When I was growing up you went by what the protocol allowed. If an http response came back you have access, if it prompted for credentials, then you didn’t have access.
The mere idea that a web server gives you info and then you have to check a TOS that you might not even know exists is foreign to me. But when I talked with a young programmer they kind of agreed with Oracle saying “otherwise you could just request everything from every possible address.” They were unfamiliar with war drivers or even how early web crawlers started.
I also like to think that young people just don't really understand the full picture of how all of this actually works...they just think they do and that google/SO/wikipedia contains the answers they they don't have to know.
Our abstraction layers are that good. You can write code in a framework, ship and make millions and suddenly you're a tech genius!
In fairness to them though, when I was starting out 20 years ago, if you could sling a few lines of HTML and make things appear in a browser, people certainly treated you like one.
I don't think that it's as much a generation thing that is it a consequence of IT having grown to the point where it is no longer it's own semi-anarchic subculture.
I remember having this discussion with in HS and also at work with people who were convinced pirating a PSX game is same as stealing, while not realizing there is no evidence that suggests a pirated copy means a lost sale (people can't afford it in places like Brasil where they still play Sega Genesis).
The level of brainwashing of my generation is appalling, but I'm glad people like us realize the ridiculousness of claims like downloading an mp3 is stealing from an artist (they clearly have no idea how much the industry leeches off the artist in first place).
Also, now that I've monies I ended up buying most of the games I use to play as a kid on a mod chip, and warez sites on Steam and the dreaded Playstation Store.
2018 is off to a good start.
I don’t see how affordability (or lack of it) is justification to the game.
So basically if you are poor, you deserve not to gain from the same things rich people can, even when no loss of property or damage occurs by having someone who can't afford it in the first place be your loyal fan. This doesn't apply in cases where there is explicit loss of property and damage that occurs as a result.
Mozart also got his ass arrested because he transcribed music he liked onto a medium which he was not authorized to do so. But we all know how ridiculous that was.
I am interested, and I googled Mozart arrested, Mozart arrested for Copyright, Mozart arrested for Music, but couldn't find anything, could you please post a link/story about Mozart getting arrested?
Even the teachers copied software for us onto floppies that we’d “borrow” like library books.
Everyone pirated. Interestingly though most switched to Linux early on too.
And most of the members of our warez distribution BBS/IRC channels went on to great careers in technology, some becoming leading lights of the local and SV VC scene ;)
I think some of the early healthy disrespect for authority may have had a part in fostering our risk taking, questioning mindsets!
That's also wrong. What actually happened is that a database of password hashes was _copied_ not stolen. So yes your password wasn't stolen.
The problem is a security/privacy problem. If someone made a copy of your house keys, that's a problem, because now they can enter your house. But they didn't steal your keys, they copied them. Same with the password. They didn't steal your password, but they have a copy, so they can use it to log into your accounts.
Though in fact sometimes things can be stolen via identity theft; in particular if someone abuses your credit it can deny you future credit, so they have stolen the good-will or trust of creditors in that case. This would be an example of an intangible good being stolen.
A person who creates or owns a piece of information still has it after you "steal" it. That's the difference between a physical and a nonphysical good.
(I'm not saying distributing copies of copyrighted works is automatically OK, just that your justification for it not being OK doesn't hold water).
That's why there's a specific offence of "Taking Without Owner's Consent" when you steal a car to joyride in (and crash and burn, rather than sell on): otherwise it's too easy to claim you only "borrowed" the car and intended to give it back, at which point it's not a crime any more.
That doesn't mean that it is right. Piracy is still wrong even though it is not stealing.
And the GP seems morally confused. Sharing FLOSS software is very very different morally to pirating games.
Why would one want to take away the opium from the masses?
You obviously can't afford Final Fantasy 7 or Megaman Legends so by deriving pleasure from an unauthorized copy, you are a thief and lacking in moral fiber Sir!
Really? So they no longer have it, because I took theirs?
Or, do they still have their copy, and I have mine, and I didn't take anything that was owned by them?
If I make an exact copy of your car and drive off in it, are you gonna complain that I stole your car?
A very odd mindset, but one I encounter frequently.
They did this class in my kid’s 5th grade where someone came in and said making tapes was illegal. And asked about parents who copied stuff. I was so pissed but the school got a tv or DVD player or something stupid.
