Could Donald Trump Block Hillary Clinton's Campaign From Visiting His Website Via The CFAA?

from the who-the-hell-knows dept

In the past few weeks, we’ve written about two troubling rulings in the 9th Circuit appeals court concerning the CFAA, the Computer Fraud and Abuse Act. That law, which was literally written in response to Ronald Reagan being freaked out by the (fictional) movie War Games, was designed to go after hackers and make hacking into other people’s computers a crime. The law is woefully outdated and unfortunately vague, with terms like “unauthorized access” and “exceeds authorized access.” For years, many of us have been pushing for Congress to reform the law to make it not quite so broad, because in its current setup it’s the law the DOJ relies on when all else fails. That’s why the DOJ loves it. If you did something it doesn’t like on a computer, it’ll try to use the CFAA against you.

The two recent cases were not helpful. The first, called Nosal II (because it was the second CFAA case involving David Nosal trying to use data from his former employer), found that convincing a former colleague to share their password with you could violate the CFAA. The court tried to limit the impact of this, by adding some caveats, and insisting that mere password sharing wouldn’t qualify without some additional event that indicated a lack of authorization, but it does still seem like a vague standard that many will try to use going forward. The second case, Facebook v. Power, found that Power violated the CFAA by continuing to access Facebook accounts, with permission of those Facebook users, after Facebook had sent a cease-and-desist. The court found that the cease-and-desist acted as a clear point that said “you’re not allowed here.”

But it’s difficult to square that with the original Nosal ruling (Nosal I), which found that merely violating a terms of service was not a CFAA violation. So ignoring a terms of service is not a CFAA violation, but ignoring a cease-and-desist letter is. It’s not clear why one has power over the other, though perhaps there’s an argument that a cease-and-desist is a proactive action towards an individual by a website, whereas a terms of service is broadly applicable. Still, it feels weak.

And, it raises tricky situations like the following, first raised by Andy Sellars, about a situation in which one individual alerts another that they can no longer visit a website. Let’s say this happened between two presidential candidates. Hypothetically.

And, as Eriq Gardner at the Hollywood Reporter notes in response, the answer is totally unclear. And that seems really problematic. I had tossed out some hypotheticals in my original post on the Facebook v. Power ruling, but this is a good one as well, because you could absolutely see some political candidates issuing that kind of cease-and-desist. There may be arguments about whether then accessing such a website would create a loss necessary to qualify for the CFAA, but it’s still quite worrisome that the court has now put in place a vague standard that at least suggests that you can bar someone from a website by merely telling them not to go there. That’s going to create a bunch of messy litigation going forward.


Comments on “Could Donald Trump Block Hillary Clinton's Campaign From Visiting His Website Via The CFAA?”

Anonymous Coward says:

“Let’s say this happened between two presidential candidates”

What about Fox warning away all Democratic voters (they will know who from the leaked voter lists)? Huffpo sending ‘cease & desists’ to all registered Republicans? McDonald’s sending them to all Burger King customers? Walmart banning Costco staff from entering their stores? All of this will be possible with leaked information, huge databases and facial recognition/LPRs everywhere.

How often do presidential candidates look at each other’s websites? Are there any research studies? Does it matter? Surely everyone has people. So candidates have people, and now those people (if banned) will have people. And so on.

Now if we apply the three hops (or two hops) rule as with communications monitoring (surveillance) then we could really get somewhere. What should the hops number be to ensure that all people are banned from seeing all other people’s websites?

At least greedy ISPs will get what’s coming to them as traffic plummets while we all sit in our lonely ignorance and vote for the same people we would anyway.

Anonymous Coward says:

Re: Re:

If Hillary was legally banned from doing something she would do it anyway, then lie about it, then attempt (and fail) to destroy all of the evidence, then get let off the hook — so I don’t see what the big deal is here. Now for everyone else who isn’t completely and utterly above the law then there might be a problem worth examining. But picking Hillary as your example of how terrible this law might be is a lot like picking Superman as your example of what gravity can do to a person. He is simply exempt from it.

Anonymous Coward says:

authorized access vs. selective prosecution

The discord between the state’s interest in corporate cyberterrorism against the Constitution, and its focus on jackass hackers penetrating systems that are insecure by design, is discriminatory.

In terms of the digitized relationship between the social elite and the average citizen, what part of the terabytes of data gleaned daily, isn’t accessed without authorization? Therefore using “authorized access” as a standard, is selective prosecution based on social class.

If the state neglects to criminally prosecute one case, it invalidates any reasonable expectation of impartiality before the law when prosecuting another.

Mike Masnick (profile) says:

Re: Re:

All anyone in Hillary’s campaign would have to do is use a VPN when accessing the Trump campaign website, problem solved. Just use a VPN that keeps no logs, then just run KillDisk on the hard disk of that computer to erase any evidence of what happened.

Nope. specifically routed around it by changing IPs when Facebook blocked its original IP. Same would likely apply here.

Anonymous Coward says:

Re: Re: Re: Re:

If the attacker can log all packets into and out of the VPN, they have a good chance of figuring out who is using it to connect to who, at least for a large number of packets over a connection, using statistical analysis of sources and destinations, allowing a maximum delay through the VPN. Using an ad blocker makes it easier, by eliminating a lot of noise.

Anonymous Coward says:

Re: Re: Re:

The better question:

If a minion of the HRC campaign goes to Trump’s site (presumably to share recipes for eating babies and incanting pestilence), are the means that Trump’s site used to determine the identity of the user legal? Certainly the user didn’t consent to having their activities monitored by their competitor?

So yes he can send them a cease and desist letter, but no, he shouldn’t really be able to know whether they did cease and desist or not. And if he can, then THAT is what needs to be investigated.

That One Guy (profile) says:

Re: Re: Re: Re:

Given there’s already been one judge who excused a malware infection by a government agency with the absolutely brilliant logic of ‘computers get hacked all the time, so it’s fine to hack/infect computers if you work for the government’, at least one other judge (perhaps several) who have ruled that even if you deliberately attempt to mask your identity online you don’t have any expectation of privacy…

Yeah, have fun with the ‘investigation’ in that hypothetical.

Whatever says:

Short answer NO

The short answer here is no, for a whole bunch of reasons.

First and foremost, the Trump 4 Ruler website is a public site. That is to say, it’s open to everyone without restriction. No password is required to access the site, you are not entering a secured area.

If those moved to bar them (say by issuing a cease and desist) it would likely not be valid on its face, as it could be considered discriminatory. Otherwise, Trump could also issue a general Muslim ban as well. Denying service (even a free service) in a discriminatory manner won’t fly and won’t hold water.

It’s a nice attempt to muddy the waters of the law. Reality sets in pretty quick when you realize the difference between an open website and a secured “employees only” server. Even a non-techie judge could catch that simple concept.

Ken Mitchell (profile) says:

Nosal Was GUILTY of CFAA

While it’s true that “hard cases make bad law”, there’s no doubt whatsoever that Nosal was objectively guilty of CFAA violations AND was guilty of genuine crimes. This isn’t a “You’re going to jail for sharing your Netflix password” case. Nosal was trying to steal client information from his previous employer by getting into his previous employer’s computer systems using credentials that he was not supposed to have.
