Paper 3
A brief history of hacking
Legal tools
Felony prosecutions
Zero-day exploits: cisco, MBTA
Trust and SSL
Jurisdiction
Trusting software
Voting
Linking
Hacking
To some of you, hacking is clearly wrong
and there shouldn't even be a question here. If you're one of them,
just pay attention to the legal-strategies-against-hackers part.
However, is using a website in a manner contrary to the provider's
intentions always hacking?
Baase's "three phases of hacking"
1. Early years: "hacking" meant "clever programming"
2. ~1980-~1995:
hacking as a term for breakin
largely teenagers
"trophy" hacking
phone lines, BBSs, gov't systems
lots of social engineering to get passwords
1994 Kevin Mitnick Christmas Day attack on UCSD
(probably not carried out by Mitnick personally), launched from apollo.it.luc.edu. [!]
3. post-1995: hacking for money
early years / trophy
Phone phreaking: see Baase, p 256
Joe "The Whistler" Engressia
was born blind in 1949, with perfect pitch. He
discovered (apparently as a child) that, once a call was connected, if
you sent a 2600 Hz tone down the line, the phone system would now let
you dial a new call, while continuing to bill you for the old one.
Typically the first call would be local and the second long-distance,
thus allowing a long-distance call for the price (often zero) of a
local call. Engressia could whistle the 2600 Hz tone.
According to the wikipedia article on John Draper, Engressia also discovered that the free whistle in
"Cap'n Crunch" cereal could be modified to produce the tone; Engressia
shared this with Draper who popularized it. Draper took the nickname "Cap'n Crunch".
As an adult, Engressia wanted
to be known as "Joybubbles"; he died August 2007
Draper later developed
the "blue box" that would generate the 2600 Hz trunk-line-idle tone and
also other tones necessary for dialing.
How do we judge these people today? At the time, they were folk heroes. Everyone hated the Phone Company!
Is phone-phreaking like file sharing? Arguably, there's some public
understanding now that phone phreaking is wrong. Will there later be a
broad-based realization that file-sharing is wrong?
How wrong is what they did? Is there a role for exposing glitches in modern technology?
What about the Clifford Stoll "Cuckoo's Egg" case:
tracking down an
intruder at Berkeley & Livermore Labs; Markus Hess was a West
German citizen allegedly working for the KGB. Hess was arrested and
eventually convicted (1990). Berkeley culture at that
time was generally to tolerate such incidents.
Robert Tappan Morris (RTM) released his Internet worm in 1988; this was
the first large-scale internet exploit. Due to a software error, it
propagated much
more aggressively than had been intended, often consuming all the
available CPU. It was based on two vulnerabilities: (1) a buffer
overflow in the "finger" daemon, and (2) a feature [!] in many sendmail
versions that would give anyone connecting to port 25 a root shell if
they entered the secret password "wiz".
Were Morris's actions wrong? How wrong? Was there any part that was legitimate? RTM was most likely trying to gain fame for discovering a security vulnerability. There was no financial incentive.
The jury that convicted him spent several hours discussing Morris's argument that when a server listened on a port (eg an email server listening on port 25), anyone was implicitly authorized to send that port anything they wanted. That is, it is the server's responsibility to filter out bad data. The jury eventually rejected this argument.
Mitnick attack: how much of a problem was that, after all? There are
reports that many Mitnick attacks were part of personal vendettas.
(Most of these reports trace back to John Markoff's book on Mitnick;
Markoff is widely believed to have at a minimum tried to put a slant on
the facts that would drive book sales.)
Stage 3: even now, not all attacks are about money.
Baase, p 259:
"In 1998, the US Deputy defense secretary desribed a series of attacks
on US military computers as 'the most organized and systematic attack
the Pentagon has seen to date.' Two boys, aged 16 and 17, had carried
them out."
What about the London attack of about the same era on air-traffic control?
2000: the "Love Bug" or ILOVEYOU virus, by someone named de Guzman. If
you read the subject and opened the document, an MS-word macro launched
the payload.
MS-word macros were (and are) an appallingly bad idea. Should
people be punished for demonstrating this in such a public way? Was
there a time when such a demonstration might have been legitimate?
Yahoo ddos attack & mafiaboy, aka Michael Calce
The attack was launched in February 2000. Calce got discovered by bragging
about the attack pseudonymously on chatrooms. Alas for him, he'd
previously used his pseudonym "mafiaboy" in posts that contained
more-identifying information.