If I make a copy you may value that, but the copy doesn’t deprive you of anything. What if you whistle a tune and I think about it? I’ve deprived you of value you by paying nothing but thinking of your whistled tune over and over.
I don’t think it’s an accepted truth that just because someone creates something that they must be compensated. Especially if it costs money for society to enforce.
There’s tons of these mental exercises. If I add a TOS to this comment saying it’s worth $1k and by reading, you must pay; do you owe? Did you steal my value without my consent?
That’s why stealing is based on clear harm through depriving of property. And fair use was established to allow reasonable noncommercial use.
My biggest complaint is that IP maximalism is not something society as a whole agreed to. It seems that IP holders just decided for society.
By this definition every website you visit on the internet that you did not create yourself is stealing.
If I took your journal entries from your room, and copied them all, and put them on the internet - that's not stealing, because I returned the journal? No, that's still theft.
If someone stole bread, how would you feel about It? Screw that person right? What if they were stealing the bread from someone who would never notice the loss, and it was for their hungry kids? Suddenly it seems more reasonable.
So both of these examples show (pretty goddamn clearly) that the whole "it isn't depriving the original owner of a physical item" thing is total, and absolute, hogwash. Clearly that point is totally irrelevant to ownership.
No, that's merely duplication and proliferation of media and information into the public domain; information wants to be free & media calls for an audience. The sole concern at that point would be how you gained access to the media - did you cause any provable harm? In other words, let's say you're my friend. You come in to my room, I leave my journal entries open and you surreptitiously copy them while I'm getting coffee for us. You leave the journal undamaged and make your duplicates public. The only harm you did was cause me to not trust you personally and no longer allow you in my home. If, on the other hand, you broke into my home, causing real physical damage in some way, as well as making me fear for my own personal wellbeing, then yes, you have provably harmed me in a legally actionable way.
In either case, nothing was stolen. Emotional and in the latter case physical damages were done because you have duplicated personal information without my consent. A piece of released or published software is decidedly not personal information. In fact, the number of abstraction layers between a user and the creator(s) of a game usually mean that pirated copies cause no emotional harm whatsoever to the author(s).
> If someone stole bread, how would you feel about It? Screw that person right? What if they were stealing the bread from someone who would never notice the loss, and it was for their hungry kids? Suddenly it seems more reasonable.
If you are depriving someone of a basic foodstuff, and their only means of procurement and providence is legally labelled as theft, then you are perpetrating an unjust society. That's my opinion on that.
That's a nice bumper sticker, but also a bunch of shit.
So the nudes you take with your wife, demand to be free and an audience? The photos of your children in the tub demand to be free, and an...audience? Reality doesn't fit on a bumper sticker.
"If you are depriving someone of a basic foodstuff, and their only means of procurement and providence is legally labelled as theft, then you are perpetrating an unjust society."
Oh right, so every society that's ever existed. Gotcha. Glad that doesn't happen on whatever planet you live on.
If I have them stored via digital media and don't provide it with significant forms of security, then yes - and it's my own shame if something "goes wrong". Besides, why would I take pictures or video of that if I wasn't going to look at them later? That's part of why I never got up in arms about the Apple photo breach; people stored images on a remote server whose security they were unable to monitor.
> Oh right, so every society that's ever existed. Gotcha. Glad that doesn't happen on whatever planet you live on.
Never said there's been a just society so far.
That's not even remotely true (incidentally this would be illegal in the UK and a court would grant an injunction on publication under breach of confidence, precisely because it's such a shitty thing to do https://en.wikipedia.org/wiki/Breach_of_confidence_in_Englis...).
Yes but they would not charge you with theft. Which includes "the intention to permanently deprive"...
Copying someone's private data is not theft. That doesn't mean that it is morally or legally OK (it's not - it's another crime). It just means that theft is a specific crime based on taking fungible chattel with the intent to not give it back.
IANAL - but I don't think this would fly in any jurisdiction anywhere. Is this definition specific to a country whose laws I'm not familiar with?
Theft in law generally only applies to tangible personal property, not intangible personally property and not real property. That's not a redefinition, just the long-existigng definition.
I never said that copyright infringement or copying and publishing personal data is OK morally or legally. I just said that they are different crimes.
