Using a VPN could become a criminal offence under new CFAA interpretation
I am surprised this is not discussed at all on Hackernews, but in the ongoing "hiQ Labs, Inc. v. LinkedIn" case, Linkedin is arguing that "intentionally and knowingly bypassing an IP block" is an exceed authorized access and qualify as a criminal offence.
That's because in their opinion they are allowed to put the "gate down" for some users on an otherwise publicly accessible website.
If the court follows this argument using a VPN to get access to content that is otherwise blocked in your country through an IP Block for example could become a criminal offence as well.
Hearing link: https://www.youtube.com/watch?v=tUkoHeiPGQw
97 comments
[ 6.0 ms ] story [ 202 ms ] threadAd blockers operate on your own equipment and network and don't involve accessing any other systems.
"Anonymous browsing" isn't clearly defined enough to analyze. If it was something like "We don't allow connections via Tor", and you used Tor to connect anyways, this concept would apply (especially if you attempted to bypass technical controls, or intentionally disguised the traffic).
Some pay/reg walls are implemented such that the site is sending the full content to you but directing your web browser not to display it (like using a `display: none` CSS property). I would say using a browser extension to direct the browser to display it anyways wouldn't be a violation. You were authorized to make the initial request for the otherwise public page and they choose to send the full content to you. You aren't making any other connections to their system that you aren't authorized to make.
On the other hand, if it is doing something to trick the server into sending you content that it wouldn't otherwise send you and you aren't authorized to access, I would tend towards seeing that as something closer to a violation.
An interesting point.
I, as a general rule, disable javascript in my daily driver browser (Firefox).
Doing so breaks the paywall on certain sites. I'm not specifically targeting those sites (e.g., with uBlock or noscript), as I've disabled javascript for all sites and don't use any extensions to bypass paywalls.
Where the use of javascript is required (and I find that out by visiting the site -- then decide whether I actually want to view/use it) I'll use a different browser altogether (in my case, Vivaldi).
I don't believe that disabling javascript is a "hacking" attempt, mostly because I don't do so to bypass anything -- rather, I don't want arbitrary javascript executing on my systems.
https://en.wikipedia.org/wiki/HiQ_Labs_v._LinkedIn
Yes. Accessing material that has been deemed illegal enough to be the subject of a country-wide block is generally going to be a criminal offense. We might all hate censorship, but the people who write the censorship laws are the same as the ones writing the criminal laws. If you are using technology to bypass blocks imposed by your local government, you are probably some sort of criminal in the eyes of that government.
This is why I don't like people who casually advise people facing a block to "just use a VPN". Doing so might put them in danger.
Beyond that this is CLEARLY a bad reading of CFAA, recent US Supreme Court rulings have shown they would prefer a narrow reading of the law instead of a broad one so I hope the lower court recognizes this and shots LinkedIn Down.
Hypothetical scenario: User outside the United States uses a VPN to access US Netflix content. In doing so, have circumvented Netflix access control mechanism and are accessing the Netflix's computer systems in an unauthorized manner. Unauthorized access to computer systems is a violation of the CFAA. Accordingly, the foreign user is potentially liable for felony criminal charges in the US, just the same as they had "hacked" any other computer system in the US.
>> If the court follows this argument the ...
Op is referring to precedent potentially being set, but I'm not sure it would actually apply in practice. (Different laws)
US law does not apply to non-US citizens. How could a foreigner possibly be liable for anything?
Being a foreigner is often enough to avoid the punishment, but it’s not enough to be exempt from the laws.
I just checked my country's laws. Looks like international drug trafficking is the only reason allowed for extradition. Good to see the people writing these things have some common sense.
https://www.zdnet.com/article/us-charges-greek-national-for-...
Just sayin'
User inside the United States uses a VPN to access foreign Netflix content.
That’s not the issue discussed here, I think. We’re not talking about someone circumventing censorship in their own country (which is obviously illegal in your own country).
