I can have a site on the public internet and ban certain people from visiting it, then enforce that in court if they do?

That seems... strange.

The actual legal details may be different, but that's how I see this case.

So if you "shout" on a public square (blog, post, etc.) you can't tell which group of people can and can not hear what you say.

The bar example would be fit for websites that raise paywalls, or some sort of access control.

That's idiotic, it's just another case where the judge is 20 years behind current affairs, he is judging something he clearly doesn't understand.

Craigslist told a patron they couldn't come in any more. The patron put on a fake mustache and tried to come in the back door.

Would you support someone scraping a blog to repost it elsewhere? Do you support crawlers that don't respect robots.txt? I don't see a problem with Craigslist saying 'No, you can't scrape our users content to post on your website'.

The exact details of which laws and how the court case went may not be correct, but at a theoretical level the website as open-to-public bar/store/etc is a perfectly valid analogy.

An open bar to the public? At a bar you have a degree of physical contact which conveys info you can not have via internet, that's why the 'square' example fits better (imho). But example apart, I'm with you on this: the court case sets a dangerous precedent.

Isn't the ruling considering automated scraping in some way different from normal browsing?

They don't have any reason to, so they don't, but they could.

Fake mustaches for everyone!

It's actually pretty narrow. If you have received sufficient notice that you are no longer allowed to access a resource (in this case, the cease and desist letter), then you can't use technical measures to mask who you are and try to access the resource.

> It's actually pretty narrow. If you have received sufficient notice that you are no longer allowed to access a resource, then you can't access the resource.

I'm so tired of hearing this from hackers who have never taken a law class or picked up a book. Many hackers are abysmally ignorant of the law, and not all that good at critical thinking either. Some of those won't even listen to an explanation of how it does work, but double down on their ignorance and throw a tantrum instead.

If I have a house and certain people are visiting it against my will, then I have legal recourse to prevent them from doing so.

That it's digital doesn't really change the fact that, at the least, what 3taps was doing maps to trespassing. (Theft, at the worst, but I'm wary of invoking the 'copying isn't theft' mantra).

It's worth noting that this is different than just misconfiguration hacks, where somebody gains access to something completely private because the server allowed it. I agree that in those circumstances, no culpability should be found on the part of the 'hacker'. However, in this case, Amazon said "Hey you. What you're doing? Stop it."

Moreover, they did so with a letter written by their attorneys. Not legally binding, sure, but at the same time, a pretty clear illustration that the access wasn't wanted.

Legally, it isn't.

"You cannot have a house in a public space accessible worldwide, without doors or windows, and then randomly get to decide who can and can't visit, and have it enforced by courts. "

Completely and totally false. Trespass to land, in fact, doesn't even require that you intend to trespass, only that you voluntarily traveled to the location. You do not need to know it's someone else's property or that you are trespassing to be liable.

Getting injunctive relief is more difficult for other reasons, but you would at least get nominal damages.

I think you will find trespass to land doctrines are not in your favor in this argument. You may want to try to argue it isn't like land at all :)

If we're extrapolating from commercial property rights, then again, stores and merchants have the right to refuse entry to persons they choose as well, even though those buildings are in common areas, and their doors are commonly unlocked to allow free entry to all.

Further, it is not incumbent upon you to have doors, windows and locks to prevent entry from your property, as the property needn't be a house at all, but could simply be land. I have the right to expel trespassers from land I own, whether or not any dwellings or structures exist upon such property.

Even if you're assertion is just that I should have doors and locks to prevent them entering just my home, that is again a false claim. Whether or not my property is secure might be a matter of insurance liability, but does not obviate me from the expectation that others will respect my property rights. Even if I have no doors, windows, locks, or even walls, I have the right to expel others from my property.

We had this discussion here on HN some days back when the ruling came down. Just because something is possible doesn't give you the right to do it.

EDIT: I googled it because I could smell the wrong in my statement, it's not called copyright it's called "database right" because a compilation of facts is not a creative work. Still the right is real regardless of the distinction.

EDIT2: CraigsList is a US company and apparently if you read deeper into the WikiPedia article, US copyrights do not respect databases and so it's not a real thing. Sorry for muddying the waters, but it doesn't change that service providers can have terms of service irrespective of how strongly they work to identify and segregate their users.

And in most cases, in the areas I've lived in, you have no right to refuse service to "certain people". So, yes, this seems just as bad as a baker who would refuse a certain subset of people from even entering his shop.

I think it varies by state, but as long as the banning isn't because you're part of a protected class[1], a private establishment can refuse service for any reason it sees fit, including none at all.