Conficker worm, April 1, 2009
Putting a dollar value on indirect attacks
This is notoriously hard. One of Mitnick's colleagues (Phiber Optik?)
was facing damage claims from one of the Baby Bell companies in excess
of $100,000, when it was pointed out that the stolen document was in
fact for sale for under $25.
Calce & Mitnick now both work in computer security. Is this appropriate?
One theory is that gaining notoriety for an exploit is the way to get a security job. Is that appropriate?
If not, what could be done differently?
Modern phishing attacks (also DNS attacks)
Stealing credit-card numbers from stores. (Note: stores are not supposed to retain these at all.)
Boeing attack, Baase p 262: how much should Boeing pay to make sure no files were changed?
TJX attack: Baase p 87
40 million credit-card numbers stolen! And 400,000 SSNs
Hackers apparently cracked the obsolete WEP encryption on wi-fi
networks to get in, using a "cantenna" from outside the building.
When attacks ARE about money, often the direct dollar value is huge.
And tracing what happened can be difficult. An entire bank account may
be gone. Thousands of dollars may be charged against EVERY stolen
credit-card number.
Is it ok to be "testing their security"?
What if it's a government site?
Should you be allowed to run a security scanner against other sites?
What if the security in question is APPALLINGLY BAD?
What if you have some relationship to the other host?
Baase, p 270:
"The Defense Information Systems Agency estimated that there were
500,000 hacker attacks on Defense Department networks in 1996, that 65%
of them were SUCCESSFUL, and that the Dept detected fewer than 1%"
Do we as citizens have an OBLIGATION to hack into our government's computers, to help demonstrate how insecure they are?
What about hacking into Loyola's computers? Are we obligated to do that? What about Loyola's wireless network?
Ok, failing that, what is our obligation to prevent intrusions that are not likely to be directly harmful to us?
Hactivism
In 2006, Kevin Mitnick's sites were defaced by a group. There's some irony there.
Other Baase cases:
several attacks against Chinese gov't sites, due to repressive policies
pro-Zapatista groups defacing mexican gov't sites
US DoJ site changed to read "Department of Injustice"
Legal tools against hackers
Once upon a time, authorities debated charging a hacker for the value
of electricity used; they had no other tools. The relative lack of
legal tools for prosecution of computer breakins persisted for some
time.
Computer Fraud & Abuse Act of 1986: made it illegal to access
computers without authorization (or to commit fraud, or to get
passwords)
USAP AT RIOT act:
extends CFAA, and provides that when totting up the cost of the attack,
the victim may include all costs of response and recovery. Even
unnecessary or irresponsible costs.
Trespassing?
"Trespass of Chattels": maybe. This is a legal doctrine in which one party intentionally interferes with another's chattels,
essentially personal property (including computers). Often actual harm
need not be proven, just that the other party interfered, and that the
interference was intentional and without authorization.
In 2000 e-bay won a case against Bidder's Edge where the latter used
search robots to get information on e-bay auctions. The bots used
negligible computation resources.
Later court cases have often required proof of actual harm, though.
In 1998 [?], Ken Hamadi used the Intel email system to contact all
employees regarding Intel's allegedly abusive and discriminating
employment policies. Intel sued, and won at the trial and appellate
court levels. The California Supreme Courts reversed in 2003, ruling
that use alone was not sufficient for a trespass-of-chattels claim;
there had to be "actual or threatened interference".
How do you prosecute when there is no attempt to damage anything?
Part of the problem here is that trespass-of-chattels was a doctrine originally applied to intrusions,
and was quickly seized on as a tool against those who were using a
website in ways unanticipated by the creator (eg Bidder's Edge). Is
that illegal? Should the law discourage that? Should website owners be
able to dicate binding terms of use for publicly viewable pages (ie pages where a login is not required)?
Felony prosecutions: Kutztown 13, Randall Schwartz, Terry Childs
Kutztown 13
Students were issued 600 apple ibooks in 2004
admin password was part of school address, taped to the back!
passwordd was changed, but new one was cracked too.
kids got admin privileges and:
bypassed browser filtering
installed chat/IM software, maybe others
disabled monitoring software
The school's security model was hopelessly flawed.
Who is responsible for that?
The school simply did not have the resources to proceed properly.
The kids were warned repeatedly.
But why didn't the schools simply take the iBooks away?
Why were felony charges pursued?
http://www.wired.com/news/technology/0,1282,68480,00.html
cutusabreak.org: now gone
Wikipedia: Kutztown_Area_high_School
randall schwarz
http://www.lightlink.com/spacenka/fors
Oregon made it a FELONY to do anything UNAUTHORIZED.
Also, taking a file without authorization was declared to be THEFT.
Schwartz faced three counts:
These he did as a former sysadmin, now assigned to other duties, but
still concerned about password security. All he did was to run the
"crack" program to guess passwords.
Appeals court argued that although "authorization" wasn't spelled out
in the law, Schwartz did things without authorization as narrowly
interpreted. The appellate court also upheld the trial court's
interpretation of "theft": taking anything without permission, even if
the thing is essentially useless or if the taking is implicitly
authorized.
The appellate court also seemed to believe that Schwartz might have
been looking for flaws to take credit for them, and that such personal
aggrandizement was inappropriate.
Schwartz and Kutztown 13 cases have in common the idea that sometimes
the law makes rather mundane things into felonies. For Schwartz, it is
very clear that he had no "criminal" intent in the usual sense,
although he did "intend" to do the actions he was charged with.
Terry Childs
Childs was a Cisco-certified Internetwork engineer (CCIE)
working for San Francisco; he was the only one with the router
passwords for the city's fiberWAN network.
He was suspended for insubordination on July 9, 2008,
apparently for refusing to turn over router passwords. There are GOOD
reasons for limiting access to such passwords on a need-to-know basis,
BUT refusing to turn them over might be going pretty far. (However,
there are some mitigating factors, including the fact that there was an
open speakerphone call in progress at the time Childs was asked for the
passwords). There is reasonable basis for believing that dismissal is
the only resort an employer should have when dealing with an
uncooperative employee.
Childs did nothing to damage the network, and the network was never down at any time.
He was arrested by SF police on Saturday, July 12, 2008 on four counts of computer tampering.
He is still [April 2009]in prison.
He refused to give the police valid passwords at his arrest
(such refusal is protected by the 5th Amendment).
He did give the passwords to the mayor of SF, on July 21, 2008.
Childs had some past history: he committed a burglary at age 17 and
spent 4 years in prison. This apparently has no bearing on the present
case.
The city's main claim is that Childs was arrested because he placed
the city systems in jeapordy. However:
The biggest concern to computing professionals is that San Francisco then created a
laundry list of criminal allegations against Childs that in fact are standard practices:
Childs seems to have been "security-conscious to the point of paranoia".
But most good computer-security people are!
In opposing bail reduction for Childs, the city's attorneys wrote in July 2008:
The final four charges (pretty close to the original, but none of the
tantalizing allegations of the bail-reduction motion making it in): one
of "disrupting or denying computer services" (by not revealing the
passwords) and three of "providing a means of accessing a computer,
computer system, or computer network" (one for each of the three modems).
Note that in the first "disrupting or denying computer services"
charge, no computer services were actually disrupted. The only thing
denied was the password.
There are no charges (as filed in
February 2009) of network tampering; these appeared in court documents in
July and August 2008 but were dropped. ("Network tampering" appears to have been
replaced by the three modem charges.)
The modems were all apparently legitimate: the first was to dial Childs' pager if there was a problem (through the What's Up Gold monitoring package),
the second was to allow immediate dialin access to some SF networks
(not apparently the FiberWAN), and in addition was apparently installed
before Childs was hired, and the third was to provide an alternative
communications paths to emergency services across the San Andreas
fault. (See http://www.infoworld.com/d/data-management/could-childs-case-put-all-network-admins-in-danger-979)
If there was any additional illegitimate purpose, it does not appear to be documented anywhere in any filings to date.
zero-day exploits
Should they be tolerated? Encouraged?
Consensus seems to be that zero-day exploits are still a bad idea; that
one has some responsibility to let vendors know about an exploit so a
patch can be developed.
Patch Tuesday is now followed by Exploit Wednesday.
Cisco 2005 case involving Michael Lynn: see http://www.schneier.com/blog/archives/2005/07/cisco_harasses.html
Hacking
What legal responses are appropriate?
Should we criminalize having hacking tools?
What about c compilers?
what is it? What can be done?
And WHO IS RESPONSIBLE??
Trust
With all the concern about online theft, why do we trust online
merchants at all? For that matter, why do we trust people we've met on
facebook, etc?
Why we trust online sites:
Technological issues & trust: can we at least trust that we're talking to the person we think we're talking to?
Old-style PGP (Pretty Good Privacy) trust:
You need to VERIFY people's public keys (that the key matches the
person). Otherwise you can get a bad key, write to them using it, and
be victim of a man-in-the-middle attack.
(public key crypto: each person has a public key and a private key. If
someone encrypts a message to you with your public key, you can decrypt
it with your private key. Similarly, if you encrypt something with your
private key, anyone can decrypt it with your public key, and in the process verify that it was encrypted with your private key. That last bit means that the message can act as your DIGITAL SIGNITURE.)
How can we be able to TRUST our keys?
Alice needs Bob's key.
SSL certificates (TLS certificates)
SSL = secure socket layer, old name
TLS = transport-layer security, new name
Any pair of entities can negotiate a session key:
BUT: how do you know you're not about to give your credit card to a bad guy with whom you've just created a session key?
What does this have to do with TRUST?
Do you trust the CAs listed in your browser? Huh?
Edit => Preferences => Advanced => Encryption => View Certs
Note this is powerless against phishing attacks
Although the new Extended Valuation SSL Certs might. *Might*.
Back to why we trust online vendors:
Overall, it seems that lack of bad past experience has the most to do with why we trust.
What about personal sites? (Not necessarily dating, but those too.) How
do we form online friendships (eg at discussion sites)? What makes us
think people aren't completely deceiving us? What about in face-to-face settings? Is that any different????
Jurisdiction online
jurisdictional issues: where did the sale take place? This one is very important for e-commerce.
Traditional three rules for lawsuit jurisdiction:
eHarmony lawsuits, for alleged discrimination against homosexuals
eHarmony is headquartered in California
New Jersey lawsuit by Eric McKinley, 2005
California lawsuit by Linda Carlson, 2007
How does jurisdiction apply? Should it have applied in New Jersey?
Is the fact that users must enter their address the deciding factor?
trademarks
libel/defamation
criminal law
laws governing sales: seller can sue in his home state/country
This is more or less universal.
Trademark scope
The Blue Note Cafe was located in NYC
The Blue Note, St Louis
(actually Columbia, MO) was a club, sued for trademark infringement by
Blue Note New York because they had a web site.
The case: Bensusan Restaurant Corp v King, 937 F. Supp. 295 (SDNY 1996)
The case was brought in federal district court, which decided there was
a lack of jurisdiction. Before that, however, note that the Missouri
club began using the name in 1980, and the NYC club did not register
the trademark until 1985. Note that, generally speaking, in this sort of situation the Missouri club retains the right to continue to use the name locally, while non-local use is reserved to the federal trademark-holder.
The district court did look at the "long-arm statute" of the "forum state", that is, New York. The New York law provides that
The State-court interpretation of this was that the act had to be committed in New York State, and the federal court deferred to this interpretation.
Another part of the NY state law did provide for jurisdiction when the other party was outside the state. However, the law also
The second circuit decided that Blue Note Missouri did not derive revenue from interstate commerce. End of case.
Blue Note St Louis had a mostly passive web site, although they did
advertise tickets online, to performances at the club itself. These
tickets had to be picked up at the Missouri box office; they were never mailed. Does this matter? Does it matter that the tickets were technically not sold over the internet, but instead you had to call a phone number?
This case was decided on jurisdictional grounds: NY State did not have jurisdiction.
The second-circuit appellate decision is at http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=2nd&navby=docket&no=969344.
Domain names
zippo v zippo, 1997
See http://cyber.law.harvard.edu/metaschool/fisher/domain/dncases/zippo.htm
zippo lighters v zippo.com
trademark infringement filed under PA state law, but filed in federal district court.
PA "long arm" statute
zippo.com was a news service. They had email customers in PA, and two ISP customers.
(1) the defendant must have sufficient "minimum contacts" with the forum state,
(2) the claim asserted against the defendant must arise out of those contacts, and
(3) the exercise of jurisdiction must be reasonable.
Decided JURISDICTIONAL issue, plus others: PA did have jurisdiction
Note the gray area between a completely passive website, just an
"electronic billboard", and “the knowing and repeated transmission of
computer files over the Internet”. Usually the latter means
subscriber-specific information.
What about google.com? Should Illinois courts have jurisdiction?
Internationally, we already looked at LICRA v Yahoo, filed in France (and won by LICRA) for Yahoo's selling of Nazi memorabilia on its auction site in the US. Yahoo had initially agreed to comply with the French order, and then later changed its mind, and filed suit in the US asking that the US court declare that the french court did not have jurisdiction. That case ended in a draw (specifically, in a declaration that the case was not "ripe").
Suppose your bank makes an error. Where do you sue them? What if their only presence in your state is online? Consider the case Soma Medical v Standard Chartered Bank.
SCB is located in Hong Kong. Soma is in Utah. Soma did banking with SCB
online. Some money disappeared. Soma lost their lawsuit in Utah
[Michael Shamos]
NTP v RIM: RIM's network hub was in Canada. RIM lost on that point, but there remain serious questions about whether US patent law extends to other countries.
Butler v Beer Across America
http://itlaw.wikia.com/wiki/Butler_v._Beer_Across_America
BAA is an Illinois company selling beer over the internet. Butler's
minor son ordered beer, and it was delivered to him despite rules that
required an adult signature. Butler sued BAA under an Alabama law that
makes it illegal to sell alcohol to minors. In this case, Butler lost
her bid to get Alabama jurisdiction, though the case was transferred by
the Alabama court to Illinois.
Cybersquatting:
This is somewhat related to trademark disputes, but an essential component is the claim that one party doesn't really want the trademark, but just wants to "extort" money from the other side.
See http://www.networksolutions.com/legal/dispute-policy.jsp
Uniform Domain Name Dispute Resolution Policy -- ICANN
========
Also AntiCybersquatting Consumer Protection Act.
Some form of bad faith is usually necessary. But not always, if the
effect is to resemble a famous trademark and if you have good lawyers.
Sometimes the only "bad faith" or "intent to profit" is the offer of
the domain holder to settle the case by selling the domain to the
plaintiff.
All this is really about trademarks, not about jurisdiction. But the
"flat" namespace of the web makes all trademark disputes national, or
even global.
vw.net: virtual works
http://www.news.com/2100-1023-238287.html
Peculiarity: vw.net, a one-man company with James Anderson as
principle, offered to sell the name to volkswagen in 1998, and
threatened to auction the name off if volkswagen did not buy. This
triggers a presumption of domain-name squatting.
See http://vwx.com. Oops, I guess not; that site is now for sale. At one point, it was about Anderson's side of the case.
A possibly important point was that virtual works never used the abbreviation "vw" except in the domain name.
They (vw.net) lost.
Is this about cybersquatting? Or is it about the (lack of) rights of the Little Guy to use their trademark in good faith?
american.com: formerly owned by cisco, now a private 'zine (the airline is aa.com)
gateway 2000 v gateway.com
gateway.com was a computer consulting firm, run by
Alan Clegg. There was absolutely no evidence that Clegg foresaw that in
the year 2000 the name gateway2000.com would become obsolete, and
reserved gateway.com in anticipation of a domain sale.
yahoo.com v yahooka.com [which see]
Case was actually never filed
state-law libel and jurisdiction
A state court in Clayton v. Farb, 1998 Del. Super. LEXIS 175 (Del.
April 23, 1998), found that Delaware's long arm statute did NOT reach
the defendant, who posted allegedly libelous and slanderous false
statements about the plaintiff on his Internet site. The statute
provided for jurisdiction over tortious activity outside of Delaware
ONLY if defendant regularly conducted business in the state. The court
found that access in Delaware to defendant's Internet posting did not
constitute sufficient contact to support the exercise of personal
jurisdiction.
****** Decided on JURISDICTIONAL grounds
DE did not have jurisdiction
Laws governing libel:
Truth is a defense, but can be expensive to prove. If you say something
false about a public figure, they have to prove actual malice. If you
say something false about anyone else, all they have to prove is that
you were negligent.
We've seen Batzel v Cremers.
Cremers lost on the jurisdiction issue.
But what if the legal climate in the Netherlands was different for
libel lawsuits? What if in the Netherlands the burden of proof lay with
the plaintiff to prove something false, and Cremers was sued in a
jurisdiction (eg England, which still has pro-plaintiff libel laws)
where the burden of proof lay with the defendant?
Trusting software: how do we do this? What responsibility do vendors have?
is there an obligation for software to work on our behalf?
a "fiduciary obligation"?
Trusting your email software; trusting your browser
See http://stopbadware.org
What about DRM? What about Windows?
Most is spyware or viruses or some inappropriate "control" software (eg Sony's)
stopbadware.org definition
1. If the application acts deceptively or irreversibly.
2. If the application engages in potentially objectionable behavior without:
See also stopbadware.org/home/guidelines
Also see http://stopbadware.org/home/alerts:
RealPlayer had been here (Spr 2008?) (still in stopbadware.org/home/alertsarchive)
KaZaa had been here in (Spr 2008?)
Spyware Striker Pro (Spring 2009)
(ironically, this is NOT "fake" spyware-removal software!)
We've seen that people form trust relationships based on a fairly
limited set of positive experiences (though a limited set of negatives,
as well). Sometimes it seems that software has a lot to live up to, in
that we trust it because we don't see bad experiences, but it is so easy for software to take advantage of us.
* collecting personal information
* sony "rootkit" cd driver
Email: who is responsible for keeping you safe from spam?
From embedded tags in html that reveal to the sender if you've viewed the email?
The images issue has been around for almost a decade; many email
vendors (and many freemail providers) have been reluctant to support
image-blocking until ~2006 or later. (There may be
non-conflict-of-interest reasons for that: it may be perceived as a
hard-to-understand option.)
Browsers: browsers do all sorts of identification of themselves when
they connect. Some of that is important; some is questionable. Most
browsers do not leak "private" information.
Try http://www.jms1.net/ie.shtml, with internet explorer.
What about cookies?
Many browser PLUGINS do leak
some degree of private information. When you register a plugin, you
connect some personal information to that plugin. Also, some plugins
contact the mothership at regular intervals.
See spywareremove.com/remove-BrowserPlugins
SEVERAL media players (plugin or otherwise) may do some checking of
licenses or with mothership before allowing play. Perhaps most players
from media companies behave this way.
What about compatibility lock-in?
To what extent should your OS be required to act on your behalf?
Palladium (aka Next-Generation Secure Computing Base):
locks you out of lots of things.
Trusted side: can't be reached by debuggers or viruses
Problem: machine now is autonomous; vendor has complete control.
Software updates, file compatibility,
SONY case has the rights of users front and center.
Sony's 2005 copy-protection scheme : that installs a private CD driver
AND a hidden "r00tkit" that conceals itself and hides some registry
keys.
Is this legit?
How does it compare with Palladium (secure-computing platform)?
Users do click on a license agreement. Were they sufficiently warned?
(Software may have been installed before the EULA came up; and in any event clearly the EULA did not explain just what was going on.)
Note from Mark Russinovich, via wikipedia:
There is now a virus/worm out that takes advantage of the sony kit.
Sony issued an uninstall utility that didn't actually uninstall the
software, but did make it visible. However, users had to supply an
email address, which by Sony's privacy policy was eligible for spamming.
This or a later removal kit allegedly ADDED a bad ActiveX control.
Trusting voting machines
If we trust our phones and calculators, why on earth shouldn't we trust voting machines?
Because nobody will gain from secretly having our phones and calculators give incorrect results.
(And there are now phone viruses)
Look at the video at http://itpolicy.princeton.edu/voting/videos.html
Question to think about and for discussion:
Who are we trusting when we use these machines in an election?
How is this trust different with paper ballots?
Why did they make the video (versus just writing a paper)?
Notes: just booting with a clean memory card does NOT necessarily
clear the machine! The bootloader in flash memory may have been
corrupted. The machine loads a new bootloader from every card with a
file fboot.nb0
Seals (which Diebold recommends) are often ignored, and if not then breaking them constitutes an effective DoS attack.
What about linking?
Is a link to a defamatory site a form of defamation?
(It probably depends on the context)
Is a link to "illegal" software forbidden?
2600 case:
Is linking to a site a form of using that site without authorization? Possibly leading to a claim of trespass-of-chattels?
What about linking to other sites:
bandwidth
trademark
avoidance of advertising
cussedness/control
search engines do this CONSTANTLY.
For a while this was a serious issue, but it seems to be flaming out. Lots of sites still have bizarre linking policies, though.
dontlink.com
Universal v Reimerdes:
from wikipedia:
In particular the Second Circuit ruled that linking on the Internet
happened so fast that it could be restrained in ways that might not be
constitutional for traditional media.