[Wikimedia-l] Block evasion might be a federal offense
FT2
ft2.wiki at gmail.com
Wed Aug 21 05:14:39 UTC 2013
One comment on the original link is worth some eyeballs:
*"If IP address blocking is a legally binding way of banning a user, does
that establish that an IP address must be considered 'personally
identifying information' for privacy policies and related purposes?"*
The logic seems solid (although my sketch wording could be legally and
logically tightened): -
Suppose a website blocks an IP which is used by the user known as "Alice".
Also suppose there is no other communication by which the user might
determine he/she (as an individual living person) has been forbidden to
access the site. However one selects word definitions, one of two
situations probably exists:
- *If the IP is "sufficiently clearly connected" to the individual
behind the Alice account*, then one can't simultaneously argue it's not
personal identifying data. The court logic is that by setting a specific IP
as blocked, the website owner is banning a specific legally identifiable
individual (even if they don't know which exact person). It's also saying
that a given individual in the wider world should know from the status of a
specific IP (blocked or unblocked), whether they personally are forbidden
or not forbidden to access a website (since absent knowledge that
they individually are banned as an implication of the IP being blocked),
they cannot be said to be aware actually or constructively that
authorization is withdrawn, nor can they be in breach of a law that refers
to "unauthorized" access which the user then "circumvented" in any manner.
- *But if the IP is "insufficiently clearly connected" to the individual
behind the "Alice" account*, then a block of the IP (absent other
information) cannot be claimed to be a block for that user, since logically
and legally, the user and website owner cannot have knowledge *from the
existence of the block alone* (absent other data such as a letter or ban
notice) that the block of that IP, is sufficiently clearly a block of a
user, and is in fact also clearly a block of the operator of the "Alice"
account. If the block is not clearly a block of the individual "Alice"
operator, then changing IP cannot be wilfully evading a block of a person,
since it's not determinable that the person was blocked.
- *Finally, severing the IP and user* seems problematic as well. That is
to say, one can argue against the binary choice by saying that the
*IPs*are blocked, but
*individuals* aren't (and therefore the users are not identifiable but
the IP blocks can be criminally circumvented even without any knowledge who
they target). The problem is both commonsense and law. The law
*doesn't*forbid circumventing a block where the individual is
apparently authorized
but the IP isn't. The law criminalizes specifically *"whoever . . .
intentionally accesses a computer without authorization . . . and thereby
obtains . . . information from any protected computer"* (see ruling)
Does this legally mean *they* are unauthorized, or is it enough that *their
means of access* is unauthorized even if they are allowed?
*Example - *It's perfectly possible to be accessing a computer, fully
authorized, but from an unauthorized place or connection. If Wikimedia IP
blocks the entirety of my country to block some IP hopping vandal, and I
use a proxy to edit, I haven't "accessed Wikimedia's servers without
authorization". I would need to be unauthorized personally, not just
unauthorized because I'm using an connection route that bypasses a block.
A loose analogy might be that if my mother emails me from an IP range
reported on RBL blacklists as a spam range, or phones me from the office of
a spam phone call business, she isn't a "spammer" thereby. And if my
intention was to block a spammer, have I in fact notified my mother she is
"unauthorized" to call or email, merely by the act of blocking the route
that by chance she uses today? If she uses a different route (the phone in
the next building) is that "circumvention"?
So splitting IP from person seems to break commonsense.
However odd the route, she inherits no unauthority (as a person) to
communicate with me by her choice of communication route. It _would_ be
different if I'd told her "do not call me, you are not welcome", but the
question here is considering the effect of a block of one specific means
of communication (by anybody) without any other notice identifying a
specific person targeted. if that alone de-authorizes specific people but
not other people, it personally identifies them and we're back to #1
The problem is that you often *can't* determine (from an IP block alone)
that you have been de-authorized for a website, unless an IP block can also*
*identify or legally indicate a specific individual. I might be blocked on
a website for something I would never imagine to be a targeted block -
being the 5000th user, or using caps in my signature, and a particularly
hard-ass site admin. An intermediate router or DNS fault. Too many HTTP
requests in an hour. A browser agent string issue.
Rhetorical claims ("you'd know", "you ought to know") can't always
hold. Example:
Suppose without knowing it and without advising me, Wikimedia blocked all
versions of Internet Explorer 6 (a known old problematic version) and I
tear my hair out, then try IE9 or Firefox instead, have I "circumvented" a
block? Or was it my browser version and not me that was blocked? What if I
find my current IE10 browser is blocked, can I know if switching to Chrome
would be a crime? (What if I don't change my IP but I configure the user
agent so IE6 isn't blocked because it presents as IE8 or it's using
compatibility mode or strict mode?) There's little certainty of *having to
be *clear cut on what inability to reach a site means.
*Looking the other way at legal implications*, do internet users have a
specific legal obligation to ask why they cannot reach a website, when that
is the case, *in case by chance* it might be a block of a specific user,
and furthermore a block applying to themself specifically? Are they
negligent, wilful or reckless if they fail to do so, or if they just
rebooted their router to get a new IP ("because that's what the ISP says")?
FT2
On Tue, Aug 20, 2013 at 10:01 PM, Nathan <nawrich at gmail.com> wrote:
> On Mon, Aug 19, 2013 at 2:55 PM, Fred Bauder <fredbaud at fairpoint.net>
> wrote:
> >> http://feedly.com/k/14WeLcY
> >>
> >> I wish I was grossly misrepresenting the situation here. If I am, please
> >> do
> >> set me straight.
> >
> > You're not wrong, but getting the attention of a federal prosecutor would
> > be easier for jaywalking in a National Park. It applies only to extreme
> > situations.
> >
> > Fred
> >
> >
>
> I think you misread this, Fred. The case (Craigslist v. 3taps) is a
> private entity suing another[1] for relief from violations of the
> CFAA[2], and the article is about a recent ruling in that case.[3] The
> Wikimedia analog might be the WMF suing Grawp (or similar) for
> repeated violations of technological barriers (and other means) of
> revoking access to the site. The ruling seems to establish that
> Wikimedia is entitled to legally revoke access on a case by case
> basis, and that an IP ban is a sufficient technological barrier to
> meet the standard. At least that is the apparent state of the law in
> the Northern District of California, which incidentally includes San
> Francisco (and the WMF).
>
> [1]:
> http://www.scribd.com/document_downloads/100933709?extension=pdf&from=embed
> [2]: http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
> [3]:
> http://www.volokh.com/wp-content/uploads/2013/08/Order-Denying-Renewed-Motion-to-Dismiss.pdf
>
> _______________________________________________
> Wikimedia-l mailing list
> Wikimedia-l at lists.wikimedia.org
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> <mailto:wikimedia-l-request at lists.wikimedia.org?subject=unsubscribe>
>
More information about the Wikimedia-l
mailing list