I wish I was grossly misrepresenting the situation here. If I am, please do set me straight.
I wish I was grossly misrepresenting the situation here. If I am, please do set me straight.
You're not wrong, but getting the attention of a federal prosecutor would be easier for jaywalking in a National Park. It applies only to extreme situations.
Fred
On Mon, Aug 19, 2013 at 2:55 PM, Fred Bauder fredbaud@fairpoint.net wrote:
I wish I was grossly misrepresenting the situation here. If I am, please do set me straight.
You're not wrong, but getting the attention of a federal prosecutor would be easier for jaywalking in a National Park. It applies only to extreme situations.
Fred
I think you misread this, Fred. The case (Craigslist v. 3taps) is a private entity suing another[1] for relief from violations of the CFAA[2], and the article is about a recent ruling in that case.[3] The Wikimedia analog might be the WMF suing Grawp (or similar) for repeated violations of technological barriers (and other means) of revoking access to the site. The ruling seems to establish that Wikimedia is entitled to legally revoke access on a case by case basis, and that an IP ban is a sufficient technological barrier to meet the standard. At least that is the apparent state of the law in the Northern District of California, which incidentally includes San Francisco (and the WMF).
[1]: http://www.scribd.com/document_downloads/100933709?extension=pdf&from=em... [2]: http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act [3]: http://www.volokh.com/wp-content/uploads/2013/08/Order-Denying-Renewed-Motio...
One comment on the original link is worth some eyeballs:
*"If IP address blocking is a legally binding way of banning a user, does that establish that an IP address must be considered 'personally identifying information' for privacy policies and related purposes?"*
The logic seems solid (although my sketch wording could be legally and logically tightened): -
Suppose a website blocks an IP which is used by the user known as "Alice". Also suppose there is no other communication by which the user might determine he/she (as an individual living person) has been forbidden to access the site. However one selects word definitions, one of two situations probably exists:
- *If the IP is "sufficiently clearly connected" to the individual behind the Alice account*, then one can't simultaneously argue it's not personal identifying data. The court logic is that by setting a specific IP as blocked, the website owner is banning a specific legally identifiable individual (even if they don't know which exact person). It's also saying that a given individual in the wider world should know from the status of a specific IP (blocked or unblocked), whether they personally are forbidden or not forbidden to access a website (since absent knowledge that they individually are banned as an implication of the IP being blocked), they cannot be said to be aware actually or constructively that authorization is withdrawn, nor can they be in breach of a law that refers to "unauthorized" access which the user then "circumvented" in any manner.
- *But if the IP is "insufficiently clearly connected" to the individual behind the "Alice" account*, then a block of the IP (absent other information) cannot be claimed to be a block for that user, since logically and legally, the user and website owner cannot have knowledge *from the existence of the block alone* (absent other data such as a letter or ban notice) that the block of that IP, is sufficiently clearly a block of a user, and is in fact also clearly a block of the operator of the "Alice" account. If the block is not clearly a block of the individual "Alice" operator, then changing IP cannot be wilfully evading a block of a person, since it's not determinable that the person was blocked.
- *Finally, severing the IP and user* seems problematic as well. That is to say, one can argue against the binary choice by saying that the *IPs*are blocked, but *individuals* aren't (and therefore the users are not identifiable but the IP blocks can be criminally circumvented even without any knowledge who they target). The problem is both commonsense and law. The law *doesn't*forbid circumventing a block where the individual is apparently authorized but the IP isn't. The law criminalizes specifically *"whoever . . . intentionally accesses a computer without authorization . . . and thereby obtains . . . information from any protected computer"* (see ruling) Does this legally mean *they* are unauthorized, or is it enough that *their means of access* is unauthorized even if they are allowed?
*Example - *It's perfectly possible to be accessing a computer, fully authorized, but from an unauthorized place or connection. If Wikimedia IP blocks the entirety of my country to block some IP hopping vandal, and I use a proxy to edit, I haven't "accessed Wikimedia's servers without authorization". I would need to be unauthorized personally, not just unauthorized because I'm using an connection route that bypasses a block. A loose analogy might be that if my mother emails me from an IP range reported on RBL blacklists as a spam range, or phones me from the office of a spam phone call business, she isn't a "spammer" thereby. And if my intention was to block a spammer, have I in fact notified my mother she is "unauthorized" to call or email, merely by the act of blocking the route that by chance she uses today? If she uses a different route (the phone in the next building) is that "circumvention"?
