
I may be remembering wrong, but I believe in the Swartz case it was about spoofing his MAC address?


It's not 'about' spoofing his MAC address. It's about respecting the rights of property owners to set the terms of how other people may access their property. You know, when someone is charged with burglary the issue is not that they entered your place through the window rather than by ringing the doorbell, but that they entered without your permission. Try to imagine the outrage that would result if a judge said 'it's your fault for having an insecure window, tough luck.'

EDIT: I might add that I don't care for JSTOR or the copyright system that they derive such benefit from. But then I don't especially care for our laws on taxation and related subjects - my disagreement with those doesn't give me the right to opt out of taxes that I dislike, or to appropriate the possessions of others whose wealth I might envy.


I really hate analogies in law because it always seems to provide very little support for whether a law is a good idea or not. Your analogy is to breaking and entering a physical residence, but you skip over the fact that this is a publicly available website. I'd say it has more in common with photographing a public building. Let's say Dunkin' Donuts doesn't want me photographing their buildings and making a map of all their locations. They demand that I stop taking photos from the street and put up a small tarp that covers the physical line of sight to their building that I used to photograph. I then come back and photograph their building from 2 feet to the right and they claim I bypassed their building security.

I don't think my analogy is any more correct than yours, which is why I would rather we just decide what is best for society. Seems a lot more useful than trying to decide whether IP filtering is analogous to breaking a window.


Dunkin' Donuts could exclude you from their premises if they saw fit. Your analogy is equivalent to 3taps making a list of Craigslist URLs and getting a front page screenshot for each one. Scraping is qualitatively different - you have to go on into the website to analyze the content, so I suggest it's more like walking into the DD kitchen and trying to document their customer transactions.


It is nothing like walking into the DD kitchen and trying to document it. It's quite a bizarre fantasy to think that physical property rights are anything like client-server interactions.


The Web site sent a Web page to a user. What was sent was essentially just simple text although maybe with some JPG or PNG files. That's the way HTTP, HTML, and CSS work -- mostly just simple text. The Web site voluntarily sent this data, mostly just simple text.

Now the user has the data that the Web site voluntarily sent. Commonly the user keeps the data; e.g., their Web browser commonly keeps a copy of this data to speed future accesses to it. Besides a Web browser is perfectly willing to write the data to files and a directory so that the Web browser can display the data again.

Maybe the user will analyze the data, e.g., see what colors were used for the fonts. So what?

Besides, there is no way for the Web site to tell what the user does with the data unless maybe the user republishes the data.

Screen scraping is just using the data that the Web site freely sent. If the data is not republished, etc., then tough to claim that the user did anything wrong.


> The Web site voluntarily sent this data, mostly just simple text.

If you know of a way to configure Apache to deliver web data to everyone but a certain subset of users without having to force the authorized subset to use authentication then the whole world is all ears.

In fact, I'm sure HN could use this good news first so that they don't have to use such a non-specific ban system as IP bans...

But until then 3taps had no question that they knew the web site operator did not want them to access their website at all, and in fact had to go out of their way to get around the IP ban, so let's not pretend like the court decision here is setting some kind of general precedent.


No, your argument is mixed up and confused.

IP is irrelevant and not good evidence of anything. The IP address used by 3taps can be changed by the 3taps ISP at any time for any reason.

IP can't be used for authentication.

With public key cryptography and Kerberos, there are some excellent means of authentication. If Craigslist wants to use such authentication, fine, and then they can effectively and accurately block any given collection of users.

But usually a Web site, e.g., HN, offers access to any IP address anonymously, without authentication. In that case, it's next to absurd for the Web site to complain about some person when they have next to no good evidence on that person.

Your "go out of their way" is wildly false; all that had to happen was just their electric company to drop power for one second. My electric company does this about once a week. Then the cable modem will forget its assigned IP address and, when electrical power is restored, request a new IP address. The 3taps people need not be aware of this at all.

Moreover, the ISP can have assigned the banned IP address to someone else, Joe, not involved. Then Joe's usage of the Web site is no evidence against 3taps.

Maybe 3taps knew that the Web site did not want them to use their site, but more importantly the site had no good evidence, at least not from IP address, if 3taps was using their site at all or not.


