
Until Today, If You Were 17, It Could Have Been Illegal To Read Seventeen.com - leephillips
https://www.eff.org/deeplinks/2013/04/until-today-if-you-were-17-it-could-have-been-illegal-read-seventeencom-under-cfaa
======
hmottestad
I wish someone would take the HTTP codes literally:

"200 OK" = You just gave me irrevocable permission.

Or you know, if anyone sues you for copyright infringement, you should sue
them back for hacking, since you obviously put the following in your terms of
service "you may not access this site if you sue me in the future".

~~~
jessedhillon
HTTP statuses are not a semantic description. `200 OK` means only that the
transfer of a document can take place -- the legality of the request is a
different matter. This would be like holding DOT engineers responsible for
making it possible to drive drunk, since the roads have no features to prevent
offenders from entering the highway.

~~~
AnthonyMouse
> `200 OK` means only that the transfer of a document can take place -- the
> legality of the request is a different matter. This would be like holding DOT
> engineers responsible for making it possible to drive drunk, since the roads
> have no features to prevent offenders from entering the highway.

You're confusing violating _a_ law with violating _the_ law. If getting "200
OK" means you were authorized and can't be convicted of unauthorized access to
a computer, but you proceed to purloin credit card numbers and make fraudulent
charges to them, you're still going to jail for credit card fraud.

The real issue is that "unauthorized access" is hopelessly ambiguous if you
_don't_ use the likes of protocol status codes, and totally redundant if you
do.

If you get "200 OK" then you haven't made unauthorized access because _you
were authorized_. If you get "403 FORBIDDEN" then you haven't made
unauthorized access because _you were denied access_. That interpretation
makes "unauthorized access" impossible to achieve, because if access is denied
then there is no access to be unauthorized and if access is granted then it is
authorized access.

The trouble is that the alternative interpretation is even worse: If you can't
rely on what the machine tells you, how do you know when you're authorized?
Some cases are really obvious (e.g. you are not authorized to place orders
against just any random customer's credit card), but those situations are
pretty much always separately illegal regardless of unauthorized access. What
that leaves is the hopelessly ambiguous cases, which is what allows
prosecutors to argue that violating terms of service or downloading too many
journal articles is a federal felony. I'm still not convinced that those cases
need to be illegal at all -- and if you can articulate a specific one that
ought to be then by all means prohibit it explicitly and stop with the blanket
prohibitions on whatever "unauthorized access" is supposed to mean if it
doesn't mean what the machine allows you to do.

------
gamblor956
Every time I think about opening up my wallet and donating to the EFF for
their various successful efforts, they turn around and post something stupid
like this.

They should stop letting 1st year law students write these ridiculous rants.
Courts have almost all _rejected_ attempts to criminalize website TOS
violations. Indeed, courts have generally held that TOS is binding only
against the company, since the company by the terms of the TOS is free to
change the terms at will without prior notification to visitors.

~~~
CamperBob2
Fellow named Aaron Swartz might disagree with you there. A big part of the
charges against him centered on violation of the JSTOR ToS.

Relying on courts to interpret a law the way that _you_ happen to like seems,
well, pretty goddamned stupid. Let's fix the law.

~~~
Zimahl
The bulk of the Aaron Swartz case was around distribution of copyrighted
material which he was allowed access to but not distribution of. This is not
merely a ToS issue as there are laws against distribution of copyrighted
material.

~~~
cowsandmilk
Not a single violation in Aaron Swartz's indictment [1] is about copyright
law. In fact, they nearly all refer to US Code 1030, which is the CFAA you are
claiming the Aaron Swartz case was not about.

In fact, you are incorrect that "he was allowed access" in that the wire fraud
counts in the indictment (page 10) are based on the idea that he should not
have been given access to JSTOR in the first place. (I'm not claiming that
Aaron's access to JSTOR was illegal, but rather that the case against Aaron
argued his access was not allowed, while the parent argues that Aaron's case
was based on the idea that he was allowed access, but was not permitted to
distribute)

Your description of what the Aaron Swartz case is about is completely
incongruous with the charges filed by the prosecutor.

[1] <http://www.wired.com/images_blogs/threatlevel/2012/09/swartzsuperseding.pdf>

~~~
mpyne
As far as I understood, Aaron Swartz was also not given access to the MIT
network.

