[HN Gopher] Using a VPN could become a criminal offence under ne...
___________________________________________________________________
Using a VPN could become a criminal offence under new CFAA
interpretation
I am surprised this is not discussed at all on Hackernews, but in
the ongoing "hiQ Labs, Inc. v. LinkedIn" case, Linkedin is arguing
that "intentionally and knowingly bypassing an IP block" is an
exceed authorized access and qualify as a criminal offence. That's
because in their opinion they are allowed to put the "gate down"
for some users on an otherwise publicly accessible website. If the
court follows this argument using a VPN to get access to content
that is otherwise blocked in your country through an IP Block for
example could become a criminal offence as well. Hearing link:
https://www.youtube.com/watch?v=tUkoHeiPGQw
Author : janmo
Score : 293 points
Date : 2021-11-01 11:42 UTC (11 hours ago)
| suifbwish wrote:
| Wouldn't the nature of a vpn make this kind of difficult to
| enforce?
| iamthirsty wrote:
| I'd think they'd block certain well known VPN services IPs, no?
| sharemywin wrote:
| The biggest question would be what is my IP versus one that's not
| mine?
| LanceH wrote:
| They have the relief of whitelisting IP's. Have at it :)
| infogulch wrote:
| Wow this is the same case that came up two years ago, where
| LinkedIn tried to argue that a violation of the ToS was CFAA.
| "Court: Violating a site's terms of service isn't criminal
| hacking" [0]. I made a comment at the time [1]:
|
| > So Microsoft chose a method of authorization that is unfit for
| the purpose of keeping people they don't want to have access out
| of their system. "But but but how else would they keep people
| off?" I don't know, but it doesn't matter. Make people sign a
| contract under supervision of a notary, or validate their drivers
| license, or whatever. _The fact that Microsoft is too lazy to
| implement a solution that effectively implements their desired
| policy isn 't material to what the actually implemented policy
| enables._
|
| [0]: https://news.ycombinator.com/item?id=22738180
|
| [1]: https://news.ycombinator.com/item?id=22745104
| rolph wrote:
| https://www.eff.org/deeplinks/2019/09/victory-ruling-hiq-v-l...
| [2019]
|
| https://en.wikipedia.org/wiki/HiQ_Labs_v._LinkedIn
| newshorts wrote:
| Good luck with that.
|
| You'd have the largest tech companies in the world fighting it.
| arnmac wrote:
| What a world we live in! Just read how shoplifting isn't worth
| prosecuting so it isn't a "crime" anymore. Now using a VPN is.
| Yeah!
| em-bee wrote:
| could you provide links to the case please
| janmo wrote:
| Hearing here: https://www.youtube.com/watch?v=tUkoHeiPGQw
| sandworm101 wrote:
| >> VPN to get access to content that is otherwise blocked in your
| country through an IP Block for example could become a criminal
| offence as well.
|
| Yes. Accessing material that has been deemed illegal enough to be
| the subject of a country-wide block is generally going to be a
| criminal offense. We might all hate censorship, but the people
| who write the censorship laws are the same as the ones writing
| the criminal laws. If you are using technology to bypass blocks
| imposed by your local government, you are probably some sort of
| criminal in the eyes of that government.
|
| This is why I don't like people who casually advise people facing
| a block to "just use a VPN". Doing so might put them in danger.
| FateOfNations wrote:
| From the context, (CFAA, a US law) "VPN to get access to
| content that is otherwise blocked in your country through an IP
| Block" wouldn't be referring to using a VPN to bypass blocks
| imposed by "your local government" or censorship-related
| issues, but rather circumventing blocks imposed by US-based
| content providers.
|
| Hypothetical scenario: User outside the United States uses a
| VPN to access US Netflix content. In doing so, have
| circumvented Netflix access control mechanism and are accessing
| the Netflix's computer systems in an unauthorized manner.
| Unauthorized access to computer systems is a violation of the
| CFAA. Accordingly, the foreign user is potentially liable for
| felony criminal charges in the US, just the same as they had
| "hacked" any other computer system in the US.
| lugged wrote:
| Read OP quote again, parent missed the part that shows this
| is what they are talking about.
|
| >> If the court follows this argument the ...
|
| Op is referring to precedent potentially being set, but I'm
| not sure it would actually apply in practice. (Different
| laws)
| paul_f wrote:
| Felony obstruction of Netflix's business model? :-)
| matheusmoreira wrote:
| > the foreign user is potentially liable for felony criminal
| charges in the US
|
| US law does not apply to non-US citizens. How could a
| foreigner possibly be liable for anything?
| falcolas wrote:
| So long as you don't set foot on US soil, or piss off
| someone enough to get extradited.
|
| Being a foreigner is often enough to avoid the punishment,
| but it's not enough to be exempt from the laws.
