Hacker News new | comments | show | ask | jobs | submit login
Courts: Violating a Website’s Terms of Service Is Not a Crime (eff.org)
689 points by uptown 11 months ago | hide | past | web | favorite | 161 comments



This is positive news. It seems like the more liberal approach taken when protocols were written is being challenged more by young users who grew up under more stable rules that accepted terms of service as very strong.

When I was growing up you went by what the protocol allowed. If an http response came back you have access, if it prompted for credentials, then you didn’t have access.

The mere idea that a web server gives you info and then you have to check a TOS that you might not even know exists is foreign to me. But when I talked with a young programmer they kind of agreed with Oracle saying “otherwise you could just request everything from every possible address.” They were unfamiliar with war drivers or even how early web crawlers started.


It's not that young people grew up with stable rules. It's that young people grew up under the influence of industrial information warfare tactics and propaganda. As someone that was prevented from distributing Linux at high school because the administrators thought that any copying was piracy (thanks to the Software Publishers Association and the friendly local Microsoft rep), this conditioning to get kids (and less intelligent adults, sadly) to believe in the supremacy of illegitimate authority has been going on for a while now. Now those kids are starting to become adults. So, of course, you're starting to see bullshit like the CFAA1986 (and it's downright laughably broad definition of a 'protected computer') and the DMCA (likewise) starting to be abused like they are. The "don't copy that floppy" music video was the thin edge of a wedge that continues being driven into the heads of kids and adults alike, even today.


It might be that...

I also like to think that young people just don't really understand the full picture of how all of this actually works...they just think they do and that google/SO/wikipedia contains the answers they they don't have to know.

Our abstraction layers are that good. You can write code in a framework, ship and make millions and suddenly you're a tech genius!

In fairness to them though, when I was starting out 20 years ago, if you could sling a few lines of HTML and make things appear in a browser, people certainly treated you like one.


It's always been this way (at least, since the start of the 70s, according to my mother). Those who are capable of reading the user manual (or documentation, or stackoverflow, or...) will be regarded with superstitious awe by those who are not.


It's not just propaganda it's also an effect of formal vocational training being focused on teaching people procedures for doing a task rather then forcing them to learn by having to recover from failures the way most self taught people were, and lets not forget that doing the boom years practically everyone was self taught in an environment that haven't yet developed teachable procedures yet.

I don't think that it's as much a generation thing that is it a consequence of IT having grown to the point where it is no longer it's own semi-anarchic subculture.


> As someone that was prevented from distributing Linux at high school because the administrators thought that any copying was piracy

I remember having this discussion with in HS and also at work with people who were convinced pirating a PSX game is same as stealing, while not realizing there is no evidence that suggests a pirated copy means a lost sale (people can't afford it in places like Brasil where they still play Sega Genesis).

The level of brainwashing of my generation is appalling, but I'm glad people like us realize the ridiculousness of claims like downloading an mp3 is stealing from an artist (they clearly have no idea how much the industry leeches off the artist in first place).

Also, now that I've monies I ended up buying most of the games I use to play as a kid on a mod chip, and warez sites on Steam and the dreaded Playstation Store.

2018 is off to a good start.


Equating “fair use” of a website to pirating software is a stretch. In the first case the method of access is at issue (not whether you can or not). In the second the company has not given you any _legal_ right to access.

I don’t see how affordability (or lack of it) is justification to the game.


Stealing would mean the loss of property, but there are infinite copies of the digital good. Users for the most part do not read EULA agreements or Terms of Service of a website, the expectation is on the software company's side, it's not a a crime unless there is proof of damage (selling it for profit) from either copying that floppy disk or scraping a public website so hard you interfere with their operations.

So basically if you are poor, you deserve not to gain from the same things rich people can, even when no loss of property or damage occurs by having someone who can't afford it in the first place be your loyal fan. This doesn't apply in cases where there is explicit loss of property and damage that occurs as a result.

Mozart also got his ass arrested because he transcribed music he liked onto a medium which he was not authorized to do so. But we all know how ridiculous that was.


> Mozart...

I am interested, and I googled Mozart arrested, Mozart arrested for Copyright, Mozart arrested for Music, but couldn't find anything, could you please post a link/story about Mozart getting arrested?



Interesting... In my high school (third world country), buying software at US prices simply wasn’t an option for local incomes, while we were hungry to learn and use the software (especially compilers).

