, a Google archived
copy or a friend or another Web site.
"Easy enough" is a very long way from
being true: It's easy for Tom
to have what looks like Craigslist
data when he did honor the C&D letter.
It's easy for Tom not to have honored
the C&D letter and have some Craigslist
data but be next to impossible to
know this, no matter what devastation
is inflicted on Tom's house or office.
More generally, the Web site is volunteering
to send its data over the Internet to
computers and software that request the
data via a HTTP GET request. About all
the Web site knows is that there was
a GET request from an IP address;
neither the GET request nor the IP
address say anything meaningful
about a person. It's not the least
bit clear who the person is.
That's just how the
Internet works. If the Web site doesn't
like that, then they can shut down.
So, really, the Web site can send all
the letters they want, but they have
no evidence that should justify
searching what data Tom has or if
Tom did or did not honor the C&D letter.
The Web site effectively put the data
out there in the public square
for everyone, anonymously,
to see, copy, keep, and in
some, and maybe all, respects use. Then later
the Web site changed their mind and
wants some absurd restrictions based
on some nearly meaningless evidence.
The data is offered to anonymous users,
and it is not clear just who the users
are, and no amount of C&D letter
writing and IP address tracking, etc.
can change that.
"First, editorailized headlines are not allowed by site rules" - so you must be one of the know-it-all gods of HN that enforce ethical behavior on us, mere mortals.
Hacker News implements permanent IP bans on anyone that performs tasks like reloading Chrome after the 15th HN tab opened for the day's reading crashes the core of the browser. When the browser reloads tabs, 15 concurrent connections are made at once, and the IP gets banned.
This is such a trigger-happy approach that a great number of legitimate users have found themselves IP banned, to the extent that a voluntary unban tool has been created: 1) open Tor for a different IP, and 2) go to http://news.ycombinator.com/unban?ip=<original ip address>.
By extending their argument from "IP block and C&D" (something I accept may be valid here as a civil violation) to merely "IP block", the court may have just found that 1) is a crime independent of any malice or damages, among other things.
Criminal trespass is dealt with on a very limited basis by police officers seeking to uphold short-term civic order, correctively rather than retributively. If it became a strict-liability crime about pursuing criminals and punishing them with decades of jailtime, we would have an unworkable system where the harm of criminalization obviously outweighed the harm of being in a place that was technically off-limits. That is basically the case in most permutations of the CFAA. This happens to be a corporate defendant in a civil suit with an unambiguous C&D... but beware any broader interpretion of the thing while it still has criminal penalties attached.
> By extending their argument from "IP block and C&D" (something I accept may be valid here as a civil violation) to merely "IP block", the court may have just found that 1) is a crime independent of any malice or damages, among other things.
I don't read the opinion to say that. In fact, I'd say that the court put more weight on the C&D than the IP ban (contra Prof. Kerr who reads the statue as giving primacy to the technological measure). Though admittedly the analysis is rather short.
3taps doesn't argue it thought it got caught up in an over aggressive automated filter. It knew Craigslist didn't want it to access its website and did anyway. I don't see why slippery slope arguments ought to let them off the hook. Though I agree a civil forum is generally the best for this sort of thing.
I don't think this is true. The crimes normally charged in the CFAA bundle have mens rea requirements; you can't accidentally commit wire fraud by using Tor. At a minimum, to charge a CFAA felony, a prosecutor would have to establish both substantial damages (easier) and recklessness (harder); that's for the lesser of the two CFAA felonies, the greater of which specifically requires intent.
"A federal parliamentary committee has recommended that consumers find ways to lawfully evade technology that allows IT companies to charge up to twice as much for their products in Australia."
" … said the report had made 10 recommendations to lower prices, included educating Australian businesses on how to bypass geo-blocks."
even if evading geo-blocking is lawful in australia (whether it is or not is another question), services like Steam, if they detect that you did such a thing, have the option of revoking access to your account, and you lose out. And the amazing thing is, steam's revocation is completely legal (plus you also agreed to it in the EULA).
This whole thing is completely anti-consumer. The law needs to catch up and make sure that consumer has the same protection as physical goods.
The optimist in me hopes this is a sign of "the law" doing its slow and steady "catching up". This was the report of a parliamentary inquiry - this was asked for and delivered to our lawmakers. If I were a business with a model predicated on geo-blocking and intending to do business with Australians, I'd be looking for a way to ensure by business model works _without_ that artificial barrier. (I'd suggest that like many consumer laws, you will no more be able to rely on click thru Eula clauses to enforce this than you can evade "fit for purpose" requirements in physical goods)
I dont believe that current sellers of licenses of software (and other media too) would like such consumer protection laws, because it means they no longer control their consumer's collection - e.g., any law that does not enforce the 2nd sale doctrine for digital goods is bound to fail to protect consumers, but media creators would not want to allow 2nd sale of their digital goods (ever!).