Yes, the original taking of the journal is literally depriving someone else of their object. A future return of the object clearly does not mean the original deprivation never happened. The point you're making about unauthorized distribution of private thoughts is about violation of privacy. Violating a person's privacy certainly is a bad thing. Theft is a different bad thing. (The analogy you're looking for is copying someone's paywalled blog)
"If someone stole bread, how would you feel about It? Screw that person right? What if they were stealing the bread from someone who would never notice the loss, and it was for their hungry kids? Suddenly it seems more reasonable."
You're trying to move the goalposts by conflating the literal deprivation of objects with copying information that all parties are trying to proliferate. The emotional appeal, besides not being as agreeable as you think, has nothing to do with the issue. A plentiful, though limited resource is just that. (Yes, one of the many reasons theft is bad is because it invariably angers the thieved and violates their sense of justice - the difference in argument is postulating the emotional impact of an action vs instructing the reader to feel a certain emotion).
Also, people are convinced by arguments they have an emotional connection to - not postulates. You're always instructing the reader how to feel - if the reader can't see what you're doing, and still consider your argument, they're uneducated. That's no sleight against them - as it is massively effective, and it is not permanent. Look at the last US election.
I have a rough understanding of human persuasion and decision making. Persuasion is not my goal. I am trying to engage with other people, read their knowledge and opinions, compare those to what I understand about reality, express my understanding, and when there are inconsistencies, attempt resolving them with some combination of verification of facts and revealing of core principles. Often times, this leads to me realize I had an incorrect thought about something, so I update my understanding of the world accordingly.
The gentleman doth protest too much?
How would you go about it?
So yeah, if I wanted to make money with games, I wouldn't. But if I really really wanted to, I would try to get popular, then start a kickstarter and open a patreon. Make sure people can support my art with as little as they can.
As just one example - consider game rentals. Consoles have incredibly low piracy rates, but a healthy (or at least used to be) game rental scene. If someone can only give me 5$ for my game, why should I snub that money? There's probably a million such people across South America alone. I don't see why I would spend time and energy trying to get money out of people who don't value my product instead of finding ways to let everyone who likes my product to support me.
> As just one example - consider game rentals. Consoles have incredibly low piracy rates, but a healthy (or at least used to be) game rental scene. If someone can only give me 5$ for my game, why should I snub that money?
There's no game rental scene. Like zero. And consoles have incredibly low piracy rates because they have very effective DRM and closed platforms, which a certain contingent of Hacker News likes to pretend is the cause of piracy.
Yeah, I'm a long time lurker and created an account just for that.
Since then and present day I still don't know a single console owning person that has not hardware modded it to work with pirated games.
I wouldn't have gone that far because I'm smart enough to tell that making money with a game is pretty damn hard (and it has nothing to do with piracy).
But if I had done stupid anyway, I would blame myself.
I could "want to make money" off of my turd too, and put hard effort into it, that doesn't mean I'm entitled to success.
Why try, if you are going to be surveilled and get your hand slapped at the slightest violation, and have every rough spot or sharp corner sanded down off of your personality. If you don't want to get classified as a threat and separated and sent to remediation therapy and special schooling and things like that, that is. In the name of security, the teachers derision for the weird kids was given sharp teeth, eventually perfected. The tunnel vision that develops during schooling, the one that leads kids to kill themselves or each other over simple school problems because they can't even see themselves as human beings with a life outside of the school environment, extends further now, well into college, and perhaps soon far beyond.
This is the one regulation that could save a nation from FB, Twitter, Instagram and their ilk. Any politician to run on this could shoot somebody in the middle of a crowded street without losing my support.
That might be a bit overdone, but I get your point.
If Twitter did not have an API key, they would spend 2x the money on absorbing & defending against DDoSes and security vulnerabilities. That cost would get passed on to us with frequent outages and many more ads in our feeds. Or a leak of someones DMs.
This is complete nonsense. Attackers aren't going to follow your TOS, so what possible benefit could asking your users to do it on little more than the honor system provide?
The best part with using an API is that, at least in theory, it is stable and will not have changes that breaks your integration with it
Even if you had the ultimate multi chat clients, noone cares about it. People use the official client that works just fine.
But if we know that the company is going to respond by changing the protocol. Then who wants to spend time reverse engineering it?