I.e. he was kicked off of _two_ different nets, MIT's and JSTOR's.

~~~
lawnchair_larry
Everyone has access to the MIT network. There is an open guest wifi network,
with a captive portal asking you to provide a name/email to register. He put a
fake name (Gary Host) and a throwaway mailinator address (and was charged with
wire fraud for doing so).

JSTOR provides unlimited access to MIT and many other schools. Anyone on the
MIT network had access to JSTOR. He was not on a JSTOR network.

When JSTOR saw that one user was requesting _a lot_ of files, they assumed a
bad motive, and banned the IP address. After he got a new IP address, JSTOR
contacted MIT about it, and they banned the MAC address from their wifi
network.

~~~
mpyne
> Everyone has access to the MIT network. There is an open guest wifi network,
> with a captive portal asking you to provide a name/email to register. He put
> a fake name (Gary Host) and a throwaway mailinator address (and was charged
> with wire fraud for doing so).

That's just it though, that's not correct. What you might have meant was:

Everyone _starts off_ with access to the MIT network. It is not MIT's
obligation to continue to provide network services to anyone that they have a
previous contract for. And even for those with contracts, it would almost
certainly include boilerplate to the effect that services will be terminated
for abuse of the network.

> When JSTOR saw that one user was requesting a lot of files, they assumed a
> bad motive, and banned the IP address.

> After he got a new IP address, JSTOR contacted MIT about it, and they banned
> the MAC address from their wifi network.

So you yourself admit: aaronsw started off with access to both JSTOR and MIT
networks, and was explicitly kicked off of them both.

What steps did Aaron take to ensure that he was welcome on the networks again
when he later tried to connect?

------
aethertap
Perhaps it's time for a new SOPA blackout style campaign based on changing
terms of service. If a large number of popular sites modified their terms of
service so that it became illegal to view those sites for anyone in public
office, maybe the absurdity of the whole thing would become evident to the
people behind this.

~~~
erichocean
That's actually an interesting idea:

Would a ToS hold up in court that specifically denied access to the company's
service by government employees?

If a company had that in their ToS, and they discovered that a government
employee had used their service, could they sue for damages?

Are businesses in the US _obligated_ to provide service to government
employees?

~~~
aethertap
I don't think that government employees hold any special privilege in terms of
private contracts, but I don't know. At the very least, it would be
interesting to find out.

I know that recently there have been some gun shops that have been refusing to
serve government employees, so there is at least a small amount of precedent.

------
DanBC
Why isn't this being used to aggressively prosecute spammers?

Sending unsolicited bulk email has been against the ToS of many service
providers for very many years. There's real financial harm done. And spam is
disliked by very many people.

~~~
snowwrestler
Because courts have ruled that it's not actually illegal to violate terms of
service.

Note how the headline says it "could" have been illegal-- _if_ the Justice
Dept. had decided to prosecute a teenager on these grounds (never heard of
that happening), and _if_ a federal judge had handed down a conviction on
those grounds (the 9th Circuit actually ruled the opposite).

~~~
DanBC
As explained in the article the Justice Department uses fierce interpretation
of the law.

While the law stands in its current unclear state people are still at risk of
prosecution. Conviction might be improbable, but it's still an unpleasant
situation to be in.

Courts show that judges are not unanimous about this.
(<https://www.eff.org/cases/u-s-v-nosal>)

Note that the Nosal case was a person who was permitted to access the computer,
but who then misused information got from it, and not someone who was
prevented from accessing the computer.

(<https://www.eff.org/deeplinks/2013/01/rebooting-computer-crime-law-part-1-no-prison-time-for-violating-terms-of-service>)

------
TazeTSchnitzel
As a seventeen-year-old myself, I am now even more glad that I do not reside
in the United States.

