

It's Your Data, It's Your Bot: It's Not A Crime - there
http://www.eff.org/deeplinks/2010/06/its-your-data-its-your-bot-its-not-crime

======
jimbokun
It is past time to start awarding prodigious damages against corporations who
egregiously and willfully write unlawful provisions into their terms of use,
consumer contracts, etc. etc.

Parsing and correctly interpreting pages upon pages of legalese presents an
undue burden on a well functioning market economy. Corporations can slip
clauses into agreements that can give them vast power over their customers who
do not understand the full ramifications of what they are agreeing to. There
is very little cost involved to the corporation that tries to get away with
this. There is a very great cost to our society in tying up our court systems
with stupid crap such as this.

The only solution is to make the cost of writing illegal provisions into
contracts greater to the perpetrator than the potential reward. I know there
will be unintended consequences to what I propose. But surely there must be a
way to send a stronger signal to corporations who willfully push legal
boundaries and seek to obfuscate exactly what it is that consumers are
agreeing to?

~~~
motters
One relatively simple way to do this might be to pass legislation saying that
the terms and conditions can only be up to a maximum number of words which
must be from a standard dictionary, with no links or supplemental articles
permitted. This would encourage companies to be concise with their ToS, and
discourage the use of "hidden clauses".

~~~
bad_user
How about 140 chars ToS, Twitter style ...

    
    
         You give us the right to publish your data and you don't have access to 
         anything else other than what the Facebook UI and APIs provide.
    

There, problem solved. Of course, writing this in legalese isn't so
straightforward ... otherwise legions of lawyers and judges would be jobless.
And they wouldn't be able to ban crawlers, other than search-engines ... and
where's the fun in that?

------
riffer
I can't believe that Facebook is attempting to go after people through
criminal law, rather than civil law.

Wasn't the CTO of Facebook just saying less than a week ago that : "users have
complete control over their data, and as long as [the] user gives an
application explicit consent, Facebook doesn't get in the way of the user
using their data in your applications beyond basic protections like selling
data to ad networks and other sleazy data collectors?" [1]

I sure hope I'm missing something here.

[1] <http://news.ycombinator.com/item?id=1440154>

~~~
motters
Facebook shouldn't be attempting to go after anybody, with any kind of law, if
all they are doing is downloading their own data from the site.

------
ntoshev
We're making a tool for scraping websites, <http://siteparse.com>

As good web citizens we honor robots.txt, but these frivolous lawsuits make me
think we shouldn't form a US corporation just to leave a much higher barrier
to suing us. Which incidentally means no YC for us.

------
noonespecial
So they expect what? A sort of proxy for the legislative process? Laws
selected by the legislative branch of our representative government _ooorr_
anything we happen to put in our TOS. Same diff.

------
DanielBMarkham
So I'm an old guy who is hard of hearing and stubborn. But I'm also a
programmer.

Being who I am, I write a bot that scans my FB profile and checks for
birthdays in the family. If one is approaching, it flashes a light, yells at
me, and calls me names until I buy a present.

According to FB, I'm a thief, no?

What if I'm a blind guy who made his own browser-helper because the standard
tools don't work so well for me? Or I wrote a special FB access device that
helps people with ADHD? Or I just like the color blue and want to see
everything in the world in blue? Or what if i just write my automation on top
of a standard browser that highlights any text that has my friends' names and
downloads the surrounding paragraph to my desktop. Just because? Seemed like
fun? What if I filmed myself (or a trained monkey) accessing my Facebook
account? What if I took the film and extracted data from it?

I would argue that I am accessing FaceBook via HTTP and GET and POSTS. I use
standard nomenclature and the standard stack from the O/S outward. Anything
beyond that is none of their damn business. (Not trying to play to the crowd,
but this is preposterous. The entire purpose of HTML is to separate the data
from the way we access it)

~~~
megablast
Yes, you are are a criminal (not necessarily a thief), according to facebooks
terms of service.

Of course, facebook would not prosecute you, but this is not the point.
Facebook has been going after services that make it easier to delete your
account, or move information to another service. This is what FB does not
like.

