
Violating Terms of Use Isn’t a Crime, EFF Tells Court - DiabloD3
https://www.eff.org/deeplinks/2017/02/violating-terms-use-isnt-crime-eff-tells-court-again
======
turc1656
"But last year, a federal district court in Nevada found a defendant guilty
under both the California and Nevada state computer crime statutes for nothing
more than that—violating Oracle’s website’s terms of use."

That's insane. The terms of service is essentially a contract that you are
agreeing to to use the website/software/service. Failure to adhere to it is a
breach of contract, not a violation of law.

If you break an NDA, for example, you don't wind up in jail or have a criminal
history. The other party takes you to court to enforce the penalty listed out
in the contract for the breach.

~~~
salted-fry
My understanding is that, under the CFAA, any unauthorized access to
commercial servers is a felony (more-or-less; there are some requirements
here, but as I recall they're so broad that they basically always apply).

The theory here is that, after breaking the TOS, if you continue to use the
service then that use is unauthorized and therefore felonious.

As the EFF notes, previous judges have refused to rule it this way, basically
on the basis of "that's insane, even if it is what the law says".

Edit: for reference, the relevant legal bits are here, in section (a.2.C),
with relevant definitions in (e.2.B):
[https://www.law.cornell.edu/uscode/text/18/1030](https://www.law.cornell.edu/uscode/text/18/1030)

~~~
turc1656
To me, that's kind of the equivalent of saying that if someone sends you the
direct link to a file on a site that normally prompts to accept an agreement,
and instead you bypass that with the direct link, you could be considered a
felon because you didn't agree to the ToS, which is required to access that
file. I think most people would say that anything publicly available that
easily isn't protected and it is considered fair access for anyone with an
internet connection. You would have to have some kind of protection to
restrict access for anything to be deemed "unauthorized".

For this particular case, they were just told to cease and desist with the
scripting/scraping of the data. Access was never revoked. Any decent lawyer
should be able to easily make a claim that a reasonable person thought they
still had authorized access because it had not been revoked. I don't think the
article makes clear whether or not they had a username/password login or
whether or not the files were available just with public URLs, but it doesn't
matter in my mind because the company had a business relationship with Oracle
to provide third party support for Oracle products. They would have to block
access, end the business agreement, or specifically notify them that continued
access is no longer allowed for the unauthorized access argument to hold up.

------
holtalanm
Just my opinion, but I think ToS were originally in place to define how a user
_should_ use the site, and how the site operators could act in response to
violation.

I don't think they should be held as even a contract, much less criminal law.

Truthfully, they are really only there to protect the company by outlining to
the user what might get them banned from the site and so on. Oracle is
overstepping its authority here imo. It is their own fault they didn't revoke
access to the site from that company.

~~~
jahewson
ToS is not a contract, it's a _license_. By default you don't get a free
licence to access and copy others' work, and so one has to be granted.

Much in the same way that you can't start using someone else's land without
their permission and you don't get to say "I never knew" or "I never agreed
not to use the land". By default, you are not allowed to and must have that
right granted to you and you are expected to know that.

Should an (otherwise non-criminal) violation of a software license be treated
as a criminal offence by the courts just because it involved a computer? Hell
no. Private citizens do not get to invent criminal law themselves and the EFF
should fight this hard but not for the reasons you give.

~~~
appleflaxen
Why do you need a license to use something that is posted and publicly
accessible? A license makes sense for a copyrighted work that you are copying,
but for a web service it's less clear.

If I had a physical analog of facebook (a bunch of photos, a travel journal,
and a list of my friends) and left it on a table, then do you need a license
to pick it up and review it? No. So why do you need one if I do the same thing
as a web site?

------
rayiner
The EFF is right, but the relevance of the TOS violation is more subtle than
the EFF's explanation makes it out to be. Using someone's property without
their consent is, of course, a crime. When that property is ordinarily
available for public use, consent is presumed, but can be revoked. It can be
criminal trespass to remain in a store after you're kicked out (although
usually it's just civil trespass).

Here, "Oracle sent Rimini a cease and desist letter demanding that it stop
using automated scripts. It did not, however, rescind Rimini’s authorization
to access the files outright." So the question is, was the implied consent to
use Oracle's servers effectively revoked?

Arguably not. A public mall can get you kicked off the property for any
reason, and can press charges for criminal trespass if you don't leave. But it
can't press charges for criminal trespass for violating the sign on the door
that says "no hats." And it probably can't press charges for criminal trespass
if it sees you wearing a hat and tells you to take it off, but doesn't kick
you off the property.

------
vog
Here in Germany the law states that ToS are only applicable if they contain
"no surprising terms". Which is really nice! Although this doesn't give you
permission for everything, it protects you from any "cleverness" of a site's
operator. It ensures that indeed almost nobody needs to read ToS. Even lawyers
tell you this.

~~~
Tepix
No, what you mean are "AGB" (terms and conditions) that govern contractual
relations between companies and their customers. They are part of all
contracts.

The terms of service ("Nutzungsbedingungen") that Oracle posts on their website
that dictate how to use and access their website are invalid in Germany as
well.

------
rplst8
The fact that this has to even be argued is appalling. The erosion of the
difference between a tort and crime over the last few decades is very
concerning.

I think a lot of it started with the changing of copyright law into criminal
law.

~~~
nickff
This is part of a larger situation where everything is becoming criminal law.
The Yates and Bond cases illustrated the breadth of the government's use of
laws to punish undesirable behaviours, and tens of thousands of regulations
have criminal penalties with no mens rea requirement. The government is even
using criminal statutes against corporations (not the officers or employees),
which doesn't make any sense.

~~~
shados
Having recently had my first major experience with US law, I'm starting to
understand (not agree with. Understand) why this happens.

The US civil laws really only apply to middle class suckers. Rich people can
use their lawyers to work around it. Poor people are "judgment proof". If you
don't have a house, you're working under the table, and your bank account is
empty, there's fuck all people can do against you. With criminal law on the
other hand...

There's only so many times you can hit someone who's judgement proof before
you start wishing you could get them tossed in jail.

I recently had someone who screwed me over for a very large amount of
money. He was laughing at me in the face making sure I remembered that even if
I won a lawsuit against him, I'd never be able to collect. He was
unfortunately quite right.

------
codedokode
Isn't it nice if ToS is legally binding?

1. Make a website and write somewhere in the middle of ToS that visitor must
pay $1000 (for example) for every page viewed or for every second spent on a
site

2. Persuade him to press "I have read and agree to the ToS" and to stay as
long as possible

3. Send a bill

~~~
jahewson
Unfortunately for your hypothetical website owner, this is extortion, which is
a real crime.

~~~
inetknght
How is that any different from any other ToS? How do you define extortion?

------
DarkKomunalec
It's about time corporations took out the government middle man and started
making laws themselves.

~~~
a3n
I'd like to read that book. cstross? Gibson?

~~~
falcor84
Max Barry's "Jennifer government" comes close.
[https://en.m.wikipedia.org/wiki/Jennifer_Government?wprov=sf...](https://en.m.wikipedia.org/wiki/Jennifer_Government?wprov=sfla1)

~~~
a3n
From the wikipedia article, wow, what a depressing story. It sounds
fascinating, but I'm not sure I can take it at the moment. Thanks for the tip.

------
pflats
"Oracle sent Rimini a cease and desist letter demanding that it stop using
automated scripts. It did not, however, rescind Rimini’s authorization to
access the files outright. Rimini continued to use automated scripts, and
Oracle sued. The jury found Rimini guilty under both the California and Nevada
computer crime statutes, and the judge upheld that verdict—concluding that,
under both statutes, violating a website’s terms of service counts as using a
computer without authorization or permission."

I'm a little confused here. I'm with the EFF that violating the TOS shouldn't
be criminal. But if you're given a C&D that says "stop using automated
scripts" and you continue using automated scripts, why is the TOS relevant at
all? Isn't Rimini clearly exceeding their authorized access (left available
for manual downloads) based on the C&D?

~~~
wahern
The federal law at issue here isn't contingent on the owner delivering a Cease
& Desist letter or even taking any affirmative steps whatsoever. No court is
going to read that into the law. At best a C&D is evidence of the rescission
of authorization, but all the statute cares about is whether authorization
existed or not.

Importantly, Oracle didn't actually lock their account. And even more
importantly, AFAIU this guy was an employee.

For these and some other technical reasons (I haven't read the case but likely
part of it may be related to the jury instructions), the question to be
answered by the court really comes down to whether violation of Terms of
Service alone suffices to meet the "without authorization" prong of the
criminal statute.

If the answer is no then the case goes back to trial. The defendant doesn't
get a free pass, it's just that the prosecution will have a slightly higher
burden to overcome in showing lack of authorization. Higher in the sense that
the burden involves taking into consideration other factors than merely
boilerplate policies and notices.

Another way to look at it is, say your boss tells you that you must leave the
office at 5PM sharp, and that nobody is allowed to log into corporate accounts
after 5PM. This policy is also displayed from /etc/motd every time you log in.
You occasionally stay at work late some evenings, accessing the corporate
accounts in a typical fashion. One day you're accused of doing something
nefarious--maybe you were, maybe you weren't. Is your working after 5PM a
prima facie showing that your access was unauthorized? That is, do all they
have to show is that corporate policy was not to log in at 5PM? Is it rebuttable?
Does it matter whether your boss communicated this to you personally?

The way these legal tests work, at least in common law countries, is that you
break the law down into predicates. For the law to apply, you must show that
each predicate holds. Each predicate is its own little universe. You don't
take other predicates into account; there's often a separate predicate for
intent and other overarching context. The predicate here is "without
authorization". What does that mean? It's a trickier question than you'd think.
And it can't merely mean whatever your boss intended--it has to be an
objective standard that doesn't lead to absurd outcomes in the real world.
Especially in criminal law, a crime can't turn on someone's subjective intent,
except for the intent of the accused. Similarly, specifically in regard to
"without authorization" not even the accused's intent matters.

~~~
pflats
>all the statute cares about is whether authorization existed or not.

No, that's not all the CFAA cares about.

>(a)(2)(C) Whoever intentionally accesses a computer without authorization or
exceeds authorized access, and thereby obtains information from any protected
computer;

Thus my confusion. Why present the case as "without authorization" (based on
the TOS) in the first place, when "exceed[ing] authorized access" (based on
the C&D) seems like a much lower bar to clear and is less likely to provoke
nonprofits complaining about precedent?

[https://www.law.cornell.edu/uscode/text/18/1030#a_2](https://www.law.cornell.edu/uscode/text/18/1030#a_2)

------
snarfy
Popular websites should add an Oracle employee clause to their ToS so that
employees of Oracle corporation are not allowed to use it.

~~~
awinter-py
even more interesting case:

Recent case law has mostly struck down the CFAA criminal penalties for
violating TOS. But case law generally imposes a higher obligation on
_employees_ to comply with authorized use agreements that they've signed.

If you concretely enumerate the authorized uses of employee access and leave
out subpoenas, the first time you're served with a FISA letter you can keep
the court busy for weeks pending a ruling on the CFAA consequences.

This will never work long term and it will certainly piss off some judges &
FBI agents, but at least it can further defang the overzealous authorized use
language in the CFAA.

The fact that the FBI (or whoever drafted the natl security letter) is
inducing you to commit a felony may also trump the gag order. But YMMV with
that argument. Even if you win that one on appeal you'll spend some time in
jail in the interim.

------
peterclary
IANAL, but surely violating Terms of Use is essentially a breach of contract?
Making breach of contract a crime would be very foolish indeed.

~~~
elmigranto
> surely violating Terms of Use is essentially a breach of contract

Is it though? Not a lawyer and my layman's intuition makes it hard to see a
connection between ToS and contract.

Like, if I type `something.com` in my browser by accident and their ToS is
"you owe us $400 for each TCP packet, kindly do provide government issued ID".
So I have couple of questions:

- How is that different from ToS on Facebook?

- How does marking a checkbox create a contract between a person and entity
owning a site, same way as my signature or providing personal info, address
and money to Amazon in exchange for goods?

- And who would that person even be in FB case (anyone can put my name into a
website from a public library computer)?

~~~
civiscolumbusum
your argument is valid but your tone is missing the point PP made. To reword
what he said "there is no way this is criminal law, this needs to be argued as
perhaps contract law with 'breach of contract' as the upper limit if it rises
to that level"

you proceeded to argue the case the way he said it should be argued, but by
quoting PP and challenging, you seem to be arguing with him, when in fact you
are agreeing with him.

if you edit your comment, I could even delete mine :)

------
josho
Going forward we should all have our minor children create accounts for us and
be the ones to accept the TOS.

Once you realize that is a reasonable workflow you've realized how
unenforceable TOS are for everything but corporate contracts where documents
are being signed and witnessed.

~~~
wire9
Something like this worked out in my favor maybe 10 years ago. ChaCha (the
search and get live answers site) was just started and wanting some extra
pocket money I signed up to be an operator. I was probably 15 at the time, of
course I just clicked 'yes I am 18' and ended up being accepted.

Well I found a few flaws in their system and started racking up money way
faster than should have been allowed. After a few days of this and hundreds in
my account I got a phone call during dinner. It was ChaCha, threatening to sue
me for 'hacking them'. The 180 they pulled when I casually mentioned I was
only 15 was amazing to witness. They completely dropped the matter on a verbal
agreement that I would not visit their site anymore.

~~~
tuna-piano
Care to elaborate on the flaw in their system that you exploited? I'm sure I'm
not the only one interested.

~~~
wire9
Sure. This was somewhere around 10 years ago so my memory is slightly fuzzy on
all the technical details but here's the gist of it:

As an operator your main interface to their system was a Java desktop
application. Basically you sit there waiting for it to go 'ding!', you read
the question, and accept if you think you're capable of answering. You would
research (they heavily pushed their sources but Google was better about 100%
of the time) and then communicate the answer back to the user using the
application.

Once it was accepted the application would make an HTTP request to ChaCha's
server to basically say 'A question was answered by this user'. This was
easily visible using normal tools like Wireshark, etc. For your efforts you
would be rewarded some very small amount of money, something like $.02.

I simply wrote a VB.NET application to hit this HTTP endpoint over and over
again which would add money to my account without me doing any work. They
didn't seem to be doing any verification that I had actually been given
questions to answer.

The reason they noticed me was because I left ~8 instances of this program
running for like 3 days straight which netted me hundreds of dollars ready to
be cashed out, way more than any operator would be even remotely capable of
normally given their pay scheme. So I was smart enough to figure this out but
dumb enough to get caught almost immediately. And I'm not a lawyer but my
guess is that this was considered fraud. Glad my morals eventually
straightened out before I got myself in real trouble, honestly this was a
decent lesson for 15 year old me.
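
The missing server-side check described in the comment above, as an added example that is not part of the thread and is not ChaCha's code: the ledger credits a claim only for a question the server itself assigned to that operator, once, and holds accounts whose claim rate is implausible. The class, method names, token scheme and hourly ceiling are all hypothetical.

```python
"""Server-side validation of a reward claim (hypothetical names throughout)."""
import secrets

REWARD_CENTS = 2            # "$.02" per answer, the figure given in the comment
MAX_CLAIMS_PER_HOUR = 120   # constructed ceiling for a human operator


class RewardLedger:
    def __init__(self):
        self.assignments = {}   # claim token -> (operator, question_id)
        self.balances = {}      # operator -> cents
        self.claim_times = {}   # operator -> timestamps of recent valid claims
        self.flagged = set()    # operators held for manual review

    def assign(self, operator, question_id):
        """Server hands a question to an operator and records that it did."""
        token = secrets.token_urlsafe(16)
        self.assignments[token] = (operator, question_id)
        return token

    def credit_naive(self, operator):
        """Flawed behaviour: trust the client's 'question answered' call."""
        self.balances[operator] = self.balances.get(operator, 0) + REWARD_CENTS
        return True

    def credit_checked(self, operator, token, now):
        """Credit only a server-issued assignment, exactly once."""
        owner = self.assignments.get(token)
        if owner is None or owner[0] != operator:
            return False                      # never assigned, or not to this operator
        del self.assignments[token]           # single use: a replayed claim fails
        recent = [t for t in self.claim_times.get(operator, []) if now - t < 3600]
        recent.append(now)
        self.claim_times[operator] = recent
        if len(recent) > MAX_CLAIMS_PER_HOUR:
            self.flagged.add(operator)        # implausible rate: hold, do not pay
            return False
        self.balances[operator] = self.balances.get(operator, 0) + REWARD_CENTS
        return True


def replay_demo(repeats=1000):
    """Send the same claim `repeats` times to each variant; return both balances."""
    naive, checked = RewardLedger(), RewardLedger()
    token = checked.assign("op1", "q-1")      # constructed sample data
    for second in range(repeats):
        naive.credit_naive("op1")
        checked.credit_checked("op1", token, now=second)
    return naive.balances["op1"], checked.balances["op1"]


def rate_demo(assigned=121):
    """Claim many genuine assignments inside one hour; return (balance, flagged)."""
    ledger = RewardLedger()
    tokens = [ledger.assign("op1", f"q-{i}") for i in range(assigned)]
    for second, token in enumerate(tokens):
        ledger.credit_checked("op1", token, now=second)
    return ledger.balances["op1"], "op1" in ledger.flagged


if __name__ == "__main__":
    print(replay_demo())   # naive balance grows per request; checked pays once
    print(rate_demo())
```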

~~~
TallGuyShort
>> honestly this was a decent lesson for 15 year old me

And not a bad lesson for the company, either :)

~~~
kefka
It honestly sounds like Cookie Clicker, but for money..

(If you don't know what that is, just stay away)

------
peeters
I think in a democracy there should be some group of state attorneys who are
not just allowed, but _mandated_ to prosecute the law to the fullest extent
possible.

For example, if Congress has a law making ToU violations crimes, then there
should be a select few DAs who are required to go out and prosecute people who
enable AdBlock and visit a certain site. And it should always start with
legislators if possible. See how fast stupid laws go away.

~~~
sportanova
It should be only for legislators. Turn the tables and make them live in fear
of what they do to other people

------
fpgadude
What would happen to foreigners entering the US with a "fake" facebook profile
as their social media ID? Straight to jail or straight back home?

~~~
realusername
Nothing? Facebook is not a passport, you can be called whoever you want on it.

~~~
rocqua
If you have a false facebook account, you broke facebook's ToS! That means you
accessed facebook's servers without authentication!! That is a crime under e.g.
the CFAA!!!

Criminals go to jail.

That is the argument at least.

~~~
gondo
how do you prove that i have a fake facebook account? obviously i would have
to log-out on my mobile and laptop

~~~
xyzzy4
If you don't have identification that matches the name of your Facebook
account.

~~~
gondo
but how would they find this "name of your facebook account"? yes they will
have my ID, real name, fingerprints, etc. but how would they figure out that
I am using facebook account "puppy123"? And even if they would suspect it
somehow (someone would report it), I can simply deny and there is no evidence
that I am in fact owner of that account. or what am i missing?

~~~
xyzzy4
If you're logged into it on your phone/computer, it's evidence that you
created the account. Or else you logged into someone else's account which is
also a ToS violation.

~~~
gondo
that's why i wrote in my first comment: "obviously i would have to log-out on
my mobile and laptop"

------
stubish
Does anyone know the details of what was being automatically downloaded? I'm
aware of several Open Source projects doing this with things like Java, but
not if any of them have received cease and desist orders.

~~~
petee
The only mentions I can find refer to "support materials" for assisting
clients - That could broadly mean everything from documentation to firmware
(which they hold on to tightly with cold, dead hands). Rimini's website seems
to suggest they were probably accessing everything.

The fact that they were making money off it - and ignored a request to stop -
is probably the main difference between this and going after open-source
projects. It's essentially taking customers away from Oracle's own support
services.

~~~
gregmac
Shouldn't that be an issue of copyright then?

~~~
petee
Supposedly they had a contract for support purposes; but whether Oracle
intended for wholesale copying and redistribution (if that is even what
happened,) is an exercise for contract nitpicking - obviously this is all
speculation [[ stares longingly into the vacuum that was Groklaw... ]]

It could have come down to simply an aggressive/abusive crawler affecting
other customers?