> Your "go out of their way" is wildly false; all that had to happen was just their electric company to drop power for one second.

So you're saying that business networks typically have completely random IPs set up by their ISP? I would hope not, as that means SSL sites could not have worked at all for most people prior to Windows Vista. Not to mention the certain problem of how Google DNS is set up for people (Hint: It uses a static IP).

In fact I think you might get even more disappointed if you consider the types of "proof" that are considered acceptable within the legal system, and commerce in general.

For instance, completing a contract by faxing over a document, having it signed, and faxing it back. That has all the same theoretical issues associated with it as blocking a static IP address and yet you don't see the entire edifice of the justice system or commerce falling to bits, now do you?

> Moreover, the ISP can have assigned the banned IP address to someone else, Joe, not involved. Then Joe's usage of the Web site is no evidence against 3taps.

Why are you speaking in terms of "maybes"? 3taps themselves admitted to using a proxy to evade the ban. They knew they were blocked, and they knew why. QED

So while I would agree with you in general that an IP address is not a priori an identifier, that's not at issue in this specific case.


> So you're saying that business networks typically have completely random IPs set up by their ISP?

No. If 3taps was using a static IP address to access Craigslist, then IP address is at least somewhat meaningful as evidence, but mostly Internet users do not have static IP addresses and mostly only organizations that want to operate Internet servers, or Web servers, do. Why? Because mostly to get to a server, a user uses a domain name which uses the domain name system (DNS) which requires a static IP address.

Yes, in the specific case 3taps asked for trouble and got it.

But the article seems to suggest that this case is a threat to ordinary Internet users who, maybe, get an unusually large number of Web pages from a Web site. So, there is also some interest in the more general situation. There IP address is poor evidence.

To me, in the general case, say, Web sites that send data to anonymous users, without strong authentication, etc., should just f'get about the lawyers, suck it up, and f'get about users downloading data. Else the Web site can use strong authentication of users, charge for access to the site, etc.


Why are you talking about "most users"?

The article, and the court case it references, are about 3Taps. 3Taps had a static IP which was banned, and additionally received a Cease and Desist letter. The court case is very clear that the combination of these factors demonstrates that 3Taps' access had been revoked, and that therefore their continued access (through proxies) constituted an intentional, unauthorized access of a protected system.

If the article "seems to suggest" something other than that, either the article is wrong, or you're reading it wrong. This is only a threat to "ordinary" internet users if they're given clear indication that they are no longer allowed to use a site (something like a C&D letter to go along with an account or IP ban.)


The whole point is that it's not freely sent. Craigslist declined to send it to 3taps any more, blocked their IP address, and told them they were no longer welcome to use the site at all, in addition to adjuring them to stop republishing ads from CL. They were well within their rights to do so.

When your argument requires changing the facts, there's something wrong with it.


  J - "You robbed a house."
  V - "I broke a windowpane."

The law isn't some nomic built out of analogies. Suppose a free weekly paper sent someone a C&D and told them to quit taking one copy of the paper. Should that demand be enforced?

Edit: wrote quine, meant nomic.


> The law isn't some quine built out of analogies.

I beg to differ, that is pretty much my philosophy of law and indeed of mentation. I think there's considerable empirical evidence to support it.


As it turns out, judges _do_ say stuff like that. Where I live, they've made it illegal to leave your car unlocked… "Car got stolen? Sorry, your fault, you left the window open."


You're missing the point. The question is about the legality of access without authorisation. Just because it's illegal to leave your car unlocked doesn't magically make it legal to steal from an unlocked car.


[Citation needed]



Thanks.


Yeah - in retrospect I should have provided references to that. Thanks to eksith for beating me to it.


So you're saying that when my IP changes and I visit a website I was banned from I should be in prison?


The penalty rather depends on why you were banned in the first place. If you deliberately violated the ban then it's equivalent to trespass, notwithstanding the publicly accessible nature of websites.

It's not that I love Craigslist particularly, but the fact is that their website remains their private property, same as any other commercial establishment. They have no obligation to serve people who don't respect their policies.