IANAL, but I'd have guessed that the answer to Kerr's first question -- does an IP address block constitute a "technological barrier?" -- would be no. My reasoning is this: IP addresses change all the time and so a normal, unsophisticated user could, perhaps even unwittingly evade the barrier without any sort of technological workaround. If you could accidentally do it in the course of your day, it's doesn't pass muster as a "barrier".
Imagine you had a building complex with many roads leading to it and you want to forbid motorcycles from entering it. You set up a blockade on one of those roads, and have a security guard turn away motorcycles. But there are all these other roads leading to the complex without blockades. Normal, every day people roads just like the one that has a blockade, and anyone could use them to drive in on a motorcycle. Does that constitute a barrier that's being circumvented?
That's all all directed at that narrow question. For the record, I don't think you should be allowed to use a website when the owners have asked you not to, but I do see how it's pretty different than, say, brute forcing the SSH password. And so that narrower question might have some impact on what charges their guilty of.
IP addresses assigned by ISPs do, yes. But as I understand it, the IP addresses Craigslist banned in this case were the ones assigned to 3Taps' domain name based on DNS records. That's a different situation.
Seems clear to me that banning an IP address is nothing more than a ban on that IP address. The user could conceivably go to a library and use their IP to access the site. Since that's self-evidently a non-productive approach, the only way to communicate the block of an individual user is to affirmatively contact that user and obtain a signed recognition of that user's banning.
That may create a technical problem for the banner, but the method the judge chose simply ignores the fact that an IP address (unlike a ham radio license but exactly like a telephone number) is never attached to an individual.
Yes, but when that Web site gets traffic
from the banned IP address, what is the
evidence that the person who got the
C&D letter was the one responsible for
the traffic? The traffic could have
been from any customer of the
ISP used by the banned user.
While I think that your argument is flawed in its understanding of the law, a technological approach could be: let x be the suspect IP address. When we receive a request from x, we send them some messages that we don't send to other users; or maybe we change messages slightly (like leave out some footers, or with a different image link, whatever). When the fake/modified messages show up on the suspect website, we can reasonably assume that they accessed our website. At that point, it doesn't even matter any more whether they did it through x or another.
Right. Now are beginning to make a little
sense -- a big change from the OP.
So, the problem was not getting the data from
Craigslist but publishing it elsewhere.
But your point still will not make Craigslist
at all happy: Craigslist has a lot of
data. Maybe someone, Tom, wants to get
a copy of a lot of that data and do some
things with it. The data at issue need not
be in any meaningful way subject to
the marking you describe. That is,
what Craigslist sends is HTTP, HTML,
CSS, simple text, and maybe some files
in JPG, PNG, GIF, etc. Tom can grab
just the text, put it into a database,
analyze it, and republish leaving
the marking far behind.
So, right, if Tom does something sufficiently
stupid, then he can be slapped down
for violating the C&D letter.
Otherwise, not stupid, it's essentially
impossible for the Web site to know
if Tom honored the C&D letter.
Then, searching Tom's computer, etc.
will be based on next to no go evidence
and be wildly unfair to Tom.
The title of the linked article is "District Court Holds That Intentionally Circumventing IP Address Ban Is “Access Without Authorization” Under the CFAA".
Violating the CFAA is, of course, illegal. From the linked article: "During the debate over the Aaron Swartz case, one of the legal issues was whether Swartz had committed an unauthorized access under the CFAA when he changed his IP address to circumvent IP address blocking"
It's not 'about' spoofing his MAC address. It's about respecting the rights of property owners to set the terms of how other people may access their property. You know, when someone is charged with burglary the issue is not that they entered your place through the window rather than by ringing the doorbell, but that they entered without your permission. Try to imagine the outrage that would result if a judge said 'it's your fault for having an insecure window, tough luck.'
EDIT: I might add that I don't care for JSTOR or the copyright system that they derive such benefit from. But then I don't especially care for our laws on taxation and related subjects - my disagreement with those doesn't give me the right to opt out of taxes that I dislike, or to appropriate the possessions of others whose wealth I might envy.
I really hate analogies in law because it always seems to provide very little support for whether a law is a good idea or not. Your analogy is to breaking and entering a physical residence, but you skip over the fact that this is a publicly available website. I'd say it has more in common with photographing a public building. Lets say Dunkin' Donuts doesn't want me photographing their buildings and making a map of all their locations. They demand that I stop taking photo's from the street and put up a small tarp that covers the physical line of sight to their building that I used to photograph. I then come back and photograph their building from 2 feet to the right and they claim I bypassed their building security.
