
Court Holds That Circumventing IP Address Ban Is “Access Without Authorization” - maalyex
http://www.volokh.com/2013/08/18/district-court-holds-that-intentionally-circumventing-ip-address-block-is-unauthorized-access-under-the-cfaa/
======
cynicalkane
First, editorailized headlines are not allowed by site rules. (EDIT: The
headline is now changed. It previously read, "Change your IP, go to jail" or
something like that.)

Anyway, Craigslist told 3taps in a legal notice: "Don't abuse our website."
3taps did anyway. IANAL but this appears clear from the second and third
quoted paragraphs (and Orin Kerr, a noted expert on these things, seems to
agree):

 _The banned user has to follow only one, clear rule: do not access the
website. The notice issue becomes limited to how clearly the website owner
communicates the banning. Here, Craigslist affirmatively communicated its
decision to revoke 3Taps’ access through its cease-and-desist letter and IP
blocking efforts..._

You might as well say, "Enter a building, go to jail"... if the door is a side
entrance to a privately owned public space (such as a shop) which has banned
you from their property. That is how the judge sees it.

I personally have some sympathy for 3taps and I expect most of HN does also.
The open Internet is not like any old public space. But the ruling doesn't
threaten to ambiguously target people who just change an IP to get around an
ordinary IP ban.

~~~
anigbrowl
_I personally have some sympathy for 3taps and I expect most of HN does also._

I don't. Craigslist said 'stay off our site' and they refused. I do not
subscribe to this HN meme that 'if you can hack it, you should enjoy the
benefits.' All that has resulted in is a security arms race which doesn't
benefit anyone.

~~~
chacham15
I think where we have sympathy for them is in that they solve a problem / are
trying to provide value to people when craigslist has refused to do so. We
dont like that innovation is being thrown out because it isnt in the
controlling companies best interests. I understand that the right to control
your software/hardware comes first (and would not ever change that), but it
just sucks that this is the result in this case.

~~~
segmondy
well, they should solve the chicken and egg problem of getting customers, tech
problems are easy enough to solve, business problems are hard!

building your own social networking site that does everything facebook does
and better is easy, get user's to sign up is not. trying to mine facebook for
customers and data to jump start your site, well, that's not going to fly.

------
mapt
Hacker News implements permanent IP bans on anyone that performs tasks like
reloading Chrome after the 15th HN tab opened for the day's reading crashes
the core of the browser. When the browser reloads tabs, 15 concurrent
connections are made at once, and the IP gets banned.

This is such a trigger-happy approach that a great number of legitimate users
have found themselves IP banned, to the extent that a voluntary unban tool has
been created: 1) open Tor for a different IP, and 2) go to
[http://news.ycombinator.com/unban?ip=<original](http://news.ycombinator.com/unban?ip=<original)
ip address>.

By extending their argument from "IP block and C&D" (something I accept may be
valid here as a civil violation) to merely "IP block", the court may have just
found that 1) is a crime independent of any malice or damages, among other
things.

Criminal trespass is dealt with on a very limited basis by police officers
seeking to _uphold short-term civic order_ , correctively rather than
retributively. If it became a strict-liability crime about _pursuing criminals
and punishing them with decades of jailtime_ , we would have an unworkable
system where the harm of criminalization obviously outweighed the harm of
being in a place that was technically off-limits. That is basically the case
in most permutations of the CFAA. This happens to be a _corporate_ defendant
in a _civil_ suit with an _unambiguous C &D_... but beware any broader
interpretion of the thing while it still has criminal penalties attached.

~~~
bradleyjg
> By extending their argument from "IP block and C&D" (something I accept may
> be valid here as a civil violation) to merely "IP block", the court may have
> just found that 1) is a crime independent of any malice or damages, among
> other things.

I don't read the opinion to say that. In fact, I'd say that the court put more
weight on the C&D than the IP ban (contra Prof. Kerr who reads the statue as
giving primacy to the technological measure). Though admittedly the analysis
is rather short.

