Could Donald Trump Block Hillary Clinton's Campaign From Visiting His Website Via The CFAA?

from the who-the-hell-knows dept

In the past few weeks, we've written about two troubling rulings in the 9th Circuit appeals court concerning the CFAA, the Computer Fraud and Abuse Act. That law, that was literally written in response to Ronald Reagan being freaked out by the (fictional) movie War Games, was designed to go after hackers and make computer hacking into other people's computers a crime. The law is woefully outdated and unfortunately vague, with terms like "unauthroized access" and "exceeds authorized access." For years, many of us have been pushing for Congress to reform the law to make it not quite so broad, because in its current setup it's the law the DOJ relies on when all else fails. That's why the DOJ loves it. If you did something it doesn't like on a computer, it'll try to use the CFAA against you.

The two recent cases were not helpful. The first, called Nosal II (because it was the second CFAA case involving David Nosal trying to use data from his former employer), found that convincing a former colleague to share their password with you could violate the CFAA. The court tried to limit the impact of this, by adding some caveats, and insisting that mere password sharing wouldn't qualify without some additional event that indicated a lack of authorization, but it does still seem like a vague standard that many will try to use going forward. The second case, Facebook v. Power, found that Power violated the CFAA by continuing to access Facebook accounts, with permission of those Facebook users, after Facebook had sent a cease-and-desist. The court found that the cease-and-desist acted as a clear point that said "you're not allowed here."

But it's difficult to square that with the original Nosal ruling (Nosal 1) which found that merely violating a terms of service was not a CFAA violation. So ignoring a terms of service is not a CFAA violation, but ignoring a cease-and-desist letter is. It's not clear why one has power over the other, though perhaps there's an argument that a cease-and-desist is a proactive action towards an individual by a website, whereas a terms of service is broadly applicable. Still, it feels weak.

And, it raises tricky situations like the following, first raised by Andy Sellars, about a situation in which one individual alerts another that they can no longer visit a website. Let's say this happened between two presidential candidates. Hypothetically.
And, as Eriq Gardner at the Hollywood Reporter notes in response, the answer is totally unclear. And that seems really problematic. I had tossed out some hypotheticals in my original post on the Facebook v. Power ruling, but this is a good one as well, because you could absolutely see some political candidates issuing that kind of cease-and-desist. There may be arguments about whether then accessing such a website would create a loss necessary to qualify for the CFAA, but it's still quite worrisome that the court has now put in place a vague standard that at least suggests that you can bar someone from a website by merely telling them not to go there. That's going to create a bunch of messy litigation going forward.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 15 Jul 2016 @ 3:09pm

    "Let's say this happened between two presidential candidates"

    What about Fox warning away all Democratic voters (they will know who from the leaked voter lists). Huffpo sending 'cease & desists' to all reegistered Republicans? MacDonald's sending them to all Burger King customers? Walmart banning Costco staff from entering their stores? All of this will be possible with leaked information, huge databases and facial recognition/LPRs everywhere.

    How often do presidential candidates look at each other's websites? Are there any research studies? Does it matter? Surely everyone has people. So candidates have people, and now those people (if banned) will have people. And so on.

    Now if we apply the three hops (or two hops) rule as with communications monitoring (surveillance) then we could really get somewhere. What should the hops number be to ensure that all people are banned from seeing all other people's websites?

    At least greedy ISPs will get what's coming to them as traffic plummets while we all sit in our lonely ignorance and vote for the same people we would anyway.

    reply to this | link to this | view in chronology ]

    • icon
      Padpaw (profile), 15 Jul 2016 @ 4:04pm

      Re:

      you mean aside from the recent scandal involving bernie sanders staffers and hillary clinton's respective campaign websites?

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 Jul 2016 @ 1:29pm

      Re:

      If Hillary was legally banned from doing something she would do it anyway, then lie about it, then attempt (and fail) to destroy all of the evidence, then get let off the hook --- so I don't see what the big deal is here. Now for everyone else who isn't completely and utterly above the law then there might be a problem worth examining. But picking Hillary as your example of how terrible this law might be is a lot like picking Superman as your example of what gravity can do to a person. He is simply exempt from it.

      reply to this | link to this | view in chronology ]

  • icon
    Dave Cortright (profile), 15 Jul 2016 @ 3:24pm

    TechDirt should test it out

    You have a lot of trolls and other undesirables coming to your site and leaving unwanted comments. Why don't you issue a few C&Ds to these folks and then if and when they come back, file a lawsuit. I would help fund such an experiment...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 15 Jul 2016 @ 3:25pm

    There's a law about this...

    The answer is usually no.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 15 Jul 2016 @ 3:38pm

    authorized access vs. selective prosecution

    The dischord between the states interest in corporate cyberterrorism against the Constitution, and it's focus on jackass hackers penetrating systems that are insecure by design, is descriminatory.

    In terms of the digitized relationship between the social elite and the average citizen, what part of the terabytes of data gleaned daily, isn't accessed without authorization? Therefore using "authorized access" as a standard, is selective prosecution based on social class.