[1]http://en.wikipedia.org/wiki/Protected_class

In any case, I was just correcting your analogy, not your premise.

Just because the door is open doesn't mean that everyone is welcome to go through it. The same holds true for websites just as it holds true for grocery stores.

The way that works is that someone entering a public shop has implied license to be on the property. But that implied license can be explicitly revoked to exclude specific people.

Then again, the Obama administration wants to make it a felony to stream compyrighted material, so maybe the conflation isn't so outrageous after all.

Presume they were scraping the data to /dev/null, would that still be an issue?

Further, aren't some things INTENDED to be scraped? Like their RSS feeds?

This was an over produced decision, that should have been left to dealing with ignoring the cease and desist letter, instead of setting a president for banning VPNs and proxies, potentially.

On the other hand, the fact that this punishment is a felony record is just a little bit pathetic (c.f. Aaron Swartz).

You don't get in that much trouble for trespassing IRL.

[1] http://en.wikipedia.org/wiki/Felony_disenfranchisement#Unite...

IMHO it rightfully should. Considering you can get felony sex offender (a double whammy) status for taking a leak in a dark alley, the word needs to lose all connotation that it means anything beyond "actions a bureaucrat, not necessarily a reasonable person, really doesn't like for whatever reason".

[1] http://www.threefeloniesaday.com/Youtoo/tabid/86/Default.asp...

Point being that there are differences and pretending they don't exist doesn't help anyone. The metaphor is extremely useful, but it's a start for understanding and usefully engaging, not the end.

You're not faced with losing your ability to vote, no chances to acquire work, hundreds of millions of dollars of debt, decades of jail time, etc.

You know anything involving a jail sentence of over a year is a felony, right? You seem to think felony crimes all carry a life sentence or somesuch.

Actually, I did NOT know that... part of me thought it couldn't be right. But here you go: http://www.law.cornell.edu/uscode/text/18/3559 Thanks.

There is in fact no such thing as non-felony computer trespassing. Which was kind of my point, your snark aside.

The problem I have is that this decision as written is very poorly worded and therefore has no business being law.

You're welcome until someone tells you otherwise. You can't legally go back in just because you changed your shirt and put on a hat.

If you scroll past the first few pages, you can read the EFF explain in detail why this is a problem http://ia601209.us.archive.org/33/items/gov.uscourts.cand.25...

But this doesn't show a misapplication of the law as it's currently written, either.

It's more analogous to having something on your property you want everybody walking by the street to see. Then you put a tarp to block your annoying neighbor from viewing it but anyone else is still welcome to it.

Would the neighbor be trespassing every time he walks by the street and looks at it?

http://en.wikipedia.org/wiki/Denying_the_antecedent

"The case in question, Craigslist vs. 3Taps, revolved around a copyright infringement claim by Craigslist against data gathering company"

If Craiglists is claiming copyright on all content, wouldn't that make them solely responsible for all of that content? Wouldn't then the "safe harbor" that many online communities use not apply and wouldn't the illegal content that was/continues to be on Craigslist become Craigslist legal responsibility?

Yes, a million times yes. I've made this argument several times.

However, this is no longer a copyright issue. Now we're just talking about access to their servers.

I would disagree. The whole issue stems from a copyright issue. Without a copyright infringement claim you wouldn't get the cease & desist letter. Without that letter, you wouldn't have the specific situation which leads to this verdict.

(On an aside, doesn't their terms of use disqualify access with a browser, or really any piece of software?)

No, it's not. A C&D letter is a legal threat or warning. I could send you a C&D for sneezing too close to me.

Having received a C&D letter myself from CL, I can assure you there are multiple issues they claim. You can find this C&D letter at DocStock. CFAA violations are one claim, copyright violations are another.

http://www.docstoc.com/docs/76524735/Craigslist-Cease-and-De...

>3taps does not now scrape craigslist’s servers, and therefore, cannot be in violation of the CFAA

This was my understanding of how their system works. CL (for their own benefit) allows other sites to index their content. 3Taps indexes from the cache of these sites, thus never touching CL's servers.

Now as others have said, you got banned by walmart, now you're sending someone else to buy stuff for you...no more trespassing issues.

The IP ban was supplementary to a cease and desist. If 3Taps continued to attempt access via a non-banned IP after the cease and desist then they are in contempt of court. The attempt at bypassing the ban merely proves bad faith on 3Taps' part.

No. A cease and desist is a letter drafted by anyone asking someone to stop doing something. It's not a court order and the court is not involved in it, so you can't be held in contempt.