Of course, what they are doing is completely disgusting, but facebook seems to
be able to do whatever they want, and their users do not mind, as long as they
don't change the profile screen too much. Then there is an uproar.

~~~
joe_the_user
Or... what if you use a different browser? What's not automated about a
browser? The line seems utterly absurd...

~~~
DanielBMarkham
Yes. Even assuming FB is correct, they would then have to create a list of
which browsers they consider "non-automating". Would GreaseMonkey installed on
FF count? How about some VBA on top of IE? If I travel outside of net range
and my browser caches up lots of FB pages overnight, does that count? Beats
me. We'd all have to use pre-approved tools to access our FB accounts -- or
face criminal prosecution.

It's not just that it is non-intuitive. Lots of legal things are non-
intuitive. It's not even that it completely breaks the idea of HTML, even
though that's pretty huge. It's not even that somehow by using FB I have given
up my right to purchase and use my own equipment to browse the web, thereby
limiting competition, although that is huge also. FB is actually trying to
reserve the right to criminally prosecute me unless I use tools that are on a
list that they preselect, and presumably update. So, logically, the first
thing I'd like to do is see this list and find out how it is created and
updated.

The entire purpose of software in this setting is to automate the retrieval
and display of HTML based on my particular preferences, and in the time and
configuration of my choosing. That's the way the web has worked ever since
there was a web. That's why the the web is structured the way it is. That's
why the web can continue to expand and grow.

I'm growing tired of attorneys on fishing expeditions.

------
Aaronontheweb
I normally like to play devil's advocate, but in this case I simply can't come
up with a decent argument to justify Facebook's position that they "own" your
data. They can own the expression of your data on a Facebook page, but they
can't own the data itself.

That's my understanding at least - am I in the wrong here?

~~~
gojomo
That's not Facebook's argument. Their argument is that a contract exists with
their user. In that contract, the user agreed not to use 'automated' means of
access.

Then, when the user has Power perform automated access, Facebook claims that a
criminal law violation has occurred, because that's unauthorized access under
their terms. They want that to be treated just like other California Penal
Code unauthorized access -- access like exploiting a bug or stealing someone's
password to view or change info never intended for you.

EFF says only a contractual violation has occurred; violating some arbitrary
company-chosen 'terms of use' shouldn't be enough to trigger criminal
enforcement.

It's an interesting and difficult distinction. So many of these systems and
terms are defined by the arbitrary choices of coders and lawyers. At one level
of abstraction, it's against the will of the system provider -- Facebook -- so
it could be seen like a break-in.

But at another level, it's just a contract, and Facebook has other contract-
enforcement options short of criminal prosecution: cancel the account, sue for
actual damages, and so forth. If Facebook can define what's a 'crime' via
arbitrary clickthrough terms, suddenly users and Power staff could wind up in
jail for a terms-of-use violation that had no other economic damages.

So the issues are tricky, but important.

~~~
what
I don't understand this bit about automated access. Isn't anything using their
"Open Graph" accessing it automatically then?

~~~
cookiecaper
The idea is that there is "unauthorized access" to Facebook's computers, that
is, the user accessed Facebook's systems in some way that Facebook didn't
like. Facebook wants absolute jurisdiction over who and what can see
information stored on their servers and they want the civil justice system to
enforce this will on their behalf after-the-fact.

Under Facebook's claims, people could get arrested for something as small as
using a browser or operating system that Facebook didn't like. If this idea is
accepted, then Facebook can pretty much say anything and if you violate that
thing and then access Facebook, Facebook would seek criminal penalties for
your violation. For instance, if Facebook says "no person that doesn't own a
pair of Nikes can access Facebook, under our new Nike sponsorship deal", and
someone who doesn't own Nikes still accesses Facebook, Facebook would consider
this "unauthorized access" and get mad. Or, if Facebook decides it doesn't
like born in Florida, and they write "No one born in Florida may access
Facebook", and you still access Facebook after being born in Florida, Facebook
will try to get the police to come and arrest you.

Open Graph API is not unauthorized access because Facebook allows people to
use it.

