One comment on the original link is worth some eyeballs: *"If IP address blocking is a legally binding way of banning a user, does that establish that an IP address must be considered 'personally identifying information' for privacy policies and related purposes?"*
The logic seems solid (although my sketch wording could be legally and logically tightened): - Suppose a website blocks an IP which is used by the user known as "Alice". Also suppose there is no other communication by which the user might determine he/she (as an individual living person) has been forbidden to access the site. However one selects word definitions, one of two situations probably exists: - *If the IP is "sufficiently clearly connected" to the individual behind the Alice account*, then one can't simultaneously argue it's not personal identifying data. The court logic is that by setting a specific IP as blocked, the website owner is banning a specific legally identifiable individual (even if they don't know which exact person). It's also saying that a given individual in the wider world should know from the status of a specific IP (blocked or unblocked), whether they personally are forbidden or not forbidden to access a website (since absent knowledge that they individually are banned as an implication of the IP being blocked), they cannot be said to be aware actually or constructively that authorization is withdrawn, nor can they be in breach of a law that refers to "unauthorized" access which the user then "circumvented" in any manner. - *But if the IP is "insufficiently clearly connected" to the individual behind the "Alice" account*, then a block of the IP (absent other information) cannot be claimed to be a block for that user, since logically and legally, the user and website owner cannot have knowledge *from the existence of the block alone* (absent other data such as a letter or ban notice) that the block of that IP, is sufficiently clearly a block of a user, and is in fact also clearly a block of the operator of the "Alice" account. If the block is not clearly a block of the individual "Alice" operator, then changing IP cannot be wilfully evading a block of a person, since it's not determinable that the person was blocked. - *Finally, severing the IP and user* seems problematic as well. That is to say, one can argue against the binary choice by saying that the *IPs*are blocked, but *individuals* aren't (and therefore the users are not identifiable but the IP blocks can be criminally circumvented even without any knowledge who they target). The problem is both commonsense and law. The law *doesn't*forbid circumventing a block where the individual is apparently authorized but the IP isn't. The law criminalizes specifically *"whoever . . . intentionally accesses a computer without authorization . . . and thereby obtains . . . information from any protected computer"* (see ruling) Does this legally mean *they* are unauthorized, or is it enough that *their means of access* is unauthorized even if they are allowed? *Example - *It's perfectly possible to be accessing a computer, fully authorized, but from an unauthorized place or connection. If Wikimedia IP blocks the entirety of my country to block some IP hopping vandal, and I use a proxy to edit, I haven't "accessed Wikimedia's servers without authorization". I would need to be unauthorized personally, not just unauthorized because I'm using an connection route that bypasses a block. A loose analogy might be that if my mother emails me from an IP range reported on RBL blacklists as a spam range, or phones me from the office of a spam phone call business, she isn't a "spammer" thereby. And if my intention was to block a spammer, have I in fact notified my mother she is "unauthorized" to call or email, merely by the act of blocking the route that by chance she uses today? If she uses a different route (the phone in the next building) is that "circumvention"? So splitting IP from person seems to break commonsense. However odd the route, she inherits no unauthority (as a person) to communicate with me by her choice of communication route. It _would_ be different if I'd told her "do not call me, you are not welcome", but the question here is considering the effect of a block of one specific means of communication (by anybody) without any other notice identifying a specific person targeted. if that alone de-authorizes specific people but not other people, it personally identifies them and we're back to #1 The problem is that you often *can't* determine (from an IP block alone) that you have been de-authorized for a website, unless an IP block can also* *identify or legally indicate a specific individual. I might be blocked on a website for something I would never imagine to be a targeted block - being the 5000th user, or using caps in my signature, and a particularly hard-ass site admin. An intermediate router or DNS fault. Too many HTTP requests in an hour. A browser agent string issue. Rhetorical claims ("you'd know", "you ought to know") can't always hold. Example: Suppose without knowing it and without advising me, Wikimedia blocked all versions of Internet Explorer 6 (a known old problematic version) and I tear my hair out, then try IE9 or Firefox instead, have I "circumvented" a block? Or was it my browser version and not me that was blocked? What if I find my current IE10 browser is blocked, can I know if switching to Chrome would be a crime? (What if I don't change my IP but I configure the user agent so IE6 isn't blocked because it presents as IE8 or it's using compatibility mode or strict mode?) There's little certainty of *having to be *clear cut on what inability to reach a site means. *Looking the other way at legal implications*, do internet users have a specific legal obligation to ask why they cannot reach a website, when that is the case, *in case by chance* it might be a block of a specific user, and furthermore a block applying to themself specifically? Are they negligent, wilful or reckless if they fail to do so, or if they just rebooted their router to get a new IP ("because that's what the ISP says")? FT2 On Tue, Aug 20, 2013 at 10:01 PM, Nathan <nawr...@gmail.com> wrote: > On Mon, Aug 19, 2013 at 2:55 PM, Fred Bauder <fredb...@fairpoint.net> > wrote: > >> http://feedly.com/k/14WeLcY > >> > >> I wish I was grossly misrepresenting the situation here. If I am, please > >> do > >> set me straight. > > > > You're not wrong, but getting the attention of a federal prosecutor would > > be easier for jaywalking in a National Park. It applies only to extreme > > situations. > > > > Fred > > > > > > I think you misread this, Fred. The case (Craigslist v. 3taps) is a > private entity suing another[1] for relief from violations of the > CFAA[2], and the article is about a recent ruling in that case.[3] The > Wikimedia analog might be the WMF suing Grawp (or similar) for > repeated violations of technological barriers (and other means) of > revoking access to the site. The ruling seems to establish that > Wikimedia is entitled to legally revoke access on a case by case > basis, and that an IP ban is a sufficient technological barrier to > meet the standard. At least that is the apparent state of the law in > the Northern District of California, which incidentally includes San > Francisco (and the WMF). > > [1]: > http://www.scribd.com/document_downloads/100933709?extension=pdf&from=embed > [2]: http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act > [3]: > http://www.volokh.com/wp-content/uploads/2013/08/Order-Denying-Renewed-Motion-to-Dismiss.pdf > > _______________________________________________ > Wikimedia-l mailing list > Wikimedia-l@lists.wikimedia.org > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, > <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe> > _______________________________________________ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>