| matheusmoreira wrote:
| What the hell? You're telling me some foreign national
| could actually be extradited to the US over VPN IP
| nonsense? As if this was as bad as drug trafficking?
|
| I just checked my country's laws. Looks like
| international drug trafficking is the only reason allowed
| for extradition. Good to see the people writing these
| things have some common sense.
| falcolas wrote:
| It's worth remembering that Mega's founder, Kim Dotcom,
| is still fighting off extradition attempts for Copyright
| infringement from New Zealand.
| mellavora wrote:
| The F it doesn't. You are correct that it can be nebulous
| to apply it to people not currently physically present in
| the US due to jurisdictional limitations, but there are
| numerous exceptions.
| jmcs wrote:
| The UK already deported one of their citizens to the US
| over hacking (https://www.theguardian.com/technology/2006/j
| ul/07/news.usne...), so it depends on how much of a
| backbone your country has.
| popotamonga wrote:
| What? Law applies to the country.
| Dracophoenix wrote:
| Here's one example:
|
| https://www.zdnet.com/article/us-charges-greek-national-
| for-...
| thomastjeffery wrote:
| Better hypothetical scenario:
|
| User _inside_ the United States uses a VPN to access foreign
| Netflix content.
| OliverJones wrote:
| Country-based IP blocks at content providers (Netflix, other
| streaming services) relate to their content licensing. They
| may have purchased the rights to distribute the film in
| question in the US, but not in Spain, for example. Sure,
| information wants to be free. But films cost real money to
| create, and the streaming services have a duty to the people
| who provide their content.
|
| Just sayin'
| pieno wrote:
| > Accessing material that has been deemed illegal enough to be
| the subject of a country-wide block is generally going to be a
| criminal offense.
|
| That's not the issue discussed here, I think. We're not talking
| about someone circumventing censorship in their own country
| (which is obviously illegal in your own country).
|
| What we're talking about here are IP-based country filters
| imposed by websites such as Netflix or BBC iPlayer, restricting
| visitors from certain countries to access all or certain
| content. Circumventing that filter by using a VPN (thereby
| masquerading as someone in a "permitted visitor country") is
| obviously going to be a breach of the terms & conditions of
| that website and/or license conditions of content made
| available. But the argument apparently raised by LinkedIn in
| this case is that this is also a criminal offence of gaining
| unauthorised access to systems (I.e. legalspeak for what's
| colloquially referred to as "hacking"), which would likely lead
| to (more severe) prosecution and punishment.
| lifeslikethis wrote:
| It's always good to do research about VPNs before using/buying
| them, especially if you're not in the US.
| syshum wrote:
| Well in the case in question is a US case, based on US Law, and
| using CFAA to get around the 1st amendment is indeed scary and
| should be given more weight than a causal dimssial of "well we
| hate censorship but...." which calls in the question if you
| really even hate censorship... I have my doubts
|
| Beyond that this is CLEARLY a bad reading of CFAA, recent US
| Supreme Court rulings have shown they would prefer a narrow
| reading of the law instead of a broad one so I hope the lower
| court recognizes this and shots LinkedIn Down.
| nextlevelwizard wrote:
| Title is bullshit
| janmo wrote:
| Unfortunately I cannot change the title, but this one would be
| the most accurate: "Using a VPN to bypass a GeoIp block could
| become a criminal offence under Linkedin's CFAA interpretation"
| nobody9999 wrote:
| >Unfortunately I cannot change the title, but this one would
| be the most accurate: "Using a VPN to bypass a GeoIp block
| could become a criminal offence under Linkedin's CFAA
| interpretation"
|
| I'm a little confused by that interpretation of the specific
| case in question (Hiq Labs v. LinkedIn).
|
| IIUC, LinkedIn isn't doing GeoIP blocks (AFAIK, the San
| Francisco bay area is not being blocked by LinkedIn, just HiQ
| Labs' IP range).
|
| What's more, HiQ Labs is scraping _publicly available_
| content. Most GeoIP blocking (such as Netflix /BBC, etc.) is
| done to keep _subscribers_ from accessing content that the
| provider isn 't licensed to provide in the location where the
| connection originates.
|
| Even more, accessing such content even if you are in a
| location where that content is available requires a login
| (i.e., isn't _publicly available_ ) to access that content.
|
| I don't see a parallel here.
|
| As such, I'm not sure how the result here (either way) could
| impact the use of VPNs more broadly.
|
| Then again, IANAL and may well be missing something.
|
| If you'd expound on your reasoning around this, it would be
| greatly appreciated. Thanks!
|
| Edit: Fixed typo.
| PeterisP wrote:
| It's not being talked about because there's no evidence of "new
| CFAA interpretation" until _the court_ says something like that.