~~~
stcredzero
_Under Facebook's claims, people could get arrested for something as small as
using a browser or operating system that Facebook didn't like._

Under Facebook's terms, you could retrieve some Facebook pages from your
cache, write a parser to parse your data and use it to harvest your data to a
CSV file, and even this would be a violation.

------
techiferous
Please, somebody, create a facebook competitor! Don't wait for Diaspora; I
don't think their idea will work for the average user. This market desperately
needs competition!

~~~
ars
Facebook only works because everyone is on the same site.

A competitor would never gain enough traction to reach critical mass (defined
as when the average person has an account on both) without some help from
facebook in the form of a stupid business decision. Or if they managed to
think of some killer feature.

But simply a copy will never work.

And BTW, the main reason you hate facebook is because they are big. So adding
a competitor will not help you - eventually they will get big too, and you
will hate them as well.

~~~
jimbokun
"So adding a competitor will not help you - eventually they will get big too,
and you will hate them as well."

Two big competitors are much better than just one.

~~~
whatusername
not in this case. (Not for the users)

In one sense - facebook becomes a natural monopoly. Back in say 2007/8 I had
to log in to both facebook and myspace to see what my friends were up to. Now
I just have to use facebook. That is much simpler and easier for me as a user.

~~~
tomjen3
Maybe now, but a new competitor could do two things:

Be better in some way than facebook (not selling users private information
would be an easy one) Make it so that you could see what you friends were upto
on facebook, but without being a user yourself.

Suddenly you cracked the chicken and egg problem, which is exactly why
facebook goes after this with the force of the law.

A monopoly based on technology never lasts, but if you can build one on some
kind of legal issue, you are golden.

------
stcredzero
How about a business opportunity? Modify an open source browser so that it
lets someone navigate a website without being able to read anything on it or
look at any pictures. Set up a Mechanical Turk style application that lets
workers execute browsing sessions using the modified browser via VNC. The
modified browser will save off all of the pages, which can then be parsed for
information. The server will match up retrieved information with particular
users. No worker will ever see any actual user data.

------
stoney
I guess that this relates in some way to cases where newspapers complain about
companies like Google indexing their sites and effectively repackaging their
news stories - and where violating terms of service (civil issue) crosses into
unauthorised access (criminal issue).

It all comes down to what precisely am I allowed to do with a publicly
available web page? I'm allowed to use a web browser to access it
(presumably), but when does something stop being a web browser and start being
an automated tool? I'm not familiar with the tool in question here, but could
it be argued that in some ways it's no different than a web browser that pre-
fetches linked content?

------
adamc
I need to give the EFF some money.

------
stcredzero
Some outlaw hacker needs to make a name for him/herself by distributing a
Facebook scraper desktop application that perfectly simulates user browsing.

------
wheaties
Everyone keeps saying that Google will become the "evil next Microsoft." I'd
argue that Facebook is racing to that department a whole lot faster.

------
joe_the_user
I'm a gnu/eff booster most of the time. However, it's worth looking at more of
the details here: [http://www.niallkennedy.com/blog/2009/01/facebook-vs-
power-v...](http://www.niallkennedy.com/blog/2009/01/facebook-vs-power-
ventures.html)

 _"Collecting Facebook usernames and passwords is at the heart of the dispute.
Power.com impersonates a Facebook user after collecting their username and
password."_

I would still side with power BUT a TOS that says "you can't give your
password to third parties" is a bit different from "you can't use any
automated processes at all".

~~~
Joeboy
That's interesting, but:

a) They are going after the third party, not the people that gave them their
passwords, and

b) I believe Facebook also harvest passwords for other sites (hotmail etc)

c) In practice, there's not much difference between "Nobody can create a
service that uses user's passwords to automate their Facebook access" and "You
can't use any automated processes to access Facebook".

~~~
joe_the_user
Uh sh __t...

I forgot the _Facebook harvesting passwords_ thing...

NOW that's _rich_... my qualms are gone....