Doing so functionally leads to double jeopardy on all manner of civil and criminal cases and the opportunity for excessively punitive sentencing and sanctions that are basically optional to apply. IANAL, but this seems to introduce an unacceptable degree of discretion in the law.

As an example, if I send an extortion message via post, I get in trouble for extortion. If I do it via email should that be a computer crime as well? I guess it's up for debate since most everything is, but I feel comfortable enough to say clearly not.

Commissioned? ITYM "committed". Yes?

The interpretation of the CFAA in this Order only applies to the facts of the 3Taps case, but assuming this case actually went to trial and in its decision the Court parroted what it has said already regarding the validity of CL's CFAA claims, then it one could at least argue that _any_ computer owner should be entitled to enjoy the protections of the CFAA against unauthorized access to that computer, in order to protect all information that through such access can be obtained.

I hope others besides you and I will give this idea some more thought.

The candidates are, make the Internet faster, make it more secure, improve the quality of the content, lower the costs, improve access to it, write laws about it, bring legal cases about it, and tax it.

May I have the envelope, please? The the winner is (drum roll), tax it. First runner up is write laws about it. And second runner up is bring legal cases about it.

The way of the world.

If a child has only a hammer, then each time they see something, they want to hit it. So, lawyers want to pass laws, raise taxes, and bring legal cases. Improve things? No. Be a leach on society? Yes.

Here's the most astounding, incongruous thing of all: How did the Internet get so far without lawyers?

Since the only tool they have is a hammer, they see everything as a nail. And, as legislators, judges, prosecutors, and litigators, they like to see 'problems' everywhere; like some English major, and many lawyers were, who looks at formula fiction and sees good against evil, white hats against black hats, where the point of the story is for good to defeat evil and get the girl.

Here as often elsewhere in our society, the lawyers should just go drink something sickening and just get the hack out of our lives, out of our way, and quit being dangerous, destructive leaches on the work of good and productive people.

Time for a lawyer joke:

Q. On the highway is a dead skunk and a dead lawyer. What is the difference?

A. There are tire tracks ahead of the dead skunk.

No one wants to run over a skunk; they are cute, sweet, harmless little animals and fun until threatened and turn and raise their tails. Lawyers, however, ....

Lawyers, just quit causing trouble for normal, harmless people. Stop it. Please, just stop it. Go do something else. I'm putting this nicely. However, if I win a big bundle in the lottery, maybe I'll fund the ACLU, EFF, and even more aggressive legal organizations to go after any lawyers making trouble for harmless people, e.g., Aaron Swartz.

Lawyers need some insight into people. Well, here's one: From grade school, high school, and college, it's not good to have everyone else in school think of you as worse than a rabid dog. And if people think of you this way, then there's nothing the school principal, teachers, and rules can do really to protect you. Instead, you can get hit in the back on the playground, on the way home find some tough, angry kids who don't like you, never get invited to parties, lose your homework and find it in the toilet, etc. Adults don't do such things, but the feelings can be the same and still you can be ostracized, rejected, hated, pushed out, scorned, avoided, friendless, etc. Really, you can be alone and learn what essentially every baby mammal knows from birth -- it's not good to be alone.

Net, again, once again, either be hated or just quit, stop it, hurting harmless people. Dutch uncle advice. Word to the wise.

I know; I know; in law school you were proud to be taught how to "think like a lawyer". Now, out in the real world with normal humans, you need to learn again how to think like a human. Again, yet again, just for you, quit hurting harmless people; this advice is good for both the harmless people and you. Are you getting this? Got it?

Right, you noticed that this is not a legal issue. Right; in strong contradiction to what you learned in law school, not everything in life is a legal issue. Beginning to understand now?

> if I win a big bundle in the lottery, maybe I'll fund the ACLU, EFF, and even more aggressive legal organizations to go after any lawyers making trouble for harmless people

By saying this, you're tacitly admitting that some lawyers are fighting the good fight. And above, there's plenty of non-lawyers proposing broken analogies with trespassing, even though one can't prevent access to their house with certainty nor easily mitigate damages.

So "lawyers" aren't the root problem, but the general dislike of them certainly points to it - legal complexity that grows without bounds. And while this is fueled by lawyers (and others) tending to want the world to work the way they already understand, channeling rage at them only obscures the actual problems.

First, for my remarks, I concentrated on asking lawyers -- legislators, prosecutors, judges, and litigators -- to quit hurting harmless people. Simple. Nothing about legal "complexity" can argue against this.

Second, for the Internet, lawyers should mostly just f'get about it. Just ignore it. Don't make or prosecute laws about it. Don't have civil suits about it. F'get about computer industry patents. Just go do something else. In particular, again, no problems with legal "complexity".