What we’re talking about here are IP-based country filters imposed by websites such as Netflix or BBC iPlayer, restricting visitors from certain countries to access all or certain content. Circumventing that filter by using a VPN (thereby masquerading as someone in a “permitted visitor country”) is obviously going to be a breach of the terms & conditions of that website and/or license conditions of content made available. But the argument apparently raised by LinkedIn in this case is that this is also a criminal offence of gaining unauthorised access to systems (I.e. legalspeak for what’s colloquially referred to as “hacking”), which would likely lead to (more severe) prosecution and punishment.
This is basically saying there’s no point in testing software, ship every line to prod and see what happens.
This is exactly the kind of political ennui the system purposely tries to inculcate. Not fine grain mind control, but indifference.
Laws dictate acceptable social agency. One might think we’d take what ends up in them at least as seriously as rich man’s busy work.
> How would you feel if I said "<username> is a pedophile! What are you going to do to fight this? Maybe it's just not something worth pursuing?"
And then spend a bit of time explaining why this reasoning doesn't make sense to you. I'm a relative veteran of HN and even I had to do a double-take because I thought you were genuinely accusing the person of being a pedophile.
Of course I'm being overly optimistic, but I'd prefer to be naive and wrong than cynical and right.
I'm not trying to be the tone police, I don't really care, I was just explaining why you might have been downvoted. Take my statements with as large of a grain of salt as you would like.
There's literally zero context to suggest that I might be serious in accusing another poster of being a pedophile, even if they were it wouldn't make sense for me to randomly drop that.
If that guy and anyone who believes the masses kowtowing to politically insulated old men LARPing Alexander the Great is natural, we’re doomed.
This is what we are now; low effort taxonomists, defending syntactic hierarchy when we know there is no center of reality.
Maybe the neuro-typicals are the real problem? The ones who have hierarchical visuals put in front of them their whole lives, who can then only repeat “this is the way”. Seems like a sure fire way to improve the probability taxes won’t go up, which exactly why Cooperman was interviewed; reiterating the hierarchy.
I really want to play Lemmings for some reason.
Borrowing from Greer’s “code the perimeter, not the area” we need a new political perimeter. Humans know the value of technology now. We don’t need old geezers to confirm what we can all see and touch for ourselves.
Sure, but I think you're overestimating the integrity of the internet if you think that people don't just drop random pedophile accusations for folks that they disagree with. I'm not saying it's "fair", because I get that you were just trying to make a rhetorical point, but I'm saying that people on the internet are often douchebags, ruining a lot of the fun for us. I love edgy humor and sarcasm, between my wife and I we make a ton of off-color jokes, but I usually keep those offline because I don't want to group in with the awful people who misuse them.
With “there’s literally zero context to suggest…”, it’s not unreasonable for some to conclude that you were being serious (particularly in light of the general decline of “comments online always make sense in context, so if it doesn’t, you should read deeper”)
And I feel it's fair for someone like you on HN to accept fair criticism of their comments.
> English is a third language for me
I would expect you'd still understand the point being made and understand it's not about you, but about many others, and just because you understand sarcasm or irony, others might not who aren't as well skilled in English.
> There's literally zero context to suggest that I might be serious in accusing another poster of being a pedophile
Except for the fact that it's a serious accusation that one does not make lightly, and so it's fair to assume no one would simply drop that in civil conversation.
Basically, take the lessons and learn from it and stop arguing.
I'm happy to accept the criticism, and I acknowledge that people replying to me are mostly correct on the facts.
However, I think it would be a terrible shame to give into this feedback and refrain from using such literary devices out of fear that I might offend someone who doesn't understand the language.
What really bothers is that nobody would ever tell me this stuff if I had written the comment in some other language. Are we supposed to let the English language rot simply because many people are learning it as a second language?
>Except for the fact that it's a serious accusation that one does not make lightly, and so it's fair to assume no one would simply drop that in civil conversation.
You make my point, it's obvious that no one would simply drop that in civil conversation so there must be a deeper meaning to it (as was immediately acknowledged in the very same comment!)
It's really not irrelevant. It makes as much sense to campaign against my obviously nonsensical allegation as it makes sense to campaign against some random lawyers obviously nonsensical allegation.
It may not be so black and white but you didn’t really help readers lean the way you wanted.
The only takeaway for you here is, culture and language aside, the science of it is that to everyone else you are 1 of 7 billion; the internet as a network is not capable of distributing your emotional uniqueness and even then, we each have our own; why import yours?