In looking for references to the miner, people seem to mention Rambox as an alternative. I can't say much about that as I just came across it, but it looks promising as well.
It's not meekness so much as the economics have changed and breaking rules isn't worth it for as many people anymore
These companies are pretty different than the old school put up an api.
If DNS was designed by Facebook or google it would make a dedicated client and refuse some people who used too much.
It seems the war of protocol vs systems is going poorly for protocols.
Generally n = 1 is not a good sample size.
This young generation, based on a study of history, prefers to be governed by agreed-upon rules, rather than "might is right".
Note that I, and probably the vast majority of every generation, agree with this court's decision that ToS are not enforceable.
But the reason is not the challenge to enforce such ToS through technical means. It is the fundamental unfairness of a process that would allow such one-sided contracts to be drawn.
As a counter-example: your philosophy of "I can do whatever I can do" would allow limitless collection, use, and sale of personal information. But I would hope that most people actually do see value in Facebook not being allowed to sell your private images and messages to the highest bidder if they ever choose to.
That's true, but it would be incorrect to infer that the Ninth Circuit's holding in this case means that such a cease and desist is ineffective to revoke notice for purposes of the CFAA. To the contrary, the Ninth Circuit has held that where a defendant, "after receiving the cease and desist letter from" the plaintiff, "intentionally accessed [plaintiff's] computers knowing that it was not authorized to do so," the defendant was "liable under the CFAA." Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1069 (9th Cir. 2016).
The cease-and-desist letter dropped out of this case, because Rimini was accessing Oracle's website under delegated authority from Oracle customers, who had a contractual right to access the site. Oracle chose not to press the argument that it could limit the delegated authority from the customers by virtue of the cease and desist, I suspect because the wording of the cease and desist did not actually revoke Rimini's authorization to access the files. Oracle thus was stuck arguing that violating the TOS, despite otherwise having authorization to access the data, was enough to violate state-law counterparts to the CFAA. That latter argument was a losing one in light of United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), where the Ninth Circuit held that a terms of service provided insufficient notice to alleged offenders to create liability under the CFAA.
If a website operator wants to control if a user can access the website, then there are ways to do this without resorting to criminal prosecution.
Through server software, websites can control how fast HTTP requests can be made in succession or how many requests can be made in a single connection.
Websites can further control what IP addresses have their HTTP requests fulfilled.
But users can still utilize client software to make automated requests and comply with any of these restrictions.
The user might just send the requests slowly or from a different IP address.
Ultimately, no website can force a user to use a GUI, mice or touchcreens. The same as no website can force a user to use a particular browser.
If a website wants to control how a user accesses the website, there is no way to enforce this under the criminal law.
When you say "Ultimately, no website can force a user..." I wonder if you are actually considering the use of force there? A police officer or other agent with a firearm raiding the home or place of business of someone with a court order in hand is generally quite effective at compelling behavior, and that is what Oracle is aiming for. Whether there are technical means to make it easy or practical isn't at issue.
But maybe the actual loss caused by the automated downloads in this case wasn't high enough and they pushed the criminal angle to make some kind of point.
I suspect that too. I'm just surprised it got as far as a jury ruling in their favor in a criminal case, instead of being thrown out earlier on it's lack of merit.
And that's probably what determined the result. The courts are not run by stupid people, they don't like that the system is exploited.
But also, breach of contract can only occur if there is an actual contract. Speaking generally - if I purchase software then a contract would exist (offer/acceptance/money changing hands) and the terms would come into play.
If I was simply a visitor to a website then I think it would be harder to argue a contractual relationship exists.
They also, it may be worth noting, won on the copyright claims.
I don't see any reason why e.g. a website that prominently displays a notice saying that scrapping tools aren't welcome and that puts in place reasonable measures to prevent scrapping tools from being used, shouldn't be protected by the law of trespass from people that deliberately evade these preferences. Likewise, I don't see a banned HN poster that creates a new account shouldn't be considered a trespasser. Of course there are issues of prosecutorial discretion and limited law enforcement resources, but that's a separate question than what should or shouldn't be criminal.
As far as I know, the laws against trespass in the physical world derive from common law. It's a shame we don't have a similar common-sense starting point for computing law; but computing is so new (and to many people so esoteric) that few of us have had a chance to develop something like "common sense" about it.
