bit-tech.net

US court rules proxies, IP switching illegal


Even using a service like Google Translate could translate to a criminal offence, thanks to a new ruling on the CFAA by a US court.

A US court has ruled that simply changing one's IP address is enough to fall foul of the Computer Fraud and Abuse Act, if done to circumvent a deliberate block on accessing a site or service.

Introduced back in 1986 to replace 18 USC § 1030 - the snappily-titled Fraud and Related Activity in Connection with Computers - the CFAA was designed to limit federal involvement in cases unless there was a particular nationwide interest, such as an attack on a major financial institution or one that crosses multiple state lines. Despite numerous amendments - six so far, with the latest being the introduction of the Identity Theft Enforcement and Restitution Act in 2008 - there are still legal niggles that lawyers use in their arguments.

A court has now ruled on one of these niggles, coming down hard on those who make use of proxy servers, or who even just manually change their IP address, to access systems from which they have been blocked on a previous IP.

A ruling by Northern District of California Judge Breyer suggests that such activity constitutes 'unauthorised access' as enshrined in the CFAA, and leaves the perpetrator open to potential legal action. Spotted by Orin Kerr of The Volokh Conspiracy, the ruling could have serious consequences for some very common usage scenarios.

The details of the case are, naturally, complex: a company called 3taps had been scraping content from online classifieds specialist Craigslist in order to direct traffic to its own sites. Craigslist, naturally, was unhappy, and blocked 3taps' IP addresses from accessing its servers following the submission of a cease and desist notice - at which point 3taps started to use proxy servers and new IP addresses to continue to scrape the content.

Craigslist sued, arguing that the cease and desist coupled with the blocking of IP addresses assigned to 3taps was a clear revocation of the company's right to access Craigslist servers. 3taps raised a counterargument that a given company has no right to revoke the general authorisation for an individual to access an otherwise publicly-available website.

On the face of it, it's clear that the judge's decision to back Craigslist is a positive: banning users from sites is a common way of dealing with abuse, from denial of service attacks and spam to forum users who flout the rules. Removing this ability and forcing sites to continue permitting access to all without restriction would be a terrible move.

But by stating outright that the simple changing of an IP address is abuse under the CFAA, it's possible the judge has opened the floodgates for common, everyday activities to be rendered illegal. Many users, for example, still have dynamic IP addresses that change every time a router is rebooted - which, if it allows them access to a previously-banned site, could be argued as circumvention. Using a service like Google Translate, too, will see a user's traffic originating from a different IP - and, again, could bypass blocks put in place to prevent access.

Kerr argues that an IP address block is so easily circumvented - even by accident, as with the above examples - that it should not be considered a technological barrier under the CFAA. The CFAA itself, meanwhile, is up for revision in response to the death of free data activist Aaron Swartz, who committed suicide following his prosecution under a particularly vaguely-worded passage.

35 Comments

Corky42 21st August 2013, 12:50 Quote
I guess this is what happens when technically illiterate people start to make laws and pass judgments on things they don't understand.
But saying that, you would think the judge would seek the advice of people with knowledge on the subject he/she is making judgment on, much in the same way they receive advice from Doctors when dealing with medical cases.
Stanley Tweedle 21st August 2013, 13:20 Quote
A country run by retards. Wiping out bee populations and trying to control the internet. I begin to detest that country more each day.
RichCreedy 21st August 2013, 13:31 Quote
I doubt accidental ip address change is covered by the law, as it states to deliberately circumvent a block.
LordPyrinc 21st August 2013, 13:36 Quote
No doubt that there will be an appeal to this judgment. Perhaps a more informed judge will overturn the ruling. A ruling or interpretation of law is only as good as the enforcement of it going forward. The ruling in question sets a bad precedence, but will it be used in other cases? It's impossible to tell at this point.

The whole big brother watching is really getting annoying these days. No doubt many more people will start taking countermeasures not because they have anything to hide, but simply because they don't want the government snooping around in their daily business.

Besides, the more information you collect, the more time and resources it takes to process that information. At some point, it's bound to be counterproductive.