| It 's very common for parties to try and argue all kinds of
| extreme interpretations of law that might favor their case, with
| the expectation that it most likely will be refused but hey, it's
| worth to try; but they are not newsworthy until/unless the court
| actually considers the argument as valid.
| bitwize wrote:
| This is like when Oracle argued that APIs can be copyrighted.
| Nobody was scared until the CAFC agreed.
| JumpCrisscross wrote:
| > _This is like when Oracle argued that APIs can be
| copyrighted. Nobody was scared until the CAFC agreed._
|
| Which is the appropriate time to get scared. If you took half
| seriously the bogus theories that are floated in legal
| complaints, even restricting one to those penned by reputable
| lawyers, you'd swiftly conclude your car is a hippopotamus.
|
| Ours courts are adversarial. Both sides are trying novel
| arguments. Through this, the law is actually strengthened--
| the court dismissing the argument leaves a precedent where,
| previously, there may not have been one.
| notTheAuth wrote:
| So only after it's precedent and harder to undo then does it
| matter?
|
| This is basically saying there's no point in testing software,
| ship every line to prod and see what happens.
|
| This is exactly the kind of political ennui the system
| purposely tries to inculcate. Not fine grain mind control, but
| indifference.
|
| Laws dictate acceptable social agency. One might think we'd
| take what ends up in them at least as seriously as rich man's
| busy work.
| PeterisP wrote:
| It would be appropriate to start such a discussion once a
| single court ever has accepted such an argument and it gets
| appealed and starts a years-long process where it _might_
| become precedent for some wider area; it would be absolutely
| ridiculous to consider every theory put forth by a litigating
| lawyer as worth of a public discussion - I mean, there are so
| many of them and usually the judges shoot many of them down
| without a discussion because it 's not worth a discussion
| even for the people it directly affects, much less general
| public.
| notTheAuth wrote:
| Replies seems to be of the perspective I was suggesting we
| target courts proactively.
|
| I don't think anything I wrote constrains public response
| to lobbying courts. We could lobby to legislate open access
| to privacy tech and encryption.
|
| One of the big papers wrote today how state legislatures
| are effectively gerrymandered for one party or the other.
|
| There's a whole lot of political effort the public could
| participate in that would prevent ideas like this specific
| one from getting beyond a back room rant between elected
| officials.
|
| And frankly it wouldn't have to impact our real logistics
| at all; we could collectively take ownership of our own
| agency and refuse to login unless legal ownership is
| reassessed.
|
| The internet community seems to have forgotten SOPA
| blackouts worked.
|
| The political reality is not accepting the literal one; a
| real majority with nothing to lose is quickly losing
| patience with the real minority gaming everyone's society.
| Aeolun wrote:
| What do you think will happen if you start campaigning
| against a certain interpretation of the law now?
|
| The court will still decide based on what is actually written
| down.
|
| If it needs to be changed that has to come from the
| politicians.
| FDSGSG wrote:
| notTheAuth is a pedophile! What are you going to do to fight
| this? Maybe it's just not something worth pursuing?
| tombert wrote:
| I understand the point you're trying to make (e.g. making a
| hyperbolic claim and leaving the onus on the accused to
| disprove it), but I think if you wanted to avoid downvotes
| while making the same point, you might have better luck
| saying something like:
|
| > How would you feel if I said "<username> is a pedophile!
| What are you going to do to fight this? Maybe it's just not
| something worth pursuing?"
|
| And then spend a bit of time explaining why this reasoning
| doesn't make sense to you. I'm a relative veteran of HN and
| even I had to do a double-take because I thought you were
| genuinely accusing the person of being a pedophile.
| FDSGSG wrote:
| Honestly, I really hope that I don't need to explain the
| logic behind my comment. It should be obvious to anyone
| willing to spend more than a couple of seconds thinking
| about it. I would hope that on HN we'd actually try to
| read and understand the comment we're voting on.
|
| Of course I'm being overly optimistic, but I'd prefer to
| be naive and wrong than cynical and right.
| tombert wrote:
| Sure, and as someone who grew up on Something Awful and
| 4chan I'm not familiar with the concept of hyperbole and
| sarcasm, but keep in mind that a lot of people on HN
| speak English as a second language, or just have more
| trouble picking up on sarcasm in general, and as such it
| might come off as a legitimate accusation.
|
| I'm not trying to be the tone police, I don't really
| care, I was just explaining why you might have been
| downvoted. Take my statements with as large of a grain of
| salt as you would like.
| FDSGSG wrote:
| English is a third language for me, I would expect that
| regardless of language _everyone_ can understand the
| concepts of sarcasm and irony if they 're willing to
| spend any time thinking about what they are reading.
|
| There's literally zero context to suggest that I might be
| serious in accusing another poster of being a pedophile,
| even if they were it wouldn't make sense for me to
| randomly drop that.
