Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
The Internet Caldera Government The Courts News

Internet Access and Computer Fraud Laws 171

DrJimbo writes "Groklaw has an explanatory article covering the Computer Fraud and Abuse Act (CFAA) in layman's terms. The article discusses legal precedents that might make it illegal to access much of the internet. The article is a response to a claim by SCO that IBM violated the CFAA by downloading GPL'ed software from SCO's public HTTP and FTP sites."
This discussion has been archived. No new comments can be posted.

Internet Access and Computer Fraud Laws

Comments Filter:
  • It's just as well. The internet sucks anyway. Go outside and lay touch football or something.
  • WTF? (Score:3, Insightful)

    by afstanton ( 822402 ) on Friday December 17, 2004 @02:23PM (#11118748) Homepage
    This sounds just completely insane. Fraud by downloading GPL software? Why would SCO post it if they were just going to claim fraud? It sounds like entrapment, or bait and switch, to me.
    • This sounds just completely insane. Fraud by downloading GPL software? Why would SCO post it if they were just going to claim fraud? It sounds like entrapment, or bait and switch, to me.

      Actually from my limited understanding of the essay, SCO is trying to say that they weren't really allowing you to download the GPL software and that IBM's access to it was unauthorized.

      Basically IBM hacked SCO.
      • Re:WTF? (Score:3, Insightful)

        by cayenne8 ( 626475 )
        The part where the court said that assumptions that openly up for display on the web/internet was not assumed to be free and public?!?!?

        From the Article:

        "The court felt the need to further explain its rationale. It wanted to be clear that the basis for the rejection of "reasonable expectations" test is not "as some have urged, that there is a "presumption" of open access to Internet information". There is not. (Some might call that astounding and disturbing news.)"

        So, if they put it out there, in a publ

        • I think this speaks volumes about the level of technical understanding that current SCO executives have. They seem completely unaware that they are distributing what they claim to be illegal, having only pulled it from their website but not the FTP site. I guess most PHBs haven't ever heard of FTP, much less know how to use it.
          • I think this speaks volumes about the level of technical understanding that current SCO executives have.

            The problem is that the quoted text was not from SCO, it was from a judge in a spam case, which set precedent that just because something is viewable on a website doesn't mean you automatically have authority to view it, and simply viewing it can violate the CFAA.

            While this may have been useful for nailing the spammer, the implication of this previous ruling is far more reaching as we are seeing now.

        • So, if they put it out there, in a public format...it still can't be presumed as public access?
          How do you, in language that will stand up to the specificity rule define "public format"? Here's a link to my other posting on the topic: http://yro.slashdot.org/comments.pl?sid=133147&cid =11121354 [slashdot.org]
      • The plantiff would like to introduce Exhibit 153, an excerpt from the SCO webserver log:
        workstation.ibm.com - - "GET /downloads/sco_software.tar.gz HTTP/1.1" 200 334525
        Clearly this is an illegal hacking attempt.
        • The point of the article was that, under current US case law, such a GET from a publicly-accessible web/ftp site may well be illegal. It seems that all SCO needs is a notice anywhere on their site denying access, for it to fall under the CFAA.

          For a hypothetical example, consider the goatse.cx site, but with a link at the top of the main page to a TOS page, and a sentence saying you shouldn't look at the picture until you've agreed to the TOS. Some prosecutor decides to take them to court on an obscenity
    • Re:WTF? (Score:4, Insightful)

      by ReelOddeeo ( 115880 ) on Friday December 17, 2004 @02:41PM (#11118953)
      Fraud by downloading GPL software? Why would SCO post it if they were just going to claim fraud?

      It is not Fraud because the software is GPL. It is Fraud because, as SCO has claimed in their recent court filing, IBM hacked into SCO's anonymous ftp server, in order to obtain the GPL software.

      Even worse, evil IBM earlier admitted doing the dastardly deed.... In an earlier court declaration by an IBM employee, "I supervised while a member of my team..." logged into SCO's anonymous ftp server and downloaded the kernel sources, which include source code copyrighted by IBM, and which SCO is distributing in violation of the GPL.