The result is that the correct analogy for a situation isn't always obvious. For instance, we could go with the ever popular car analogy: Corporate players want their (public facing) servers to be treated under law not as stores open for business but as cars on a dealer's lot that you're welcome to test drive with permission but that it's illegal to just grab and take for a joyride.
Linkedin and Craigslist will finally get the competition they've been fending off with scary lawsuits.
I can't wait to see the look on Craig Newman's face when web scrapers all around the world will do what he feared all this time, bring innovation.
This is possibly one of the best things I've read on HN. I'm more curious as who are the people at EFF pulling this off, stroking the legal justice warrior within me....I think this is the part of the law that deeply interests me but I don't know what you call EFF's area of law.
Happy Scraping everybody!
Actually, it says that they don't violate particular California and Nevada state analogs of the federal CFAA; this was, in fact, a civil case under those laws, not a criminal case, though those laws also support criminal prosecution.
With out a valid two sided contract any website operator wanting to sue a user for misuse will have to resort to whatever laws is actually on the books.
And, even more strictly speaking, in a civil case (which this subthread is addressing) it's all up to the judge anyway, even in a jury trial, since (unlike in a criminal case, where this can only happen to the benefit of the defendant, as a judgement of acquittal), a decision for either party may be entered, after the jury verdict, as a judgement as a matter of law (aka judgement notwithstanding the verdict.) This makes nullification essentially a dead issue in civil trials.
A few people circumventing paywalls isn't going to register on the legal radar.
I just hope that this trend can continue and can sufficiently bury the idea that accessing public (as in without any kind of authentication method) information on the internet should not ever be a violation of any laws when done without malicious intent (a DoS attack should still obviously be illegal).
The CFAA and DMCA are written so that they can be applied to an extremely wide set of situations, and getting some concrete examples of things that aren't violations can help push back and contain what are.
Oh, the irony.
(For anyone unclear, I'm thinking of Oracle, which provides Red Hat clients with software support that competes with Red Hat's own services.)
In any case, I'm always happy to see Oracle lose a legal suit.
And what makes you think, that what comes after (there will sureley be a company that fills the void) would be better in any way? The problem is not so much the frivolous lawsuits of oracle and the likes, but the incentives to pursue this behavior.
1) Constitution - for countries that have one,
2b) Other executive orders
ToC is simply a contract. Breach of ToC/Contract is not necessarily a breach of law (unless a law is at the same time violated)
Does this mean that scraping is acceptable now, even if a site's TOS explicitly forbid it?
That...depends. It was a scraping case, but while the appeals court allowed the automated access that the lower court found violated various anti-hacking laws, it also let stand the copyright violation judgement for the actual use of the scraped content.
So, if content is protected by copyright, you don't have a license which covers your use, and no exception to copyright protection applies, that's still going to be a problem for scraping.
Note, however, that this is a Ninth Circuit decision. If you don't live within the bounds of the Ninth Circuit, this decision doesn't apply to you.
A simple action they could have taken was to block the scraper, the EFF post makes it looks like they didn't do this. Presumably they asked for the prosecution in order to deter other scrapers, but they could have done that AND ALSO blocked this scraper.
So if Oracle had told Rimini outright that they were not allowed to access the files at all, Oracle might have prevailed?
Rimini was a maintenance vendor acting on behalf of paid Oracle licensees with paid-for rights to access the files (which apparently are legally exercisable through a third-party vendor), and a vendor of maintenance services that competed with Oracle's first-party maintenance services, so doing so could be legally problematic.
Besides its not as if they can actually do anything about it. I probably don't even come up in their analytics.
A simple 403 FORBIDDEN probably covers it. Or 429 TOO MANY REQUESTS might be appropriate. More bluntly, 204 NO CONTENT exists to tell your client, "I heard you just fine and I have nothing to say to you." Or there's 509 BANDWIDTH LIMIT EXCEEDED.
In any case, the protocols exist to give your client some constructive information in your refusal.
If you promise something and fail to deliver on this and some party suffers harm based on your failure you might get sued. This is true both ways.
What you can't do is post a sign outside your business saying everyone coming in must do the macarena and accuse anyone not singing of ex post facto breaking and entering under the concept that they should have read the sign.