Cloak Your IP Address, Expose Yourself To Legal Jeopardy?

by on

One of the oldest networking tricks in the book may also be one of the newest digital crimes in it. And you may have to commit this particular trespass to get access to your online purchases.

On Friday, a district judge ruled that Craigslist could legally deny access to its site from a San Francisco Web-development shop called 3taps that helped others sites provide custom interfaces to Craigslist listings–and that 3taps had no right to circumvent that block with a proxy server that cloaked the Internet Protocol addresses of its computers.

The opinion in Craigslist, Inc. v. 3Taps, Inc. from Judge Charles R. Breyer of the U.S. District Court for the Northern District of California, turned on the Computer Fraud and Abuse Act.

The CFAA has been many people’s least-favorite Internet law–a prosecution under it apparently led Internet activist Aaron Swartz to hang himself last winter–for its absurdly generic definition of computer trespass.

In particular, subsection (a)(2) of this 1986 law targets anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains [….] information from any protected computer.”

Judge Breyer’s opinion essentially shrugs in agreement with phrasing that exhibits the regrettable combination of being overly broad and clearly written.

As he noted: “Congress apparently knew how to restrict the reach of the CFAA to only certain kinds of information, and it appreciated the public vs. nonpublic distinction–but §1030(a)(2)(c) contains no such restrictions or modifiers.”

And since Craigslist named 3taps in a cease-and-desist letter before blocking its computers’ IP addresses, that settles it.

But what if a site doesn’t address people by name when telling them to go away?

Bring up the “Live Streaming” page of the news network Al Jazeera. Until Tuesday, you could watch real-time video of its English-language coverage. Now it tells would-be Web viewers that the feed “is no longer available in the U.S.,” thanks to its launch of a new, U.S.-market cable and satellite channel called Al Jazeera America.

That statement is, strictly speaking, false. The old feed is very much available in the U.S. to anybody who uses a proxy server. I installed one such program, AnchorFree’s Hotspot Shield, opted into a free trial of its “Elite” service, selected a United Kingdom IP address, and moments later was watching “AJE” live online.

Was it a CFAA violation to route around AJA’s decision to block U.S. Web streaming in favor of a smaller but possibly more lucrative pay-TV audience? By the text of this law, one could argue yes.

Now consider Georgetown University professor Jim O’Donnell, who encountered a glitchy update to an e-reader program on his iPad while traveling in Singapore. O’Donnell wrote on a mailing list that after this Google app had updated itself, “all of my books had un-downloaded and needed to be downloaded again.”

Except they wouldn’t in Singapore, because Google’s e-bookstore doesn’t do business there.

O’Donnell had the luck to have only lost free, public-domain titles, so he could visit the Internet Archive’s collection of out-of-copyright titles to download new copies.

But if this glitch had taken out purchased books, his easiest and fastest remedy would have been to jump on a proxy server that would give him a U.S. IP address.

It’s hard to think of an online retailer so stupid as to sue its own customers for using a simple workaround to recover access to their own purchases. But companies have been known to be dumb on the Internet.

And the CFAA doesn’t say you have to be an elite hacker to be guilty of computer trespass. It just says you have to connect to a server without permission or without sufficient permission; as crazy as that seems, it requires no special trickery or exploits on your behalf.

In other words, the CFAA–even more so than the unbalanced anti-cirumvention provisions of the Digital Millennium Copyright Act–is Congress’s gift to commercial control-freakery. It allows private actors to draw a line wherever they see fit, then bring the hammer of criminal prosecution down upon those who would step over it. Great business if you can get it, but I can think of many better uses for my tax dollars.

  • Jeff Yutzler


    This is not a ruling. It is a denial of a motion to dismiss. I agree that a final ruling in favor of the plaintiff would be bad for a number of reasons but this panic is premature. We aren’t there yet.

    Here are sample quotes from laywers on another board:

    “I don’t usually find 12(b)(6) denials all that interesting. Just means the complaint was drafted by a competent lawyer who was able to allege facts that, if proven, would result in a cause of action.”


    The judge merely denied the defendants’ Rule 12(b)(6) motion. Craigslist sued 3Taps Inc, et al., claiming that they violated the Computer
    Fraud and Abuse Act (CFAA) and Section 502 for the California Penal
    Code. The defendants moved to dismiss Causes of Action 13 and 14 from
    the plaintiff’s first amended complaint pursuant to Federal Rule of Civil
    Procedure 12(b)(6) based upon alleged “failure to state a claim upon which relief can be granted.”

    All the district judge did on Friday was to deny the defendants’ Rule 12(b)
    (6) motion. As the judge noted in his opinion:

    “A motion to dismiss under Rule 12(b)(6) tests the legal sufficiency of the
    claims alleged in a complaint….’Detailed factual allegations’ are not
    required, but the Rule does call for sufficient factual matter, accepted as
    true, to “state a claim to relief that is plausible on its face.’…’A claim has
    facial plausibility when the plaintiff pleads factual content that allows the
    court to draw the reasonable inference that the defendant is liable for the
    misconduct alleged.’…In determining facial plausibility, whether a
    complaint states a plausible claim is a ‘context-specific task that requires
    the reviewing court to draw on its judicial experience and common
    sense.’…Allegations of material fact are taken as true and construed in
    the light most favorable to the non-moving party.”

    As you can see from these standards, it is pretty rare for a judge to grant
    a defendant’s Rule 12(b)(6) motion, and a judge’s denial of such a motion
    tells us little about whether the plaintiff will ultimately be successful.
    Therefore, the judge did not find that there was a CFAA violation. Instead,
    he simply found that Craigslist stated a plausible claim that such a
    violation occurred.

    • Rob Pegoraro

      I didn’t call it a ruling; that word isn’t anywhere in the post. I did use the verb “ruled,” and you can call that usage sloppy (I’m one of the token non-lawyers on this blog). But: Do you disagree with Judge Breyer’s uncomfortable reading of the CFAA? Do you not see this as one of the more elastic tech-policy laws ever enacted?

      • Jeff Yutzler

        Honestly I have no idea how the law will be interpreted. There are a wide variety of uses for proxy servers ranging from benign to fraudulent. Where will they draw the line? Will it be reserved for egregious cases or used as a weapon like when the RIAA was suing grandmothers for using Napster? I will be anxiously awaiting to see what the judges ultimately decide.

  • adrianclose

    meanwhile, all the big players in the United Kingdom effectively cloak all their users and their devices by refusing to supply static IP addresses.

    service providers lease IP’s and dynamically (randomly) assign them to their users who can become in receipt of different IP’s every time they log onto the internet.

    IP addresses could be a most effective law enforcement tool, but in the UK, they have been rendered useless for this purpose.

    geoIP technology could be a most effective tool too, but again, the big boys deny this advantage to their customers.

    American websites which ban errant users by IP are doing themselves a disservice, by potentially banning thousands of prospects at a time

  • adrianclose

    continued.. i have lost track of the times i have been redirected to local services 200 miles away from my location.. because of geoIP.

    and recently i was urged by a review site to encourage users of my own services to post reviews on the site. but because many of those reviewers were on a campus, outside the US, they all had the same ip address.. so the site deleted those items. and google play did the same thing to reviews of my android app… so i have once loyal users who have been turned away from my social enterprise by the actions of a handful of idiots. none of whom allowed any right of reply/appeal.

    so whatever anyone in the US does in relation to the internet, they should think very carefully about the rest of us -especially if US companies want our business.