Even the teachers copied software for us onto floppies that we’d “borrow” like library books.

Everyone pirated. Interestingly though most switched to Linux early on too.

And most of the members of our warez distribution BBS/IRC channels went on to great careers in technology, some becoming leading lights of the local and SV VC scene ;)

I think some of the early healthy disrespect for authority may have had a part in fostering our risk taking, questioning mindsets!


A pirated copy doesn’t need to equate to a lost sale in order for it to be stealing. You took something of value that was created or owned by someone else. Whether it’s a physical or nonphysical good is completely beside the point.


English is certainly imprecise, but I would claim that if I commit some act X, and you have no less property than if I had not committed act X, then whatever else we can say about act X, I fell confident that it is not stealing.


And yet people get all worked up about "stolen" passwords. I still have my password. What's the problem?


> "stolen" passwords

That's also wrong. What actually happened is that a database of password hashes was _copied_ not stolen. So yes your password wasn't stolen.

The problem is a security/privacy problem. If someone made a copy of your house keys, that's a problem, because now they can enter your house. But they didn't steal your keys, they copied them. Same with the password. They didn't steal your password, but they have a copy, so they can use it to log into your accounts.


Identity "theft" is also one of those confusing terms. We already have a word for it: impersonation.

Though in fact sometimes things can be stolen via identity theft; in particular if someone abuses your credit it can deny you future credit, so they have stolen the good-will or trust of creditors in that case. This would be an example of an intangible good being stolen.


> You took something of value that was created or owned by someone else.

A person who creates or owns a piece of information still has it after you "steal" it. That's the difference between a physical and a nonphysical good.

(I'm not saying distributing copies of copyrighted works is automatically OK, just that your justification for it not being OK doesn't hold water).


Theft -- in UK law -- is the intentional taking of someone's property with the intent to deprive the owner of it permanently.

That's why there's a specific offence of "Taking Without Owner's Consent" when you steal a car to joyride in (and crash and burn, rather than sell on): otherwise it's too easy to claim you only "borrowed" the car and intended to give it back, at which point it's not a crime any more.


Look it's not stealing - stealing is a concept related to physical goods.

That doesn't mean that it is right. Piracy is still wrong even though it is not stealing.

And the GP seems morally confused. Sharing FLOSS software is very very different morally to pirating games.


If i look at the effects of piracy - which is a humanity happy and busy without environmental damage, and the damage which is one guy not getting to buy his third yacht- yes, thats a good trade. Its also one of the reasons why most governments of this world are in so lackluster pursuit of piracy.

Why would one want to take away the opium from the masses?


Are you asserting that the salient moral property of theft isn't a party removing a thing from another party, but rather a party gaining a thing made by someone else?


Unfortunately, this is what people who claim piracy is evil thinks.

You obviously can't afford Final Fantasy 7 or Megaman Legends so by deriving pleasure from an unauthorized copy, you are a thief and lacking in moral fiber Sir!


> You took something of value that was created or owned by someone else.

Really? So they no longer have it, because I took theirs?

Or, do they still have their copy, and I have mine, and I didn't take anything that was owned by them?

If I make an exact copy of your car and drive off in it, are you gonna complain that I stole your car?


They may not even know that you have it. So it’s like giving money a natural right and enforcing it.

A very odd mindset, but one I encounter frequently.

They did this class in my kid’s 5th grade where someone came in and said making tapes was illegal. And asked about parents who copied stuff. I was so pissed but the school got a tv or DVD player or something stupid.


This is an interesting philosophical point that I think needs to be debated and established in law. Stealing is based on natural law of depriving someone of a thing.

If I make a copy you may value that, but the copy doesn’t deprive you of anything. What if you whistle a tune and I think about it? I’ve deprived you of value you by paying nothing but thinking of your whistled tune over and over.

I don’t think it’s an accepted truth that just because someone creates something that they must be compensated. Especially if it costs money for society to enforce.

There’s tons of these mental exercises. If I add a TOS to this comment saying it’s worth $1k and by reading, you must pay; do you owe? Did you steal my value without my consent?

That’s why stealing is based on clear harm through depriving of property. And fair use was established to allow reasonable noncommercial use.

My biggest complaint is that IP maximalism is not something society as a whole agreed to. It seems that IP holders just decided for society.