I don’t think anything I wrote constrains public response to lobbying courts. We could lobby to legislate open access to privacy tech and encryption.
One of the big papers wrote today how state legislatures are effectively gerrymandered for one party or the other.
There’s a whole lot of political effort the public could participate in that would prevent ideas like this specific one from getting beyond a back room rant between elected officials.
And frankly it wouldn’t have to impact our real logistics at all; we could collectively take ownership of our own agency and refuse to login unless legal ownership is reassessed.
The internet community seems to have forgotten SOPA blackouts worked.
The political reality is not accepting the literal one; a real majority with nothing to lose is quickly losing patience with the real minority gaming everyone’s society.
The court will still decide based on what is actually written down.
If it needs to be changed that has to come from the politicians.
Which is the appropriate time to get scared. If you took half seriously the bogus theories that are floated in legal complaints, even restricting one to those penned by reputable lawyers, you'd swiftly conclude your car is a hippopotamus.
Ours courts are adversarial. Both sides are trying novel arguments. Through this, the law is actually strengthened--the court dismissing the argument leaves a precedent where, previously, there may not have been one.
But well, for the people too lazy to google: https://h2o.law.harvard.edu/text_blocks/30226 . The only mention of IP I could find was:
> The Ninth Circuit found a CFAA violation where “after receiving written notification from Facebook” Power Ventures “circumvented IP barriers” and continued to access Facebook servers. Id. at 1068. In short, Power Ventures accessed Facebook computers “without authorization.”
IANAL but I would only worry about a criminal offence after getting a written warning...
But trying to make illegal a way to bypass their security is a really dangerous way and if they win, then many, many, privacy tech would have a problem.
Hope the judge know how to use a computer and understand the implications…
We are headed for a more authoritarian future if those making law or making judgments only see privacy tech as fringe and criminal, or have little meaningful underatandiing of it.
It’s the job of the attorneys to make the case for or against using subject matter experts etc.
Take your example. I don’t know whether a web page is encrypted. I do however know whether the transmission of one request of some website contents to a specific web browser is. But that won’t yet tell me whether the communication between me and the website has stayed confidential between the intended parties (which is probably what you’re interested in).
Is the data in a TLS connection transformed in such a way that it would make it difficult for an intermediary to figure out the plain information being sent?
If so, the data is in fact encrypted. Where are you getting this idea that encryption is more than that? That is by definition what encryption is, and everything else is just approaches and security layers on top of it. You don't have to like the encryption method, you don't have to care who it's from, you don't have to care about anything else. Encryption is encryption even if it's as pointless as a caesar cipher.
And yeah, there's things like certificates and CAs with HTTPS, but that's totally secondary to the encryption part. No one would bother with HTTPS if it couldn't establish encrypted connections.
If a lawyer or a judge doesn't understand that they themselves are frequently using encryption when they use the internet, that's a problem. They don't need to care about the nitty gritty details that you and others bring up. If they view encryption as something that only bad guys use, why should they be a part of the judicial system in the year 2021?
I feel like you're overdefining encryption to make a point, when you don't need to at all.
Honestly, I haven't the faintest clue the point you are making or why you are nitpicking to this degree. I think I made it clear why legal and judicial professionals should have a rudimentary understanding and awareness of encryption for the purpose of making sound decisions that affect society. If your disagreement with my definition of encryption gets in the way of that for you, then I really don't know what to say. Look up what the word "encrypt" means, think of the etymology, and rethink what you've been saying.
You're asking for them to have a very strange understanding of encryption, that doesn't match how the term is normally used. The important part is the security, not that you need an algorithm to decode. It's not nitpicking to say you're asking for them to know something irrelevant that's adjacent to some important things they should understand.
The only thing worse than a judge who doesn't understand the first thing about computers would be a judge who thinks they understand computers but doesn't.
IIUC, there was no attempt to "bypass security." Rather, HiQ Labs was scraping unrestricted (i.e., not restricted by user ACLs) portions of Linkedin's web platform.
If any random user can access a particular web page, it's (IMHO) publicly available and using automated tools to scrape those pages is perfectly legal.