| tombert wrote:
| > There's literally zero context to suggest that I might
| be serious in accusing another poster of being a
| pedophile, even if they were it wouldn't make sense for
| me to randomly drop that.
|
| Sure, but I think you're overestimating the integrity of
| the internet if you think that people don't just drop
| random pedophile accusations for folks that they disagree
| with. I'm not saying it's "fair", because I get that you
| were just trying to make a rhetorical point, but I'm
| saying that people on the internet are often douchebags,
| ruining a lot of the fun for us. I love edgy humor and
| sarcasm, between my wife and I we make a ton of off-color
| jokes, but I usually keep those offline because I don't
| want to group in with the awful people who misuse them.
| splistud wrote:
| Whether or not you're serious, and forgetting the
| salaciousness of your satire, there's the point about how
| completely irrelevant it is as an analogy to what is in
| question
| tphyahoo2 wrote:
| I think it's common for non-neurotypical folks to
| struggle with sarcasm and irony. Even for neurotypicals,
| it can go over your head because it's hard to tell tone
| from a text.
| notTheAuth wrote:
| Leon Cooperman was quoted today as saying if people don't
| follow along with billionaires they'll deviate into
| unnatural behavior.
|
| If that guy and anyone who believes the masses kowtowing
| to politically insulated old men LARPing Alexander the
| Great is natural, we're doomed.
|
| This is what we are now; low effort taxonomists,
| defending syntactic hierarchy when we know there is no
| center of reality.
|
| Maybe the neuro-typicals are the real problem? The ones
| who have hierarchical visuals put in front of them their
| whole lives, who can then only repeat "this is the way".
| Seems like a sure fire way to improve the probability
| taxes won't go up, which exactly why Cooperman was
| interviewed; reiterating the hierarchy.
|
| I really want to play Lemmings for some reason.
|
| Borrowing from Greer's "code the perimeter, not the area"
| we need a new political perimeter. Humans know the value
| of technology now. We don't need old geezers to confirm
| what we can all see and touch for ourselves.
| sokoloff wrote:
| The _default_ interpretation of written language is
| direct rather than ironic or sarcastic.
|
| With "there's literally zero context to suggest...", it's
| not unreasonable for some to conclude that you were being
| serious (particularly in light of the general decline of
| "comments online always make sense in context, so if it
| doesn't, you should read deeper")
| notTheAuth wrote:
| There's little context to say the opposite either, which
| is really the whole problem.
|
| It may not be so black and white but you didn't really
| help readers lean the way you wanted.
|
| The only takeaway for you here is, culture and language
| aside, the science of it is that to everyone else you are
| 1 of 7 billion; the internet as a network is not capable
| of distributing your emotional uniqueness and even then,
| we each have our own; why import yours?
| jasonlotito wrote:
| > I would expect that regardless of language everyone can
| understand the concepts of sarcasm and irony
|
| And I feel it's fair for someone like you on HN to accept
| fair criticism of their comments.
|
| > English is a third language for me
|
| I would expect you'd still understand the point being
| made and understand it's not about you, but about many
| others, and just because you understand sarcasm or irony,
| others might not who aren't as well skilled in English.
|
| > There's literally zero context to suggest that I might
| be serious in accusing another poster of being a
| pedophile
|
| Except for the fact that it's a serious accusation that
| one does not make lightly, and so it's fair to assume no
| one would simply drop that in civil conversation.
|
| Basically, take the lessons and learn from it and stop
| arguing.
| gizmo686 wrote:
| Trial courts do not set precedent. The only way precedent
| will get set is if this arguement is taken up on appeal.
| curryst wrote:
| It's just not that dire yet.
|
| For one, the court hasn't ruled yet. This is purely LinkedIn's
| argument, and they're allowed to argue anything they want. They
| could argue that hiQ isn't allowed to access their service
| because the company name doesn't start with a capital letter if
| they wanted to. They wouldn't win, but they could make the
| argument.
|
| Secondly, if you read the context of the case, this is not a
| situation a normal person is at all likely to find themselves in.
| hiQ was specifically sent a cease and desist, which is why
| "bypassing an IP block" is couched in "intentionally and
| knowingly". IANAL, but a follower of the law, and my layman's
| reading of that is that LinkedIn is intentionally scoping this to
| only target subjects that have previously been sent a cease and
| desist.
|
| And finally, even if they did do that, it's unlikely to impact
| VPNs for streaming. I severely doubt that any first world country
| would extradite one of their citizens to the US to face charges
| for bypassing an IP block.