I don't think my analogy is any more correct than your, which is why I would rather we just decide what is best for society. Seems a lot more useful than trying to decide whether IP filtering is analogous to breaking a window.
Dunkin' Donuts could exclude you from their premises if they saw fit. Your analogy is equivalent to 3taps making a list of Craigslist URLs and getting a front page screenshot for each one. Scraping is qualitatively different - you have go on into the website to analyze the content, so I suggest it's more like walking into the DD kitchen and trying to document their customer transactions.
It is nothing like walking into the DD kitchen and trying to document it. It's quite a bizarre fantasy to think that physical property rights are anything like client-server interactions.
The Web site sent a Web page to a user.
What was sent was essentially just
simple text although maybe with
some JPG or PNG files. That's the way
HTTP, HTML, and CSS work -- mostly just simple text. The Web site voluntarily
sent this data, mostly just simple text.
Now the user has the data that the
Web site voluntarily
sent. Commonly the user
keeps the data; e.g., their
Web browser commonly keeps a
copy of this data to speed
future accesses to it.
Besides a Web browser is
perfectly willing to write the
data to files and a directory
so that the Web browser can
display the data again.
Maybe the user will
analyze the data, e.g., see what
colors were used for the fonts.
So what?
Besides, there is no way for the
Web site to tell what the user
does with the data unless maybe
the user republishes the data.
Screen scraping is just using the
data that the Web site freely sent.
If the data is not republished, etc.,
then tough to claim that the user
did anything wrong.
> The Web site voluntarily sent this data, mostly just simple text.
If you know of a way to configure Apache to deliver web data to everyone but a certain subset of users without having to force the authorized subset to use authentication then the whole world is all ears.
In fact, I'm sure HN could use this good news first so that they don't have to use such a non-specific ban system as IP bans...
But until then 3taps had no question that they knew the web site operator did not want them to access their website at all, and in fact had to go out of their way to get around the IP ban, so let's not pretend like the court decision here is setting some kind of general precedent.
IP is irrelevant and not good evidence of
anything. The IP address used by
3taps can be changed by the 3taps ISP
at any time for any reason.
IP can't be used for authentication.
With public key cryptography and
Kerberos, there are some excellent
means of authentication. If Craigslist
wants to use such authentication, fine,
and then they can effectively and accurately
block any given collection of users.
But usually a Web site, e.g., HN, offers
access to any IP address anonymously,
without authentication. In that case,
it's next absurd for the Web site to
complain about some person when they
have next to no good evidence on that
person.
Your "go out of their way" is wildly false;
all that had to happen was just their
electric company to drop power for
one second. My electric company does this
about once a week. Then the cable modem
will forget its assigned IP address
and, when electrical power is restored,
request a new IP address. The 3taps
people need not be aware of this at all.
Moreover, the ISP can have assigned the
banned IP address to someone else,
Joe, not involved. Then Joe's usage
of the Web site is no evidence against
3taps.
Maybe 3taps knew that the Web site did
not want them to use their site,
but more importantly the site had
no good evidence, at least not from IP address,
if 3taps was using
their site at all or not.
> Your "go out of their way" is wildly false; all that had to happen was just their electric company to drop power for one second.
So you're saying that business networks typically have completely random IPs setup by their ISP? I would hope not, as that means SSL sites could not have worked at all for most people prior to Windows Vista. Not to mention the certain problem of how Google DNS is setup for people (Hint: It uses a static IP).
In fact I think you might get even more disappointed if you consider the types of "proof" that are considered acceptable within the legal system, and commerce in general.
For instance, completing a contract by faxing over a document, having it signed, and faxing it back. That has all the same theoretical issues associated with it as blocking static IP address and yet you don't see the entire edifice of the justice system or commerce falling to bits, now do you?
> Moreover, the ISP can have assigned the banned IP address to someone else, Joe, not involved. Then Joe's usage of the Web site is no evidence against 3taps.
Why are you speaking in terms of "maybes"? 3taps themselves admitted to using a proxy to evade the ban. They knew they were blocked, and they knew why. QED
So while I would agree with you in general that an IP address is not a priori an identifier, that's not at issue in this specific case.
> So you're saying that business networks typically have completely random IPs setup by their ISP?
No. If 3taps was using a static IP address to
access Craigslist, then IP address is at least
somewhat meaningful as evidence, but mostly
Internet users do not have static IP addresses
and mostly only organizations that want to
operate Internet servers, or Web servers,
do. Why? Because mostly to get to a server,
a user uses a domain name which uses the
domain name system (DNS) which requires
a static IP address.