3taps doesn't argue it thought it got caught up in an over aggressive
automated filter. It knew Craigslist didn't want it to access its website and
did anyway. I don't see why slippery slope arguments ought to let them off the
hook. Though I agree a civil forum is generally the best for this sort of
thing.

------
bigiain
Meanwhile, here in Australia:

[http://www.abc.net.au/news/2013-07-29/geo-blocking-mps-
commi...](http://www.abc.net.au/news/2013-07-29/geo-blocking-mps-committee-
price-report-apple-adobe-microsoft/4850484)

"A federal parliamentary committee has recommended that consumers find ways to
lawfully evade technology that allows IT companies to charge up to twice as
much for their products in Australia."

" … said the report had made 10 recommendations to lower prices, included
educating Australian businesses on how to bypass geo-blocks."

~~~
chii
even if evading geo-blocking is lawful in australia (whether it is or not is
another question), services like Steam, if they detect that you did such a
thing, have the option of revoking access to your account, and you lose out.
And the amazing thing is, steam's revocation is completely legal (plus you
also agreed to it in the EULA).

This whole thing is completely anti-consumer. The law needs to catch up and
make sure that consumer has the same protection as physical goods.

~~~
bigiain
The optimist in me hopes this is a sign of "the law" doing its slow and steady
"catching up". This was the report of a parliamentary inquiry - this was asked
for and delivered to our lawmakers. If I were a business with a model
predicated on geo-blocking and intending to do business with Australians, I'd
be looking for a way to ensure by business model works _without_ that
artificial barrier. (I'd suggest that like many consumer laws, you will no
more be able to rely on click thru Eula clauses to enforce this than you can
evade "fit for purpose" requirements in physical goods)

~~~
chii
hehe, then you are much more optimistic than me!

I dont believe that current sellers of licenses of software (and other media
too) would like such consumer protection laws, because it means they no longer
control their consumer's collection - e.g., any law that does not enforce the
2nd sale doctrine for digital goods is bound to fail to protect consumers, but
media creators would not want to allow 2nd sale of their digital goods
(ever!).

------
icambron
IANAL, but I'd have guessed that the answer to Kerr's first question -- does
an IP address block constitute a "technological barrier?" \-- would be no. My
reasoning is this: IP addresses change all the time and so a normal,
unsophisticated user could, perhaps even unwittingly evade the barrier without
any sort of technological workaround. If you could accidentally do it in the
course of your day, it's doesn't pass muster as a "barrier".

Imagine you had a building complex with many roads leading to it and you want
to forbid motorcycles from entering it. You set up a blockade on one of those
roads, and have a security guard turn away motorcycles. But there are all
these other roads leading to the complex without blockades. Normal, every day
people roads just like the one that has a blockade, and anyone could use them
to drive in on a motorcycle. Does that constitute a barrier that's being
circumvented?

That's all all directed at that narrow question. For the record, I don't think
you should be allowed to use a website when the owners have asked you not to,
but I do see how it's pretty different than, say, brute forcing the SSH
password. And so that narrower question might have some impact on what charges
their guilty of.

~~~
pdonis
_IP addresses change all the time_

IP addresses assigned by ISPs do, yes. But as I understand it, the IP
addresses Craigslist banned in this case were the ones assigned to 3Taps'
domain name based on DNS records. That's a different situation.

~~~
icambron
That's a reasonable point.

------
teeja
Seems clear to me that banning _an IP address_ is nothing more than a ban on
that IP address. The user could conceivably go to a library and use their IP
to access the site. Since that's self-evidently a non-productive approach, the
only way to communicate the block of an individual user is to affirmatively
contact that user and obtain a signed recognition of that user's banning.

That may create a technical problem for the banner, but the method the judge
chose simply ignores the fact that an IP address (unlike a ham radio license
but exactly like a telephone number) is _never_ attached to an individual.

~~~
lotharbot
In this case, the user knew they'd been banned due to the Cease and Desist
letter they received.

~~~
graycat
Yes, but when that Web site gets traffic from the banned IP address, what is
the evidence that the person who got the C&D letter was the one responsible
for the traffic? The traffic could have been from any customer of the ISP used
by the banned user.