So splitting IP from person seems to break commonsense. However odd the route, she inherits no unauthority (as a person) to communicate with me by her choice of communication route. It _would_ be different if I'd told her "do not call me, you are not welcome", but the question here is considering the effect of a block of one specific means of communication (by anybody) without any other notice identifying a specific person targeted. if that alone de-authorizes specific people but not other people, it personally identifies them and we're back to #1
The problem is that you often *can't* determine (from an IP block alone) that you have been de-authorized for a website, unless an IP block can also* *identify or legally indicate a specific individual. I might be blocked on a website for something I would never imagine to be a targeted block - being the 5000th user, or using caps in my signature, and a particularly hard-ass site admin. An intermediate router or DNS fault. Too many HTTP requests in an hour. A browser agent string issue.
Rhetorical claims ("you'd know", "you ought to know") can't always hold. Example: Suppose without knowing it and without advising me, Wikimedia blocked all versions of Internet Explorer 6 (a known old problematic version) and I tear my hair out, then try IE9 or Firefox instead, have I "circumvented" a block? Or was it my browser version and not me that was blocked? What if I find my current IE10 browser is blocked, can I know if switching to Chrome would be a crime? (What if I don't change my IP but I configure the user agent so IE6 isn't blocked because it presents as IE8 or it's using compatibility mode or strict mode?) There's little certainty of *having to be *clear cut on what inability to reach a site means.
*Looking the other way at legal implications*, do internet users have a specific legal obligation to ask why they cannot reach a website, when that is the case, *in case by chance* it might be a block of a specific user, and furthermore a block applying to themself specifically? Are they negligent, wilful or reckless if they fail to do so, or if they just rebooted their router to get a new IP ("because that's what the ISP says")?
FT2
On Tue, Aug 20, 2013 at 10:01 PM, Nathan nawrich@gmail.com wrote:
On Mon, Aug 19, 2013 at 2:55 PM, Fred Bauder fredbaud@fairpoint.net wrote:
I wish I was grossly misrepresenting the situation here. If I am, please do set me straight.
You're not wrong, but getting the attention of a federal prosecutor would be easier for jaywalking in a National Park. It applies only to extreme situations.
Fred
I think you misread this, Fred. The case (Craigslist v. 3taps) is a private entity suing another[1] for relief from violations of the CFAA[2], and the article is about a recent ruling in that case.[3] The Wikimedia analog might be the WMF suing Grawp (or similar) for repeated violations of technological barriers (and other means) of revoking access to the site. The ruling seems to establish that Wikimedia is entitled to legally revoke access on a case by case basis, and that an IP ban is a sufficient technological barrier to meet the standard. At least that is the apparent state of the law in the Northern District of California, which incidentally includes San Francisco (and the WMF).
Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
I am possibly failing to see the point of this part of the discussion.
On Wed, Aug 21, 2013 at 7:14 AM, FT2 ft2.wiki@gmail.com wrote:
- *If the IP is "sufficiently clearly connected" to the individual
behind the Alice account*,
It is not and possibly almost never will.
However I fail to see how people hanging around quite a long time mix up a banned user with a technical measure to _enforce_ a ban (namely, blocks). Everyone seem to talk about blocks while meaning to talk about bans.
IP based blocks almost never personally targeted since people do not have IP addresses: machines do. We (and everyone else) use IP based access control to mechanically enforce things on people not following the "rules" (eg stay away when instructed to). It is much more like putting metal bars on a window looking onto a street with troubled neighbourhood.
We reasonably expect ourselves to use IP bans to minimise collateral damage but it's guaranteed to be there; people may change IP address to evade the blocks (and therefore violate the bans); IP addresses may be reassigned to the innocent and obviosuly there are vast armies of NAT gateways, multiuser servers, proxies, TOR exit nodes and whatnot. The cases where we can 100% assure that one IP or range equals to a given person are practically nonexistant.