Look, I've avoided bans on many websites on purpose. You're saying this should be a criminal act? If I get banned from Hacker News, and I make a second account using a proxy, I should get prison time?


> Look, I've avoided bans on many websites on purpose. You're saying this should be a criminal act?

Yeah, I'd say so. They're not your servers. If the person who owns them tells you to stop using them, then stop. They don't owe you anything, so just quit using their stuff. Easy, no?

> If I get banned from Hacker News, and I make a second account using a proxy, I should get prison time?

Why didn't you just go all out and say "the death penalty"? :-) No, I'd think a fine or some community service would be more than adequate.


The only thing an IP ban alone conveys is that that IP is no longer allowed access. It does not by itself convey that that user or even that client is not allowed.


Yes, I know. But that's not what we're talking about.


From the article: "There was significantly more to the CFAA charges than that, to be clear, including circumventing a subsequent MAC address block and (most significantly) entering an MIT storage closet to install his computer directly. But changing IP addresses to get around IP address blocking was at least one of the possible grounds of unauthorized access."


I've done a lot more than that on gov't networks just to get slides to show up on a conference projector.


Using a workaround for buggy or misconfigured hardware is very different from "these guys told me to stop using their thing, but I can circumvent the measures they put in place to stop me."

EDIT: related quotes from the ruling

"Craigslist gave the world permission (i.e., “authorization”) to access the public information on its public website.... it rescinded that permission for 3Taps."

"3Taps had to circumvent Craigslist’s IP blocking measures to continue scraping, so it indisputably knew that Craigslist did not want it accessing the website at all."

"3Taps’ deliberate decision to bypass that barrier and continue accessing the website constituted access “without authorization”"


Not really, since I am not an IT guy. Using the law like that means that I have to rely on:

Not accidentally breaking things.

No misunderstandings with the real IT folks.

Some petty asshole in authority who doesn't like me not wanting an excuse to cause trouble for me.


I think you have it backwards.

The court decision relied on the clarity of intent from 3taps. They had been both expressly told not to do something, and technically blocked from doing it. Their access to CL wasn't accidentally broken, they didn't misunderstand what they had been told in the C&D letter, and they didn't get caught by some surprising technicality. They had been clearly told to stop, and they circumvented the measures put in place to stop them.

I said elsewhere: this is more or less equivalent to a store telling me not to come back and distributing my photo to staff... and then me shaving my beard and changing my clothes in order to sneak back in. Shaving and changing my clothes are not illegal in and of themselves; trespassing is illegal, and shaving and changing my clothes are the tools I chose to use in my effort to trespass.


> Shaving and changing my clothes are not illegal in and of themselves

In your analogy, shaving and changing clothes are illegal, according to the ruling.


No. If you read the ruling at [0], you will find you are quite mistaken.

This decision was not about changing IPs; it was about "whether Craigslist had the power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website" (in the analogy, whether the store can revoke my individual permission to enter.) The court agreed that CL has the power to revoke authorization to access its site.

The decision does not reference the IP ban for its own sake, but always as a part of a multi-step argument, best articulated on page 10. "3-Taps (1) received a personally-addressed cease-and-desist letter stating that it could not access Craigslist’s website “for any reason”; (2) discovered that it could no longer access the website at all from its IP addresses; and (3) was sued for continuing to access that website after circumventing the IP restrictions. A person of ordinary intelligence would understand Craigslist’s actions to be a revocation of authorization to access the website, and thus have fair notice that further access was “without authorization.”" The decision is quite clear in its focus on the access being "without authorization".

In the analogy, the court would not reference shaving my beard in isolation, but in the context of my being personally told not to come back, discovering that security turned me away after recognizing my photograph, and then making a "deliberate decision" to enter the store through the mechanism of shaving my beard and changing my clothes in order to avoid being denied entry. The court would make it quite clear that the problem was my re-entry to the store.

[0] http://www.volokh.com/wp-content/uploads/2013/08/Order-Denyi...


> If you read the ruling at [0], you will find you are quite mistaken.

I hadn't read the ruling, just Kerr's post, and yeah I'm only more confused now, considering some of Kerr's comments. I'm just going to give up on it for today, no more time.