~~~
roel_v
While I think that your argument is flawed in its understanding of the law, a
technological approach could be: let x be the suspect IP address. When we
receive a request from x, we send them some messages that we don't send to
other users; or maybe we change messages slightly (like leave out some
footers, or with a different image link, whatever). When the fake/modified
messages show up on the suspect website, we can reasonably assume that they
accessed our website. At that point, it doesn't even matter any more whether
they did it through x or another.

~~~
graycat
Right. Now are beginning to make a little sense -- a big change from the OP.

So, the problem was not getting the data from Craigslist but publishing it
elsewhere.

But your point still will not make Craigslist at all happy: Craigslist has a
_lot_ of data. Maybe someone, Tom, wants to get a copy of a lot of that data
and do some things with it. The data at issue need not be in any meaningful
way subject to the _marking_ you describe. That is, what Craigslist sends is
HTTP, HTML, CSS, simple text, and maybe some files in JPG, PNG, GIF, etc. Tom
can grab just the text, put it into a database, analyze it, and republish
leaving the _marking_ far behind.

So, right, if Tom does something sufficiently stupid, then he can be slapped
down for violating the C&D letter. Otherwise, not stupid, it's essentially
impossible for the Web site to know if Tom honored the C&D letter. Then,
searching Tom's computer, etc. will be based on next to no go evidence and be
wildly unfair to Tom.

------
maalyex
Admittedly a sensationalistic headline on my part

The title of the linked article is "District Court Holds That Intentionally
Circumventing IP Address Ban Is “Access Without Authorization” Under the
CFAA".

Violating the CFAA is, of course, illegal. From the linked article: "During
the debate over the Aaron Swartz case, one of the legal issues was whether
Swartz had committed an unauthorized access under the CFAA when he changed his
IP address to circumvent IP address blocking"

This particular ruling relates to Craigslist.

[http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act](http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act)

~~~
dpeck
I may be remembering wrong, but I believe in the Swartz case it was about
spoofing his MAC address?

~~~
anigbrowl
It's not 'about' spoofing his MAC address. It's about respecting the rights of
property owners to set the terms of how other people may access their
property. You know, when someone is charged with burglary the issue is not
that they entered your place through the window rather than by ringing the
doorbell, but that they entered without your permission. Try to imagine the
outrage that would result if a judge said 'it's your fault for having an
insecure window, tough luck.'

EDIT: I might add that I don't care for JSTOR or the copyright system that
they derive such benefit from. But then I don't especially care for our laws
on taxation and related subjects - my disagreement with those doesn't give me
the right to opt out of taxes that I dislike, or to appropriate the
possessions of others whose wealth I might envy.

~~~
bigiain
As it turns out, judges _do_ say stuff like that. Where I live, they've made
it illegal to leave your car unlocked… "Car got stolen? Sorry, your fault, you
left the window open."

~~~
anigbrowl
[Citation needed]

~~~
eksith
Germany: [http://www.stripes.com/news/americans-learn-of-locked-car-
la...](http://www.stripes.com/news/americans-learn-of-locked-car-law-the-hard-
way-1.83372)

Australia: [http://news.drive.com.au/drive/motor-news/drivers-face-
fines...](http://news.drive.com.au/drive/motor-news/drivers-face-fines-for-
unlocked-cars-20100517-v7db.html)

~~~
anigbrowl
Thanks.

------
alan_cx
So, on a shared internet connection, where many people might well use that one
IP address, does this mean banning one person bans all?

~~~
dspillett
Basically yes.

Most sites that have found the need to implement bans by address consider this
collateral damage to be worth it - in fact to get around it being difficult to
IP-ban someone on an ISP that hands out variable addresses some will ban a
whole range (first banning one address, then another, then another, and after
several addresses in a range (something like a /20 or more - a /24 would not
cover all but the smallest ISP's dynamic address pool) are banned the whole
range gets the hammer, at least temporarily.