>You took something of value that was created or owned by someone else.

By this definition every website you visit on the internet that you did not create yourself is stealing.


How dare him aquiring the same opportunitys and destroying the economic protectinon ring you errected around your kids.


#this I can't believe people here don't think it's piracy or stealing, just because it doesn't deprive someone else of their object (as in the case of a physical good).

If I took your journal entries from your room, and copied them all, and put them on the internet - that's not stealing, because I returned the journal? No, that's still theft.

If someone stole bread, how would you feel about It? Screw that person right? What if they were stealing the bread from someone who would never notice the loss, and it was for their hungry kids? Suddenly it seems more reasonable.

So both of these examples show (pretty goddamn clearly) that the whole "it isn't depriving the original owner of a physical item" thing is total, and absolute, hogwash. Clearly that point is totally irrelevant to ownership.


> If I took your journal entries from your room, and copied them all, and put them on the internet - that's not stealing, because I returned the journal? No, that's still theft.

No, that's merely duplication and proliferation of media and information into the public domain; information wants to be free & media calls for an audience. The sole concern at that point would be how you gained access to the media - did you cause any provable harm? In other words, let's say you're my friend. You come in to my room, I leave my journal entries open and you surreptitiously copy them while I'm getting coffee for us. You leave the journal undamaged and make your duplicates public. The only harm you did was cause me to not trust you personally and no longer allow you in my home. If, on the other hand, you broke into my home, causing real physical damage in some way, as well as making me fear for my own personal wellbeing, then yes, you have provably harmed me in a legally actionable way.

In either case, nothing was stolen. Emotional and in the latter case physical damages were done because you have duplicated personal information without my consent. A piece of released or published software is decidedly not personal information. In fact, the number of abstraction layers between a user and the creator(s) of a game usually mean that pirated copies cause no emotional harm whatsoever to the author(s).

> If someone stole bread, how would you feel about It? Screw that person right? What if they were stealing the bread from someone who would never notice the loss, and it was for their hungry kids? Suddenly it seems more reasonable.

If you are depriving someone of a basic foodstuff, and their only means of procurement and providence is legally labelled as theft, then you are perpetrating an unjust society. That's my opinion on that.


>information wants to be free & media calls for an audience

That's a nice bumper sticker, but also a bunch of shit.

So the nudes you take with your wife, demand to be free and an audience? The photos of your children in the tub demand to be free, and an...audience? Reality doesn't fit on a bumper sticker.

"If you are depriving someone of a basic foodstuff, and their only means of procurement and providence is legally labelled as theft, then you are perpetrating an unjust society."

Oh right, so every society that's ever existed. Gotcha. Glad that doesn't happen on whatever planet you live on.


> So the nudes you take with your wife, demand to be free and an audience? The photos of your children in the tub demand to be free, and an...audience? Reality doesn't fit on a bumper sticker.

If I have them stored via digital media and don't provide it with significant forms of security, then yes - and it's my own shame if something "goes wrong". Besides, why would I take pictures or video of that if I wasn't going to look at them later? That's part of why I never got up in arms about the Apple photo breach; people stored images on a remote server whose security they were unable to monitor.

> Oh right, so every society that's ever existed. Gotcha. Glad that doesn't happen on whatever planet you live on.

Never said there's been a just society so far.


> In other words, let's say you're my friend. You come in to my room, I leave my journal entries open and you surreptitiously copy them while I'm getting coffee for us. You leave the journal undamaged and make your duplicates public. The only harm you did was cause me to not trust you personally and no longer allow you in my home.

That's not even remotely true (incidentally this would be illegal in the UK and a court would grant an injunction on publication under breach of confidence, precisely because it's such a shitty thing to do https://en.wikipedia.org/wiki/Breach_of_confidence_in_Englis...).


> That's not even remotely true (incidentally this would be illegal in the UK and a court would grant an injunction on publication under breach of confidence, precisely because it's such a shitty thing to do https://en.wikipedia.org/wiki/Breach_of_confidence_in_Englis...).

Yes but they would not charge you with theft. Which includes "the intention to permanently deprive"...

Copying someone's private data is not theft. That doesn't mean that it is morally or legally OK (it's not - it's another crime). It just means that theft is a specific crime based on taking fungible chattel with the intent to not give it back.


So you narrowly redefine theft to not include intellectual property or any non-physical good.

