EFF: Court Rules Accessing a Public Website Isn’t A Crime, But Hiding Your IP Address Could Be

This article, written by staff attorney Hanni Fakhoury, was originally published on August 20, 2013 by the Electronic Frontier Foundation.

In the ongoing legal battle between craigslist and 3taps, a new court opinion makes clear that people are “authorized” under the Computer Fraud and Abuse Act (CFAA) to access a public website. But what the court gave with one hand it took with the other, as it also ruled that sending a cease-and-desist letter and blocking an IP address is enough to “revoke” this authorization.

3taps collects real-estate data from craigslist and makes it available to other companies to use. One of those companies, Padmapper, republished craigslist apartment postings over a map to enable users to view apartment listings geographically, a feature then unavailable on the craigslist site. Craigslist’s terms of service prohibit people from “scraping” or copying data from craigslist’s site.

After learning about 3taps and its clients, craigslist sent 3taps a cease-and-desist letter demanding they stop using craigslist data this way and then blocked 3taps’ IP address from accessing the craigslist site. Ultimately, craigslist sued 3taps in federal court, arguing that 3taps had violated the CFAA. 3taps moved to dismiss the case, arguing that under the Ninth Circuit Court of Appeals decision in United States v. Nosal, 3taps could not be liable under the CFAA for violating craigslist’s terms of service.

While the court agreed with 3taps on this point, it questioned whether the CFAA even protected information available on a publicly accessible website like craigslist in the first place. After the court agreed to accept additional briefing on this point, we, along with a number of law professors, filed an amicus brief with the court urging it to rule that everyone is “authorized” to visit a public website under the CFAA.

Last week, the court ruled that this interpretation of the CFAA “makes sense,” meaning that everyone starts out as “authorized” to access a publicly accessible website. But it found that, with respect to 3taps, craigslist had used its “power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website” by sending the cease and desist letter and blocking 3taps’ IP address. The decision is certainly a mixed bag.

First the positive.

It is encouraging to see courts recognize that the CFAA, which creates both civil and criminal liability, doesn’t criminalize accessing information from a publicly accessible website. The government used that precise theory to prosecute Andrew “Weev” Auernheimer for exposing an AT&T security flaw that publicly revealed thousands of customers’ email addresses. The possibility of imposing CFAA liability on someone for using information made freely available on the web posed a major threat to the openness and innovation of the Internet.

Moreover, by focusing on the IP blocking, the court essentially agreed with the basic principle we’ve suggested as a means to limit the reach of the CFAA: that there must be circumvention of a technological barrier before a person can be found to have “accessed” information or data “without authorization.” In fact one proposal to reform the CFAA currently before Congress, “Aaron’s Law,” defines “access without authorization” to mean precisely that: “knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.” The court adopted this idea in principle when it found that craigslist’s CFAA claim was based on something more than violating the terms of service of a publicly accessible website, and indeed something more than the cease and desist letter alone.

Now for the troubling part of the court’s opinion.

We believe that the CFAA requires hacking: doing something that breaches a technological barrier, like cracking a password or taking advantage of a SQL injection.

Changing your IP address is simply not hacking. That’s because masking your IP address is an easy, common thing to do. And there are plenty of legitimate reasons to do so, whether it’s to protect your privacy, preserve innovation or avoid price discrimination. Plus, in the context of this case, craigslist’s IP address blocking and cease-and-desist letter combined to essentially act as a “use” restriction. In other words, craigslist relied on these two things to enforce its terms of service upon 3taps.

There’s a serious potential for mischief that is encouraged by this decision, as companies could arbitrarily decide whose authorization to “revoke” and need only write a letter and block an IP address to invoke the power of a felony criminal statute in what is, at best, a civil business dispute.

Hopefully future courts thinking about these issues can use the good aspects of this decision to recognize that violating a technological measure is necessary. But they need to think more critically about whether IP address blocking, even if coupled with a cease and desist letter, is enough for a CFAA violation.