For "private property" and what's on Web sites, just f'get about it. It's simple, dirt simple:

(A) The Internet is new and different and nothing like much of anything before. It's not like a house, storefront, bookstore, front yard, newspaper, etc., and trying to force the Internet onto some such Procrustean bed is just destructive nonsense.

(B) If an owner of a Web site has some data they don't want spread around, then they should not put it on their Web site. Just don't do it.

If they do, then their ability to 'protect' their data is zip, zilch, and zero. Both technically, for reasons simple to deep and profound, and legally, in practice, they can't protect such data and likely never will be able to. So, don't put the data out there. If they do, then f'get about the lawyers and protecting that data.

Sorry 'bout that, but copyright laws were not designed for the Internet and digital data.

A Web site owner can try to be like the MPAA and RIAA and try to hold on to the past, but, for many reasons lawyers can't effectively stop, it won't work. That's just the way it is, no matter what laws get passed, no matter how many wacko, paranoid, OCD, Boston federal prosecutors grit their teeth and think that they see monsters in closets, how many confused, ill-informed SCOTUS decisions there are, etc. It's tilting against windmills.

In the meantime, lots of lawyers will be causing lots of damage and doing nearly no good, all for no good reason.

The Internet was just fine before the CFAA. And we don't need SOPA or PIPA.

Sure, a citizen should make his views known to Congress. Alas, Congress is full of lawyers, and it's tough to break through to them; could use 1000 board-feed of 2 x 4's to break over their heads to see if they are just resting or deep into some profound legal thinking. Gotta wake them up and have them get their hands off the Internet, and keep the NSA off the Internet.

I can't turn Congress, but I can guarantee Congress that via technical means the Internet can circumvent nearly any laws they pass. So, f'get about the Internet.

Every person generally thinks they're doing good in the world. They certainly don't think they're hurting harmless people for fun, they honestly think they're protecting other people. You need to understand this if you want to have any hope of getting to root causes.

> If an owner of a Web site has some data they don't want spread around, then they should not put it on their Web site. Just don't do it.

See, this is the exact opposite of the truth - it's quite possible to publish data online and employ access methods to control who can access it. By arguing your case this way, you are undermining yourself - the reason we have a legal system with laws etc because things like murder/robbery/etc are impossible to prevent, so the only thing we can do is punish transgressors. Computers give us the ability to implement absolute restrictions formally. The push to implement ambient-authority retributive laws comes from management types who don't devote want to spend the effort to implement formalized restrictions, and want to cry foul after the fact.

I think we mostly know who's harmless. We know for kitty cats and puppy dogs: In my neighborhood, cats are free to wander but dogs are not.

> See, this is the exact opposite of the truth - it's quite possible to publish data online and employ access methods to control who can access it.

Wrong, fundamentally technically and practically. I told you it can't be done, and you just didn't believe me.

Once that toothpaste is out of the tube, it can't be put back in.

Once a secret is out, can't pull it back.

Once some data is sent over the Internet, the person who receives it has it, all of it, and can technically can do essentially anything with it. E.g., when a Web site sends a Web page, it's gone, the whole thing, HTTP header lines, HTML mark-up 'elements', CSS 'properties' and values, software in JavaScript, text, files in JPG, PNG, GIF, MP3, WAV, etc. The computer receiving this data is free to store it on hard disk, manipulate it many ways, back it up, send it, etc. Net, that data's gone, out'a there, out in the public, beyond control, with no self destruct mechanism, no time out clock, no string to pull it back. Can't track it; mostly can't trace it; in practical terms can't say where it came from, can't claim ownership of it, in no practical terms can enforce copyright for it. Etc.

Sure, can embed a secret 'watermark' in a PNG file, but that doesn't do much good, e.g., as the file passes from person to person. Besides, such a watermark might get lost if the image is resized.

Yes, can put some carefully constructed errors in text and numerical data, but maybe only parts of the data get used or copied, and, again, after the data passed through many hands tough to say who originally 'stole' it, and for the rest they had no knowledge that the data was stolen.

Yes, can set up strong authentication for users and use strong encryption when sending the data, but eventually some user gets the data as 'plain text', that is, not encrypted, and now can redistribute it to friends, family, etc. It's just bits and can be stored, copied, transmitted, modified, etc. So, one 'authorized' user leaks the data and it's gone and essentially out to the public.

For a Web site trying to block a user, it is essentially impossible to know if the user returned -- with a different IP address, MAC address, ISP, Web browser string HTTP_USER_AGENT, etc. Searching the user's house or office also is unpromising since the data could be on DVD below the insulation on the floor of the attic, stored in the cloud, etc.

