Tuesday, August 20, 2013

Public websites can be blocked from specific parties, according to court ruling on CFAA

Electronic Frontier Foundation has a story about CFAA, the Computer Fraud and Abuse Act, about the authority of the owner of a website that is publicly available to block access from a specific other party or person.  It’s possible to do this technically by blocking IP addresses under “HTA Access” in Apache server, for example.
In a court case where Craigslist had sent 3Taps a cease-and-desist and then blocked its IP access, the court ruled that access to a public access can be revoked at the discretion of the website owner or publisher in this manner. 

“3Taps” has a statement about the matter that the visitor sees when accessing the site, here

But EFF argues that it should not be a crime to access the site from another IP address.  Parties often change IP addresses for a variety of legitimate reasons, or may have multiple telecommunications services, or may move.  Apparently the Court did rule that it's illegal for a user to "hide" an IP address or even manually disobey a cease-and-desist.  The EFF story by Hanni Fakhoury is here

It would sound possible for this case to matter in some unusual situations, such as stalking, building unauthorized fan sites, or possibly causing DOS or unusually high volumes against a site (enough to disrupt other users or increase costs) or advertisement fraud.   Some consultants in the ad business expect website operators to watch for such activity.  That goes against the usual courtesy in the physical publishing world, where a publisher has no right to know who has purchased his book or borrowed it at a public library.  But the government might try to claim such a right, and as we know from recent news stories, that can be a problem!

This ability (to block access to an entire user) is totally distinct from the idea of disabling or removing a specific user's account from a site requiring login, lke social media, a forum, etc. (as for a TOS issue). 

No comments: