Using a VPN could become a criminal offence under new CFAA interpretation
315 points by janmo on Nov 1, 2021 | 91 comments
I am surprised this is not discussed at all on Hacker News, but in the ongoing "hiQ Labs, Inc. v. LinkedIn" case, LinkedIn is arguing that "intentionally and knowingly bypassing an IP block" exceeds authorized access and qualifies as a criminal offence. That's because in their opinion they are allowed to put the "gate down" for some users on an otherwise publicly accessible website.

If the court follows this argument, using a VPN to get access to content that is otherwise blocked in your country through an IP block, for example, could become a criminal offence as well.

Hearing link: https://www.youtube.com/watch?v=tUkoHeiPGQw




Well, in the video of the hearing you posted earlier hiQ's counsel said an IP block is not akin to a password. The court added that IP addresses do not identify people. As such IP blocks ban computers not people. There was also a suggestion that the "access control" only relates to the manner of access; people can easily change IP addresses. The court seemed to agree with that argument. hiQ's counsel argued that a "gates up, gates down" analysis is not appropriate because in this case "there is no gate" (or at least, the gate was up from the beginning). Again, the court seemed to agree.

Watching that hearing it seemed clear to me the court understands the dangers of letting tech companies use the threat of CFAA's criminal culpability against www users or competitors. One justice made the point that when the CFAA was passed there was no www. The court questioned how public web servers could be comparable to "private" government computers.


I think a nice metaphor would be that linkedin banned my car from their property, then I keep coming back in by taxi.


Yes and LinkedIn wants to argue that it's trying to lock you out but you keep coming back and so they want to throw you in jail.


I think that's a good metaphor. And in that case the taxi or rental car would be the VPN.


> As such IP blocks ban computers not people.

As another example, many websites block their customers when they are connected to a VPN but have no intention of prohibiting those people from access generally.


With NAT and the rise of WFH, I wouldn't be surprised if a lot more legitimate users were under VPN without even knowing it.


It's not being talked about because there's no evidence of "new CFAA interpretation" until the court says something like that. It's very common for parties to try and argue all kinds of extreme interpretations of law that might favor their case, with the expectation that it most likely will be refused but hey, it's worth a try; but they are not newsworthy until/unless the court actually considers the argument as valid.


This is like when Oracle argued that APIs can be copyrighted. Nobody was scared until the CAFC agreed.


> This is like when Oracle argued that APIs can be copyrighted. Nobody was scared until the CAFC agreed.

Which is the appropriate time to get scared. If you took half seriously the bogus theories that are floated in legal complaints, even restricting one to those penned by reputable lawyers, you'd swiftly conclude your car is a hippopotamus.

Our courts are adversarial. Both sides are trying novel arguments. Through this, the law is actually strengthened--the court dismissing the argument leaves a precedent where, previously, there may not have been one.


So only after it’s precedent and harder to undo then does it matter?

This is basically saying there’s no point in testing software, ship every line to prod and see what happens.

This is exactly the kind of political ennui the system purposely tries to inculcate. Not fine grain mind control, but indifference.

Laws dictate acceptable social agency. One might think we’d take what ends up in them at least as seriously as rich man’s busy work.


It would be appropriate to start such a discussion once a single court ever has accepted such an argument and it gets appealed and starts a years-long process where it might become precedent for some wider area; it would be absolutely ridiculous to consider every theory put forth by a litigating lawyer as worthy of a public discussion - I mean, there are so many of them and usually the judges shoot many of them down without a discussion because it's not worth a discussion even for the people it directly affects, much less the general public.


What do you think will happen if you start campaigning against a certain interpretation of the law now?

The court will still decide based on what is actually written down.

If it needs to be changed that has to come from the politicians.


Trial courts do not set precedent. The only way precedent will get set is if this argument is taken up on appeal.


[flagged]


I understand the point you're trying to make (e.g. making a hyperbolic claim and leaving the onus on the accused to disprove it), but I think if you wanted to avoid downvotes while making the same point, you might have better luck saying something like:

> How would you feel if I said "<username> is a pedophile! What are you going to do to fight this? Maybe it's just not something worth pursuing?"

And then spend a bit of time explaining why this reasoning doesn't make sense to you. I'm a relative veteran of HN and even I had to do a double-take because I thought you were genuinely accusing the person of being a pedophile.


Honestly, I really hope that I don't need to explain the logic behind my comment. It should be obvious to anyone willing to spend more than a couple of seconds thinking about it. I would hope that on HN we'd actually try to read and understand the comment we're voting on.

Of course I'm being overly optimistic, but I'd prefer to be naive and wrong than cynical and right.


Sure, and as someone who grew up on Something Awful and 4chan I'm not familiar with the concept of hyperbole and sarcasm, but keep in mind that a lot of people on HN speak English as a second language, or just have more trouble picking up on sarcasm in general, and as such it might come off as a legitimate accusation.

I'm not trying to be the tone police, I don't really care, I was just explaining why you might have been downvoted. Take my statements with as large of a grain of salt as you would like.


English is a third language for me, I would expect that regardless of language everyone can understand the concepts of sarcasm and irony if they're willing to spend any time thinking about what they are reading.

There's literally zero context to suggest that I might be serious in accusing another poster of being a pedophile, even if they were it wouldn't make sense for me to randomly drop that.


> There's literally zero context to suggest that I might be serious in accusing another poster of being a pedophile, even if they were it wouldn't make sense for me to randomly drop that.

Sure, but I think you're overestimating the integrity of the internet if you think that people don't just drop random pedophile accusations for folks that they disagree with. I'm not saying it's "fair", because I get that you were just trying to make a rhetorical point, but I'm saying that people on the internet are often douchebags, ruining a lot of the fun for us. I love edgy humor and sarcasm, between my wife and I we make a ton of off-color jokes, but I usually keep those offline because I don't want to group in with the awful people who misuse them.


The default interpretation of written language is direct rather than ironic or sarcastic.

With “there’s literally zero context to suggest…”, it’s not unreasonable for some to conclude that you were being serious (particularly in light of the general decline of “comments online always make sense in context, so if it doesn’t, you should read deeper”)


> I would expect that regardless of language everyone can understand the concepts of sarcasm and irony

And I feel it's fair for someone like you on HN to accept fair criticism of their comments.

> English is a third language for me

I would expect you'd still understand the point being made and understand it's not about you, but about many others, and just because you understand sarcasm or irony, others might not who aren't as well skilled in English.

> There's literally zero context to suggest that I might be serious in accusing another poster of being a pedophile

Except for the fact that it's a serious accusation that one does not make lightly, and so it's fair to assume no one would simply drop that in civil conversation.

Basically, take the lessons and learn from it and stop arguing.


>And I feel it's fair for someone like you on HN to accept fair criticism of their comments.

I'm happy to accept the criticism, and I acknowledge that people replying to me are mostly correct on the facts.

However, I think it would be a terrible shame to give into this feedback and refrain from using such literary devices out of fear that I might offend someone who doesn't understand the language.

What really bothers me is that nobody would ever tell me this stuff if I had written the comment in some other language. Are we supposed to let the English language rot simply because many people are learning it as a second language?

>Except for the fact that it's a serious accusation that one does not make lightly, and so it's fair to assume no one would simply drop that in civil conversation.

You make my point, it's obvious that no one would simply drop that in civil conversation so there must be a deeper meaning to it (as was immediately acknowledged in the very same comment!)


I think it's common for non-neurotypical folks to struggle with sarcasm and irony. Even for neurotypicals, it can go over your head because it's hard to tell tone from a text.


Whether or not you're serious, and forgetting the salaciousness of your satire, there's the point about how completely irrelevant it is as an analogy to what is in question


> there's the point about how completely irrelevant it is as an analogy to what is in question

It's really not irrelevant. It makes as much sense to campaign against my obviously nonsensical allegation as it makes sense to campaign against some random lawyer's obviously nonsensical allegation.


This is a good sensationalist title that could easily be changed to "Will using a VPN become illegal under the CFAA?" and like any such headlines, the answer is "no".

Just because one side is making an argument for that interpretation in a civil case means pretty much exactly nothing.

What's more, the Supreme Court in recent rulings has started to slap down overly broad interpretations of "hacking" under the CFAA. Notably, the court recently curtailed the definition of "unauthorized" use in van Buren [1], which to me was a welcome but somewhat unexpected ruling.

There's absolutely nothing to worry about here.

[1]: https://www.lawfareblog.com/supreme-court-reins-cfaa-van-bur...

EDIT: corrected van Buren characterization.


Any headline I see with a question in that manner I don't click on. I know they will conclude with either "we don't know" or "no". It's just not worth reading unless you are interested in two sides of an argument but generally these articles are cheap fluff.



“Is ‘Betteridge's law of headlines’ actually real?”


> Notably, the court recently curtailed the definition of "unauthorized" use in van Buren [1], which to me was a completely and somewhat unexpected ruling.

A pedantic point: van Buren decided the interpretation of "exceeds authorized access", not "without authorization". (There is no "unauthorized" in the statute--it says "accesses a computer without authorization or exceeds authorized access" as the operative part.)


>A pedantic point: van Buren decided the interpretation of "exceeds authorized access", not "without authorization". (There is no "unauthorized" in the statute--it says "accesses a computer without authorization or exceeds authorized access" as the operative part.)

That's an excellent point. And something folks should keep in mind.

That said, I'm not sure how the restrictions in CFAA could apply here, as LinkedIn explicitly grants authorization to everyone by making the web content in question publicly accessible.

What's more, other content on LinkedIn's web platform is not publicly accessible. If LinkedIn wants to make a claim that someone can exceed authorized access, then the content shouldn't be publicly available, as that explicitly allows access by anyone.

I suppose they could make the argument that such automated scraping is some sort of DOS attack based on increased usage of their bandwidth/CPU from such activity, but that's a very different argument, IMHO.

N.B.: IANAL

Edit: Fixed typo


It's just not that dire yet.

For one, the court hasn't ruled yet. This is purely LinkedIn's argument, and they're allowed to argue anything they want. They could argue that hiQ isn't allowed to access their service because the company name doesn't start with a capital letter if they wanted to. They wouldn't win, but they could make the argument.

Secondly, if you read the context of the case, this is not a situation a normal person is at all likely to find themselves in. hiQ was specifically sent a cease and desist, which is why "bypassing an IP block" is couched in "intentionally and knowingly". IANAL, but a follower of the law, and my layman's reading of that is that LinkedIn is intentionally scoping this to only target subjects that have previously been sent a cease and desist.

And finally, even if they did do that, it's unlikely to impact VPNs for streaming. I severely doubt that any first world country would extradite one of their citizens to the US to face charges for bypassing an IP block.

Within the US, I still doubt the charges would be used like that even if they could. I don't think this is something the FBI is going to spend resources on proactively tracking, so it would be up to Netflix et al to push the cases. I really strongly doubt they would do that. "Paying Netflix customer sued by Netflix for watching content he wasn't supposed to" is a really bad PR headline, and it's mainstream-adjacent enough to get picked up by major news networks. That's a really hard story to spin, and I strongly suspect the bad PR would cost much, much more than people try to avoid region-locks (who are likely to just pirate it if VPNs become CFAA-able).


Really, this is a post of the video of the hearing (Youtube links are just fine on Hacker News) that is somewhat abusing the "no URL" feature of submissions to dramatically editorialize. That's the reason links in no-URL posts aren't clickable!

The better way to do this would be to write a blog post about your concerns surrounding this hearing, and take your chances submitting that.

What we should do here is make this post the Youtube link itself, and title it "hiQ Labs, Inc. v. LinkedIn Corporation hearing on IP blocks", or something similar, and demote the text of this submission to a comment. Hacker News submissions are community property; the submitter isn't entitled to provide a short editorial for the link to direct the discussion. That's what comments are for.



Well… first it’s not a « public » website; like Facebook and Google, you connect to a privately owned server and, while the « path » is public, the server you contact isn’t. So they are well within their right to block anyone.

But trying to make illegal a way to bypass their security is a really dangerous way and if they win, then many, many, privacy tech would have a problem.

Hope the judge knows how to use a computer and understands the implications…


I really wish that every legal professional and judicial administrator had some rudimentary computer science knowledge. Having friends who are lawyers, I can tell you that most of them don't have any meaningful understanding of technology because they spend so many years of their career heads down on what is effectively paperwork. They know enough to realize how bass ackwards their industry is when it comes to tech, but if you asked them if webpages are encrypted they would have no idea and would probably assume they are not.

We are headed for a more authoritarian future if those making law or making judgments only see privacy tech as fringe and criminal, or have little meaningful understanding of it.


It would start with us software engineers to be more exact in our communications. For an engineering discipline, we’re terrible at it.

Take your example. I don’t know whether a web page is encrypted. I do however know whether the transmission of one request of some website contents to a specific web browser is. But that won’t yet tell me whether the communication between me and the website has stayed confidential between the intended parties (which is probably what you’re interested in).


Whether data through an encrypted channel remains confidential isn't really relevant to my point. I didn't say "confidential", I said "encrypted". The distinction you are making with encryption and confidentiality seems conflated; if the channel uses encryption, then the data is by virtue encrypted. It's another story if we are talking about data arriving from any channel with another layer of encryption for confidentiality.


It's basically meaningless to talk about whether something is encrypted without the "from who" factor. Otherwise you might as well rot-13 it. If you want to use such a narrow definition of 'encrypted', then it doesn't matter if the lawyer knows the answer.


No, the answer is way simpler than you are making it out to be.

Is the data in a TLS connection transformed in such a way that it would make it difficult for an intermediary to figure out the plain information being sent?

If so, the data is in fact encrypted. Where are you getting this idea that encryption is more than that? That is by definition what encryption is, and everything else is just approaches and security layers on top of it. You don't have to like the encryption method, you don't have to care who it's from, you don't have to care about anything else. Encryption is encryption even if it's as pointless as a Caesar cipher.

And yeah, there's things like certificates and CAs with HTTPS, but that's totally secondary to the encryption part. No one would bother with HTTPS if it couldn't establish encrypted connections.

If a lawyer or a judge doesn't understand that they themselves are frequently using encryption when they use the internet, that's a problem. They don't need to care about the nitty gritty details that you and others bring up. If they view encryption as something that only bad guys use, why should they be a part of the judicial system in the year 2021?


'difficult' is uncomfortably vague here. Lots of transforms happen to the bits that might make them difficult to figure out even without encryption. Many of them don't intend to keep people out, despite them being more obscuring than a Caesar cipher!

I feel like you're overdefining encryption to make a point, when you don't need to at all.


I've made the definition as simple as it could possibly be. Technically speaking, yes, rot13 is a form of encryption; it's just a really bad one that has virtually no security features, only being a minuscule step above plain text. Rot13 even has a decryption key, but only ever one, which is the algorithm to decode it. (Of course it would not take long at all to reverse engineer) Besides, any encryption other than OTP can be broken in theory given enough time.

Honestly, I haven't the faintest clue the point you are making or why you are nitpicking to this degree. I think I made it clear why legal and judicial professionals should have a rudimentary understanding and awareness of encryption for the purpose of making sound decisions that affect society. If your disagreement with my definition of encryption gets in the way of that for you, then I really don't know what to say. Look up what the word "encrypt" means, think of the etymology, and rethink what you've been saying.


> Honestly, I haven't the faintest clue the point you are making or why you are nitpicking to this degree. I think I made it clear why legal and judicial professionals should have a rudimentary understanding and awareness of encryption for the purpose of making sound decisions that affect society.

You're asking for them to have a very strange understanding of encryption, that doesn't match how the term is normally used. The important part is the security, not that you need an algorithm to decode. It's not nitpicking to say you're asking for them to know something irrelevant that's adjacent to some important things they should understand.


I don't like this line of thinking at all. Legal professionals are supposed to know the law and to ask experts for other things. Just like a judge and jury in a murder case are unable to understand how DNA analysis works, they don't have to understand how computer systems work.

The only thing worse than a judge who doesn't understand the first thing about computers would be a judge who thinks they understand computers but doesn't.


The alternative to encryption really is totalitarian control of the internet. In order to have any level of confidence that the data is not tampered with you need strict security on every meter of cabling, every line of code, every transceiver, and every person involved with the design and fabrication of those things.


Hmm. You could also argue that not having understanding of the technology is a good thing. For instance, the judge can remove themselves from the details and look at it on a higher level.

It’s the job of the attorneys to make the case for or against using subject matter experts etc.


You could argue that. However, it means that people can basically lie to the judges, and the judges don't have the background to call them out on it.


If I mail you a letter and you send a letter back, have I hacked your house? Let's say you don't respond, and I send my letter with a different return address and then you respond. That's basically what is happening here.

If you don't want people sending you letters, get rid of the mailbox. For tech, close your ports. If you don't want to send information out, stop responding to the letters (or packets).


You are right, the actual wording they used was: "on an otherwise publicly accessible website". I've edited my submission accordingly. In law every word, even every comma, counts.


>But trying to make illegal a way to bypass their security is a really dangerous way and if they win, then many, many, privacy tech would have a problem.

IIUC, there was no attempt to "bypass security." Rather, HiQ Labs was scraping unrestricted (i.e., not restricted by user ACLs) portions of Linkedin's web platform.

If any random user can access a particular web page, it's (IMHO) publicly available and using automated tools to scrape those pages is perfectly legal.

In fact, such scraping is done all the time on airline, hotel and other websites without issue.

As for VPNs, I'm guessing that LinkedIn blocked HiQ Labs' IP range, so they used a VPN to continue scraping the public pages. If my assumption isn't valid, please correct me. That

IP blocks (I'm thinking geo-blocks[0] for sites like Netflix) are sometimes necessary for the site to at least attempt to stay in contractual compliance with the content owners.

However, that doesn't seem to be the case here. If (again, this is my understanding) LinkedIn is just blocking HiQ Labs' IP range, but no one else's, that seems (as the 9th Circuit originally ruled[1]) like a targeted attempt to interfere with HiQ Labs' business:

   The Ninth Circuit held that there was no abuse of 
   discretion by the district court where the court 
   had found that even if some LinkedIn users 
   retained their privacy despite their public 
   status, as they were not scraped, such privacy 
   interests did not outweigh hiQ's interest in 
   maintaining its business.

Given that the issue here is publicly accessible content as compared to, say, geo-blocking of unlicensed (for that particular region) content, there is no basis to disallow such access.

I say this because I (or HiQ Labs) could manually enter all publicly accessible URLs at LinkedIn and copy-paste the returned contents.

While that would be an arduous process, it's not only perfectly legal, it's LinkedIn's intent to provide those pages without requiring a login -- validated by the fact they don't require logins to access those pages, while they do require logins to access others.

IANAL, but it seems to me that worrying about using VPNs becoming a criminal act is a tempest in a teapot.

I guess we'll just have to wait and see.

[0] https://en.wikipedia.org/wiki/Geo-blocking

[1] https://en.wikipedia.org/wiki/HiQ_Labs_v._LinkedIn

Edit: Corrected company name (HiQ vs. HiQ Labs).


> IP blocks (I'm thinking geo-blocks[0] for sites like Netflix) are sometimes necessary for the site to at least attempt to stay in contractual compliance with the content owners.

The entire thing is a farce. There has never been any way to know where an endpoint device is.

And VPNs are often necessary to prevent the service from detecting it wrong.

Suppose I'm currently near an international border and my phone picks up a tower on the other side of the border. Now the IP address my phone gets is listed as being in the wrong country.

A lot of companies route all their traffic through a head office somewhere so they can inspect the traffic in a central location. It's not always in the same country where the users are.

Suppose I'm using a VPN for privacy reasons, not to bypass geographic restrictions, but I want it to be in a different country to maximize the inconvenience to anyone trying to violate my privacy, so now the country listed is the wrong one. I would have to use another VPN to get it back to being where I actually am.

The obvious solution to all of this is to forget about trying to tie locations to IP addresses, since that has never worked, and just ask the user's device what country it's in. The user can set it to a different one but that's no different than the status quo.


>The entire thing is a farce. There has never been any way to know where an endpoint device is

A good point. Note that I said:

   IP blocks...are sometimes necessary for the site 
   to at least *attempt to stay in contractual 
   compliance* with the content owners.

I never said that such blocks were a good idea, nor did I say that they work.

I merely suggested that such geo-blocks could be a result of contractual requirements between the distributors and the content owners.

Personally, I think it's dumb too.

But I'm not a content distributor or content owner. As such, my opinion has no impact on the legal contracts between such entities.

>The obvious solution to all of this is to forget about trying to tie locations to IP addresses, since that has never worked, and just ask the user's device what country it's in. The user can set it to a different one but that's no different than the status quo.

You won't get any argument about that from me.


> in their opinion they are allowed to put the "gate down" for some users on a public website.

If they want to, the only reasonable way is to inform the visitor they're not eligible to use the site unless they fulfill specific conditions. If the user knowingly ignores this information - this is reasonable to be interpreted as some sort of offense depending on the context.

IP-based segregation, however, is just bullshit.


Wow this is the same case that came up two years ago, where LinkedIn tried to argue that a violation of the ToS was CFAA. "Court: Violating a site’s terms of service isn’t criminal hacking" [0]. I made a comment at the time [1]:

> So Microsoft chose a method of authorization that is unfit for the purpose of keeping people they don't want to have access out of their system. "But but but how else would they keep people off?" I don't know, but it doesn't matter. Make people sign a contract under supervision of a notary, or validate their drivers license, or whatever. The fact that Microsoft is too lazy to implement a solution that effectively implements their desired policy isn't material to what the actually implemented policy enables.

[0]: https://news.ycombinator.com/item?id=22738180

[1]: https://news.ycombinator.com/item?id=22745104


The biggest question would be what is my IP versus one that's not mine?


What a world we live in! Just read how shoplifting isn't worth prosecuting so it isn't a "crime" anymore. Now using a VPN is. Yeah!


Key mis-statement here:

"under new CFAA interpretation"

There has been no 'new' interpretation, nor is it likely that there will be. This is merely one of a number of arguments put forward by LinkedIn's counsel during a civil case. All kinds of crazy poop gets put forward in those.


Good luck with that.

You’d have the largest tech companies in the world fighting it.


Could you provide links to the case, please?



hiQ is based in California. What impact would the case have for machine learning companies that do not reside in the U.S.? Would those companies have an advantage over ML companies that operate in the U.S.?


Wouldn’t the nature of a vpn make this kind of difficult to enforce?


I'd think they'd block certain well known VPN services' IPs, no?


They have the relief of whitelisting IPs. Have at it :)


Couldn't the logic for anonymous browsing be similar? What about ad blockers?


The underlying issue is "accessing a computer system you know (or should know) you shouldn't be accessing".

Ad blockers operate on your own equipment and network and don't involve accessing any other systems.

"Anonymous browsing" isn't clearly defined enough to analyze. If it was something like "We don't allow connections via Tor", and you used Tor to connect anyways, this concept would apply (especially if you attempted to bypass technical controls, or intentionally disguised the traffic).


No, that's not the point: If a website states "you are not allowed to use this website with an ad blocker", then by accessing it anyway, you're suddenly a "hacker" before the law and could face severe legal consequences.


Ad blockers often include paywall/regwall bypasses, which does somewhat fit the description.


I would argue that it depends on how it is implemented.

Some pay/reg walls are implemented such that the site is sending the full content to you but directing your web browser not to display it (like using a `display: none` CSS property). I would say using a browser extension to direct the browser to display it anyways wouldn't be a violation. You were authorized to make the initial request for the otherwise public page and they choose to send the full content to you. You aren't making any other connections to their system that you aren't authorized to make.

On the other hand, if it is doing something to trick the server into sending you content that it wouldn't otherwise send you and you aren't authorized to access, I would tend towards seeing that as something closer to a violation.
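
Added example, not part of the comment above or of the thread: a sketch of the two paywall designs the comment distinguishes, with a publisher-side check for whether the restricted text leaves the server at all. The renderers, the sample article and every name in it are constructed for illustration.

```javascript
// Constructed sample data; all names in this example are hypothetical.
const ARTICLE = {
  title: "Constructed sample article",
  teaser: "Opening paragraph that every visitor may read.",
  body: "Subscriber-only text that the publisher intends to restrict.",
};

// Minimal HTML escaping so the sample text is embedded safely.
function esc(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

function isSubscriber(user) {
  return Boolean(user && user.subscribed === true);
}

// Weak design: the full body is always in the response and only a CSS rule
// hides it from non-subscribers. The browser, not the server, is the gate.
function renderClientSideGate(article, user) {
  const style = isSubscriber(user) ? "" : ' style="display: none"';
  return (
    `<article><h1>${esc(article.title)}</h1>` +
    `<p class="teaser">${esc(article.teaser)}</p>` +
    `<div class="premium"${style}>${esc(article.body)}</div></article>`
  );
}

// Corrected design: the server makes the access decision and leaves the
// restricted text out of the response for anyone not entitled to it.
function renderServerSideGate(article, user) {
  const premium = isSubscriber(user)
    ? `<div class="premium">${esc(article.body)}</div>`
    : `<div class="premium-locked">Subscribe to continue reading.</div>`;
  return (
    `<article><h1>${esc(article.title)}</h1>` +
    `<p class="teaser">${esc(article.teaser)}</p>` +
    `${premium}</article>`
  );
}

// Publisher-side check: does a response carry the restricted text,
// whatever the markup says about displaying it?
function responseContainsBody(html, article) {
  return html.includes(esc(article.body));
}

// Render both designs for an anonymous visitor and a subscriber, and report
// whether the restricted text left the server in each case.
function auditGates(article) {
  const users = { anonymous: null, subscriber: { subscribed: true } };
  const gates = {
    clientSide: renderClientSideGate,
    serverSide: renderServerSideGate,
  };
  const report = {};
  for (const [gateName, render] of Object.entries(gates)) {
    report[gateName] = {};
    for (const [userName, user] of Object.entries(users)) {
      const html = render(article, user);
      report[gateName][userName] = responseContainsBody(html, article);
    }
  }
  return report;
}

console.log(auditGates(ARTICLE));
```

Only the server-side gate makes "who was sent the content" an access decision; with the client-side gate every visitor has already received the full text.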


>I would say using a browser extension to direct the browser to display it anyways wouldn't be a violation. You were authorized to make the initial request for the otherwise public page and they choose to send the full content to you. You aren't making any other connections to their system that you aren't authorized to make.

An interesting point.

I, as a general rule, disable javascript in my daily driver browser (Firefox).

Doing so breaks the paywall on certain sites. I'm not specifically targeting those sites (e.g., with uBlock or noscript), as I've disabled javascript for all sites and don't use any extensions to bypass paywalls.

Where the use of javascript is required (and I find that out by visiting the site -- then decide whether I actually want to view/use it) I'll use a different browser altogether (in my case, Vivaldi).

I don't believe that disabling javascript is a "hacking" attempt, mostly because I don't do so to bypass anything -- rather, I don't want arbitrary javascript executing on my systems.


The tone of your question is odd, "I'm surprised..." is usually followed by a mention of "MSM" and a hint of "They're censoring discussions!".

But well, for the people too lazy to google: https://h2o.law.harvard.edu/text_blocks/30226 . The only mention of IP I could find was:

> The Ninth Circuit found a CFAA violation where “after receiving written notification from Facebook” Power Ventures “circumvented IP barriers” and continued to access Facebook servers. Id. at 1068. In short, Power Ventures accessed Facebook computers “without authorization.”

IANAL but I would only worry about a criminal offence after getting a written warning...


People argue all kinds of dumb shit in litigation. Wake me up when a court agrees with them on this.


[flagged]


> Accessing material that has been deemed illegal enough to be the subject of a country-wide block is generally going to be a criminal offense.

That’s not the issue discussed here, I think. We’re not talking about someone circumventing censorship in their own country (which is obviously illegal in your own country).

What we’re talking about here are IP-based country filters imposed by websites such as Netflix or BBC iPlayer, restricting visitors from certain countries from accessing all or certain content. Circumventing that filter by using a VPN (thereby masquerading as someone in a “permitted visitor country”) is obviously going to be a breach of the terms & conditions of that website and/or license conditions of content made available. But the argument apparently raised by LinkedIn in this case is that this is also a criminal offence of gaining unauthorised access to systems (i.e. legalspeak for what’s colloquially referred to as “hacking”), which would likely lead to (more severe) prosecution and punishment.


From the context, (CFAA, a US law) "VPN to get access to content that is otherwise blocked in your country through an IP Block" wouldn't be referring to using a VPN to bypass blocks imposed by "your local government" or censorship-related issues, but rather circumventing blocks imposed by US-based content providers.

Hypothetical scenario: User outside the United States uses a VPN to access US Netflix content. In doing so, they have circumvented Netflix's access control mechanism and are accessing Netflix's computer systems in an unauthorized manner. Unauthorized access to computer systems is a violation of the CFAA. Accordingly, the foreign user is potentially liable for felony criminal charges in the US, just the same as if they had "hacked" any other computer system in the US.


Read OP quote again, parent missed the part that shows this is what they are talking about.

>> If the court follows this argument the ...

OP is referring to precedent potentially being set, but I'm not sure it would actually apply in practice. (Different laws)


Country-based IP blocks at content providers (Netflix, other streaming services) relate to their content licensing. They may have purchased the rights to distribute the film in question in the US, but not in Spain, for example. Sure, information wants to be free. But films cost real money to create, and the streaming services have a duty to the people who provide their content.

Just sayin'


Better hypothetical scenario:

User inside the United States uses a VPN to access foreign Netflix content.


Felony obstruction of Netflix's business model? :-)


> the foreign user is potentially liable for felony criminal charges in the US

US law does not apply to non-US citizens. How could a foreigner possibly be liable for anything?


The UK already deported one of their citizens to the US over hacking (https://www.theguardian.com/technology/2006/jul/07/news.usne...), so it depends on how much of a backbone your country has.


This particular case did not result in extradition - it was overturned several years later.


So long as you don’t set foot on US soil, or piss off someone enough to get extradited.

Being a foreigner is often enough to avoid the punishment, but it’s not enough to be exempt from the laws.


What the hell? You're telling me some foreign national could actually be extradited to the US over VPN IP nonsense? As if this was as bad as drug trafficking?

I just checked my country's laws. Looks like international drug trafficking is the only reason allowed for extradition. Good to see the people writing these things have some common sense.


It's worth remembering that Mega's founder, Kim Dotcom, is still fighting off extradition attempts for Copyright infringement from New Zealand.



The F it doesn't. You are correct that it can be nebulous to apply it to people not currently physically present in the US due to jurisdictional limitations, but there are numerous exceptions.


What? Law applies to the country.


It's always good to do research about VPNs before using/buying them, especially if you're not in the US.


Well, the case in question is a US case, based on US law, and using the CFAA to get around the 1st Amendment is indeed scary and should be given more weight than a casual dismissal of "well we hate censorship but....", which calls into question whether you really even hate censorship... I have my doubts

Beyond that, this is CLEARLY a bad reading of the CFAA; recent US Supreme Court rulings have shown they would prefer a narrow reading of the law instead of a broad one, so I hope the lower court recognizes this and shoots LinkedIn down.


Title is bullshit


Unfortunately I cannot change the title, but this one would be the most accurate: "Using a VPN to bypass a GeoIp block could become a criminal offence under Linkedin's CFAA interpretation"


>Unfortunately I cannot change the title, but this one would be the most accurate: "Using a VPN to bypass a GeoIp block could become a criminal offence under Linkedin's CFAA interpretation"

I'm a little confused by that interpretation of the specific case in question (Hiq Labs v. LinkedIn).

IIUC, LinkedIn isn't doing GeoIP blocks (AFAIK, the San Francisco bay area is not being blocked by LinkedIn, just HiQ Labs' IP range).

What's more, HiQ Labs is scraping publicly available content. Most GeoIP blocking (such as Netflix/BBC, etc.) is done to keep subscribers from accessing content that the provider isn't licensed to provide in the location where the connection originates.

Even more, accessing such content even if you are in a location where that content is available requires a login (i.e., isn't publicly available) to access that content.

I don't see a parallel here.

As such, I'm not sure how the result here (either way) could impact the use of VPNs more broadly.

Then again, IANAL and may well be missing something.

If you'd expound on your reasoning around this, it would be greatly appreciated. Thanks!

Edit: Fixed typo.