In fact, such scraping is done all the time on airline, hotel and other websites without issue.
As for VPNs, I'm guessing that LinkedIn blocked HiQ Labs' IP range, so they used a VPN to continue scraping the public pages. If my assumption isn't valid, please correct me. That
IP blocks (I'm thinking geo-blocks[0] for sites like Netflix) are sometimes necessary for the site to at least attempt to stay in contractual compliance with the content owners.
However, that doesn't seem to be the case here. If (again, this is my understanding) LinkedIn is just blocking HiQ Labs' IP range, but no one else's, that seems (as the 9th Circuit originally ruled[1]) like a targeted attempt to interfere with HiQ Labs' business:
Given that the issue here is publicly accessible content as compared to, say, geo-blocking of unlicensed (for that particular region) content, there is no basis to disallow such access.I say this because I (or HQ Labs) could manually enter all publicly accessible URLs at LinkedIn and copy-paste the returned contents.
While that would be an arduous process, it's not only perfectly legal, it's LinkedIn's intent to provide those pages without requiring a login -- validated by the fact they don't require logins to access those pages, while they do require logins to access others.
IANAL, but it seems to me that worrying about using VPNs becoming a criminal act is a tempest in a teapot.
I guess we'll just have to wait and see.
[0] https://en.wikipedia.org/wiki/Geo-blocking
[1] https://en.wikipedia.org/wiki/HiQ_Labs_v._LinkedIn
Edit: Corrected company name (HiQ vs. HiQ Labs).
The entire thing is a farce. There has never been any way to know where an endpoint device is
And VPNs are often necessary to prevent the service from detecting it wrong.
Suppose I'm currently near an international border and my phone picks up a tower on the other side of the border. Now the IP address my phone gets is listed as being in the wrong country.
A lot of companies route all their traffic through a head office somewhere so they can inspect the traffic in a central location. It's not always in the same country where the users are.
Suppose I'm using a VPN for privacy reasons, not to bypass geographic restrictions, but I want it to be in a different country to maximize the inconvenience to anyone trying to violate my privacy, so now the country listed is the wrong one. I would have to use another VPN to get it back to being where I actually am.
The obvious solution to all of this is to forget about trying to tie locations to IP addresses, since that has never worked, and just ask the user's device what country it's in. The user can set it to a different one but that's no different than the status quo.
A good point. Note that I said:
I never said that such blocks were a good idea, nor did I say that they work.I merely suggested that such geo-blocks could be a result of contractual requirements between the distributors and the content owners.
Personally, I think it's dumb too.
But I'm not a content distributor or content owner. As such, my opinion has no impact on the legal contracts between such entities.
>The obvious solution to all of this is to forget about trying to tie locations to IP addresses, since that has never worked, and just ask the user's device what country it's in. The user can set it to a different one but that's no different than the status quo.
You won't get any argument about that from me.
If you don't want people sending you letters, get rid of the mailbox. For tech, close your ports. If you don't want to send information out, stop responding to the letters (or packets).
I'm a little confused by that interpretation of the specific case in question (Hiq Labs v. LinkedIn).
IIUC, LinkedIn isn't doing GeoIP blocks (AFAIK, the San Francisco bay area is not being blocked by LinkedIn, just HiQ Labs' IP range).
What's more, HiQ Labs is scraping publicly available content. Most GeoIP blocking (such as Netflix/BBC, etc.) is done to keep subscribers from accessing content that the provider isn't licensed to provide in the location where the connection originates.
Even more, accessing such content even if you are in a location where that content is available requires a login (i.e., isn't publicly available) to access that content.
I don't see a parallel here.
As such, I'm not sure how the result here (either way) could impact the use of VPNs more broadly.
Then again, IANAL and may well be missing something.
If you'd expound on your reasoning around this, it would be greatly appreciated. Thanks!
Edit: Fixed typo.
If they want to, the only reasonable way is to inform the visitor they're not eligible to use the site unless they fulfill specific conditions. If the user knowingly ignores this information - this is reasonable to be interpreted as some sort of offense depending on the context.
IP-based segregation, however, is just bullshit.