I wonder if anyone reads T&Cs, though. Perhaps I should prohibit over-18s from
using my websites.

~~~
peterwwillis
It would be great to see access log statistics of big websites' terms of
service pages.

------
Digit-Al
The law seems to be fundamentally broken when it comes to minors. This is
basically saying "we don't think you are mature enough to look at this
content, but if you do look at it we will consider you mature enough to take
criminal responsibility.", which is absolute bull __ __. Surely we should
either say that they are responsible or that they are not.

------
zaroth
The law should be changed, or overturned as unconstitutional, but that is a
highly uncertain and lengthy process.

In the meantime, could we start a grassroots campaign to get companies to
explicitly state at the top of their ToS that a violation of the ToS may be
arbitrated only and does not constitute an 'unauthorized access' under CFAA?

Obviously the EFF would have to draft the exact clause, so that actual
destructive hacking can still be prosecuted.

This sounds tricky, but if the EFF can't write something we could put in the
ToS to protect users from the Feds trying to extort cooperation from users by
abusing CFAA (a la Aaron) then how can we expect legislators to get it right?

Specifically some things the ToS should define is how "damages" will be
defined, proper ways to disclose vulnerabilities, things which are NOT
considered subverting access control, and a lower standard for trespass of
online chattel which required actual damage or dissemination.

------
dromidas
It's a good thing nobody actually reads seventeen.com... except advertisers
who are trying to figure out what people much younger than them are supposed
to like. Which of course is all wrong because it's created by older people.

~~~
GHFigs
_Which of course is all wrong because it's created by older people._

I wouldn't be so sure of that. The demographic for many magazines are people
aspiring to be something they're not and actively seeking to know what they
_should_ like.

e.g. The demographic for Seventeen is 10 to 16 year old girls that want to
feel older and more mature; the demographic for GQ is mostly men that can't
afford most of the things on display in GQ.

------
larrys
"But the real problem is the CFAA, which allows prosecutors to use these silly
terms to manufacture computer crimes."

This is all ridiculous. While I understand the point of the post, and it makes
for great mainstream media play, it's total hyperbole. The fact that
prosecutors can do something and what they would reasonably do are two
different things. To wit exceeding the speed limit by 1mph _could_ get you a
ticket but almost _never_ gets you a speeding ticket.

~~~
unimpressive
Yes, but here's the thing, on a bad day, if the police decide to single you
out, you _can_ get a traffic ticket for being 1mph over the speed limit.

Usually it doesn't make the news because the consequences are something
between having to stand up to the police in court and a 300 dollar fine.
Nobody cares if you get a speeding ticket over nothing.

The way that the CFAA is written, you can levy felony charges against
basically any internet user with impunity. So if the Department of Justice
decides to single you out, they can hit you with crazy multi-decade felony
charges for the lulz.

And then you end up on the front page of the New York Times for killing
yourself.

~~~
diminoten
Police don't enforce laws, judges do.

A judge would throw this out (this being either the 1mph over ticket or the
17-year-old reading Seventeen), and the prosecutor who brought it forward
would end his career.

~~~
unimpressive
Yes, the literal example of a 17 year old reading seventeen is highly
implausible. I think their fear is that by using a more complex example they
have to try and argue that the complex example did the right thing in the
first place. (Like say, Aaron Schwartz) This way they get to use a simple
reductio ad absurdum argument that pretty much anybody can understand.

Whether this is an insult to the intelligence of their readers, or carefully
calculated propaganda probably depends on who you ask.

~~~
mpyne
His name is Aaron _Swartz_.

But either way, Aaron is actually a bad example as what he was charged with
was still wrong to do (even if you agree with the end result he was trying to
bring about). Not "felony" wrong perhaps, but even weev would have been a
better example for what you're talking about.

~~~
diminoten
In any event, 'charged with' is not synonymous with 'convicted of'.

~~~
mpyne
Absolutely.

On the other hand, "convicted of" is something that matters to the government,
not to the rest of us. I'm not going to pretend that someone _didn't_ do
something just because a jury never returned a conviction, if there's enough
evidence to support the claim in question. Likewise it's possible for a jury
to convict people of crimes they've never committed; I won't deign to consider
someone "guilty" of something they obviously didn't do just because a jury and
legal process said otherwise. I'll leave the splitting of fine hairs to the
legal process.

~~~
lawnchair_larry
What is it that you think he did that was wrong? It recently came out that his
project was not to dump it in a torrent like everyone assumed, but to do an
analysis on who was funding research. If that's actually true, no laws, in
spirit or in letter, were actually broken.

~~~
mpyne
> If that's actually true, no laws, in spirit or in letter, were actually
> broken.

If you think that, it's because you have latched onto the idea that Aaron was
being prosecuted only for thoughtcrime, which is incorrect.