Again, yet again, as a practical matter, now and over the horizon, if a Web site doesn't want their data out in the public and usable by every Tom, Dick, and Harry for whatever, then they should just never have their Web site send that data. And, really, there's nothing laws or lawyers can do about this except cause a lot of trouble.

Again, more generally, lawyers should just f'get about the Internet.

Although I feel Craigslist had a reasonable complaint, I do not like the precedence that this could set for further cases. This could set the stage for all kinds frivolous lawsuits.

I hope Craig figures out how to unwind this. It would be a terrible legacy to have your good fame traded for bad.

Who wants to be the big company that fought a startup so hard that it created new internet restrictions for the rest of us? I wish they had just bought 3taps and added the functionality.

The Court vociferously rips through 3Taps' arguments for dismissing the CFAA claims.

Anyone who is net savvy who has ever encountered the CFAA has no doubt pondered the problems in its vague, non-technical language and then in its (to no one's surprise) capricious application. The 3Taps case stands to be yet another example of the CFAA's flaws on parade.

Do the Courts see gross deficiencies in the CFAA's language and how this can affect the CFAA's application? If yes, would they rather deal with them now or just leave them for another day?

Consider what this Court says when faced with the question of what constitutes "without authorization" under the CFAA. Note this is when the computer in question is otherwise open to the public and lacks any access controls such as password protection or approved originating IP addresses:

"To be sure, later cases may confront difficult questions concerning the precise contours of an effective 'revocation' of authorization to access a generally public website. This Court cannot and does not wade into that thicket, except to say that under the facts here, which include the use of a technological barrier to ban all access, 3Taps' deliberate decision to bypass that barrier and continue accessing the website constituted access 'without authorization' under the CFAA."

A "thicket" indeed. And we shall let it grow. I often see the word thicket used to describe the problems with patents. And we all see how those problems have played out so far.

Since access authorization and its revocation are apparently difficult standards to pin down in the computer context, just for fun, if you'll join me for a small thought experiment, I invite you to take a different angle and look at the CFAA in a "new" light.

The second sentence of the Order defines the applicability of the CFAA in no uncertain terms: "The CFAA imposes civil and criminal liability on 'whoever... intentionally accesses a computer without authorization... and thereby obtains... information from any protected computer. 18 USC S.1030(a)(2)(c)."

This is quite broad in scope. Anyone with an ounce of computer network savvy can see that.

It's also very general in terms of who it protects. There's no mention of who the presumed victim might be.

What if the protected party is an individual consumer? Might the CFAA protect individual persons, and not just entities like governments and companies?

Let's assume the consumer has a computer. Let's further assume the computer stores information. Sound plausible so far? Let's further assume the consumer tries to protect the information on the computer. Still with me? OK, now let's assume that information has value to some third party. I don't want to limit the reaches of this thought experiment by giving examples (with which you might find fault), but in the case you just cannot fathom a scenario where a person wants to protect information stored on her computer: assume that some companies want access to her email address book or web browsing history and she would rather keep that information private. Finally, let's assume that the consumer wants to revoke the authorization of certain of these third parties to access the information, but the determined engineers employed by these third parties opt to bypass the barriers that the consumer puts up and obtain the information, perhaps by stealth.[1]

Hopefully, if I've done a decent job, you can see the CFAA could, at least in theory, under this Court's very general statement of the law, be used by an individual to protect her information stored on her computer from companies who proceed to access it without her authorization, in addition to, as in the 3Taps case, protecting information of a company like Craigslist from competitors who wish to access CL's information without CL's authorization.[2][3] If not, pay no mind and resume your usual train of thought. Who wants to bet this case gets settled out of court?

1. You might ask how the consumer would go about revoking authorization. Does she need to send cease and desist letters? Maybe. Maybe not. I'd argue whatever she does it needs to be clear.

2. CL's protected information is of course information submitted by individual users. And see 3.

3. The weakness of CL's case, from a copyright infringement perspective, is, according to some commentators, that the information CL is seeking to protect is not created by CL but by users, who may or may not have transferred enforcement rights to CL. Here is another issue to consider: Did the drafters of the CFAA care whether the complainant has any rights to the protected information?

If the data is central to someone's business (e.g. Ticketmaster, airlines, or anything you had pay to access), I'd tread real carefully.

have i run afoul of the law?

It like saying you are banning me from taking a nissan sentra to your business. If I come back in a toyota corolla I've broken your law.

What you really meant to say is that I am banned, not the car. Since you don't know who I am, you can't ban me...only the car.

This law is stupid.