      It sounds like entrapment, or bait and switch, to me

      I would be careful of making such libelous statements that could tarnish the valuable unblemished reputation of a paragon of virtue such as The SCO Group.



      Don't forget to pay your $699 license fee to SCO for your Linux kernel which includes SCO's copyrighted <errno.h> file.
    • Re:WTF? (Score:2, Informative)

      by MindStalker ( 22827 )
      Their claim is that IBM violated their websites Terms of Service when they downloded the source code. Problem is noone is quite sure exactly what they mean by this argument as it was downloaded through an anonymous ftp site publically assessable.
      • by v1 ( 525388 )
        Although the site was anonymous, meaning anyone can LOG IN, the SCO may still have ground to stand on if they displayed a terms of use when you login, and say something like "if you don't agree to these terms, you are not permitted to download and must log out immediately." If IBM then did not agree to the terms (was in violation of the terms) and proceeded to stay logged in and download files, SCO just might have a case?

        I know, I hate EULAs and soforth the same as most other ppl, but right now they have
        • Re:WTF? (Score:3, Funny)

          by cosmo7 ( 325616 )
          Although the site was anonymous, meaning anyone can LOG IN, the SCO may still have ground to stand on if they displayed a terms of use when you login, and say something like "if you don't agree to these terms, you are not permitted to download and must log out immediately."

          Here is the agreement from SCO's ftp site:

          Welcome to SCO's UnixWarez Site

          All downloads are for BACK-UP only. If you are from a law enforcement agency then you are not allowed to log on. No kiddie pr0n. Upload to download. No leeching
          • Re:WTF? (Score:3, Insightful)

            by jp10558 ( 748604 )
            So... this means that many warez sites are now protected?? I never really thought those disclaimers would be worth anything, but I guess they might just be...
    • Re:WTF? (Score:4, Funny)

      by ReelOddeeo ( 115880 ) on Friday December 17, 2004 @02:43PM (#11118978)
      This sounds just completely insane.

      Did you mean it sounds like typical SCO behavior? Or am I misunderstanding you?
    • Something unfortunately can be insane, but found by a court to be "true".

      Look at the DMCA cases.
    • In the original documents about Zefer, I would concur with the written statement except for the following:

      Any company which publicly exposes its information, under standard brick and mortar rules, loses its right to keep anyone else from using that information once it has been released to the public. Although it is true that there are reasonable expectations (such as no one person can take all of the candy which someone might put out to help attract customers) implied - the use of scrapers should not be d
  • by ParadoxicalPostulate ( 729766 ) <saapad@gma i l .com> on Friday December 17, 2004 @02:26PM (#11118782) Journal
    I guess that means we can no longer blame people for not RTFA - hey, it could be illegal!
  • Heh (Score:5, Insightful)

    by NetNifty ( 796376 ) on Friday December 17, 2004 @02:27PM (#11118803) Homepage
    "The article is a response to a claim by SCO that IBM violated the CFAA by downloading GPL'ed software from SCO's public HTTP and FTP sites."

    And this is a perfect example of why nobody takes SCO seriously.
    • Re:Heh (Score:3, Informative)

      by itzfritz ( 822208 )
      Acc. to TFA:
      "SCO provided its customers who purchased SCO Server 4.O with a password to enter at a log-in screen so that only they could access source code via the internet. Sontag Decl. 17-19. After news of a bug in the website's security system was reported on internet websites, IBM exploited the bug to bypass SCO's security system, hack into SCO's computers, and download the very files IBM has now attached to its motion."
      If this is true, SCO has a legitimate beef. Dammit.
      • Re:Heh (Score:3, Funny)

        by NetNifty ( 796376 )
        Hmm, don't know whats stranger, SCO being right, or IBM admitting to hacking in to SCO's servers.
        • Re:Heh (Score:3, Informative)

          by rewt66 ( 738525 )
          IBM didn't admit to any such thing. They said that they downloaded the source to Linux from SCO's server. They didn't say that they hacked to do it; they said that it was freely, publicly available.

