Could Donald Trump Block Hillary Clinton's Campaign From Visiting His Website Via The CFAA?
from the who-the-hell-knows dept
In the past few weeks, we’ve written about two troubling rulings in the 9th Circuit appeals court concerning the CFAA, the Computer Fraud and Abuse Act. That law, that was literally written in response to Ronald Reagan being freaked out by the (fictional) movie War Games, was designed to go after hackers and make computer hacking into other people’s computers a crime. The law is woefully outdated and unfortunately vague, with terms like “unauthroized access” and “exceeds authorized access.” For years, many of us have been pushing for Congress to reform the law to make it not quite so broad, because in its current setup it’s the law the DOJ relies on when all else fails. That’s why the DOJ loves it. If you did something it doesn’t like on a computer, it’ll try to use the CFAA against you.
The two recent cases were not helpful. The first, called Nosal II (because it was the second CFAA case involving David Nosal trying to use data from his former employer), found that convincing a former colleague to share their password with you could violate the CFAA. The court tried to limit the impact of this, by adding some caveats, and insisting that mere password sharing wouldn’t qualify without some additional event that indicated a lack of authorization, but it does still seem like a vague standard that many will try to use going forward. The second case, Facebook v. Power, found that Power violated the CFAA by continuing to access Facebook accounts, with permission of those Facebook users, after Facebook had sent a cease-and-desist. The court found that the cease-and-desist acted as a clear point that said “you’re not allowed here.”
But it’s difficult to square that with the original Nosal ruling (Nosal 1) which found that merely violating a terms of service was not a CFAA violation. So ignoring a terms of service is not a CFAA violation, but ignoring a cease-and-desist letter is. It’s not clear why one has power over the other, though perhaps there’s an argument that a cease-and-desist is a proactive action towards an individual by a website, whereas a terms of service is broadly applicable. Still, it feels weak.
And, it raises tricky situations like the following, first raised by Andy Sellars, about a situation in which one individual alerts another that they can no longer visit a website. Let’s say this happened between two presidential candidates. Hypothetically.
If so, that?s devastating for critical speech. Imagine Trump sending a C&D to Clinton?s campaign, barring access to https://t.co/BFK7Ukdtpw.
— Andy Sellars (@andy_sellars) July 12, 2016
And, as Eriq Gardner at the Hollywood Reporter notes in response, the answer is totally unclear. And that seems really problematic. I had tossed out some hypotheticals in my original post on the Facebook v. Power ruling, but this is a good one as well, because you could absolutely see some political candidates issuing that kind of cease-and-desist. There may be arguments about whether then accessing such a website would create a loss necessary to qualify for the CFAA, but it’s still quite worrisome that the court has now put in place a vague standard that at least suggests that you can bar someone from a website by merely telling them not to go there. That’s going to create a bunch of messy litigation going forward.
Filed Under: cease and desist, cfaa, donald trump, hillary clinton, hypotheticals, public website
Comments on “Could Donald Trump Block Hillary Clinton's Campaign From Visiting His Website Via The CFAA?”
“Let’s say this happened between two presidential candidates”
What about Fox warning away all Democratic voters (they will know who from the leaked voter lists). Huffpo sending ‘cease & desists’ to all reegistered Republicans? MacDonald’s sending them to all Burger King customers? Walmart banning Costco staff from entering their stores? All of this will be possible with leaked information, huge databases and facial recognition/LPRs everywhere.
How often do presidential candidates look at each other’s websites? Are there any research studies? Does it matter? Surely everyone has people. So candidates have people, and now those people (if banned) will have people. And so on.
Now if we apply the three hops (or two hops) rule as with communications monitoring (surveillance) then we could really get somewhere. What should the hops number be to ensure that all people are banned from seeing all other people’s websites?
At least greedy ISPs will get what’s coming to them as traffic plummets while we all sit in our lonely ignorance and vote for the same people we would anyway.
Re: Re:
you mean aside from the recent scandal involving bernie sanders staffers and hillary clinton’s respective campaign websites?
Re: Re:
If Hillary was legally banned from doing something she would do it anyway, then lie about it, then attempt (and fail) to destroy all of the evidence, then get let off the hook — so I don’t see what the big deal is here. Now for everyone else who isn’t completely and utterly above the law then there might be a problem worth examining. But picking Hillary as your example of how terrible this law might be is a lot like picking Superman as your example of what gravity can do to a person. He is simply exempt from it.