An individual breaks the law and they are punished, but if a government agency breaks the law, they simply say they are reviewing policy and re-educating their staff properly. A few of the head staff may lose their jobs, but they will likely just hop back in bed with private industry as a subject matter expert and end up making more money as a result.

Just look how many individuals actually did prison time for their role in the banking crisis. If the government won't prosecute the private sector sufficiently, there is little hope that they will police themselves any better.
Deders 21st August 2013, 13:37 Quote
Wouldn't it be the IP address of the router and not the one designated behind the subnet mask?
Draksis 21st August 2013, 13:41 Quote
Quote:
Originally Posted by RichCreedy
I doubt accidental ip address change is covered by the law, as it states to deliberately circumvent a block.



The problem is this: A "block" is too vague, and could mean simply unable to access. thinking that way, "deliberately circumvent a block" is what a system admin does when dealing with two identical IPs on the same network. :(

And that was just off the top of my head. I'm sure there are many different ways this can be used.
RichCreedy 21st August 2013, 13:52 Quote
Quote:
Originally Posted by Draksis
The problem is this: A "block" is too vague, and could mean simply unable to access. thinking that way, "deliberately circumvent a block" is what a system admin does when dealing with two identical IPs on the same network. :(

And that was just off the top of my head. I'm sure there are many different ways this can be used.

do we need to spell everything out these days. a system admin in the above position has permission to deal with the problem, if an ip address of someone outside your network has been deliberately blocked, they no longer have permission to access that network, if they deliberately change their ip address to circumvent that block, they are breaking the law as outlined in the article.
atlas 21st August 2013, 13:55 Quote
Ha LOL just about every internet connection in South Africa is on a dynamic IP so all South Africans could now be breaking US law when they access certain sites
Stanley Tweedle 21st August 2013, 14:11 Quote
Quote:
Originally Posted by RichCreedy
Quote:
Originally Posted by Draksis
The problem is this: A "block" is too vague, and could mean simply unable to access. thinking that way, "deliberately circumvent a block" is what a system admin does when dealing with two identical IPs on the same network. :(

And that was just off the top of my head. I'm sure there are many different ways this can be used.

do we need to spell everything out these days. a system admin in the above position has permission to deal with the problem, if an ip address of someone outside your network has been deliberately blocked, they no longer have permission to access that network, if they deliberately change their ip address to circumvent that block, they are breaking the law as outlined in the article.

And if the US creates a law to allow its citizens to be destroyed by drone strikes... if those citizens break the law... what then?
CarlT2001 21st August 2013, 14:36 Quote
I don't see the problem here. Yes, if someone not authorised to access a network then uses a proxy to access it, it's wrong.

I don't believe for a second accidental IP switching or harmless activity will end up in prosecution.

Seems like a load of nonsense.
MSHunter 21st August 2013, 14:45 Quote
this would make using a US netflix account outside the US illegal and not just against TOS.
(as an example)
Cthippo 21st August 2013, 14:58 Quote
Seems the ruling could have focused on the "what" (continuing to maliciously use CL data after being blocked and having a cease and desist order issued) than the particulars of how it was done.

This company was clearly doing something wrong, and probably illegal, and had circumvented both legal and technological attempts to get it to stop. I think what the judge is saying is that while using a proxy is not in itself illegal, using one in the commission of a crime shows intent and therefore may rise to the level of being covered under CFAA.

Bottom line, don't get your panties in a twist over this yet...
CarlT2001 21st August 2013, 15:02 Quote
Quote:
Originally Posted by MSHunter
this would make using a US netflix account outside the US illegal and not just against TOS.
(as an example)

In theory it would. But would Netflix do anything about it? Do they even care? The people doing this are paying customers after all.
schmidtbag 21st August 2013, 15:48 Quote
This law will have as much of an impact as the anti-piracy laws. Considering the sheer magnitude of users who accidentally, and deliberately change their IP addresses (which is considerably higher than the amount of users who are pirating something), the only time this law can actually be even slightly effective is if someone is directly aware of somebody else deliberately changing their IP so they avoid a ban. I don't expect life will change for anybody who isn't doing anything sneaky. If anything, this law probably does more good than bad, when you consider that it can't possibly affect the average person.
Corky42 21st August 2013, 15:59 Quote
From my understanding it won't affect your average user, you would need to receive a cease and desist letter before anything could be done, afaik.
adrock 21st August 2013, 16:01 Quote
more specific court cases being argued resulting in broad sweeping rulings that one party is happy with, a great way to make legislation.