Accessing a public website isn’t a crime. Neither is hiding your online identity.

Electronic Frontier Foundation: The Three Pillars of Government Trust Have Fallen

The Electronic Frontier Foundation has reacted to Thursday’s Washington Post story on the National Security Agency’s eye-opening audit, which dismantled the fallacy that there are adequate oversight mechanisms built into the government’s program of domestic spying, with a timely column that explains just how far America’s leadership has fallen in abusing the public trust. Act now to join the growing number of Americans demanding an end to unconstitutional NSA spying.


By Cindy Cohn and Mark M. Jaycox

The Electronic Frontier Foundation

With each recent revelation about the NSA’s spying programs, government officials have tried to reassure the American people that all three branches of government—the Executive branch, the Judiciary branch, and the Congress—knowingly approved these programs and exercised rigorous oversight over them. President Obama recited this talking point just last week, saying: “as President, I’ve taken steps to make sure they have strong oversight by all three branches of government and clear safeguards to prevent abuse and protect the rights of the American people.” With these three pillars of oversight in place, the argument goes, how could the activities possibly be illegal or invasive of our privacy?

Today, the Washington Post confirmed that two of those oversight pillars—the Executive branch and the court overseeing the spying, the Foreign Intelligence Surveillance Court (FISA court)—don’t really exist. The third pillar came down slowly over the last few weeks, with Congressional revelations about the limitations on its oversight, including what Representative Sensenbrenner called “rope a dope” classified briefings. With this, the house of government trust has fallen, and it’s time to act. Join the over 500,000 people demanding an end to the unconstitutional NSA spying.

First, the Executive. After a review of internal NSA audits of the spying programs provided by Edward Snowden, the Post lays out—in stark detail—that the claims of oversight inside the Executive Branch are empty. The article reveals that an internal NSA audit not shown to Congress, the President, or the FISA Court detailed thousands of violations where the NSA collected, stored, and accessed Americans’ communications content and other information. In one story, NSA analysts searched for all communications containing the Swedish manufacturer Ericsson and “radio” or “radar.” What’s worse: the thousands of violations only include the NSA’s main office in Maryland—not the potentially hundreds of other NSA offices across the country. And even more importantly, the documents published by the Post reveal violations increasing every year. The news reports and documents are in direct contrast to the repeated assertions by President Obama (video), General James Clapper (video), and General Keith Alexander (video) that the US government does not listen to or look at Americans’ phone calls or emails. So much for official pronouncements that oversight by the Executive was “extensive” and “robust.”

Second, the FISA Court. The Post presents a second article in which the Chief Judge of the FISA Court admits that the court is unable to act as a watchdog or stop the NSA’s abuses: “The FISC is forced to rely upon the accuracy of the information that is provided to the Court,” its chief, US District Judge Reggie B. Walton, said in a written statement. “The FISC does not have the capacity to investigate issues of noncompliance.”  Civil liberties and privacy advocates have long said that the FISA Court is a rubber stamp when it comes to the spying, but this is worse—this is the Court admitting that it cannot conduct the oversight the President and others have claimed it is doing. So much for claims by officials from the White House (video), NSA, DOJ, and Intelligence Committee members of Congress that the FISA Court is another strong pillar of oversight.

Third, the Congress. Last week, Representative Sensenbrenner complained that “the practice of classified briefings are a ‘rope-a-dope operation’ in which lawmakers are given information and then forbidden from speaking out about it.” Members of Congress who do not serve on the Intelligence Committees in both the House and Senate have had difficulty in obtaining documents about the NSA spying. Last week, it was even uncovered that the Chairman of the House Intelligence Committee, Rep. Mike Rogers, failed to provide freshmen members of Congress vital documents about the NSA’s activities during a key vote to reapprove the spying. Senators Wyden and Udall have been desperately trying to tell the American people what is going on, but this year the House Intelligence committee’s Subcommittee on Oversight has not met once and the Senate Intelligence committee has met publicly only twice.