|
| Within the US, I still doubt the charges would be used like that
| even if they could. I don't think this is something the FBI is
| going to spend resources on proactively tracking, so it would be
| up to Netflix et al to push the cases. I really strongly doubt
| they would do that. "Paying Netflix customer sued by Netflix for
| watching content he wasn't supposed to" is a really bad PR
| headline, and it's mainstream-adjacent enough to get picked up by
| major news networks. That's a really hard story to spin, and I
| strongly suspect the bad PR would cost much, much more than
| people try to avoid region-locks (who are likely to just pirate
| it if VPNs become CFAA-able).
| bellyfullofbac wrote:
| The tone of your question is odd, "I'm surprised..." is usually
| followed by a mention of "MSM" and a hint of "They're censoring
| discussions!".
|
| But well, for the people too lazy to google:
| https://h2o.law.harvard.edu/text_blocks/30226 . The only mention
| of IP I could find was:
|
| > The Ninth Circuit found a CFAA violation where "after receiving
| written notification from Facebook" Power Ventures "circumvented
| IP barriers" and continued to access Facebook servers. Id. at
| 1068. In short, Power Ventures accessed Facebook computers
| "without authorization."
|
| IANAL but I would only worry about a criminal offence after
| getting a written warning...
| dfstorm wrote:
| Well... first it's not a << public >> website; like Facebook and
| Google, you connect to a privately owned server and, while the <<
| path >> is public, the server you contact isn't. So they are well
| within their right to block anyone.
|
| But trying to make illegal a way to bypass their security is a
| really dangerous way and if they win, then many, many, privacy
| tech would have a problem.
|
| Hope the judge know how to use a computer and understand the
| implications...
| grumple wrote:
| If I mail you a letter and you send a letter back, have I
| hacked your house? Let's say you don't respond, and I send my
| letter with a different return address and then you respond.
| That's basically what is happening here.
|
| If you don't want people sending you letters, get rid of the
| mailbox. For tech, close your ports. If you don't want to send
| information out, stop responding to the letters (or packets).
| ravenstine wrote:
| I really wish that every legal professional and judicial
| administrator had some rudimentary computer science knowledge.
| Having friends whom are lawyers, I can tell you that most of
| them don't have any meaningful understanding of technology
| becauae they spend so many years of their career heads down on
| what is effecctively paperwork. They know enough to realize how
| bass ackwards their industry is when it comes to tech, but if
| you asked them if webpages are encrypted they would have no
| idea and would probably assume they are not.
|
| We are headed for a more authoritarian future if those making
| law or making judgments only see privacy tech as fringe and
| criminal, or have little meaningful underatandiing of it.
| edejong wrote:
| It would start with us software engineers to be more exact in
| our communications. For an engineering discipline, we're
| terrible at it.
|
| Take your example. I don't know whether a web page is
| encrypted. I do however know whether the transmission of one
| request of some website contents to a specific web browser
| is. But that won't yet tell me whether the communication
| between me and the website has stayed confidential between
| the intended parties (which is probably what you're
| interested in).
| ravenstine wrote:
| Whether data through an encrypted channel remains
| confidential isn't really relevant to my point. I didn't
| say "confidential", I said "encrypted". The distinction you
| are making with encryption and confidentiality seems
| conflated; if the channel is uses encryption, then the data
| is by virtue encrypted. It's another story if we are
| talking about data arriving from any channel with another
| layer of encryption for confidentiality.
| Dylan16807 wrote:
| It's basically meaningless to talk about whether
| something is encrypted without the "from who" factor.
| Otherwise you might as well rot-13 it. If you want to use
| such a narrow definition of 'encrypted', then it doesn't
| matter if the lawyer knows the answer.
| ravenstine wrote:
| No, the answer is way simpler than you are making it out
| to be.
|
| Is the data in a TLS connection transformed in such a way
| that it would make it difficult for an intermediary to
| figure out the plain information being sent?
|
| If so, the data is in fact _encrypted_. Where are you
| getting this idea that encryption is more than that? That
| is by definition what encryption is, and everything else
| is just approaches and security layers on top of it. You
| don 't have to like the encryption method, you don't have
| to care who it's from, you don't have to care about
| anything else. Encryption is encryption even if it's as
| pointless as a caesar cipher.
|
| And yeah, there's things like certificates and CAs with
| HTTPS, but that's totally secondary to the encryption
| part. No one would bother with HTTPS if it couldn't
| establish encrypted connections.
|
| If a lawyer or a judge doesn't understand that they
| themselves are frequently using encryption when they use
| the internet, that's a problem. They don't need to care
| about the nitty gritty details that you and others bring
| up. If they view encryption as something that only bad
| guys use, why should they be a part of the judicial
| system in the year 2021?
| Dylan16807 wrote:
| 'difficult' is uncomfortably vague here. Lots of
| transforms happen to the bits that might make them
| difficult to figure out even without encryption. Many of
| them don't _intend_ to keep people out, despite them
| being _more_ obscuring than a ceaser cipher!
