
Courts: Violating a Website’s Terms of Service Is Not a Crime - uptown
https://www.eff.org/deeplinks/2018/01/ninth-circuit-doubles-down-violating-websites-terms-service-not-crime
======
prepend
This is positive news. It seems like the more liberal approach taken when
protocols were written is being challenged more by young users who grew up
under more stable rules that accepted terms of service as very strong.

When I was growing up you went by what the protocol allowed. If an http
response came back you have access, if it prompted for credentials, then you
didn’t have access.

The mere idea that a web server gives you info and then you have to check a
TOS that you might not even know exists is foreign to me. But when I talked
with a young programmer they kind of agreed with Oracle saying “otherwise you
could just request everything from every possible address.” They were
unfamiliar with war drivers or even how early web crawlers started.

~~~
saurik
I continue to be shocked that Twitter convinced an entire generation of
software developers that you need to obtain something called an "API
key"--which can somehow be refused or even revoked once granted--in order to
write a client for their protocol. "Back in my day", we just reverse
engineered the official client and used whatever algorithm it used to talk to
the server and called the war won :/.

~~~
nothrabannosir
It should be illegal for companies like Twitter to forbid this. Users should
be free to access their data, and free to use any tool to do so. The revered
network effect is anti-consumer and it must be broken.

This is the one regulation that could save a nation from FB, Twitter,
Instagram and their ilk. Any politician to run on this could shoot somebody in
the middle of a crowded street without losing my support.

~~~
tomsmeding
> Any politician to run on this could shoot somebody in the middle of a
> crowded street without losing my support.

That might be a bit overdone, but I get your point.

~~~
nerflad
It's a reference to a statement the current president made during his
campaign.

------
rayiner
The EFF write up requires a bit of a caveat. The EFF states: "Oracle sent
Rimini a cease and desist letter demanding that it stop using automated
scripts, but Oracle didn’t rescind Rimini’s authorization to access the files
outright."

That's true, but it would be incorrect to infer that the Ninth Circuit's
holding in this case means that such a cease and desist is ineffective to
revoke notice for purposes of the CFAA. To the contrary, the Ninth Circuit has
held that where a defendant, "after receiving the cease and desist letter
from" the plaintiff, "intentionally accessed [plaintiff's] computers knowing
that it was not authorized to do so," the defendant was "liable under the
CFAA." _Facebook, Inc. v. Power Ventures, Inc._, 844 F.3d 1058, 1069 (9th
Cir. 2016).

The cease-and-desist letter dropped out of this case, because Rimini was
accessing Oracle's website under delegated authority from Oracle customers,
who had a contractual right to access the site. Oracle chose not to press the
argument that it could limit the delegated authority from the customers by
virtue of the cease and desist, I suspect because the wording of the cease and
desist did not actually revoke Rimini's authorization to access the files.
Oracle thus was stuck arguing that violating the TOS, despite otherwise having
authorization to access the data, was enough to violate state-law counterparts
to the CFAA. That latter argument was a losing one in light of _United States
v. Nosal_, 676 F.3d 854 (9th Cir. 2012), where the Ninth Circuit held that a
terms of service provided insufficient notice to alleged offenders to create
liability under the CFAA.

~~~
IncRnd
It is always a crime to criminally commit a crime.

~~~
reacweb
Is it a problem to outlaw the fact of being smart?

~~~
IncRnd
Only if the legislature doesn't understand the words they read.

------
aplorbust
"... the bounds of criminal law should not be defined by the preferences of
website operators. And private companies shouldn't be using criminal laws
meant to target malicious actors as a tool to enforce their computer use
preferences or to interfere with competitors."

If a website operator wants to control _if_ a user can access the website,
then there are ways to do this without resorting to criminal prosecution.

Through server software, websites can control how fast HTTP requests can be
made in succession or how many requests can be made in a single connection.

Websites can further control what IP addresses have their HTTP requests
fulfilled.

But users can still utilize client software to make automated requests _and_
comply with any of these restrictions.

The user might just send the requests slowly or from a different IP address.

Ultimately, no website can force a user _to use_ a GUI, mice or touchscreens.
The same as no website can force a user _to use_ a particular browser.

If a website wants to control _how_ a user accesses the website, there is no
way to enforce this under the criminal law.

~~~
otakucode
I am certain that this ruling will be appealed, and we will hopefully see this
case before the Supreme Court (assuming they have the time and desire to hear
it.. if they don't, then this ruling will stand). Only then will we really be
able to speak with the certainty you display.

When you say "Ultimately, no website can force a user..." I wonder if you are
actually considering the use of force there? A police officer or other agent
with a firearm raiding the home or place of business of someone with a court
order in hand is generally quite effective at compelling behavior, and that is
what Oracle is aiming for. Whether there are technical means to make it easy
or practical isn't at issue.

~~~
jopsen
Maybe politicians and voters in California fix their broken state laws, rather
than passing the chip to the Supreme Court.

------
danans
IANAL, but violation of terms of service seems like a breach of contract, not
a crime. For that sort of thing there is always the civil court system if the
plaintiff feels like their loss due to the violation is high enough to warrant
pursuing the legal case.

But maybe the actual loss caused by the automated downloads in this case
wasn't high enough and they pushed the criminal angle to make some kind of
point.

~~~
michaelmrose
There was no loss. They are attempting to misuse the law in order to provide
an opportunity to destroy a competitor because Oracle is run by bad people.

~~~
danans
> There was no loss.

I suspect that too. I'm just surprised it got as far as a jury ruling in their
favor in a criminal case, instead of being thrown out earlier on its lack of
merit.

------
pwaai
YES! This is ecstatic news for those operating under the constant threat of
lawsuits from delusional folks who think their TOS is the fucking
constitution of United States of America.

Linkedin and Craigslist will finally get the competition they've been fending
off with scary lawsuits.

I can't wait to see the look on Craig Newman's face when web scrapers all
around the world will do what he feared all this time, bring innovation.

This is possibly one of the best things I've read on HN. I'm more curious as
who are the people at EFF pulling this off, stroking the legal justice warrior
within me....I think this is the part of the law that deeply interests me but
I don't know what you call EFF's area of law.

Happy Scraping everybody!

------
DrScump
Note that the decision says that violations are not _criminal_ acts, but that
doesn't mean that license violations can't result in _civil_ lawsuits and
incumbent financial damages.

~~~
tinco
If you use the website in a way that they would normally ask money for, like
circumventing a paywall, is that something they could claim damages as in
missed revenue for? I wonder if this ruling makes it legal to scrape for data
processing.

~~~
DrScump
What's "legal" would be up to a jury. Note, however, that a deep pocket could
bankrupt you simply through legal mechanisms such as discovery.

~~~
dragonwriter
Strictly speaking, what is legal is up to a judge, and whether the evidence
shows that you've done what is legal may be up to either a jury or a judge
depending on whether it's a jury or bench trial.

~~~
DrScump
Strictly speaking, what evidence is _admissible_ is up to a judge. In a jury
trial, what is _legal_ is up to the jury. Juries can still nullify, as was
made clear in the Zárate verdicts.

~~~
dragonwriter
Strictly speaking, even when the jury nullifies, it does so by answering
questions of fact, not law (even though some or all of the jurors may be
substituting judgements of law for fact.)

And, even more strictly speaking, in a civil case (which this subthread is
addressing) it's _all_ up to the judge anyway, even in a jury trial, since
(unlike in a criminal case, where this can only happen to the benefit of the
defendant, as a judgement of acquittal), a decision for either party may be
entered, after the jury verdict, as a judgement as a matter of law (aka
judgement notwithstanding the verdict.) This makes nullification essentially a
dead issue in civil trials.

------
Klathmon
This is fantastic news, and a great step toward a more "sane" set of internet
laws.

I just hope that this trend can continue and can sufficiently bury the idea
that accessing public (as in without any kind of authentication method)
information on the internet should not ever be a violation of any laws when
done without malicious intent (a DoS attack should still obviously be
illegal).

~~~
sintaxi
This isn't a step toward anything. This is a ruling of laws as they exist
today - and an obvious one at that.

~~~
Klathmon
You say that, but the first time this exact case went to court it was ruled in
Oracle's favor...

The CFAA and DMCA are written so that they can be applied to an extremely wide
set of situations, and getting some concrete examples of things that aren't
violations can help push back and contain what are.

------
jlgaddis
> _Rimini, which provides Oracle clients with software support that competes
> with Oracle’s own services, ..._

Oh, the irony.

(For anyone unclear, I'm thinking of Oracle, which provides Red Hat clients
with software support that competes with Red Hat's own services.)

In any case, I'm always happy to see Oracle lose a legal suit.

------
bactrian
Oracle is downright evil in the most corporate way. No one with other options
should be a customer or employee. Oracle needs to die with Comcast and the
rest.

~~~
maze-le
> Oracle needs to die with Comcast and the rest.

And what makes you think that what comes after (there will surely be a
company that fills the void) would be better in any way? The problem is not so
much the frivolous lawsuits of Oracle and the likes, but the incentives to
pursue this behavior.

------
maze-le
It borders on a joke, that people think accessing a website in breach of TOS
is a crime, but storing passwords in plain text isn't.

------
HenryBemis
I keep telling friends/colleagues that the order is:

1) Constitution - for countries that have one,

2a) Laws/Regulations,

2b) Other executive orders

3) Contracts

ToC is simply a contract. Breach of ToC/Contract is not necessarily a breach
of law (unless a law is at the same time violated)

------
chrisshroba
Does anybody know how this pertains to data scraping? Like many
coders/tinkerers, I've been frustrated that TOS'es often forbid bots from
scraping data from many sites. There are lots of ways data can be better
visualized or synthesized than is currently done, but terms of service make
this impossible (unless you're just doing a small side project you never plan
to publish).

Does this mean that scraping is acceptable now, even if a site's TOS
explicitly forbid it?

~~~
dragonwriter
> Does this mean that scraping is acceptable now, even if a site's TOS
> explicitly forbid it?

That...depends. It was a scraping case, but while the appeals court _allowed_
the automated access that the lower court found violated various anti-hacking
laws, it also let stand the copyright violation judgement for the actual _use_
of the scraped content.

So, if content is protected by copyright, you don't have a license which
covers your use, and no exception to copyright protection applies, that's
still going to be a problem for scraping.

~~~
chatmasta
If you’re scraping from multiple sources and aggregating the data, you might
be able to make a fair use case.

~~~
amelius
But if it's personal data, e.g. from LinkedIn and Facebook, then aggregating
might be legally/morally unacceptable.

------
tzs
> Oracle sent Rimini a cease and desist letter demanding that it stop using
> automated scripts, but Oracle didn’t rescind Rimini’s authorization to
> access the files outright. Rimini still had authorization from Oracle to
> access the files, but Oracle wanted them to access them manually—which would
> have seriously slowed down Rimini’s ability to service customers.

So if Oracle had told Rimini outright that they were not allowed to access the
files at all, Oracle might have prevailed?

~~~
dragonwriter
> So if Oracle had told Rimini outright that they were not allowed to access
> the files at all, Oracle might have prevailed?

Rimini was a maintenance vendor acting on behalf of paid Oracle licensees with
paid-for rights to access the files (which apparently are legally exercisable
through a third-party vendor), and a vendor of maintenance services that
competed with Oracle's first-party maintenance services, so doing so could be
legally problematic.

------
blackflame7000
A website’s TOS is not law so why should the violation of a TOS be treated
like a violation of the law? Curious if anyone has any arguments

~~~
kazagistar
A GPL license is not law, but violating it means you are violating the law,
because violations revoke your permission to access it. I am sure the
reasoning being used here is similar.

------
Feniks
Always amusing when a website disallows adblocker in their ToS. It's my
computer dipshits.

Besides it's not as if they can actually do anything about it. I probably don't
even come up in their analytics.

------
jryan49
I feel like it's premature celebration? This seems like a very specific case,
and not just violation of a terms of service in general?

------
merb
they could just implement rate limit and oracle would've been fine. but
instead they actually tried to sue -_-

~~~
john2x
Their lawyers likely didn't know how to implement rate limiting :D

------
seannyg
This is great. However, I didn't see anything about whether it is a civil
violation and assume you could still be sued by a third party (you just
couldn't be thrown in jail over it). Please correct me if I am mistaken.

------
theBobBob
This might be a somewhat unpopular opinion but I think that there should be
some way (definitely not through criminal prosecution) for a website or
similar to say "You can use my service for free, but only under the following
restrictions". Not sure what the "punishment" should be for breaking these
rules.

~~~
emptybits
If you don't like a user's request then don't service it and tell them why.
You owe them nothing.

A simple 403 FORBIDDEN probably covers it. Or 429 TOO MANY REQUESTS might be
appropriate. More bluntly, 204 NO CONTENT exists to tell your client, "I heard
you just fine and I have nothing to say to you." Or there's 509 BANDWIDTH
LIMIT EXCEEDED.

In any case, the protocols exist to give your client some constructive
information in your refusal.

e: sp
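
An added example, not part of any comment in this thread: a sketch of the server-side controls aplorbust and emptybits describe, combining an IP deny list (403) with a per-client token-bucket rate limit (429 plus Retry-After). The class name, the rate and burst values, and the documentation-range addresses are all constructed for illustration.

```python
import ipaddress
import math

class AccessPolicy:
    """Answer each request with an HTTP status instead of relying on a TOS."""

    def __init__(self, rate_per_sec, burst, denied_networks=()):
        self.rate = float(rate_per_sec)   # tokens refilled per second
        self.burst = float(burst)         # bucket capacity
        self.denied = [ipaddress.ip_network(n) for n in denied_networks]
        self.buckets = {}                 # client IP -> (tokens, last_seen)

    def check(self, client_ip, now):
        """Return (status, headers) for one request arriving at time `now`."""
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.denied):
            return 403, {}                # access revoked outright
        tokens, last = self.buckets.get(client_ip, (self.burst, now))
        # Refill for the time elapsed since the last request, capped at burst.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[client_ip] = (tokens - 1.0, now)
            return 200, {}
        self.buckets[client_ip] = (tokens, now)
        # Tell the client how long until one full token is available again.
        wait = math.ceil((1.0 - tokens) / self.rate)
        return 429, {"Retry-After": str(wait)}

# Constructed sample traffic: (client IP, arrival time in seconds).
SAMPLE = [
    ("198.51.100.7", 0.0), ("198.51.100.7", 0.1),
    ("198.51.100.7", 0.2), ("198.51.100.7", 0.3),  # fourth request exceeds burst
    ("203.0.113.9", 0.3),                          # other client, own bucket
    ("198.51.100.7", 2.5),                         # bucket has refilled
    ("192.0.2.44", 3.0),                           # inside the denied network
]

def run_sample():
    """Replay SAMPLE against a 1 req/s, burst-3 policy; return the statuses."""
    policy = AccessPolicy(1, 3, denied_networks=["192.0.2.0/24"])
    return [policy.check(ip, t)[0] for ip, t in SAMPLE]

if __name__ == "__main__":
    print(run_sample())
```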

~~~
theBobBob
That only deals with types of requests, or the user making the request etc. It
doesn't do anything about how the requested data/info etc is used. I suppose
it is closer to a licence agreement. I don't think that there can be any
technical way to enforce it only some sort of legal way.

~~~
emptybits
Yes. Technology to restrict usage sounds a lot like DRM, which has many
downsides. Enforcement, ultimately, will rely on good old fashioned copyright
and licensing (contract) law.

------
mattbgates
Does this mean it is also reversed? If a person chooses to not acknowledge the
website's terms, does this mean a website doesn't have to abide by its own
terms and can make up its own rules as it goes along?

~~~
michaelmrose
The question is nonsense.

If you promise something and fail to deliver on this and some party suffers
harm based on your failure you might get sued. This is true both ways.

What you can't do is post a sign outside your business saying everyone coming
in must do the macarena and accuse anyone not singing of ex post facto
breaking and entering under the concept that they should have read the sign.

------
ringaroundthetx
People that hear about our software service always ask "hey whats to stop
people from doing this illegal thing on your platform" and I say "a sternly
worded Terms of Service"