One, two, three pillars of government, all cited repeatedly as the justification for our trust and all now obviously nonexistent or failing miserably. It’s no surprise Americans are turning against the government’s explanations.

The pattern is now clear and it’s getting old. With each new revelation the government comes out with a new story for why things are really just fine, only to have that assertion demolished by the next revelation. It’s time for those in government who want to rebuild the trust of the American people and others all over the world to come clean and take some actual steps to rein in the NSA. And if they don’t, the American people and the public, adversarial courts, must force change upon it.

We still think the first step ought to be a truly independent investigatory body that is assigned to look into the unconstitutional spying. It must be empowered to search, read and compel documents and testimony, must be required to give a public report that only redacts sensitive operational details, and must suggest specific legislation and regulatory changes to fix the problem—something like the Church Committee or maybe even the 9/11 Commission. The President made a mockery of this idea recently, by initially handing control of the “independent” investigation he announced in his press conference to the man who most famously lied to Congress and the American people about the spying, the Director of National Intelligence James Clapper.

The three pillars of American trust have fallen. It’s time to get a full reckoning and build a new house from the wreckage, but it has to start with some honesty.

EFF: Multiple New Polls Show Americans Reject Wholesale NSA Domestic Spying

This article, published Tuesday by the Electronic Frontier Foundation (EFF), demonstrates Americans’ growing mistrust of the Federal government’s Orwellian and secretive programs that enable law enforcement agencies to spy on U.S. citizens without warrants, probable cause or informing us we’re being targeted. Follow the link at the end to add your voice to the growing number of people who demand the government come clean about its domestic surveillance operations, and to urge Congress to reform our Nation’s broad, permissive laws that have nurtured the expansion of Federal spy programs.

By Mark M. Jaycox and Trevor Timm

Polls further confirm that Americans are deeply concerned with the unconstitutional NSA spying programs. In a July 10 poll by Quinnipiac University, voters were asked whether the government’s efforts “go too far in restricting the average person’s civil liberties” or “not far enough to adequately protect the country.” The poll revealed that Americans largely believe that the government has gone too far by a margin of 45% to 40%. This is a clear reversal from a January 2010 survey in which the same question found that 63% of voters believed the government didn’t “go far enough to adequately protect the country.”

Polls further reveal Americans as highly skeptical of the programs. In an Economist/YouGov poll, 56% of Americans do not think the NSA is telling the truth about the unconstitutional spying. The same poll found that 59% of people disapprove of the spying, while only 35% approve of it. These numbers are not outliers and are supported by a recent Fox News poll (.pdf) finding 62% of Americans think the collection of phone records is “an unacceptable and alarming invasion of privacy rights.”

The latest poll, performed by Pew, affirms every one of these conclusions. Not only are Americans skeptical about the program, but they also believe the government has gone too far—the same exact conclusion found in the Quinnipiac poll. In a series of questions, Pew asked Americans whether they supported or opposed the program with different phrasings. As Pew reports: “Under every condition in this experiment more respondents oppose than favor the program.” The Pew poll is full of evidence supporting the fact that Americans oppose the unconstitutional spying, are skeptical of government claims about the unconstitutional NSA spying, and are increasingly concerned about their privacy rights.

In the 1950s and 60s, the NSA spied on all telegrams entering and exiting the country. The egregious actions were only uncovered after Congress set up an independent investigation called the Church Committee in the 1970s after Watergate. When the American public learned about NSA’s actions, they demanded change. And the Church Committee delivered it by providing more information about the programs and by curtailing the spying.

Just like the American public in the 1970s, Americans in the 2010s know that when the government amasses dossiers on citizens, it’s neither good for security nor for privacy. And a wide range of polls this week show widespread concern among the American people over the new revelations about NSA domestic spying.