IANAL - but I don't think this would fly in any jurisdiction anywhere. Is this definition specific to a country whose laws I'm not familiar with?


> So you narrowly redefine theft to not include intellectual property or any non-physical good.

Theft in law generally only applies to tangible personal property, not intangible personally property and not real property. That's not a redefinition, just the long-existigng definition.


Did you plug "intellectual property theft" into Google before you came to this conclusion?


Try it and look at laws vs non-laws.


No I apply the actual definition of theft....

I never said that copyright infringement or copying and publishing personal data is OK morally or legally. I just said that they are different crimes.


"If I took your journal entries from your room, and copied them all, and put them on the internet - that's not stealing, because I returned the journal? No, that's still theft."

Yes, the original taking of the journal is literally depriving someone else of their object. A future return of the object clearly does not mean the original deprivation never happened. The point you're making about unauthorized distribution of private thoughts is about violation of privacy. Violating a person's privacy certainly is a bad thing. Theft is a different bad thing. (The analogy you're looking for is copying someone's paywalled blog)

"If someone stole bread, how would you feel about It? Screw that person right? What if they were stealing the bread from someone who would never notice the loss, and it was for their hungry kids? Suddenly it seems more reasonable."

You're trying to move the goalposts by conflating the literal deprivation of objects with copying information that all parties are trying to proliferate. The emotional appeal, besides not being as agreeable as you think, has nothing to do with the issue. A plentiful, though limited resource is just that. (Yes, one of the many reasons theft is bad is because it invariably angers the thieved and violates their sense of justice - the difference in argument is postulating the emotional impact of an action vs instructing the reader to feel a certain emotion).


My arguments are based on ownership - you didn't create the (game, book, journal entries, code, artistic item, music, whatever), but somehow because you've decided to take advantage of content creators by belittling their ownership to declare theft a victimless crime.

Also, people are convinced by arguments they have an emotional connection to - not postulates. You're always instructing the reader how to feel - if the reader can't see what you're doing, and still consider your argument, they're uneducated. That's no sleight against them - as it is massively effective, and it is not permanent. Look at the last US election.


If you're going to reply to a comment, reply to the words written. My comment doesn't describe anything as victimless crimes.

I have a rough understanding of human persuasion and decision making. Persuasion is not my goal. I am trying to engage with other people, read their knowledge and opinions, compare those to what I understand about reality, express my understanding, and when there are inconsistencies, attempt resolving them with some combination of verification of facts and revealing of core principles. Often times, this leads to me realize I had an incorrect thought about something, so I update my understanding of the world accordingly.


Piracy isn't stealing... and besides, no one can afford the games anyway... besides, you should see what the industry does to the artists in the first place...

The gentleman doth protest too much?


Let's try to flip the perspectives. Let's say you created a game. Let's pretend you want to make money off of it, because you put quite some time into it. Time you could have used to make money by other means.

How would you go about it?


I know why people pirate, having pirated a lot of software and games in my time, so I won't really feel bad about it. Most people will buy the game if they can, but the world economics are such that for 90% of your potential user base, 60$ represent an insurmountable financial investment. Which is partly why Steam with its frequent discounts and region-specific pricing is so effective at combating piracy.

So yeah, if I wanted to make money with games, I wouldn't. But if I really really wanted to, I would try to get popular, then start a kickstarter and open a patreon. Make sure people can support my art with as little as they can.

As just one example - consider game rentals. Consoles have incredibly low piracy rates, but a healthy (or at least used to be) game rental scene. If someone can only give me 5$ for my game, why should I snub that money? There's probably a million such people across South America alone. I don't see why I would spend time and energy trying to get money out of people who don't value my product instead of finding ways to let everyone who likes my product to support me.


> Most people will buy the game if they can, but the world economics are such that for 90% of your potential user base, 60$ represent an insurmountable financial investment.

Bulllllllshiiiiiiiiit.

> As just one example - consider game rentals. Consoles have incredibly low piracy rates, but a healthy (or at least used to be) game rental scene. If someone can only give me 5$ for my game, why should I snub that money?

There's no game rental scene. Like zero. And consoles have incredibly low piracy rates because they have very effective DRM and closed platforms, which a certain contingent of Hacker News likes to pretend is the cause of piracy.