          SCO says that IBM hacked, but provides no evidence (not even a sworn deposition!) that IBM did so.

          Take the SCO claim with several pounds of salt...
      • Re:Heh (Score:3, Informative)

        by MattT ( 130844 )
        The "bug" was that they didn't turn off anonymous FTP, and the "hack" was:

        Userid: anonymous
        Password: Nazgul@ibm.com
        • by pjrc ( 134994 )
          Anon ftp is only hearsay and suspicion at this point.

          IBM has not yet said to the court how, exactly, they accessed the material on SCO's site.

        • So if you forget to lock your front door, and I waltz in your living room, but don't take or damage anything, just look around, take a few pictures and leave quietly while you are out, I'm legally in the clear?

          I think not. (unless I work for Homeland Security :)

          I am not saying that is what IBM did, but that is something that SCO will try to make it seem like IBM did.
          • Yeah, your house isn't an FTP server. There's a difference.
            • They are both property, with exclusive rights recognized by law.

              Heck, you have more property rights with your FTP server than your house.

              If the government wants to build a freeway or a train line and your house is in the way - they can take it from you.
          • So if you forget to lock your front door, and I waltz in your living room, but don't take or damage anything, just look around, take a few pictures and leave quietly while you are out, I'm legally in the clear?

            If that is the norm in your culture, then yes, it is legal, because it is commonly accepted that on the Internet any ftp site that allows an anonymous login is there to serve files to the public.
          • So if you forget to lock your front door, and I waltz in your living room, but don't take or damage anything, just look around, take a few pictures and leave quietly while you are out, I'm legally in the clear?

            Incorrect analogy. Entering the house through the front door is tresspass, even if the door happened to be unlocked at the time. Besides, I've seen doors that do not lock (or open) properly - a defective lock does not mean public access.

            Setting up public anonymous FTP access is a different case.

      • "IBM exploited a bug...."

        Please. Forgetting to turn off anonymous logins to a PUBLICLY AVAILABLE http/ftp server is just stupid. Thats like me sending a link to someone... and putting secret stuff on the webpage.. then suing whoever looks at it becuase I forgot to turn on htaccess.

        Who the hell would use an operating system from these people?
      • And that stands about the same chance of being true, as a snowball would have if it were suddenly teleported to a point nominally 50k miles beneath the visible surface of the sun. Aka, somewhere between 0.000000000excrement and zip.

        What scares me though, is that some non-tecnical minded judge might actually believe the bovine excrement thats coming out of Lyndon UT.

        Now thats SCARY

        Cheers, Gene. Who hopes he is on duty beside Gabriel when they show up so he can really tell them where to go.
    • And it's neat that they can put 6 acronyms into one sentence.
  • SCO accusing IBM of "unclean hands"... priceless.

  • by Anonymous Coward
    We just declare the whole jorld a jail, and all people imates. Then there will be no problem with any kind of violations ...
  • Accessing SCO ftp server...

    Login: anonymous
    Password: sco_sucks@ibm.com

    Access authorized for downloading. Have a good day!
    • by Anonymous Coward on Friday December 17, 2004 @02:52PM (#11119068)
      The entire problem here is that SCO is claiming IBM committed fraud by doing exactly what you just did-- that is, typing Login: anonymous Password: somepassword into the ftp login box.

      In other words:

      POST #11118838 CIRCUMVENTS A MECHANISM THAT EFFECTIVELY CONTROLS ACCESS TO A COPYRIGHTED WORK, MEANING SLASHDOT.ORG IS NOW AN ILLEGAL CIRCUMVENTION DEVICE UNDER THE DIGITAL MILLENIUM COPYRIGHT ACT.

      Well, it's been a nice run for slashdot.org. Too bad it'll be shut down soon. Thanks for everything, everyone!
  • is a big attention whore. hey look at me!!

    they are going to get nothing done to help their business model because they are just trying to chase other companies down
    • "Of the things we think, say or do:

      1. Is it the TRUTH?
      2. Is it FAIR to all concerned?
      3. Will it build GOODWILL and BETTER FRIENDSHIPS?
      4. Will it be BENEFICIAL to all concerned?"