IPv6 will make a difference if its adoption means that the use of NAT drops
considerably, but even if every device really does have a unique address there
is still the problem of several users on the same device (implementing per-
user addresses on a single device is never going to happen as it is just too
much hassle for little or no gain).

------
andybak
Just trying to understand how far this could be pushed.

Would it be possible in a future case that a judge could deem 'not providing
an API' a technological barrier to programmatic access and therefore hold that
screen-scraping is in violation of the CFAA?

------
systemtrigger
I'm confused then because according to founder Greg Kidd 3taps does not get
its data by scraping Craigslist:

"...We didn't get the data from them anyways. We're finding it from other
sources which have already indexed it like Google, like Bing, like other
search engines that are out there."

[http://www.youtube.com/watch?v=6Rf6JrSYZ4U#t=27m32s](http://www.youtube.com/watch?v=6Rf6JrSYZ4U#t=27m32s)

~~~
pdonis
If you read the fine print (which is in various documents linked to on 3Taps'
website), you find that it's not quite as simple as that. 3Taps started out
getting the data from Google; but when Craigslist found out what they were
doing, they restricted Google's access in a way that made it necessary for
3Taps to scrape Craigslist's site directly.

It's notable that, in these documents (which are written by 3Taps), the fact
that Craigslist sent them a C&D letter is _never_ mentioned. So it's not clear
where, exactly, in the process the C&D letter came in.

------
graycat
An IP address does not for long accurately identify a computer or a person.
E.g., Internet service providers (ISP) make heavy use of _dynamic host
connection protocol_ (DHCP) which assigns a new IP address for each new
connection from a user. And, for a user permanently connected via a cable
modem, losing power to the modem commonly causes it to forget it's assigned IP
address and when power is on again to request a new IP address from the ISP.
Also, commonly ISPs change user IP addresses for whatever reasons without
notice. Really, a user often doesn't know what IP address he is using.

Fixed IP addresses are important for servers but not for users. And due to the
fact that with 32 bit IP addresses there are only about 4 billion IP addresses
to serve the whole Internet, ISPs commonly assign a new IP address for each
connection and may have fewer IP addresses than paying customers.

A Web site has no easy way to know that a specific IP address is from a
specific computer or a specific person. And, indeed, just by having electric
power go out, the user's computer will likely be using a new IP address.

So, for a Web site to block an IP address does not block a specific computer
or specific user. So, a user can just say,

"That you got some traffic from that IP address is no evidence that I accessed
your Web site. That traffic could have been from any customer of my ISP."

Next, there is a problem with _screen scraping_ : The way the Web works, with
HTTP, HTML, and CSS, when a Web site sends a Web page to a user, what is sent
is essentially just simple, plain text. Then _screen scraping_ is just keeping
what was sent. The Web site sent the text; the user just kept a copy; keeping
a copy at least until the original changes is a standard performance feature
of Web browsers. So, it's standard for a user to have and keep a copy of what
the Web site sent.

The Web site freely sent the data as just simple text; if the Web site doesn't
want people to have that data, then the Web site should not send that data to
people.

------
szuhanchang
How does the Citizens United ruling factor into this?

Basically, I'm wondering if a valid defense would be to say that although
3Taps as a company was banned from using Craigslist, individual employees and
separate companies were not.

As a result, the subsequent retrievals of information by individual employees
/ a separate company out of their own volition and not using company resources
constitute legal access of Craigslist.

The information legally gathered by the separate entities were then passed
back to the company, so 3Taps never actually accessed Craigslist after the
ban.

Would this work, and why / why not?

------
crb002
Craigslist asked 3taps not to use their IPs to connect. 3taps complied and
stopped using those IPs. What's the beef?

~~~
lotharbot
Craigslist asked 3taps not to use their _data_. 3taps continued to use CL's
data, even going so far as to circumvent a security measure (the IP block --
weak, but still technically a security measure).

The court decision, which is linked elsewhere in this discussion,
_consistently_ connects the IP ban to the C&D letter. They don't seem
particularly concerned with the details of how 3Taps accessed the data, only
that 3Taps intentionally accessed data whose owners had clearly revoked
access.