Yes, in the specific case 3taps asked for trouble
and got it.
But the article seems to suggest that this case
is a threat to ordinary Internet users who,
maybe, get an unusually large number of Web pages
from a Web site. So, there is also some interest
in the more general situation. There IP address
is poor evidence.
To me, in the general case, say, Web sites that
send data to anonymous users, without strong
authentication, etc., should just f'get
about the lawyers, suck it up, and f'get about
users downloading data. Else the Web site
can use strong authentication of users,
charge for access to the site, etc.
The article, and the court case it references, are about 3Taps. 3Taps had a static IP which was banned, and additionally received a Cease and Desist letter. The court case is very clear that the combination of these factors demonstrate that 3Taps' access had been revoked, and that therefore their continued access (through proxies) constituted an intentional, unauthorized access of a protected system.
If the article "seems to suggest" something other than that, either the article is wrong, or you're reading it wrong. This is only a threat to "ordinary" internet users if they're given clear indication that they are no longer allowed to use a site (something like a C&D letter to go along with an account or IP ban.)
The whole point is that it's not freely sent. Craigslist declined to send it to 3taps any more, blocked their IP address, and told them they were no longer welcome to use the site at all, in addition to adjuring them to stop republishing ads from CL. They were well within their rights to do so.
When your argument requires changing the facts, there's something wrong with it.
J - "You robbed a house."
V - "I broke a windowpane."
The law isn't some nomic built out of analogies. Suppose a free weekly paper sent someone a C&D and told them to quit taking one copy of the paper. Should that demand be enforced?
As it turns out, judges _do_ say stuff like that. Where I live, they've made it illegal to leave your car unlocked… "Car got stolen? Sorry, your fault, you left the window open."
You're missing the point. The question is about the legality of access without authorisation. Just because it's illegal to leave your car unlocked doesn't magically make it legal to steal from an unlocked car.
The penalty rather depends on why you were banned in the first place. If you deliberately violated the ban then it's equivalent to trespass, notwithstanding the publicly accessible nature of websites.
It's not that I love Craiglist particularly, but the fact is that their website remains their private property, same as any other commercial establishment. They have no obligation to serve people who don't respect their policies.
Look, I've avoided bans on many websites on purpose. You're saying this should be a criminal act? If I get banned from Hacker News, and I make a second account using a proxy, I should get prison time?
> Look, I've avoided bans on many websites on purpose. You're saying this should be a criminal act?
Yeah, I'd say so. They're not your servers. If the person who owns them tells you to stop using them, then stop. They don't owe you anything, so just quit using their stuff. Easy, no?
> If I get banned from Hacker News, and I make a second account using a proxy, I should get prison time?
Why didn't you just go all out and say "the death penalty"? :-) No, I'd think a fine or some community service would be more than adequate.
The only thing an IP ban alone conveys is that that IP is no longer allowed access. It does not by itself convey that that user or even that client is not allowed.
From the article: "There was significantly more to the CFAA charges than that, to be clear, including circumventing a subsequent MAC address block and (most significantly) entering an MIT storage closet to install his computer directly. But changing IP addresses to get around IP address blocking was at least one of the possible grounds of unauthorized access."
Using a workaround for buggy or misconfigured hardware is very different from "these guys told me to stop using their thing, but I can circumvent the measures they put in place to stop me."
EDIT: related quotes from the ruling
"Craigslist gave the world permission (i.e., “authorization”) to access the public information on its public website.... it rescinded that permission for 3Taps."
"3Taps had to circumvent Craigslist’s IP blocking measures to continue scraping, so it indisputably knew that Craigslist did not want it accessing the website at all."
"3Taps’ deliberate decision to bypass that barrier and continue accessing the website constituted access “without authorization”"
The court decision relied on the clarity of intent from 3taps. They had been both expressly told not to do something, and technically blocked from doing it. Their access to CL wasn't accidentally broken, they didn't misunderstand what they had been told in the C&D letter, and they didn't get caught by some surprising technicality. They had been clearly told to stop, and they circumvented the measures put in place to stop them.
I said elsewhere: this is more or less equivalent to a store telling me not to come back and distributing my photo to staff... and then me shaving my beard and changing my clothes in order to sneak back in. Shaving and changing my clothes are not illegal in and of themselves; trespassing is illegal, and shaving and changing my clothes are the tools I chose to use in my effort to trespass.
No. If you read the ruling at [0], you will find you are quite mistaken.