>Most people will buy the game if they can, but the world economics are such that for 90% of your potential user base, 60$ represent an insurmountable financial investment. >Bulllllllshiiiiiiiiit. The third world is numerically bigger than the first world. 60$ is a lot for places without a strong currency. Have you ever lived in a third world country with a wage that wasn't above the richest 5%?

Yeah, I'm a long time lurker and created an account just for that.


Back when I was a teen 60$ was about 25% of my household income.

Since then and present day I still don't know a single console owning person that has not hardware modded it to work with pirated games.


$60 in my local currency Indian Rupees is about ₹3800, my one person, single's monthly food groceries bill.


I'd put my Twitter handle in the game to build a following so even more people download my next free game. Make it up in volume.


∞ × 0 = 0


∞ × 0 is one of the most bog-standard indeterminate forms, not 0.

https://en.wikipedia.org/wiki/Indeterminate_form


No that's just ill-defined.


I think that's the joke, but yes.


> Let's try to flip the perspectives. Let's say you created a game. Let's pretend you want to make money off of it

I wouldn't have gone that far because I'm smart enough to tell that making money with a game is pretty damn hard (and it has nothing to do with piracy).

But if I had done stupid anyway, I would blame myself.

I could "want to make money" off of my turd too, and put hard effort into it, that doesn't mean I'm entitled to success.


I don't think that it warrants a name so grand-sounding as 'industrial information warfare tactics and propaganda'. I don't even believe it was done entirely intentionally. When I was going to school in the 90s, schools were locking down more and more each year. Eventually, that produced Columbine and several other school shootings, intensifying their efforts (they were blind to the fact that they were the cause). Eventually they reached a fairly steady state of today, where learned helplessness is inflicted either before or early in adolescence, resulting in things like a 40% drop in the number of 16 year olds who have a drivers license between 2005 and 2015, many fewer adolescents having jobs during school, etc.

Why try, if you are going to be surveilled and get your hand slapped at the slightest violation, and have every rough spot or sharp corner sanded down off of your personality. If you don't want to get classified as a threat and separated and sent to remediation therapy and special schooling and things like that, that is. In the name of security, the teachers derision for the weird kids was given sharp teeth, eventually perfected. The tunnel vision that develops during schooling, the one that leads kids to kill themselves or each other over simple school problems because they can't even see themselves as human beings with a life outside of the school environment, extends further now, well into college, and perhaps soon far beyond.


wow, so if you believe there is systemic 'infliction of learned helplessness' on pre-adolescent children, then it does warrant a 'grand-sounding name'.


[flagged]


Young people certainly have grown up with anti-abortion and anti-homosexuality propaganda, gradually shaking it off as it was revealed to be made of fear and nonsense.


I continue to be shocked that Twitter convinced an entire generation of software developers that you need to obtain something called an "API key"--which can somehow be refused or even revoked once granted--in order to write a client for their protocol. "Back in my day", we just reverse engineered the official client and used whatever algorithm it used to talk to the server and called the war won :/.


It should be illegal for companies like Twitter to forbid this. Users should be free to access their data, and free to use any tool to do so. The revered network effect is anti consumer and it must be broken.

This is the one regulation that could save a nation from FB, Twitter, Instagram and their ilk. Any politician to run on this could shoot somebody in the middle of a crowded street without losing my support.


> Any politician to run on this could shoot somebody in the middle of a crowded street without losing my support.

That might be a bit overdone, but I get your point.


It's a reference to a statement the current president made during his campaign.


I'd say it entirely depends on who they're shooting.


Its an (in)famous Trump line.


The one regulation that could save a nation from FB, Twitter and Instagram is to ban advertising. All of it. Ban all advertising anywhere for any reason.


You may not advertise this proposed regulation.


I dunno about that.. controlling access to your server is much more important today because tech is ubiquitous, and a big target for bad actors. In the old days very few people would know enough and care enough to reverse engineer your protocol.. when a service has billions of users and valuable data, that changes.

If Twitter did not have an API key, they would spend 2x the money on absorbing & defending against DDoSes and security vulnerabilities. That cost would get passed on to us with frequent outages and many more ads in our feeds. Or a leak of someones DMs.


> If Twitter did not have an API key, they would spend 2x the money on absorbing & defending against DDoSes and security vulnerabilities. That cost would get passed on to us with frequent outages and many more ads in our feeds. Or a leak of someones DMs.