------
hmottestad
At college we discussed what an IP is. An IP has two parts, the identification
and the location.

If you change your IP to mask your identity, then you are telling the server
you are someone else, however if you change IP to mask your location you are
only saying you are somewhere else.

~~~
epo
Your college explanation was so skimpy as to be useless. An IP, at best,
identifies a particular endpoint at a particular point in time, consider
dynamically allocated IP addresses or virtual machines with externally visible
IPs.

Whoever allocated the IP may have records showing which telephone line was
allocated that IP at a particular time. That might narrow it down to a
residence, building or office.

But this is all irrelevant. As I understand it, there was a court order
forbidding 3taps to access a particular service. Additionally their IP was
blocked. Changing IP to try and circumvent the ban is the kind of thing a 13
year old thing might think was clever and 3taps should be slapped down very
hard for this it is, in effect, contempt of court.

------
graycat
Quite broadly, that the Web site got traffic from the banned IP address is not
solid evidence that the person who got the C&D letter accessed the Web site.
The Web site will need better evidence than traffic from the banned IP
address.

------
joshmn
So proxies are illegal too!?

~~~
dspillett
Not directly, but if they are used to get around legal limitations then yes.

There is no specific law covering this sort of thing which is why cases of
this nature are often grey areas: it all depends on how you
interpret/implement laws written to cover the physical world as you transcribe
them to operate online. For instance gaining access to money by pretending to
be in a country where you would qualify for a grant in, despite living
elsewhere, is fraud - gaining access to resources online the same way using a
proxy to pretend you come from somewhere else is the same thing.

As with many tools proxies themselves are not illegal (well, in most
territories!) and have a great many legal uses, but they _can_ be used as part
of an attempt to get away with breaking the law.

------
EtienneK
Does everyone in the States have a static IP address? Here where I live, every
time you reconnect to the internet you get a new IP.

~~~
pdonis
It depends on your ISP and what kind of service you have. Most providers of
high speed internet (meaning cable or fiber optic) these days don't change
your IP very often, so although it's technically not "static" (meaning, there
is no guarantee that it will stay the same), it ends up being more or less the
same thing in practical terms.

~~~
graycat
Not really: For whatever reason, my electric company commonly drops power for
a second or so about once a week. How do I know? Because then the clock on my
microwave oven just blinks not knowing what time it is.

Well, that one second power drop also causes my cable modem to forget the IP
address it was assigned via DHCP by my ISP.

So, the guy with the C&D letter can tell the Web site that traffic on the
banned IP address was no good evidence that the traffic was from him and,
instead, could have been from any customer of the relevant ISP.

Moreover, the ISP could assign the IP address the Web site banned to just any
customer not involved in the C&D letter, etc. Then the Web site would ban that
person; I hope that person would not get charged with a crime.

~~~
pdonis
_that one second power drop also causes my cable modem to forget the IP
address it was assigned via DHCP by my ISP._

Does the IP address actually change when this happens? Some ISPs have their
DHCP server assign IPs according to the MAC address of the cable modem, which
of course won't change if power is shut off and then turned on again.

 _the guy with the C &D letter can tell the Web site that traffic on the
banned IP address was no good evidence that the traffic was from him and,
instead, could have been from any customer of the relevant ISP._

If he was a private individual getting internet access from an ISP that did
that, sure. But in the particular case referred to in the OP, the "guy with
the C&D letter" was a company, not an individual, and as I understand it, the
IP addresses that were banned were the ones mapped to that company's domain
name based on DNS records. That's a different situation.

 _the ISP could assign the IP address the Web site banned to just any customer
not involved in the C &D letter, etc. Then the Web site would ban that person;
I hope that person would not get charged with a crime._

It's not clear how Craigslist found out that 3Taps had changed the IP
addresses it was using and resumed scraping the site. However, whatever means
it used to find that out was apparently accurate, since 3Taps admitted that it
had changed IP addresses and was still scraping the site. The court case was
based entirely on Craigslist saying that 3Taps was no longer authorized to
access their site; there was no dispute about whether they had actually done
so.