This decision was not about changing IPs; it was about "whether Craigslist had the power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website" (in the analogy, whether the store can revoke my individual permission to enter.) The court agreed that CL has the power to revoke authorization to access its site.
The decision does not reference the IP ban for its own sake, but always as a part of a multi-step argument, best articulated on page 10. "3-Taps (1) received a personally-addressed cease-and-desist letter stating that it could not access Craigslist’s website “for any reason”; (2) discovered that it could no longer access the website at all from its IP addresses; and (3) was sued for continuing to access that website after circumventing the IP restrictions. A person of ordinary intelligence would understand Craigslist’s actions to be a revocation of authorization to access the website, and thus have
fair notice that further access was “without authorization.”" The decision is quite clear in its focus on the access being "without authorization".
In the analogy, the court would not reference shaving my beard in isolation, but in the context of my being personally told not to come back, discovering that security turned me away after recognizing my photograph, and then making a "deliberate decision" to enter the store through the mechanism of shaving my beard and changing my clothes in order to avoid being denied entry. The court would make it quite clear that the problem was my re-entry to the store.
> If you read the ruling at [0], you will find you are quite mistaken.
I hadn't read the ruling, just Kerr's post, and yeah I'm only more confused now, considering some of Kerr's comments. I'm just going to give up on it for today, no more time.
Most sites that have found the need to implement bans by address consider this collateral damage to be worth it - in fact to get around it being difficult to IP-ban someone on an ISP that hands out variable addresses some will ban a whole range (first banning one address, then another, then another, and after several addresses in a range (something like a /20 or more - a /24 would not cover all but the smallest ISP's dynamic address pool) are banned the whole range gets the hammer, at least temporarily.
IPv6 will make a difference if its adoption means that the use of NAT drops considerably, but even if every device really does have a unique address there is still the problem of several users on the same device (implementing per-user addresses on a single device is never going to happen as it is just too much hassle for little or no gain).
Just trying to understand how far this could be pushed.
Would it be possible in a future case that a judge could deem 'not providing an API' a technological barrier to programmatic access and therefore hold that screen-scraping is in violation of the CFAA?
I'm confused then because according to founder Greg Kidd 3taps does not get its data by scraping Craigslist:
"...We didn't get the data from them anyways. We're finding it from other sources which have already indexed it like Google, like Bing, like other search engines that are out there."
If you read the fine print (which is in various documents linked to on 3Taps' website), you find that it's not quite as simple as that. 3Taps started out getting the data from Google; but when Craigslist found out what they were doing, they restricted Google's access in a way that made it necessary for 3Taps to scrape Craigslist's site directly.
It's notable that, in these documents (which are written by 3Taps), the fact that Craigslist sent them a C&D letter is never mentioned. So it's not clear where, exactly, in the process the C&D letter came in.
An IP address does not for long accurately identify
a computer or a person. E.g.,
Internet service providers (ISP)
make heavy use of dynamic host
connection protocol (DHCP)
which assigns a new IP address
for each new connection from
a user. And, for a user permanently
connected via a cable modem,
losing power to the modem commonly
causes it to forget it's assigned
IP address and when power is on again to request a new
IP address from the ISP. Also,
commonly ISPs change user IP addresses
for whatever reasons without notice.
Really, a user often doesn't know
what IP address he is using.
Fixed IP addresses are important for
servers but not for users. And due to
the fact that with 32 bit IP addresses
there are only about 4 billion IP addresses
to serve the whole Internet, ISPs
commonly assign a new IP address for
each connection and may have
fewer IP addresses than paying
customers.
A Web site has no easy way to know that
a specific IP address is from a
specific computer or a specific person.
And, indeed, just by having electric
power go out, the user's computer
will likely be using a new IP address.
So, for a Web site to block an IP
address does not block a specific
computer or specific user.
So, a user can just say,
"That
you got some traffic from that IP
address is no evidence that
I accessed your Web site. That
traffic could have been from
any customer of my ISP."
Next, there is a problem with
screen scraping: The way the
Web works, with HTTP, HTML, and CSS,
when a Web site sends a Web page
to a user, what is sent is essentially
just simple, plain text. Then screen
scraping is just keeping what was
sent. The Web site sent the text;
the user just kept a copy; keeping
a copy at least until the original
changes is a standard performance
feature of Web browsers. So,
it's standard for a user to have
and keep a copy of what the Web
site sent.
The Web site freely sent the
data as just simple text;
if the Web site doesn't want people
to have that data, then the
Web site should not send that
data to people.
How does the Citizens United ruling factor into this?
Basically, I'm wondering if a valid defense would be to say that although 3Taps as a company was banned from using Craigslist, individual employees and separate companies were not.