it keeps the legal industry going mind, as a few months down the line they can argue the same thing over again but with a slightly different case and get a whole new heap of legal fees. Same as the patent 'industry', it's an area the legal industry has realised they can generate large amounts of work from, and work means payment, and that's the bottom line. Any justice done is a bonus.
Woodspoon 21st August 2013, 16:11 Quote
This won't end well.
It always starts off with small things like this and ends up getting silly because of abuse by dimwits in power.
longweight 21st August 2013, 16:16 Quote
So this would render services such as unblock-us illegal in the UK?
Phil Rhodes 21st August 2013, 16:24 Quote
Does anyone actually object to the ruling in this case?

Ban avoidance is obviously wrong.

P
Corky42 21st August 2013, 16:55 Quote
Quote:
Originally Posted by longweight
So this would render services such as unblock-us illegal in the UK?

From my understanding, no it wouldn't.
It would only make it illegal if you received a cease and desist letter from the company running the site you are trying to access by changing your IP.
azazel1024 21st August 2013, 17:42 Quote
One of the additional things to consider in the case was that Craigslist sent a cease and desist demand to the scraping service in question in ADDITION to the IP blocking.

At the very least if there ever actually were a suit/case over circumventing IP blocking, this existing opinion is likely not to weigh very heavily at all.
azazel1024 21st August 2013, 17:47 Quote
To add, both the Bittech and several others have rather hyped up coverage of it. If you read the decision and the language of the US CFAA it requires DELIBERATE circumvention. Simply having a dynamic IP isn't going to trigger that. Nor would changing your IP unless it is SPECIFICALLY aimed at avoiding IP blocking.

Granted, this could mean that the CFAA would apply to people using a proxy to access services not allowed within their country (deliberate circumvention), which many people do (and regional locking is generally pretty damned stupid).

As I mentioned in my other comment though, the additional fact of a C&A letter in this case is an additional consideration, not simply that the IP was blocked and proxies were then used to access Craigslist.
tad2008 21st August 2013, 19:32 Quote
Quote:
Originally Posted by Corky42
Quote:
Originally Posted by longweight
So this would render services such as unblock-us illegal in the UK?

From my understanding, no it wouldn't.
It would only make it illegal if you received a cease and desist letter from the company running the site you are trying to access by changing your IP.

It's a US law that has no jurisdiction in the UK at least for now until the UK end up following suit.
Corky42 21st August 2013, 20:22 Quote
Yea but being the UK we probably won't bother with having to have cease and desist letters.
We will just do something dumb like "nudging" ISPs into blocking access to anything that changes IPs, after all we don't want kids circumventing any filters their parents have set up.
longweight 21st August 2013, 21:33 Quote
As long as unblock-us stays legal for UK folks :)
chriscase 22nd August 2013, 05:18 Quote
My concern with this type of ruling isn't that it's going to be enforced across the board, but that it gives the federal government very broad discretion that it can use later in some specific case where they are clearly in the wrong. For example a whistleblower might easily slip up at some point and use a public network in a way that could be construed as bypass of a block.
Corky42 22nd August 2013, 10:55 Quote
Quote:
Originally Posted by chriscase
For example a whistleblower might easily slip up at some point and use a public network in a way that could be construed as bypass of a block.