      From Rotary International. Simple, but effective.

      Too bad they fail all four tests.
    • in the "Firefox NYT ad" /. story. One said that Firefox should talk more about IE's vulnerabilities, and another one said:

      "The moment you stop speaking about yourself to speak about others, you're politically dead".

      Nothing could be more true for SCO.
  • by The Cisco Kid ( 31490 ) * on Friday December 17, 2004 @02:36PM (#11118898)
    Here is an example of how a violation might occur:

    1. I access the internet pursuant to my Terms and Service Agreement with my ISP (that I agreed to but given that there are only 48 hours in a weekend, did not read]. This is the contractual instrument that allows my "access" to be "authorized".

    2. Then I violate this instrument's conditions, and my access, is, at the very moment of the violation, "unauthorized".

    3. And since, given that I'm probably staring at the screen, I am therefore "obtaining"... (viewing) "information from a protected computer..."

    4. In theory, we have, a violation of the CFAA.



    I would suggest that you are only violating it if you are not authorized to access the computer you are accessing *by the owner/operator* of that computer, regardless of wether or not you may be authorized by a network provider to use their network.

    That you may not be allowed to use your employers internet connection for personal use may get you fired by your employer, but does not constitute a violation against the websites you might have accessed.
    • The implecation is that your employer, after he fires you, could then logically claim that you were in violation of the contract which authorized you to connect to the internet in the first place using his network.

      Therefore you obviously hacked the network. No wonder he fired you. You deserve jail time.

    • Precisely. The issue is one that comes up in different forms in YRO articles and Ask Slashdot questions from irate students -- are you necessarily "allowed" to view or download something because you have access to it? Network administrators frequently rule that such is not the case; the CFAA has been interpreted similarly in the screen-scraping decisions.

      Jon Stanley's scenario, on the other hand, is simply imbecilic -- it sounds like the kind of wild-ass analogy the IANALs usually post in the aforementioned

      • are you necessarily "allowed" to view or download something because you have access to it? Network administrators frequently rule that such is not the case; the CFAA has been interpreted similarly in the screen-scraping decisions.

        It amazes me how convoluted and screwed up the law surrounding the net can get when there are many perfectly reasonable analogies to well understood areas of law.

        How hard is it to figure out that an anonymous FTP or web server is an explicit invitation to the information it p

    • Use of the network (which is made of computers, and routers, which are, in esscene, computers) beyond authorization is illegal.

      In your examples, the ISP and the employer could have criminal charges pressed against the user.

      You are accessing every computer between yours and the final destination, inclusively, both from a technical and legal standpoint.

      Making the law state otherwise would be unjustified. It would make using someone's network without their permission legal as long as you accessed only sites
      • I didnt say it wasnt.

        But if you arent allowed to use the Internet at work for non-work activities, and you do so, you are only culpable to your work.

        The way the article was making it sound, if you access google from work to look up something personal, then because your workplace didnt authorize you to use the Internet for personal use, then somehow you are culpable to *google*, which from the exceprts of the law itself, is not the case.
  • by gr8_phk ( 621180 ) on Friday December 17, 2004 @02:41PM (#11118960)
    The courts had said that you are unauthorized by default. If that's so, you can't even go to a web site and read the terms of service or whatever they claim grants you permission. Hey judge, did you ever read yahoo, groklaw, or used google? Did you obtain authorization before going to the site? Hopefully this judge will overturn that stupidity.
    • Which would be like a badly configured .htaccess file blocking the error page as user doesn't have access... you are not authorised to access this page plus an addition error occured - access denied.
  • Yes, I did RTFA. Unless I am completely reading this wrong, a summary of this [findlaw.com] is that the CFAA uses the term "reasonable expectations", and the court believes this is not sufficient; that sites must post in explicit terms what its users are and are not allowed to do - otherwise it is open season. OTOH, passwords are an example of a site or system clearly stating its intentions:
    We agree with the district court that lack of authorization may be implicit, rather than explicit. After all, password protection itself normally limits authorization by implication (and technology), even without express terms.
    In short, the court found that sites on the Internet implicitly allow open access unless they explicitly state otherwise.
    • Windows NT/2K/XP/2003 have two registry entries for a popup box called legal notice. When you do the cntl-alt-del thing and these registry entries exist you get a dialog box that has a legal message of your choice. Then you click on ok, the you get the username and password box. The understanding is that you can state what authorized/legitimate access is and I can state that you saw the message.