Because of that I fail to see any possible validity of "legally binding action against a person based on an IP address".
Peter
On Aug 21, 2013 8:56 AM, "Peter Gervai" grinapo@gmail.com wrote:
I am possibly failing to see the point of this part of the discussion.
On Wed, Aug 21, 2013 at 7:14 AM, FT2 ft2.wiki@gmail.com wrote:
- *If the IP is "sufficiently clearly connected" to the individual
behind the Alice account*,
It is not and possibly almost never will.
However I fail to see how people hanging around quite a long time mix up a banned user with a technical measure to _enforce_ a ban (namely, blocks). Everyone seem to talk about blocks while meaning to talk about bans.
IP based blocks almost never personally targeted since people do not have IP addresses: machines do. We (and everyone else) use IP based access control to mechanically enforce things on people not following the "rules" (eg stay away when instructed to). It is much more like putting metal bars on a window looking onto a street with troubled neighbourhood.
We reasonably expect ourselves to use IP bans to minimise collateral damage but it's guaranteed to be there; people may change IP address to evade the blocks (and therefore violate the bans); IP addresses may be reassigned to the innocent and obviosuly there are vast armies of NAT gateways, multiuser servers, proxies, TOR exit nodes and whatnot. The cases where we can 100% assure that one IP or range equals to a given person are practically nonexistant.
Because of that I fail to see any possible validity of "legally binding action against a person based on an IP address".
Peter
This kind of discussion does not need to go in to how theoretically IP addresses can be tied to individuals. We tell users to stop doing what they are doing, analogous to the cease and desist in this case. Obviously a warning to stop is not a cease and desist, but the court in this case didn't appeal to the legal weight if a cease and desist, but used it as a clear indication to tell the other party his actions are not allowed by the site. To that end the two messages to stop are identical.
The block then is also identical. The account and/or underlying IP is blocked. That is the technical impediment. The action that is now a federal offense, it seems, is to defy the warning, by circumventing the block by changing IP and/or account to do what you were told not to do on the warning.
This alligns perfectly with the blocking policy and definition of block evasion on at least the English Wikipedia, and probably other projects too. It is completely different from the discussed change of browser to make use of features not accessible to those browsers, and comparing that situation only obfuscated the issue.
There is still the issue of evidence that the possible suspect is indeed the person to whom the warning was sent. That however is a question of proofing that a person broke the law, which might be far harder to answer in the case of an individual editing Wikipedia on a residential IP allocation than it is in the linked case. The central issue though, that it seems block evasion is a federal offense, is not affected by the difficulty in proving evidence for it. It is the question whether the evasion is a crime that bothers me.
--Martijn
_______________________________________________
Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
On Wed, Aug 21, 2013 at 9:37 AM, Martijn Hoekstra martijnhoekstra@gmail.com wrote:
On Aug 21, 2013 8:56 AM, "Peter Gervai" grinapo@gmail.com wrote:
The account and/or underlying IP is blocked. That is the technical impediment. The action that is now a federal offense, it seems, is to defy the warning, by circumventing the block by changing IP and/or account to do what you were told not to do on the warning.
Technicalities aside if I follow you right then it is a federal offense to edit Wikipedia when you were told not to (eg. banned but _not_ blocked). If that's the case the IP part of the discussion is mainly irrelevant as one does not have to evade a block to violate the ban.
The central issue though, that it seems block evasion is a federal offense, is not affected by the difficulty in proving evidence for it. It is the question whether the evasion is a crime that bothers me.
[insert meetoo here]
g
On Wed, Aug 21, 2013 at 10:09 AM, Peter Gervai grinapo@gmail.com wrote:
On Wed, Aug 21, 2013 at 9:37 AM, Martijn Hoekstra martijnhoekstra@gmail.com wrote:
On Aug 21, 2013 8:56 AM, "Peter Gervai" grinapo@gmail.com wrote:
The account and/or underlying IP is blocked. That is the technical impediment. The action that is now a
federal
offense, it seems, is to defy the warning, by circumventing the block by changing IP and/or account to do what you were told not to do on the warning.