    If the state neglects to criminally prosecute
    one case, it invalidates any reasonable expectation of impartiality before the law when prosecuting another.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 15 Jul 2016 @ 3:46pm

    All anyone in Hillarys campaign would have to do is use a VPN when accessing the trump campaign website, problem solved. Just use a VPN that keeps no logs, then just run KillDisk on the hard disk of that computer to erase any evidence of what happened.

    reply to this | link to this | view in chronology ]

    • icon
      Mike Masnick (profile), 15 Jul 2016 @ 3:51pm

      Re:

      All anyone in Hillarys campaign would have to do is use a VPN when accessing the trump campaign website, problem solved. Just use a VPN that keeps no logs, then just run KillDisk on the hard disk of that computer to erase any evidence of what happened.

      Nope. Power.com specifically routed around it by changing IPs when Facebook blocked its original IP. Same would likely apply here.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 15 Jul 2016 @ 6:28pm

        Re: Re:

        But a VPN, with no logs, would make it all but impossible to trace, and using KillDisk, to wipe the evidence off your hard disk, would leave no evidence.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 17 Jul 2016 @ 9:37am

          Re: Re: Re:

          If the attacker can log all packets into and out of the VPN, they have a good chance of figuring out who is using to connect to who, at least for a large number of packets over a connection, using statistical analysis of sources and destinations, allowing a maximum delay through the VPN. Using an add blocker makes it easier, by eliminating a lot of noise.

          reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 17 Jul 2016 @ 5:12am

        Re: Re:

        The better question:

        If a minion of the HRC campaign goes to Trumps site (presumably to share recipes for eating babies and incanting pestilence), are the means that Trumps site used to determine the identity of the user legal? Certainly the user didn't consent to having their activities monitored by their competitor?

        So yes he can send them a cease and desist letter, but no, he shouldn't really be able to know whether they did cease and desist or not. And if he can, then THAT is what needs to be investigated.

        reply to this | link to this | view in chronology ]

        • icon
          That One Guy (profile), 17 Jul 2016 @ 2:57pm

          Re: Re: Re:

          Given there's already been one judge who excused a malware infection by a government agency with the absolutely brilliant logic of 'computers get hacked all the time, so it's fine to hack/infect computers if you work for the government', at least one other judge(perhaps several) who have ruled that even if you deliberately attempt to mask your identity online you don't have any expectation of privacy...

          Yeah, have fun with the 'investigation' in that hypothetical.

          reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 15 Jul 2016 @ 3:50pm

    As if the Clintons were interested in following the law.

    reply to this | link to this | view in chronology ]

  • icon
    jms (profile), 15 Jul 2016 @ 3:55pm

    Archive

    Would this theoretical also bar the viewing of the site on archive.org or a Google cache version? Or would the CFAA fall only on the access of the actual web server?

    I would expect the access of the web server, but... now days, who knows:
    "The content is the same, so it's effectively the same thing!"

    reply to this | link to this | view in chronology ]

  • icon
    Padpaw (profile), 15 Jul 2016 @ 4:02pm

    neither candidate seems to make choices based in reality so expecting any outcome based off of laws is random.

    reply to this | link to this | view in chronology ]

  • icon
    Anonymous Anonymous Coward (profile), 15 Jul 2016 @ 4:37pm

    Already Proven

    Wouldn't the FBI's attitude toward a certain email scandal by a certain candidate* for high office show that no candidate could do any wrong? The CFAA is a minor law compared with disseminating classified information, so it would get even less scrutiny.


    *No I cannot say the names of either candidate...so disgusted.

    reply to this | link to this | view in chronology ]

  • icon
    Whatever (profile), 16 Jul 2016 @ 10:12am

    Short answer NO

    The short answer here is no, for a whole bunch of reasons.

    First and foremost, the Trump 4 Ruler website is a public site. That is to say, it's open to everyone without restriction. No password is required to access the site, you are not entering a secured area.

    If those moved to bar them (say by issuing a cease and desist) it would likely not be valid on it's face, as it could be considered discriminatory. Otherwise, Trump could also issue a general Muslim ban as well. Denying service (even a free service) in a discriminatory manner won't fly and won't hold water.

    It's a nice attempt to muddy the waters of the law. Reality sets in pretty quick when you realize the difference between an open website and a secured "employees only" server. Even a non-techie judge could catch that simple concept.

    reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 16 Jul 2016 @ 10:33am

    I assume agencies are immune?

    Can I block the NSA, FBI, CIA, etc. from looking at my websites, email, etc. via a C&D?

    It'd be swell if we could create a website to automate the process of filing them for anyone who wants to make their privacy official.

    reply to this | link to this | view in chronology ]

  • identicon
    Ken Mitchell, 18 Jul 2016 @ 10:51am

    Nosal Was GUILTY of CFAA

    While it's true that "hard cases make bad law", there's no doubt whatsoever that Nosal was objectively guilty of CFAA violations AND was guilty of genuine crimes. This isn't a "You're going to jail for sharing your NetFlix password" case. Nosal was trying to steal client information from his previous employer by getting into his previous employer's computer systems using credentials that he was not supposed to have.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories

Close

Email This

This feature is only available to registered users. Register or sign in to use it.