      Apparently there have been cases where a defendant used the 'it said welcome, please login' defense and w
    • In short, the court found that sites on the Internet implicitly allow open access unless they explicitly state otherwise.

      Does this judegement have any effect on deep linking, I wonder? Maybe not for the person that posts the link, but what about the person who follows that link, which may be against the explicit rules of the website?.

      That said, if I connect to a ftp server and ask to log in, that to me is an explicit request for access. If the ftp server says okay, then isn't that granting explicit permis

  • Auto-Summarize (Score:2, Informative)

    by Anonymous Coward
    A scraper is basically a robot that goes through one's site and grabs content. Apparently, it was a suped up scraper since it used knowledge from former employees. Like someone at google tm who knows how to decipher the google tm page rank hash code. Quote "The panel held that the use of the scraper tool exceeded the defendants' authorized access to ef's website because (according to the district court's findings for the preliminary injunction) access was facilitated by use of confidential information obta
  • by augustz ( 18082 ) on Friday December 17, 2004 @03:02PM (#11119164)
    The amount of analysis Groklaw reviews SCO's claims with is like taking a jackhammer to a microbe.

    3,000 words, 100 comments. Yes you destroy the microbe, but...

    SCO is always good for a laugh, but I have to smile at groklaw too.

    • >> The amount of analysis Groklaw reviews SCO's claims with is like taking a jackhammer to a microbe.

      I disagree. In the legal world, the playing field is leveled, because both sides must be given the opportunity to prove their case (regardless of how nonsensical it may seem outside the courtroom, and assuming of course that the argument has legal grounds to be made) -- you absolutely cannot leave anything to chance or assume anything. If you leave something implied or overlooked, there's a good c
  • SCO's strategy (Score:4, Interesting)

    by vlad_petric ( 94134 ) on Friday December 17, 2004 @03:02PM (#11119168) Homepage
    ... is what I call the spreadshit approach. Pretty much like a student who has no idea what to write on an exam, and out of desperation writes whatever he/she can think of (and prays to the God of Partial Credit), so does SCO try every possible judicial technicality (no matter how preposterous it is) to delay the final judgement.

    Just keep in mind that they're not here to win. Their purpose is to drag Linux through legal mud for as long as they can, allowing their overlords MS to spread even more FUD.

  • by Ashtead ( 654610 ) on Friday December 17, 2004 @03:22PM (#11119381) Journal

    Now, the purpose of setting up a http server is to distribute some kind of information to the world at large. And maybe accept some information, like Slashdot and a lot of other sites do.

    Similarly, if someone sets up an anonymous ftp server they would also be perceived as doing this in order to distribute and maybe also receive information, to and from the world at large. Same thing really.

    Now since SCO did just that, how can they then expect to be able to come afterwards and say that IBM shouldn't have looked at their site and downloaded the stuff they had to offer?

    Makes no sense to me. One would expect a minimum of "due diligence", such as maybe using a locked-down ftp server with access to only authorized users, if their information was not to be made public and available to world+dog..

    But what SCO is on about looks to me like posting a notice with tear-off tabs on a wall somewhere public, where everyone and anyone go by, and then claim some kind of infringement ("unclean hands") from certain people reading this posted text and tearing off a tab.

    IANAL, YMMV etc...

    • You said "maybe using a locked-down ftp server". Thing is, SCO has a history of not being the most competent at administering their own web site. So they put on some "technical access controls" that don't actually work. Then they claim that IBM "hacked" because they "bypassed" the technical access controls...
    • One might suppose that SCO's internal IT
      staff (or contractors) MIGHT arguably have
      mistakenly posted confidential information
      on THE internet, as opposed to THEIR intranet.