|
| I feel like you're overdefining encryption to make a
| point, when you don't need to at all.
| tsimionescu wrote:
| I don't like this line of thinking at all. Legal
| professionals are supposed to know the law and to ask experts
| for other things. Just like a judge and jury in a murder case
| are unable to understand how DNA analysis works, they don't
| have to understand how computer systems work.
|
| The only thing worse than a judge who doesn't understand the
| first thing about computers would be a judge who _thinks_
| they understand computers but doesn 't.
| baktubi wrote:
| Hmm. You could also argue that not having understanding of
| the technology is a good thing. For instance, the judge can
| remove themselves from the details and look at it on a higher
| level.
|
| It's the job of the attorneys to make the case for or against
| using subject matter experts etc.
| wizzwizz4 wrote:
| You could argue that. However, it means that people can
| basically lie to the judges, and the judges don't have the
| background to call them out on it.
| willis936 wrote:
| The alternative to encryption really is totaltarian control
| of the internet. In order to have any level of confidence
| that the data is not tampered with you need strict security
| on every meter of cabling, every line of code, every
| transceiver, and every person involved with the design and
| fabrication of those things.
| janmo wrote:
| You are right, the actual wording they used was : "on an
| otherwise publicly accessible website". I've edited my
| submission accordingly. In law every word even every comma
| counts.
| nobody9999 wrote:
| >But trying to make illegal a way to bypass their security is a
| really dangerous way and if they win, then many, many, privacy
| tech would have a problem.
|
| IIUC, there was no attempt to "bypass security." Rather, HiQ
| Labs was scraping _unrestricted_ (i.e., not restricted by user
| ACLs) portions of Linkedin 's web platform.
|
| If any random user can access a particular web page, it's
| (IMHO) publicly available and using automated tools to scrape
| those pages is perfectly legal.
|
| In fact, such scraping is done all the time on airline, hotel
| and other websites without issue.
|
| As for VPNs, I'm guessing that LinkedIn blocked HiQ Labs' IP
| range, so they used a VPN to continue scraping the public
| pages. If my assumption isn't valid, please correct me. That
|
| IP blocks (I'm thinking geo-blocks[0] for sites like Netflix)
| are sometimes necessary for the site to at least _attempt_ to
| stay in contractual compliance with the content owners.
|
| However, that doesn't seem to be the case here. If (again, this
| is my understanding) LinkedIn is just blocking HiQ Labs' IP
| range, but no one else's, that seems (as the 9th Circuit
| originally ruled[1]) like a targeted attempt to interfere with
| HiQ Labs' business: The Ninth Circuit held
| that there was no abuse of discretion by the district
| court where the court had found that even if some
| LinkedIn users retained their privacy despite their
| public status, as they were not scraped, such privacy
| interests did not outweigh hiQ's interest in
| maintaining its business.
|
| Given that the issue here is _publicly accessible_ content as
| compared to, say, geo-blocking of unlicensed (for that
| particular region) content, there is no basis to disallow such
| access.
|
| I say this because I (or HQ Labs) could _manually_ enter all
| publicly accessible URLs at LinkedIn and copy-paste the
| returned contents.
|
| While that would be an arduous process, it's not only perfectly
| legal, it's LinkedIn's _intent_ to provide those pages without
| requiring a login -- validated by the fact they don 't require
| logins to access those pages, while they do require logins to
| access others.
|
| IANAL, but it seems to me that worrying about using VPNs
| becoming a criminal act is a tempest in a teapot.
|
| I guess we'll just have to wait and see.
|
| [0] https://en.wikipedia.org/wiki/Geo-blocking
|
| [1] https://en.wikipedia.org/wiki/HiQ_Labs_v._LinkedIn
|
| Edit: Corrected company name (HiQ vs. HiQ Labs).
| AnthonyMouse wrote:
| > IP blocks (I'm thinking geo-blocks[0] for sites like
| Netflix) are sometimes necessary for the site to at least
| _attempt_ to stay in contractual compliance with the content
| owners.
|
| The entire thing is a farce. There has never been any way to
| know where an endpoint device is
|
| And VPNs are often necessary to prevent the service from
| detecting it _wrong_.
|
| Suppose I'm currently near an international border and my
| phone picks up a tower on the other side of the border. Now
| the IP address my phone gets is listed as being in the wrong
| country.
|
| A lot of companies route all their traffic through a head
| office somewhere so they can inspect the traffic in a central
| location. It's not always in the same country where the users
| are.
|
| Suppose I'm using a VPN for privacy reasons, not to bypass
| geographic restrictions, but I want it to be in a different
| country to maximize the inconvenience to anyone trying to
| violate my privacy, so now the country listed is the wrong
| one. I would have to use another VPN to get it back to being
| where I actually am.