As a result, the subsequent retrievals of information by individual employees / a separate company out of their own volition and not using company resources constitute legal access of Craigslist.
The information legally gathered by the separate entities were then passed back to the company, so 3Taps never actually accessed Craigslist after the ban.
Craigslist asked 3taps not to use their data. 3taps continued to use CL's data, even going so far as to circumvent a security measure (the IP block -- weak, but still technically a security measure).
The court decision, which is linked elsewhere in this discussion, consistently connects the IP ban to the C&D letter. They don't seem particularly concerned with the details of how 3Taps accessed the data, only that 3Taps intentionally accessed data whose owners had clearly revoked access.
At college we discussed what an IP is. An IP has two parts, the identification and the location.
If you change your IP to mask your identity, then you are telling the server you are someone else, however if you change IP to mask your location you are only saying you are somewhere else.
Your college explanation was so skimpy as to be useless. An IP, at best, identifies a particular endpoint at a particular point in time, consider dynamically allocated IP addresses or virtual machines with externally visible IPs.
Whoever allocated the IP may have records showing which telephone line was allocated that IP at a particular time. That might narrow it down to a residence, building or office.
But this is all irrelevant. As I understand it, there was a court order forbidding 3taps to access a particular service. Additionally their IP was blocked. Changing IP to try and circumvent the ban is the kind of thing a 13 year old thing might think was clever and 3taps should be slapped down very hard for this it is, in effect, contempt of court.
Quite broadly, that the Web site
got traffic from the banned IP
address is not solid evidence
that the person who got the C&D letter
accessed the Web site. The Web
site will need better evidence
than traffic from the banned IP
address.
Not directly, but if they are used to get around legal limitations then yes.
There is no specific law covering this sort of thing which is why cases of this nature are often grey areas: it all depends on how you interpret/implement laws written to cover the physical world as you transcribe them to operate online. For instance gaining access to money by pretending to be in a country where you would qualify for a grant in, despite living elsewhere, is fraud - gaining access to resources online the same way using a proxy to pretend you come from somewhere else is the same thing.
As with many tools proxies themselves are not illegal (well, in most territories!) and have a great many legal uses, but they can be used as part of an attempt to get away with breaking the law.
Most have dynamic addresses, but business/corporate networks do tend to have static blocks from what I understand. Remember static IP used to be required to use SSL/TLS at all, and still is required if you want to support XP clients.
It depends on your ISP and what kind of service you have. Most providers of high speed internet (meaning cable or fiber optic) these days don't change your IP very often, so although it's technically not "static" (meaning, there is no guarantee that it will stay the same), it ends up being more or less the same thing in practical terms.
Not really: For whatever reason, my
electric company commonly drops power
for a second or so about once a week.
How do I know? Because then the clock
on my microwave oven just blinks not knowing
what time it is.
Well, that one second power drop also
causes my cable modem to forget the
IP address it was assigned via DHCP
by my ISP.
So, the guy with the C&D letter can
tell the Web site that traffic on the
banned IP address was no good evidence
that the traffic was from him and, instead,
could have been from any customer of
the relevant ISP.
Moreover, the ISP could assign the
IP address the Web site banned to
just any customer not involved in
the C&D letter, etc. Then the
Web site would ban that person;
I hope that person would not
get charged with a crime.
that one second power drop also causes my cable modem to forget the IP address it was assigned via DHCP by my ISP.
Does the IP address actually change when this happens? Some ISPs have their DHCP server assign IPs according to the MAC address of the cable modem, which of course won't change if power is shut off and then turned on again.
the guy with the C&D letter can tell the Web site that traffic on the banned IP address was no good evidence that the traffic was from him and, instead, could have been from any customer of the relevant ISP.
If he was a private individual getting internet access from an ISP that did that, sure. But in the particular case referred to in the OP, the "guy with the C&D letter" was a company, not an individual, and as I understand it, the IP addresses that were banned were the ones mapped to that company's domain name based on DNS records. That's a different situation.
the ISP could assign the IP address the Web site banned to just any customer not involved in the C&D letter, etc. Then the Web site would ban that person; I hope that person would not get charged with a crime.
It's not clear how Craigslist found out that 3Taps had changed the IP addresses it was using and resumed scraping the site. However, whatever means it used to find that out was apparently accurate, since 3Taps admitted that it had changed IP addresses and was still scraping the site. The court case was based entirely on Craigslist saying that 3Taps was no longer authorized to access their site; there was no dispute about whether they had actually done so.
> Does the IP address actually change when this happens? Some ISPs have their DHCP server assign IPs according to the MAC address of the cable modem, which of course won't change if power is shut off and then turned on again.