      The public, visiting this site and reading
      confidential information, or perhaps D/Ling
      F/OSS packages from their FTP site, would
      have absolutely NO WAY to have prior knowledge
      of the difference. The responsibility (IANAL)
      would/should fall upon SCO for due diligence
      of their(?) IP, and not upon the public at
      large.

      While I did not RTFA (yet), it
    • Now, the purpose of setting up a http server is to distribute some kind of information to the world at large.

      This is the most common purpose, but certainly not the only one.

      It's also quite common to use a http server to distribute information only to customers who have paid. For example, most online porn is distributed this way.

      One would expect a minimum of "due diligence", such as maybe using a locked-down ftp server with access to only authorized users, if their information was not to be made publi

      • True enough, there are plenty of http-based systems that allow only approved customers to download data or code.

        However, that would also imply some kind of record-keeping on behalf of the code's owner, that they would need to record who did download what, and when, in order to issue correct bills for that service, or at least have some kind of idea as to how popular their software is.

        To me, an empty dialog-box which lets anyone and everyone past doesn't seem to be much different than anonymous FTP where

  • by IgLou ( 732042 ) on Friday December 17, 2004 @03:42PM (#11119593)
    Ok, so I have files open to the public on my website but since you downloaded them I change my mind and say you're in violation of the CFAA?? Then why did you have them up in the first place??

    Isn't that entrapment to put someone into a situation that could cause them to break the law? Don't we tell law enforcement that this is exactly the type of thing you're not allowed to do.

    I sincerely hope this gets thrown out. Because I'm really wondering if I made the best choice in procreating.
  • The judge's precedent in the linked opinion (assuming I read it right. IANAL) is really restrictive because it requires that somebody read the terms of use for every website to be sure that they're not running afoul of the CFAA. This makes it impossible to use any sort of tool to crawl the web and extract information unless you've read the terms of service on all the sites before you crawl them. With the so-called "semantic web" finally coming around, this would be a gigantic setback.
  • This is an interesting question ...

    How is connecting to an FTP server, performing a valid anonymous login, and retrieiving a file, qualitatively different than r00t-kitting someone's server and slurping whatever you can find?

    Sure - it seems clear as night or day to you or I, but say it in a way that will stand up to judicial review, and keep in mind that the SCOTUS takes a dim view of statutes that include "Go ask Slashdot"...

    Now, run the following gray-area test-cases against that statute, and see

    • I agree with you, but may I add that if the Supreme Court did spend some time on Slashdot (or back in school, learning to understand the vitally important technological underpinnings of industrial civilization) they might be better prepared to make judgements regarding the technologies we're always discussing here. If at least one Supreme Court judge were required to be an engineer or hard scientist, issues about file-sharing, encryption, or any other {insert favorite disruptive technology here} would more
    • They're both authorised, since there is no access-control mechanism, or a statement saying that you can't. If you were to put a thing on your site saying no deep linking, then that would be unauthorised access, but if not, then it's authorised.
    • How is connecting to an FTP server, performing a valid anonymous login, and retrieiving a file, qualitatively different than r00t-kitting someone's server and slurping whatever you can find?

      Intent. If you intended to leave this FTP site open to the public, it's assumed that anything which is on it is fair game to download.

      Let this be a lesson: Don't open an ftp site and then upload naked pictures of your girlfriend to it and then bitch about it when people log into your public site and download them. ;)
  • By reading any portion of this comment, including its title, you agree to the following Terms of Service (TOS):
    1. You will exercise due respect for the posted comment and the posting author:
      • You will only exercise moderation powers upon this comment in ways that enhance the author's karma. Funny, Troll, Overrated and other non-karma-enhancing moderations are a violation of the TOS.
      • You will only post replies to this comment that are supportive, complimentary, and/or friendly. Comments that contradict, r

Keep up the good work! But please don't ask me to help.

Working...