

Court: Violating T.O.S Is Not a Crime, But Bypassing Technical Barriers Might Be - jaxc
http://www.eff.org/deeplinks/2010/07/court-violating-terms-service-not-crime-bypassing

======
tptacek
I'm unclear on how people rationalize blowing past technical TOS enforcement
measures on a web app. Where, exactly, do you propose drawing the line?
Because I think I speak for everyone in the room that makes a living doing
application pentesting: there are very, very few technical countermeasures you
will come up with that a consulting-week or two won't blow past.

~~~
Natsu
> Where, exactly, do you propose drawing the line?

From TFA: "We welcome the court's rejection of terms of service violations as
triggers for criminal liability, but will continue to work to demonstrate to
courts that not all technological measures are created equal. If the measure
seeks to control access to or use of data, then evasion of it is almost
certainly criminal. But if the restriction merely seeks to impose owner
preferences or terms of service on otherwise authorized users, bypassing it
should not be a crime."

------
username3
Is violating TOS unethical? immoral? considered lying to something you agreed
to?

~~~
wjy
I think it's more like breach of contract. It's not necessarily unethical, but
if you violate the terms, they no longer are bound to provide the service.

EDIT: Although it's unclear whether a contract was really entered into. Real
contracts have signatures to indicate both parties know and agree to what's
contained. That's often not the case in web services.

~~~
flogic
I think EULAs are considered signed to some degree. I don't know how or if
that reasoning extends to online TOS. I wouldn't be surprised to learn the
courts are fairly liberal in what they consider a contract but don't give all
contracts the same strength.

------
TheAmazingIdiot
What I fail to understand is how a website knows if you have "agreed" to the
TOS. I mean, a contract is physically signed, sometimes with a notary. FAFSA
is "signed" by a multiple-step process including an SSN, DOB, receiving mail
including a PIN, and entering all of it with "agree" in a box to assert
information is true.

Where, and how can a website claim that an "agree" button is legally enough?
Or perhaps, the TOS is just nonexistent (a la 404). Or, what are these
"bypassing technical barriers"? Does that count reading the URL and changing
it? Greasemonkey? Filtering/data modifying router? Post injection?

This suggestion is creating more confusion than it solves.

~~~
wmf
That's not a problem, since almost all sites say that mere usage of the site
implies agreement with the TOS. I suppose this is akin to a "no shirt, no
shoes, no service" sign; it doesn't matter whether you have read or agreed to it
— the sign is posted.

~~~
TheAmazingIdiot
Suppose you say that's true. Ok.

Under what "law" can you even load the site to begin with? That's right, they
accepted a connection. It's akin to knocking on someone's door, and they let
you in. The website could always pop back "connection denied", 403, or just
not answering at all.

At most it's a gentlemen's agreement, or in the class of "windshields not our
responsibility for our uncovered load".

Aside from that, we know certain public APs modify content to add theirs instead
(Panera Bread advert munges). Aside from SSL'ing everything, how can they even be
sure we agreed to the same TOS, let alone agree at all?