My ISP does this. I get a new IP address whenever
I cycle power on my cable modem. And sometimes
my ISP gives me a new IP address for whatever reason.
Maybe their reason is that they want to charge
a little more for a fixed IP address. Or maybe
they have more paying customers than IP addresses
so must dynamically assign IP addresses to
users actually connected.
Yes, if 3taps was accessing Craigslist from
a fixed IP address, then that can be fair,
although not really good, evidence that
3taps was continuing to access Craigslist
after the C&D letter.
If 3taps just admitted continuing to use
Craigslist, then they were, just how do I
say it, s.t.u.p.i.d, or some such? Or,
all a 3taps person had to do was just
go home and get the Craigslist data
from a home computer with a different
IP address. I'm not up on mobile devices,
but I have to believe that they
also use frequently changing,
dynamically assigned IP addresses.
Also I don't like the idea that
there is screen scraping as something
different from ordinary usage;
it's not. The Web site sends the data,
and the data is nearly always stored
on disk by the Web browser. Also
the Web browser can write the data
to an HTM file and a directory with
the JS, CSS, JPG, PNG, GIF, etc. files.
Then the user has essentially all the
data in simple, plain unencrypted
form. Nearly all the data is sent
just as simple text. E.g., likely
the Craigslist data is sent this way.
Then if someone wants to make some
new use of that Craigslist data,
they can easily remove the HTTP, HTML,
CSS, JS, etc. stuff, leave the simple
text, analyze it, reformat it,
combine it with other data,
format it with Word, TeX,
PostScript, PDF, etc., wrap it in some
new HTML, CSS, and JS, and publish it
again. Then it need not be the least
bit clear just where the data came
from. In this case, with little
good evidence that the data came
from Craigslist,
it would not be
fair to search the facilities of
3taps for evidence.
Broadly, the Web site offers the data
to all anonymous users, as mostly just
simple text. In that case, the Web site
should basically just shut up about
what happens to the data they sent.
I'm not up on mobile devices, but I have to believe that they also use frequently changing, dynamically assigned IP addresses.
I believe that's correct, yes. If they are using wifi, they will appear to be connecting using the wifi router's public IP address, which will certainly be different for each wifi router. If they are using the cell phone network to connect, I'm pretty sure they get assigned a public IP address based on which cell tower they are using to connect, so that will change as well.
I don't like the idea that there is screen scraping as something different from ordinary usage; it's not.
In terms of the data itself, you're right, screen scraping is just pulling the data, the same as a web browser does.
However, since screen scraping can be automated, it can potentially use a lot more bandwidth, since it can request multiple pages from a site much faster than a human driving a browser can. That's why sites are allowed to restrict what automated search bots can do on their sites, for example with a robots.txt file. A service like 3Taps would be expected to respect these types of restrictions just like Google does.
That said, I don't think the issue in this case was the screen scraping per se; I think the issue was that Craigslist asserted copyright over their data, so that they had the right to say that 3Taps could not use the data the way they were using it.
For screen scraping, it appears that
some people want to say that, because
some software in effect provided the
browser keystrokes or mouse clicks,
something was wrong.
Once I wrote a little program that
gets Web pages from a Web site;
if I handled all the details correctly,
then there is no way for the Web site
to know that it is sending the data
to my program instead of a Web browser.
Indeed, essentially I wrote a Web
browser. That my Web browser just
wrote data to files and did not
provide a graphical user interface
on my screen is none of the business
of the Web site. It can't be illegal
to write a Web browser, especially
a very simple one.
For getting pages too fast, just write
the software to get the pages more slowly.
Done. Or if want to use one computer to
get 100 pages from each of 10,000 sites,
then then get one page from each of the
10,000 sites, 100 times. Done.
> I think the issue was that Craigslist asserted copyright over their data,
Fine. But there is an issue: Just how the heck
is Craigslist to know who got the data? Not from
IP address -- that's terrible evidence. Then
how's Craigslist to know just what the heck the
data was used for? Even it it's clear that the
data was from Craigslist originally, if the person
using or misusing the data might have gotten the
data from someone else and not directly from
Craigslist.
So, to me, for Craigslist to run
around with lawyers and C&D letters attacking
Internet users looks like a bummer. If a user
does something obvious and blatant with Craigslist
data, or is dumb enough to admit getting the data
after a C&D letter, then okay. But mostly the
legal effort is a loose cannon on the deck
that can hurt a lot of people
based on really poor evidence.
there is no way for the Web site to know that it is sending the data to my program instead of a Web browser.