It has been said by many people many times, you would need to have received a cease and desist letter, and you would only be breaking the law if you continued to circumvent the IP blocking after having received the notice telling you to stop.
Gareth Halfacree 22nd August 2013, 11:02 Quote
Quote:
Originally Posted by Corky42
It has been said by many people many times, you would need to have received a cease and desist letter [...]
It has. Unfortunately, it's not true. If you read the actual ruling - there's a PDF linked from the blog post - the judge clearly states that either of Craigslist's actions, the cease-and-desist and the IP blocking, were good enough for 3Taps to know it was forbidden to access the site. I quote:
Quote:
Originally Posted by The Ruling
Craigslist affirmatively communicated its decision to revoke 3Taps' access through its cease-and-desist letter and IP blocking efforts. 3Taps never suggests that those measures did not put 3Taps on notice that Craigslist had banned 3Taps; indeed, 3Taps had to circumvent Craiglist's IP blocking measures to continue scraping, so it indisputably knew that Craigslist did not want it accessing the website at all.
The key, there, is 'indeed, 3Taps had to circumvent Craigslist's IP blocking measures to continue scraping, so it indisputably knew that Craigslist did not want it accessing the website.' The C&D was icing on the cake; here, the judge is saying that the block was enough to tell 3Taps that it was no longer welcome, and that by circumventing the block 3Taps had malice aforethought.

However, as for the risk of being arrested because your IP changed without your knowledge and you visited a site that you didn't know or had forgotten had banned you, the judge has the following words for those who follow his ruling:
Quote:
Originally Posted by The Ruling
Needless to say, the Court’s decision concerning 3Taps’ persistent scraping efforts undertaken after (1) receiving a cease-and-desist letter and (2) employing IP rotation technology to mask its identity and overcome Craigslist’s technological barriers does not speak to whether the CFAA would apply to other sets of facts where an unsuspecting individual somehow stumbles on to an unauthorized site.
MrJay 22nd August 2013, 11:42 Quote
This kind of ill thought out and frantic grasping for control of an increasingly disillusioned population isn't going to work.

It's just going to piss people off, the more control you employ the less you will ultimately have.

Analogy time: Grasping a live wet fish, the more you grip, the more it wriggles, the less control you have!
Corky42 22nd August 2013, 11:48 Quote
Yea I tried reading the PDF on the ruling, but it isn't worded very well.

And I think this may be where the confusion comes in, the part you quote from the ruling first mentions the C&D letter and then the IP blocking. As sad as it sounds, I think the key here is the semicolon after the first statement..
Quote:
Originally Posted by Wiki
When a semicolon marks the right boundary of a constituent (e.g., a clause or a phrase), the left boundary is marked by punctuation of equal or greater strength.

So would this mean the first statement is equal or greater strength, is the wiki saying the left and right boundary is taken from the semicolon ?
Gareth Halfacree 22nd August 2013, 11:52 Quote
Quote:
Originally Posted by Corky42
So would this mean the first statement is equal or greater strength, is the wiki saying the left and right boundary is taken from the semicolon ?
That's talking about the punctuation being of equal or greater strength, not the statements.
Corky42 22nd August 2013, 13:34 Quote
Well putting the grammar and punctuation aside for a moment, as we could be here forever trying to work out if the semicolon is used with the intent of linking related clauses, if it was meant as introductory, or a joined coordinating conjunction.

In the same document the judge states "In contrast, the average person does not use “anonymous proxies” to bypass an IP block set up to enforce a banning communicated via personally-addressed cease-and-desist letter."

The key wording being IP block setup to enforce the C&D.
jrs77 22nd August 2013, 13:50 Quote
I couldn't care less tbh how people like to read these rulings. The way I see it, the US-rulings in general are often worded very badly and leave tons of room for interpretation.

Nevertheless, when I was a little boy in the 80's, I always looked forward to travel to the US or maybe apply for a greencard. Nowadays I wouldn't set foot onto US-territories unless I'm forced to.

The US becomes more and more of a big-brother-state and is almost as bad as Russia, China etc nowadays. Way to go for the so called "free world".
ferret141 23rd August 2013, 11:31 Quote
Quote:
Originally Posted by CarlT2001
In theory it would. But would Netflix do anything about it? Do they even care? The people doing this are paying customers after all.

Paying to Netflix but not contributing to the licence fee demanded by the media distributors. That is if they're charging Netflix per subscriber as opposed to a flat rate.
MSHunter 25th August 2013, 17:37 Quote
of course netflix would not sue, but the movie industry?