Technicalities aside if I follow you right then it is a federal offense to edit Wikipedia when you were told not to (eg. banned but _not_ blocked). If that's the case the IP part of the discussion is mainly irrelevant as one does not have to evade a block to violate the ban.
[insert IANAL disclaimer here]
No, the linked case (and I apologize for posting a feedly link[0], it links to an ars article, I was on my phone at the time, but the link is good) demonstrates that if there is a ban to violate, the technical evasion of the block becomes a crime. Evading a block without an indication to stop seems to be not a violation, nor is editing in defiance of a ban while no block is present. It is quite possible that a final warning could be considered a ban, but that's straying a bit from the original case.
[0] the target for the original link was http://arstechnica.com/tech-policy/2013/08/changing-ip-address-to-access-pub...
The central issue though, that it seems block evasion is a federal offense, is not affected by the
difficulty
in proving evidence for it. It is the question whether the evasion is a crime that bothers me.
[insert meetoo here]
g
Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
On Wed, Aug 21, 2013 at 4:09 AM, Peter Gervai grinapo@gmail.com wrote:
On Wed, Aug 21, 2013 at 9:37 AM, Martijn Hoekstra martijnhoekstra@gmail.com wrote:
On Aug 21, 2013 8:56 AM, "Peter Gervai" grinapo@gmail.com wrote:
The account and/or underlying IP is blocked. That is the technical impediment. The action that is now a federal offense, it seems, is to defy the warning, by circumventing the block by changing IP and/or account to do what you were told not to do on the warning.
Technicalities aside if I follow you right then it is a federal offense to edit Wikipedia when you were told not to (eg. banned but _not_ blocked). If that's the case the IP part of the discussion is mainly irrelevant as one does not have to evade a block to violate the ban.
The central issue though, that it seems block evasion is a federal offense, is not affected by the difficulty in proving evidence for it. It is the question whether the evasion is a crime that bothers me.
[insert meetoo here]
g
This is actually incorrect, as were some of your comments about the irrelevance of IP blocks in your prior post. Have a look at some of the links I posted earlier in the thread, I think the issues should become more clear.
To FT2's comments - it's not actually true that the IP ban, or a cease and desist, have to be specific to a person. In fact in the linked case, they are blanket to a company. I see no particular reason why the same reasoning can't be applied to a school, or a church. A geographic area is probably harder to support. Additionally, we generally give warnings, and block accounts. For the most egregious harassment, the only instances I can see this ever coming into play for Wikimedia, virtually every perpetrator has a long history of blocked user accounts. I think that makes the debate over the "personally identifying nature" of IPs irrelevant for this discussion.
On Wed, Aug 21, 2013 at 4:09 AM, Peter Gervai grinapo@gmail.com wrote:
On Wed, Aug 21, 2013 at 9:37 AM, Martijn Hoekstra martijnhoekstra@gmail.com wrote:
On Aug 21, 2013 8:56 AM, "Peter Gervai" grinapo@gmail.com wrote:
The account and/or underlying IP is blocked. That is the technical impediment. The action that is now a federal offense, it seems, is to defy the warning, by circumventing the block by changing IP and/or account to do what you were told not to do on the warning.
Technicalities aside if I follow you right then it is a federal offense to edit Wikipedia when you were told not to (eg. banned but _not_ blocked). If that's the case the IP part of the discussion is mainly irrelevant as one does not have to evade a block to violate the ban.
The central issue though, that it seems block evasion is a federal offense, is not affected by the difficulty in proving evidence for it. It is the question whether the evasion is a crime that bothers me.
[insert meetoo here]
g
This is actually incorrect, as were some of your comments about the irrelevance of IP blocks in your prior post. Have a look at some of the links I posted earlier in the thread, I think the issues should become more clear.