Yesterday, the Guardian released a comprehensive poll showing widespread concern about NSA spying. Two-thirds of Americans think the NSA’s role should be reviewed. The poll also showed Americans demanding accountability and more information from public officials—two key points of our recently launched stopwatching.us campaign.

But there’s more. So far, Gallup has one of the better-worded questions, finding that 53% of Americans disapprove of the NSA spying. A CBS poll also showed that a majority—at 58%—of Americans disapprove of the government “collecting phone records of ordinary Americans.” And Rasmussen—though sometimes known for push polling—also recently conducted a poll showing that 59% of Americans are opposed to the current NSA spying.

The only poll showing less than a majority on the side of government overreach was Pew Research Center, which asked Americans whether it was acceptable that the NSA obtained “secret court orders to track the calls of millions of Americans to investigate terrorism.” Pew reported that 56% of Americans said it was “acceptable.” But the question is poorly worded. It doesn’t mention the widespread, dragnet nature of the spying. It also neglects to describe the “information” being given—metadata, which is far more sensitive and can provide far more information than just the ability to “track the calls” of Americans. And it was conducted early on in the scandal, before it was revealed that the NSA doesn’t even have to obtain court orders to search already collected information.

Despite the aggregate numbers, many of the polls took place at the same time Americans were finding out new facts about the program. More questions must be asked. And if history is any indication, the American people will be finding out much more. Indeed, just today the Guardian reported that it’s working on a whole new series with even more NSA revelations about spying.

One thing is definitely clear: the American public is demanding answers and needs more information. That’s why Congress must create a special investigatory committee to reveal the full extent of the programs. Democracy demands it.

Head over to the Electronic Frontier Foundation to take action by signing the organization’s letter to Congress demanding a full accounting of the NSA’s U.S. citizen surveillance activities.

Judge Grants Preliminary Injunction To Protect Free Speech After EFF Challenge

This post, written by senior staff attorney Matt Zimmerman, was originally published on August 9, 2013 by the Electronic Frontier Foundation.

Newark, NJ – A New Jersey federal district court judge granted motions for a preliminary injunction today, blocking the enforcement of a dangerous state law that would put online service providers at risk by, among other things, creating liability based on “indirect” publication of content by speech platforms.

The Electronic Frontier Foundation (EFF) argued for the injunction in court on behalf of the Internet Archive, as the statute conflicts directly with federal law and threatens service providers who enable third party speech online.

“The Constitution does not permit states to pass overbroad and vague statutes that threaten protected speech. The New Jersey statute created that threat and the court was right to block it,” said EFF Senior Staff Attorney Matt Zimmerman. “Similarly, Section 230 of the Communications Decency Act prohibits the state from threatening to throw online providers in jail for what their users do and the statute violated that rule as well. We are grateful that the court recognized the importance of these bedrock principles to online libraries and other platforms that make the Internet the vital and robust tool it is today.”

The New Jersey law at issue is an almost carbon-copy of a Washington state law successfully blocked by EFF and the Internet Archive last year. While aimed at combatting online ads for underage sex workers, it instead imposes stiff criminal penalties on ISPs, Internet cafes, and libraries that “indirectly” cause the publication or display of content that might contain even an “implicit” offer of a commercial sex act if the content includes an image of a minor. The penalties – up to 20 years in prison and steep fines – would put enormous pressure on service providers to block access to broad swaths of otherwise protected material in order to avoid the vague threat of prosecution.

“Within the past month, we’ve seen a coalition of state attorneys general ask Congress to gut CDA 230 to make way for harmful laws like New Jersey’s,” said Zimmerman. “This misguided proposal puts speech platforms at risk, which in turn threatens online speech itself. Law enforcement can and must pursue criminals vigorously, but attacking the platforms where people exercise their right to free speech is the wrong strategy.”

Backpage.com separately filed suit against this law, represented by the law firm of Davis Wright Tremaine, who also joined today’s argument.

For more on this case:
https://www.eff.org/cases/internet-archive-v-hoffman