To put it quite simply, Aaron decided to gain access to networks he was quite
clearly ejected from. Aaron had access to JSTOR from his own Harvard campus
account, so Aaron's own actions (going so far out of his way to do so from
MIT's net) indicate he thought he was doing something at least a little bit
wrong.

I don't think that evading network bans by itself is necessarily a horrible
offense, but I certainly don't think it's completely OK and as far as I know
the law doesn't either. In fact the CFAA could apply based merely on the cost
of the MIT techs' time it took to track him down, even if he never intended to
copy documents.

Where intent _did_ play a role is that it made the existing charges he could
have received _just for his actions_ more severe. But he could have wanted to
donate to charity and his acts alone would have been illegal.

And, I also think they would have been morally wrong, just as I wouldn't
trespass on someone's property if they asked me to leave, no matter how
innocuous my purposes are otherwise.

Don't just take my word for it, even Dr. Lessig agreed with that much (that
Aaron's actions could be construed as wrong): "...if what the government
alleged was true — and I say “if” because I am not revealing what Aaron said
to me then — then what he did was wrong. And if not legally wrong, then at
least morally wrong." <http://lessig.tumblr.com/post/40347463044/prosecutor-as-bully>

------
apg
With the right case, I don't see how this would withstand Supreme Court
review. The Ninth Circuit doesn't seem to like it (Drew/Duval). My guess is
the SCOTUS wouldn't approve of private parties drafting their own criminal
laws.

~~~
kefka
Do you want to run foul on multiple felonies (1 per day per ToS violation)
along with dozens of other "felonies" that you undoubtedly commit without
knowledge.....

Just so you can petition the Supreme Court to take your case, knowing that
they can just sit back instead and do nothing?

Wasn't there this Aaron kid that got hit by that very tactic? Hmm. He didn't
take the "decades in prison" so well, did he?

~~~
mpyne
> He didn't take the "decades in prison" so well, did he?

So the example you take from what happened to Aaron Swartz is to apply yet
more propaganda from the other side, instead of facts?

It's not even something you have to mislead about; 2-3 years in prison as an
upper-end estimate is bad enough to make your point without being evasive, and
even the ~6 months upper limit that the prosecution had offered in a plea
bargain is said to be serious enough to make your point.

You could even mention that Aaron would have been a "felon" should he have
been convicted or pled guilty on those charges and you'd have been accurate.

And yet you choose the only outcome that _wasn't_ actually possible to push
your point forward...

------
_kst_
I wonder if particularly serious violators would be tried as adults.

------
axusgrad
This law seems analogous to allowing arbitrary code execution; a public
website can write its own law for anyone visiting the site, and hit them with
a felony.

------
tenpoundhammer
What do you get when you combine horrible lawmakers with horrible corporations?

    
    
                    ▲
                    |

------
squozzer
TOS violations can be analogized into one of several types of real-world
crimes -- trespassing, vandalism, or theft. Generally all of these crimes
require the victim to press charges. Except they occur through that lovely
Internet, so the feds involve themselves and who knows under what
circumstances they would disengage? Certainly Hearst did not intend to keep
teen girls away from Seventeen -- who else would read it? The option to press
charges is probably all that's needed.

------
fyi80
How can a TOS tell someone (a minor) that the person is forbidden to accept an
agreement, while simultaneously holding that person subject to that agreement?

It's a paradox in the space-time continuum.

Has any court tested the theory that a minor can be held in violation of a
TOS? Contracts entered into by minors are void on their face.

This seems a lot like having a "NO Trespassing" sign in the bathroom of a
coffee shop, and then prosecutors charging people who walk in the front door.

~~~
TazeTSchnitzel
Hmm, it's an interesting problem. Does the ToS cover the ToS page? Am I
breaking the ToS by viewing the ToS?

~~~
Digit-Al
Good point. If you put a final clause on your ToS that said "Reading these
terms of service is a criminal offence" could you make criminals out of
everyone who reads your ToS? :-)

~~~
rmc
Well if you're in a real country with real laws (like, y'know everywhere),
only governments can make criminal offences, not private individuals.

You can put that "Reading this sentence makes the sky yellow" in your ToS if
you want as well. Doesn't make it true.

~~~
thedufer
The point of this article is that breaking a ToS is illegal, so ToS's
themselves are de facto laws.