~~~
graycat
This case is stupidity piled higher and deeper!

> Does the IP address actually change when this happens? Some ISPs have their
> DHCP server assign IPs according to the MAC address of the cable modem,
> which of course won't change if power is shut off and then turned on again.

My ISP does this. I get a new IP address whenever I cycle power on my cable
modem. And sometimes my ISP gives me a new IP address for whatever reason.
Maybe their reason is that they want to charge a little more for a fixed IP
address. Or maybe they have more paying customers than IP addresses so must
dynamically assign IP addresses to users actually connected.

Yes, if 3taps was accessing Craigslist from a fixed IP address, then that can
be fair, although not really good, evidence that 3taps was continuing to
access Craigslist after the C&D letter.

If 3taps just admitted continuing to use Craigslist, then they were, just how
do I say it, s.t.u.p.i.d, or some such? Or, all a 3taps person had to do was
just go home and get the Craigslist data from a home computer with a different
IP address. I'm not up on mobile devices, but I have to believe that they also
use frequently changing, dynamically assigned IP addresses.

Also I don't like the idea that there is _screen scraping_ as something
different from ordinary usage; it's not. The Web site sends the data, and the
data is nearly always stored on disk by the Web browser. Also the Web browser
can write the data to an HTM file and a directory with the JS, CSS, JPG, PNG,
GIF, etc. files. Then the user has essentially all the data in simple, plain
unencrypted form. Nearly all the data is sent just as simple text. E.g.,
likely the Craigslist data is sent this way. Then if someone wants to make
some new use of that Craigslist data, they can easily remove the HTTP, HTML,
CSS, JS, etc. stuff, leave the simple text, analyze it, reformat it, combine
it with other data, format it with Word, TeX, PostScript, PDF, etc., wrap it
in some new HTML, CSS, and JS, and publish it again. Then it need not be the
least bit clear just where the data came from. In this case, with little good
evidence that the data came from Craigslist, it would not be fair to search
the facilities of 3taps for evidence.

Broadly, the Web site offers the data to all anonymous users, as mostly just
simple text. In that case, the Web site should basically just shut up about
what happens to the data they sent.

~~~
pdonis
_I 'm not up on mobile devices, but I have to believe that they also use
frequently changing, dynamically assigned IP addresses._

I believe that's correct, yes. If they are using wifi, they will appear to be
connecting using the wifi router's public IP address, which will certainly be
different for each wifi router. If they are using the cell phone network to
connect, I'm pretty sure they get assigned a public IP address based on which
cell tower they are using to connect, so that will change as well.

 _I don 't like the idea that there is screen scraping as something different
from ordinary usage; it's not._

In terms of the data itself, you're right, screen scraping is just pulling the
data, the same as a web browser does.

However, since screen scraping can be automated, it can potentially use a lot
more bandwidth, since it can request multiple pages from a site much faster
than a human driving a browser can. That's why sites are allowed to restrict
what automated search bots can do on their sites, for example with a
robots.txt file. A service like 3Taps would be expected to respect these types
of restrictions just like Google does.

That said, I don't think the issue in this case was the screen scraping per
se; I think the issue was that Craigslist asserted copyright over their data,
so that they had the right to say that 3Taps could not use the data the way
they were using it.

~~~
graycat
For screen scraping, it appears that some people want to say that, because
some software in effect provided the browser keystrokes or mouse clicks,
something was wrong.

Once I wrote a little program that gets Web pages from a Web site; if I
handled all the details correctly, then there is no way for the Web site to
know that it is sending the data to my program instead of a Web browser.
Indeed, essentially I wrote a Web browser. That my Web browser just wrote data
to files and did not provide a graphical user interface on my screen is none
of the business of the Web site. It can't be illegal to write a Web browser,
especially a very simple one.

For getting pages too fast, just write the software to get the pages more
slowly. Done. Or if want to use one computer to get 100 pages from each of
10,000 sites, then then get one page from each of the 10,000 sites, 100 times.
Done.