|
| The obvious solution to all of this is to forget about trying
| to tie locations to IP addresses, since that has never
| worked, and just ask the user's device what country it's in.
| The user can set it to a different one but that's no
| different than the status quo.
| nobody9999 wrote:
| >The entire thing is a farce. There has never been any way
| to know where an endpoint device is
|
| A good point. Note that I said: IP
| blocks...are sometimes necessary for the site to at
| least *attempt to stay in contractual compliance*
| with the content owners.
|
| I never said that such blocks were a good idea, nor did I
| say that they work.
|
| I merely suggested that such geo-blocks could be a result
| of _contractual requirements_ between the distributors and
| the content owners.
|
| Personally, I think it's dumb too.
|
| But I'm not a content distributor or content owner. As
| such, my opinion has no impact on the _legal contracts_
| between such entities.
|
| >The obvious solution to all of this is to forget about
| trying to tie locations to IP addresses, since that has
| never worked, and just ask the user's device what country
| it's in. The user can set it to a different one but that's
| no different than the status quo.
|
| You won't get any argument about that from me.
| cletus wrote:
| This is a good sensationalist title that could easily be changed
| to "Will using a VPN become illegal under the CFAA?" and like any
| such headlines, the answer is "no".
|
| Just because one side is making an argument for that
| interpretation in a civil case means pretty much exactly nothing.
|
| What's more, the Supreme Court in recent rulings has started to
| slap down overly broad interpretations of "hacking" under the
| CFAA. Notably, the court recently curtailed the definition of
| "unauthorized" use in van Buren [1], which to me was a welcome
| but somewhat unexpected ruling.
|
| There's absolutely nothing to worry about here.
|
| [1]: https://www.lawfareblog.com/supreme-court-reins-cfaa-van-
| bur...
|
| EDIT: corrected van Buren characterization.
| jcranmer wrote:
| > Notably, the court recently curtailed the definition of
| "unauthorized" use in van Buren [1], which to me was a
| completely and somewhat unexpected ruling.
|
| A pedantic point: van Buren decided the interpretation of
| "exceeds authorized access", not "without authorization".
| (There is no "unauthorized" in the statute--it says "accesses a
| computer without authorization or exceeds authorized access" as
| the operative part.)
| nobody9999 wrote:
| >A pedantic point: van Buren decided the interpretation of
| "exceeds authorized access", not "without authorization".
| (There is no "unauthorized" in the statute--it says "accesses
| a computer without authorization or exceeds authorized
| access" as the operative part.)
|
| That's an excellent point. And something folks should keep in
| mind.
|
| That said, I'm not sure how the restrictions in CFAA could
| apply here, as LinkedIn _explicitly_ grants authorization to
| _everyone_ by making the web content in question publicly
| accessible.
|
| What's more, other content on LinkedIn's web platform is
| _not_ publicly accessible. If LinkedIn wants to make a claim
| that someone can _exceed authorized access_ , then the
| content shouldn't be publicly available, as that explicitly
| allows access by anyone.
|
| I suppose they could make the argument that such automated
| scraping is some sort of DOS attack based on increased usage
| of their bandwidth/CPU from such activity, but that's a very
| different argument, IMHO.
|
| N.B.: IANAL
|
| Edit: Fixed typo
| monkeynotes wrote:
| Any headline I see with a question in that manner I don't click
| on. I know they will conclude with either "we don't know" or
| "no". It's just not worth reading unless you are interested in
| two sides of an argument but generally these articles are cheap
| fluff.
| wgx wrote:
| https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headline.
| ..
| colejohnson66 wrote:
| "Is 'Betteridge's law of headlines' actually real?"
| tptacek wrote:
| Really, this is a post of the video of the hearing (Youtube links
| are just fine on Hacker News) that is somewhat abusing the "no
| URL" feature of submissions to dramatically editorialize. That's
| the reason links in no-URL posts aren't clickable!
|
| The better way to do this would be to write a blog post about
| your concerns surrounding this hearing, and take your chances
| submitting that.
|
| What we should do here is make this post the Youtube link itself,
| and title it "hiQ Labs, Inc. v. LinkedIn Corporation hearing on
| IP blocks", or something similar, and demote the text of this
| submission to a comment. Hacker News submissions are community
| property; the submitter isn't entitled to provide a short
| editorial for the link to direct the discussion. That's what
| comments are for.
| djrogers wrote:
| Key mis-statement here:
|
| "under new CFAA interpretation"
|
| There has been no 'new' interpretation, nor is it likely that
| there will be. This is merely one of a number of arguments put
| forward by LinkedIn's counsel during a civil case. All kinds of
| crazy poop gets put forward in those.