Except through your User-Agent string. Which can, of course, be faked, but if you are actually running a scraper or other automated tool, you're not supposed to use a browser User-Agent string.
For getting pages too fast, just write the software to get the pages more slowly. Done.
Yes, agreed; all search bots and other automated tools are supposed to do this.
But there is an issue: Just how the heck is Craigslist to know who got the data?
I don't know how Craigslist found out in this specific case; but the point was moot anyway because 3Taps admitted they had obtained the data; there was no dispute about that. The dispute was entirely over whether what 3Taps was doing with the data once they got it was "authorized".
how's Craigslist to know just what the heck the data was used for?
Because 3Taps admitted what they were using it for. There was no dispute about that either, only about whether that use was authorized.
for Craigslist to run around with lawyers and C&D letters attacking Internet users looks like a bummer.
Have they been doing that? In this particular case, as I said above, there was no dispute at all about the facts, only about the legal rights involved. I don't see any evidence that Craigslist is indiscriminately banning people and then suing them based on disputed facts; the only dispute I see is over whether Craigslist should be able to assert the rights it's asserting over its data.
Sure, my software sends a nice,
simple, vanilla pure, good looking
string for the user agent string.
I agree with you about essentially all
the details of this specific case.
As seemingly hinted in the OP,
my concern is with the more general
situation -- could a Web site use lawyers,
C&D letters, and IP addresses to make
big legal problems for Internet users
who download an unusually large number
of Web pages? I hope not.
Then there's the suggestion that for a
user to get a new IP address is somehow
nefarious -- it's not. And there's
calling getting Web pages screen
scraping as if it is different, unusual,
and nefarious -- it's not. Then there's
the suggestion that what the user did
that was bad was getting the data
when the real problem was that the user
republished the copyrighted data.
I don't think* this case gives any basis for a site to take legal action against someone just based on downloading a large number of web pages or accessing the site with different IP addresses. There has to be quite a bit more than that. I don't think the headline of the article really gets across all of the factors that had to be present for this ruling to go the way it did (but the body of the article does a better job of that).
Be careful: The purpose of the agent string
is to tell the server how to treat the client.
That is, different Web browsers do different
things with the same HTML, JS, CSS, etc. So,
the agent string tells the Web site how the
browser wants to be treated.
In my little program to get Web pages, I just
tell the Web server how I want my program
treated -- like a certain Mozilla browser.
This is not "faking" anything. It would do
no good to tell the Web server that I
wrote my own Web browser because the Web
server would know nothing about my browser
and, thus, have no way to respond to it in
any special way. So, I just tell the
Web server to treat me like Mozilla.
No, but giving reasonably accurate information about what kind of user agent is being used is. If you write your own browser, yes, you're probably better off telling a website that it's, say, Firefox than telling it it's "Joe's Really Cool Browser v1.0". But if you're writing a program whose purpose is not to display pages to the user, but to do something else, your program shouldn't be telling web servers that it's a program whose purpose is to display pages to the user.
If this applies to IP addresses, it should seem reasonably short work to show that it applies to physical addresses. In which case, patent trolls may quickly be a thing of the past.
I don't understand. Does the article say that changing your ip is wrong and precedent-setting as such. Has Aaron, with all respect to him, left us ironically with the tyranny of true names? Legal precedent nationally across the US?
> "Does the article say that changing your ip is wrong"
No.
The article says that circumventing a measure which you know was put in place to keep you out (in this case, an IP ban which followed a C&D letter) means you are intentionally committing "unauthorized access". Changing IPs just happened to be the method used to gain said unauthorized access.
If you tell me I'm banned from your store, and then I shave my beard and change my shirt specifically so you won't recognize me when I sneak back in, that would likewise be "unauthorized access". This doesn't mean shaving and changing my shirt is wrong, just that doing it for the purpose of accessing something the owners have told me not to access is illegal.
Anyway, Craigslist told 3taps in a legal notice: "Don't abuse our website." 3taps did anyway. IANAL but this appears clear from the second and third quoted paragraphs (and Orin Kerr, a noted expert on these things, seems to agree):
The banned user has to follow only one, clear rule: do not access the website. The notice issue becomes limited to how clearly the website owner communicates the banning. Here, Craigslist affirmatively communicated its decision to revoke 3Taps’ access through its cease-and-desist letter and IP blocking efforts...
You might as well say, "Enter a building, go to jail"... if the door is a side entrance to a privately owned public space (such as a shop) which has banned you from their property. That is how the judge sees it.
I personally have some sympathy for 3taps and I expect most of HN does also. The open Internet is not like any old public space. But the ruling doesn't threaten to ambiguously target people who just change an IP to get around an ordinary IP ban.