TechDirt should test it out
You have a lot of trolls and other undesirables coming to your site and leaving unwanted comments. Why don’t you issue a few C&Ds to these folks and then if and when they come back, file a lawsuit. I would help fund such an experiment…
Re: TechDirt should test it out
Do they have your mailing address on file?
There's a law about this...
The answer is usually no.
authorized access vs. selective prosecution
The dischord between the states interest in corporate cyberterrorism against the Constitution, and it’s focus on jackass hackers penetrating systems that are insecure by design, is descriminatory.
In terms of the digitized relationship between the social elite and the average citizen, what part of the terabytes of data gleaned daily, isn’t accessed without authorization? Therefore using “authorized access” as a standard, is selective prosecution based on social class.
If the state neglects to criminally prosecute
one case, it invalidates any reasonable expectation of impartiality before the law when prosecuting another.
All anyone in Hillarys campaign would have to do is use a VPN when accessing the trump campaign website, problem solved. Just use a VPN that keeps no logs, then just run KillDisk on the hard disk of that computer to erase any evidence of what happened.
Re: Re:
All anyone in Hillarys campaign would have to do is use a VPN when accessing the trump campaign website, problem solved. Just use a VPN that keeps no logs, then just run KillDisk on the hard disk of that computer to erase any evidence of what happened.
Nope. Power.com specifically routed around it by changing IPs when Facebook blocked its original IP. Same would likely apply here.
Re: Re: Re:
But a VPN, with no logs, would make it all but impossible to trace, and using KillDisk, to wipe the evidence off your hard disk, would leave no evidence.
Re: Re: Re: Re:
If the attacker can log all packets into and out of the VPN, they have a good chance of figuring out who is using to connect to who, at least for a large number of packets over a connection, using statistical analysis of sources and destinations, allowing a maximum delay through the VPN. Using an add blocker makes it easier, by eliminating a lot of noise.
Re: Re: Re:
The better question:
If a minion of the HRC campaign goes to Trumps site (presumably to share recipes for eating babies and incanting pestilence), are the means that Trumps site used to determine the identity of the user legal? Certainly the user didn’t consent to having their activities monitored by their competitor?
So yes he can send them a cease and desist letter, but no, he shouldn’t really be able to know whether they did cease and desist or not. And if he can, then THAT is what needs to be investigated.
Re: Re: Re: Re:
Given there’s already been one judge who excused a malware infection by a government agency with the absolutely brilliant logic of ‘computers get hacked all the time, so it’s fine to hack/infect computers if you work for the government’, at least one other judge(perhaps several) who have ruled that even if you deliberately attempt to mask your identity online you don’t have any expectation of privacy…
Yeah, have fun with the ‘investigation’ in that hypothetical.
As if the Clintons were interested in following the law.
Archive
Would this theoretical also bar the viewing of the site on archive.org or a Google cache version? Or would the CFAA fall only on the access of the actual web server?
I would expect the access of the web server, but… now days, who knows:
“The content is the same, so it’s effectively the same thing!”
neither candidate seems to make choices based in reality so expecting any outcome based off of laws is random.
Already Proven
Wouldn’t the FBI’s attitude toward a certain email scandal by a certain candidate* for high office show that no candidate could do any wrong? The CFAA is a minor law compared with disseminating classified information, so it would get even less scrutiny.
*No I cannot say the names of either candidate…so disgusted.
Short answer NO
The short answer here is no, for a whole bunch of reasons.
First and foremost, the Trump 4 Ruler website is a public site. That is to say, it’s open to everyone without restriction. No password is required to access the site, you are not entering a secured area.
If those moved to bar them (say by issuing a cease and desist) it would likely not be valid on it’s face, as it could be considered discriminatory. Otherwise, Trump could also issue a general Muslim ban as well. Denying service (even a free service) in a discriminatory manner won’t fly and won’t hold water.
It’s a nice attempt to muddy the waters of the law. Reality sets in pretty quick when you realize the difference between an open website and a secured “employees only” server. Even a non-techie judge could catch that simple concept.
I assume agencies are immune?
Can I block the NSA, FBI, CIA, etc. from looking at my websites, email, etc. via a C&D?
It’d be swell if we could create a website to automate the process of filing them for anyone who wants to make their privacy official.
Nosal Was GUILTY of CFAA
While it’s true that “hard cases make bad law”, there’s no doubt whatsoever that Nosal was objectively guilty of CFAA violations AND was guilty of genuine crimes. This isn’t a “You’re going to jail for sharing your NetFlix password” case. Nosal was trying to steal client information from his previous employer by getting into his previous employer’s computer systems using credentials that he was not supposed to have.