| LinuxBender wrote:
| hiQ is based in California. What impact would the case have for
| machine learning companies that do not reside in the U.S.? Would
| those companies have an advantage over ML companies that operate
| in the U.S.?
| qwerty456127 wrote:
| > in their opinion they are allowed to put the "gate down" for
| some users on a public website.
|
| If they want to, the only reasonable way is to inform the visitor
| they're not eligible to use the site unless they fulfill specific
| conditions. If the user knowingly ignores this information - this
| is reasonable to be interpreted as some sort of offense depending
| on the context.
|
| IP-based segregation, however, is just bullshit.
| 1vuio0pswjnm7 wrote:
| Well, in the video of the hearing you posted earlier hiQ's
| counsel said an IP block is not akin to a password. The court
| added that IP addresses do not identify people. As such IP blocks
| ban computers not people. There was also suggestion that the
| "access control" only relates to the manner of access; people can
| easily change IP addresses. The court seemed to agree with that
| argument. hiQ's counsel argued that a "gates up, gates down"
| analysis is not appropriate because in this case "there is no
| gate" (or at least, the gate was up from the beginning). Again,
| the court seemed to agree.
|
| Watching that hearing it seemed clear to me the court understands
| the dangers of letting tech companies use the threat of CFAA's
| criminal culpability against www users or competitors. One
| justice made the point that when the CFAA was passed there was no
| www. The court questioned how public web servers could be
| comparable to "private" government computers.
| winkeltripel wrote:
| I think a nice metaphor would be that linkedin banned my car
| from their property, then I keep coming back in by taxi.
| janmo wrote:
| I think that's a good metaphor. And that case the taxi or
| rental car would be the VPN.
| morpheuskafka wrote:
| > As such IP blocks ban computers not people.
|
| As another example, many websites block their customers when
| they are connected to a VPN but have no intention of
| prohibiting those people from access generally.
| 908B64B197 wrote:
| With NAT and the rise of WFH, I wouldn't be surprised if a lot
| more legitimate users were under VPN without even knowing it.
| beervirus wrote:
| People argue all kinds of dumb shit in litigation. Wake me up
| when a court agrees with them on this.
| sharemywin wrote:
| couldn't the logic for anonymous browsing be similar? what about
| ad blockers?
| FateOfNations wrote:
| The underlying issue is "accessing a computer system you know
| (or should know) you shouldn't be accessing".
|
| Ad blockers operate on your own equipment and network and don't
| involve accessing any other systems.
|
| "Anonymous browsing" isn't clearly defined enough to analyze.
| If it was something like "We don't allow connections via Tor",
| and you used Tor to connect anyways, this concept would apply
| (especially if you attempted to bypass technical controls, or
| intentionally disguised the traffic).
| DarkWiiPlayer wrote:
| No, that's not the point: If a website states "you are not
| allowed to use this website with an ad blocker", then by
| accessing it anyway, you're suddenly a "hacker" before the
| law and could face severe legal consequences.
| tyingq wrote:
| Ad blockers often include paywall/regwall bypasses, which
| does somewhat fit the description.
| FateOfNations wrote:
| I would argue that it depends on how it is implemented.
|
| Some pay/reg walls are implemented such that the site is
| sending the full content to you but directing your web
| browser not to display it (like using a `display: none` CSS
| property). I would say using a browser extension to direct
| the browser to display it anyways wouldn't be a violation.
| You were authorized to make the initial request for the
| otherwise public page and they choose to send the full
| content to you. You aren't making any other connections to
| their system that you aren't authorized to make.
|
| On the other hand, if it is doing something to trick the
| server into sending you content that it wouldn't otherwise
| send you and you aren't authorized to access, I would tend
| towards seeing that as something closer to a violation.
| nobody9999 wrote:
| >I would say using a browser extension to direct the
| browser to display it anyways wouldn't be a violation.
| You were authorized to make the initial request for the
| otherwise public page and they choose to send the full
| content to you. You aren't making any other connections
| to their system that you aren't authorized to make.
|
| An interesting point.
|
| I, as a general rule, disable javascript in my daily
| driver browser (Firefox).
|
| Doing so breaks the paywall on certain sites. I'm not
| _specifically_ targeting those sites (e.g., with uBlock
| or noscript), as I 've disabled javascript for _all_
| sites and don 't use any extensions to bypass paywalls.
|
| Where the use of javascript is required (and I find that
| out by visiting the site -- then decide whether I
| actually want to view/use it) I'll use a different
| browser altogether (in my case, Vivaldi).
|
| I don't believe that disabling javascript is a "hacking"
| attempt, mostly because I don't do so to bypass anything
| -- rather, I don't want arbitrary javascript executing on
| my systems.
___________________________________________________________________
(page generated 2021-11-01 23:02 UTC)