Watching that hearing it seemed clear to me the court understands the dangers of letting tech companies use the threat of CFAA's criminal culpability against www users or competitors. One justice made the point that when the CFAA was passed there was no www. The court questioned how public web servers could be comparable to "private" government computers.
As another example, many websites block their customers when they are connected to a VPN but have no intention of prohibiting those people from access generally.
Just because one side is making an argument for that interpretation in a civil case means pretty much exactly nothing.
What's more, the Supreme Court in recent rulings has started to slap down overly broad interpretations of "hacking" under the CFAA. Notably, the court recently curtailed the definition of "unauthorized" use in van Buren [1], which to me was a welcome but somewhat unexpected ruling.
There's absolutely nothing to worry about here.
[1]: https://www.lawfareblog.com/supreme-court-reins-cfaa-van-bur...
EDIT: corrected van Buren characterization.
A pedantic point: van Buren decided the interpretation of "exceeds authorized access", not "without authorization". (There is no "unauthorized" in the statute--it says "accesses a computer without authorization or exceeds authorized access" as the operative part.)
That's an excellent point. And something folks should keep in mind.
That said, I'm not sure how the restrictions in CFAA could apply here, as LinkedIn explicitly grants authorization to everyone by making the web content in question publicly accessible.
What's more, other content on LinkedIn's web platform is not publicly accessible. If LinkedIn wants to make a claim that someone can exceed authorized access, then the content shouldn't be publicly available, as that explicitly allows access by anyone.
I suppose they could make the argument that such automated scraping is some sort of DOS attack based on increased usage of their bandwidth/CPU from such activity, but that's a very different argument, IMHO.
N.B.: IANAL
Edit: Fixed typo
For one, the court hasn't ruled yet. This is purely LinkedIn's argument, and they're allowed to argue anything they want. They could argue that hiQ isn't allowed to access their service because the company name doesn't start with a capital letter if they wanted to. They wouldn't win, but they could make the argument.
Secondly, if you read the context of the case, this is not a situation a normal person is at all likely to find themselves in. hiQ was specifically sent a cease and desist, which is why "bypassing an IP block" is couched in "intentionally and knowingly". IANAL, but a follower of the law, and my layman's reading of that is that LinkedIn is intentionally scoping this to only target subjects that have previously been sent a cease and desist.
And finally, even if they did do that, it's unlikely to impact VPNs for streaming. I severely doubt that any first world country would extradite one of their citizens to the US to face charges for bypassing an IP block.
Within the US, I still doubt the charges would be used like that even if they could. I don't think this is something the FBI is going to spend resources on proactively tracking, so it would be up to Netflix et al to push the cases. I really strongly doubt they would do that. "Paying Netflix customer sued by Netflix for watching content he wasn't supposed to" is a really bad PR headline, and it's mainstream-adjacent enough to get picked up by major news networks. That's a really hard story to spin, and I strongly suspect the bad PR would cost much, much more than people try to avoid region-locks (who are likely to just pirate it if VPNs become CFAA-able).
You’d have the largest tech companies in the world fighting it.
The better way to do this would be to write a blog post about your concerns surrounding this hearing, and take your chances submitting that.
What we should do here is make this post the Youtube link itself, and title it "hiQ Labs, Inc. v. LinkedIn Corporation hearing on IP blocks", or something similar, and demote the text of this submission to a comment. Hacker News submissions are community property; the submitter isn't entitled to provide a short editorial for the link to direct the discussion. That's what comments are for.
> So Microsoft chose a method of authorization that is unfit for the purpose of keeping people they don't want to have access out of their system. "But but but how else would they keep people off?" I don't know, but it doesn't matter. Make people sign a contract under supervision of a notary, or validate their drivers license, or whatever. The fact that Microsoft is too lazy to implement a solution that effectively implements their desired policy isn't material to what the actually implemented policy enables.
[0]: https://news.ycombinator.com/item?id=22738180
[1]: https://news.ycombinator.com/item?id=22745104
"under new CFAA interpretation"
There has been no 'new' interpretation, nor is it likely that there will be. This is merely one of a number of arguments put forward by LinkedIn's counsel during a civil case. All kinds of crazy poop gets put forward in those.