A US court has ruled that simply changing one's IP address is enough to fall foul of the Computer Fraud and Abuse Act, if done to circumvent a deliberate block on accessing a site or service.
Introduced back in 1986 to replace 18 USC § 1030 - the snappily-titled Fraud and Related Activity in Connection with Computers
- the CFAA was designed to limit federal involvement in cases unless there was a particular nationwide interest, such as an attack on a major financial institution or that crosses multiple state lines. Despite numerous amendments - six so far, with the latest being the introduction of the Identity Theft Enforcement and Restitution Act in 2008 - there are still legal niggles that lawyers use in their arguments.
It's one of these niggles that has been ruled by a court to come down hard against those who make use of proxy servers, or even who just manually change their IP address, to access systems from which they have been blocked on a previous IP.
A ruling by Northern District of California Judge Breyer suggests that such activity constitutes 'unauthorised access
' as enshrined in the CFAA, and leaves the perpetrator open to potential legal action. Spotted by Orin Kerr of The Volokh Conspiracy
, the ruling could have serious consequences for some very common usage scenarios.
The details of the case are, naturally, complex: a company called 3taps had been scraping content from online classifieds specialist Craigslist in order to direct traffic to its own sites. Craigslist, naturally, was unhappy, and blocked 3taps' IP addresses from accessing its servers following the submission of a cease and desist notice - at which point 3taps started to use proxy servers and new IP addresses to continue to scrape the content.
Craigslist sued, arguing that the cease and desist coupled with the blocking of IP addresses assigned to the 3taps was a clear revocation of the company's right to access Craigslist servers. 3taps raised a counterargument that a given company has no right to revoke the general authorisation for an individual to access an otherwise publicly-available website.
On the face of it, it's clear that the judge's decision to back Craigslist is a positive: banning users from sites is a common way of dealing with abuse, from denial of service attacks and spam to forum users who flout the rules. Removing this ability and forcing sites to continue permitting access to all without restriction would be a terrible move.
But by stating outright that the simple changing of an IP address is abuse under the CFAA, it's possible the judge has opened the floodgates for common, everyday activities to be rendered illegal. Many users, for example, still have dynamic IP addresses that change every time a router is rebooted - which, if it allows them access to a previously-banned site, could be argued as circumvention. Using a service like Google Translate, too, will see a user's traffic originating from a different IP - and, again, could bypass blocks put in place to prevent access.
Kerr argues that an IP address block is so easily circumvented - even by accident, as with the above examples - that it should not be considered a technological barrier under the CFAA. The CFAA itself, meanwhile, is up for revision in response to the death of free data activist Aaron Swartz who committed suicide following his prosection under a particularly vaguely-worded passage.