To FT2's comments - it's not actually true that the IP ban, or a cease and desist, have to be specific to a person. In fact in the linked case, they are blanket to a company. I see no particular reason why the same reasoning can't be applied to a school, or a church. A geographic area is probably harder to support. Additionally, we generally give warnings, and block accounts. For the most egregious harassment, the only instances I can see this ever coming into play for Wikimedia, virtually every perpetrator has a long history of blocked user accounts. I think that makes the debate over the "personally identifying nature" of IPs irrelevant for this discussion.
Although I don't think it rose to the level that a federal court would take it seriously the Scientology socks are an example. There, ips were usually irrelevant as was the individual identity of users; although we knew a few.
Fred
Discussed several times with no clear outcome. http://lists.wikimedia.org/pipermail/wikimedia-l/2013-January/123678.html
https://meta.wikimedia.org/wiki/Talk:Terms_of_use/Archives/2011-10-06#WSJ_Op-Ed_.22Should_Faking_a_Name_on_Facebook_Be_a_Felony.3F.22 https://meta.wikimedia.org/wiki/Talk:Terms_of_use/Archives/2011-11-08#Is_this_enforceable.3F https://meta.wikimedia.org/wiki/Talk:Terms_of_use/Archives/2011-12-13#Criminal_liability_for_breaching_the_TOU
Nemo
On Tue, Aug 20, 2013 at 5:59 PM, Federico Leva (Nemo) nemowiki@gmail.com wrote:
Discussed several times with no clear outcome. http://lists.wikimedia.org/pipermail/wikimedia-l/2013-January/123678.html
https://meta.wikimedia.org/wiki/Talk:Terms_of_use/Archives/2011-10-06#WSJ_Op-Ed_.22Should_Faking_a_Name_on_Facebook_Be_a_Felony.3F.22 https://meta.wikimedia.org/wiki/Talk:Terms_of_use/Archives/2011-11-08#Is_this_enforceable.3F https://meta.wikimedia.org/wiki/Talk:Terms_of_use/Archives/2011-12-13#Criminal_liability_for_breaching_the_TOU
Nemo
That is, frankly, a very different issue (in fact, other than implicating the CFAA, could hardly be more different).
An additional issue, if we're still talking CFAA's private right of action, is where would the minimum damage requirements come from?
-Dan
Dan Rosenthal
On Tue, Aug 20, 2013 at 8:22 PM, Nathan nawrich@gmail.com wrote:
On Tue, Aug 20, 2013 at 5:59 PM, Federico Leva (Nemo) nemowiki@gmail.com wrote:
Discussed several times with no clear outcome.
http://lists.wikimedia.org/pipermail/wikimedia-l/2013-January/123678.html
<
https://meta.wikimedia.org/wiki/Talk:Terms_of_use/Archives/2011-10-06#WSJ_Op...
<
https://meta.wikimedia.org/wiki/Talk:Terms_of_use/Archives/2011-11-08#Is_thi...
<
https://meta.wikimedia.org/wiki/Talk:Terms_of_use/Archives/2011-12-13#Crimin...
Nemo
That is, frankly, a very different issue (in fact, other than implicating the CFAA, could hardly be more different).
Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
We could hire expert staff to deal with serious socking by dangerous or highly disruptive users. Their wages would be the damage.
Fred
An additional issue, if we're still talking CFAA's private right of action, is where would the minimum damage requirements come from?
-Dan
Dan Rosenthal
On Tue, Aug 20, 2013 at 8:22 PM, Nathan nawrich@gmail.com wrote:
On Tue, Aug 20, 2013 at 5:59 PM, Federico Leva (Nemo) nemowiki@gmail.com wrote:
Discussed several times with no clear outcome.
http://lists.wikimedia.org/pipermail/wikimedia-l/2013-January/123678.html
<
https://meta.wikimedia.org/wiki/Talk:Terms_of_use/Archives/2011-10-06#WSJ_Op...
<
https://meta.wikimedia.org/wiki/Talk:Terms_of_use/Archives/2011-11-08#Is_thi...
<
https://meta.wikimedia.org/wiki/Talk:Terms_of_use/Archives/2011-12-13#Crimin...
Nemo
That is, frankly, a very different issue (in fact, other than implicating the CFAA, could hardly be more different).
Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
wikimedia-l@lists.wikimedia.org