> I think the issue was that Craigslist asserted copyright over their data,

Fine. But there is an issue: Just how the heck is Craigslist to know who got
the data? Not from IP address -- that's terrible evidence. Then how's
Craigslist to know just what the heck the data was used for? Even it it's
clear that the data was from Craigslist originally, if the person using or
misusing the data might have gotten the data from someone else and not
directly from Craigslist.

So, to me, for Craigslist to run around with lawyers and C&D letters attacking
Internet users looks like a bummer. If a user does something obvious and
blatant with Craigslist data, or is dumb enough to admit getting the data
after a C&D letter, then okay. But mostly the legal effort is a loose cannon
on the deck that can hurt a lot of people based on really poor evidence.

~~~
pdonis
_there is no way for the Web site to know that it is sending the data to my
program instead of a Web browser._

Except through your User-Agent string. Which can, of course, be faked, but if
you are actually running a scraper or other automated tool, you're not
supposed to use a browser User-Agent string.

 _For getting pages too fast, just write the software to get the pages more
slowly. Done._

Yes, agreed; all search bots and other automated tools are supposed to do
this.

 _But there is an issue: Just how the heck is Craigslist to know who got the
data?_

I don't know how Craigslist found out in this specific case; but the point was
moot anyway because 3Taps admitted they had obtained the data; there was no
dispute about that. The dispute was entirely over whether what 3Taps was doing
with the data once they got it was "authorized".

 _how 's Craigslist to know just what the heck the data was used for?_

Because 3Taps admitted what they were using it for. There was no dispute about
that either, only about whether that use was authorized.

 _for Craigslist to run around with lawyers and C &D letters attacking
Internet users looks like a bummer._

Have they been doing that? In this particular case, as I said above, there was
no dispute at all about the facts, only about the legal rights involved. I
don't see any evidence that Craigslist is indiscriminately banning people and
then suing them based on disputed facts; the only dispute I see is over
whether Craigslist should be able to assert the rights it's asserting over its
data.

~~~
graycat
> your User-Agent string

Sure, my software sends a nice, simple, vanilla pure, good looking string for
the user agent string.

I agree with you about essentially all the details of this specific case.

As seemingly hinted in the OP, my concern is with the more general situation
-- could a Web site use lawyers, C&D letters, and IP addresses to make big
legal problems for Internet users who download an unusually large number of
Web pages? I hope not.

Then there's the suggestion that for a user to get a new IP address is somehow
nefarious -- it's not. And there's calling getting Web pages _screen scraping_
as if it is different, unusual, and nefarious -- it's not. Then there's the
suggestion that what the user did that was bad was getting the data when the
real problem was that the user republished the copyrighted data.

~~~
pdonis
I don't think* this case gives any basis for a site to take legal action
against someone just based on downloading a large number of web pages or
accessing the site with different IP addresses. There has to be quite a bit
more than that. I don't think the headline of the article really gets across
_all_ of the factors that had to be present for this ruling to go the way it
did (but the body of the article does a better job of that).

* - of course, IANAL.

------
zby
IRC ops must now be celebrating.

------
niels_olson
If this applies to IP addresses, it should seem reasonably short work to show
that it applies to physical addresses. In which case, patent trolls may
quickly be a thing of the past.

~~~
chii
pray tell, why is that?

------
aj700
I don't understand. Does the article say that changing your ip is wrong and
precedent-setting as such. Has Aaron, with all respect to him, left us
ironically with the tyranny of true names? Legal precedent nationally across
the US?

~~~
lotharbot
> _" Does the article say that changing your ip is wrong"_

No.

The article says that circumventing a measure which you know was put in place
to keep you out (in this case, an IP ban which followed a C&D letter) means
you are intentionally committing "unauthorized access". Changing IPs just
happened to be the method used to gain said unauthorized access.

If you tell me I'm banned from your store, and then I shave my beard and
change my shirt specifically so you won't recognize me when I sneak back in,
that would likewise be "unauthorized access". This doesn't mean shaving and
changing my shirt is wrong, just that doing it for the purpose of accessing
something the owners have told me not to access is illegal.

