Orin Kerr writes:
The U.S. Court of Appeals for the 9th Circuit has handed down a very important decision on the Computer Fraud and Abuse Act, Facebook v. Vachani, which I flagged just last week. For those of us worried about broad readings of the Computer Fraud and Abuse Act, the decision is quite troubling. Its reasoning appears to be very broad. If I’m reading it correctly, it says that if you tell people not to visit your website, and they do it anyway knowing you disapprove, they’re committing a federal crime of accessing your computer without authorization.
Read more on Washington Post. As always, Orin provides a lot of food for thought.
By now, I’ve only read the opinion once, and oddly, perhaps, what caught my eye was fn4:
Simply bypassing an IP address, without more, would not constitute unauthorized use. Because a blocked user does not receive notice that he has been blocked, he may never realize that the block was imposed and that authorization was revoked. Or, even if he does discover the block, he could conclude that it was triggered by misconduct by someone else who shares the same IP address, such as the user’s roommate or co-worker.
So someone going directly to a file on a server from search results – without going through the site’s or server’s front door – is not necessarily engaging in “unauthorized use” under CFAA without more? But what more would be needed in that situation to make criminal application of CFAA appropriate? And if that’s the case, think of the raid on Justin Shafer who accessed files on a Patterson FTP server when there was nothing he saw that would have suggested he didn’t have authorization.
The thought is too narrow as well. You need to think broader. What I mean is, block lists are effectively worthless. So is the thought that your block will be monitored and tracked. All it takes is someone to visit a college campus, coffee shop or other city location where there is free internet service. You then lack the proof that a blocked individual has attempted or accessed a network they were told not to visit.
Add in the fact that IPs DO change. People change service providers on a whim. Some of these ISPs have hundreds of different IP ranges to hand out.
Add in the fact that it’s probably very simple for someone else to figure out what IP the punished one with the blocked IP address had, and with a little play time, spoof the address and continually attack the site. It looks like an attack from the person who is blocked, when it’s a third party attacking them.
As for unauthorized access, if it is NOT yours, and your intent is to find something that is not up to YOUR standards, then it shows you have intent. If someone contacts you that is an official representative of that domain space and tells you to keep out – it’s on the person to show integrity and know that even scanning to see if they fixed their junk is on them. Going back to peek is now deemed a federal crime – for those that should obey the law – not the crooks that continually ignore it.
The courts might have this backwards. I’d approach this not at an individual level but at the ISP level. The ISP provides a mechanism, and is a tool to aid in their probability to do harm.
These things need to be broad on occasion. Adding pinpoint accuracy to laws means that people would have to check all the boxes in order to be guilty on a tightly worded law. There’d be too much wiggle room to cast shadows of a doubt. Now, with the broad laws, you can bring in truckloads of evidence and it generically can fit in without issue. The courts then have to sift through it all to see what’s relevant and ignore the possibility of “overwhelming evidence” until all the evidence that is legit is processed and understood.
The “researchers” need to refocus. The intent is to get them to FIX the issues at hand. Stand up a blog that gives pinpoint accuracy on how to FIX these issues.
Knocking on the doors and saying, HEY, I have been in your network, looked around and seen your junk. I’ve been trying to contact you and have had no luck, so I am going to go public and let others know that your company is vulnerable. It’s NOT the researchers’ right to do what they do when scanning for vulnerabilities. Sorry – the crusade for doing it their way only aids in the crooks building a hit list and getting verification that something is wide open. They assume the system has NOT already been compromised. IF, IF a hacker has access to email or gets tipped off that the location is about to get notified that it’s vulnerable, the hacker simply dumps content and they win in the end anyway.
Reporting of issues is one thing. The ability to provide solutions to problems is far better. People do not want to hear a constant whine of breaches day after day. Like anything else, something that makes a constant noise will eventually be filtered out and ignored. Some people only visit sites to read about something that might “dramatically” affect them. Some are just drama kings /queens and until something else catches their attention, they will be focused on one item until bored or forgetful.
People who stood up businesses leave. Sometimes better people get in and make the place better. Sometimes a newly hired person lacks the understanding, or does not have the desire to make the organization safe and secure. In the end, it’s the company’s responsibility to perform due diligence and due care, trusting people who have been hired to work ethically and morally to keep the business sound.
If a “researcher” wants to bang on the door and tell a company that they are vulnerable, it’s almost like a slap in the face. The researchers assume that the company is going to believe what they say is gospel, and that the researcher is not looking for anything in return.
All it takes now is a simple statement which indicates that outside scans or visitors that visit a location with an intent other than to purchase products from a company may be breaking federal law. It can be placed ANYWHERE on the website, and as an after effect be the downfall of all who attempt to be “researchers”.