This is complete nonsense. Attackers aren't going to follow your TOS, so what possible benefit could asking your users to do it on little more than the honor system provide?


Stopping a DOS is easier if you can tie whatever expensive operations that are happening to a single user.


Except you can't actually figure out which user it is.


API key != TOS


The TOS is the reason that people use API keys instead of just reverse engineering the protocol (which is what an attacker will do).


No, CSFR tokens, validating API keys, restricting the origin of request, etc is how to restrict access to the API. TOS is only text to keep the honest honest, the security layer is to keep the attackers and others without access out. A TOS is the web-site telling how it want you to behave, and all it can do if you don't behave that way is to do its best to not let you in. Nothing of this stops you from trying to reverse engineer the protocol.

The best part with using an API is that, at least in theory, it is stable and will not have changes that breaks your integration with it


Is this system of "API keys" why Pidgin doesn't handle all these new IM protocols, and why there's no other good old-fashioned multi-protocol clients for them (that I'm aware of)?


Because reverse engineering some IM protocols is far from trivial. Skype, in particular, is a nightmare of obfuscation, as I understand (second hand knowledge from having wanted to replace it with Pidgin in the past, I haven't tried reverse engineering it myself).


Skype I know is infamously hard, but I'm wondering about the more general case -- are the problems there similar to the problems with Skype, or are they due to something else?


As far as I know, they're a combination of it being hard work and there just not being enough of a qualified developer community around Pidgin etc. to put in the effort required. I think people generally underestimate the sheer amount of work involved in reverse engineering an IM protocol, even one that's not particularly well obfuscated.


But what about other projects? Back in the day there were multiple multi-protocol clients. Pidgin (or rather Gaim back then), Trillian, and others; now there's... maybe Franz, as cosmie mentions? Simply saying "Pidgin kind of died off" doesn't seem like enough of an explanation here; why aren't there more such projects popping up?


They never worked properly. It takes years to develop and it's broken anytime the owner will change anything in their implementation.

Even if you had the ultimate multi chat clients, noone cares about it. People use the official client that works just fine.


And you've hit the nail on the head: there's just a lot less _demand_ for multi-protocol clients these days. Official clients are much better than they were in the 1990s. Like piracy: undesired use of a protocol is a service problem, one that modern IM clients are actually addressing.


Back in the day when protocols ran over HTTP it was also a lot easier for amateurs to pick up wireshark.

But if we know that the company is going to respond by changing the protocol. Then who wants to spend time reverse engineering it?


That hardly seems like much of an explanation. Look at the old protocols Pidgin and other clients of the time (e.g. Trillian) spoke -- AOL, MSN, Yahoo... those didn't run over HTTP. More importantly, the companies did respond by changing the protocols; the client-writers kept up all the same. So that's not something that's different between then and now.


Franz[1] is the closest thing I’ve found to a client around newer IM protocols.

[1] https://meetfranz.com/


Includes a Monero miner.


Interesting. I hadn't realized that before. In the Windows version, there's no reference to it anywhere. And I no longer have a Mac to check that out (although it did trigger the dedicated GPU in the MBP, I attributed that to the FB Messenger plugin).

In looking for references to the miner, people seem to mention Rambox[1] as an alternative. I can't say much about that as I just came across it, but it looks promising as well.

[1] http://rambox.pro/


Huh, interesting. Its website isn't very informative though. I can't find a list of protocols, annoyingly.


It has a plugin architecture. Most of the core services it supports are listed in the Franz Plugin repo[1]. Note that it's not just about IM protocols, but rather a one-stop messaging app in general (so supports things like Gmail). And there are quite a few third-party plugins floating around, as well. And a good number that haven't been ported from Franz 4 to Franz 5.

[1] https://github.com/meetfranz/plugins#example-recipes


Huh? Based on the code, it looks like this thing just embeds stock web clients in some kind of webview and uses a little bit of JS injection to extract message counts. It's nowhere close to actually reverse engineering any protocol.


Right. I've definitely noticed a certain technical meekness lately, and honestly, I'm worried that it's connected to the broader cultural trend toward deference to authorities. Break some rules!


In the past you could break rules on the internet and people would treat it as a joke or cool implementation of a technique at best and annoyance at worst. Now if you break those rules the system breaks you.

It's not meekness so much as the economics have changed and breaking rules isn't worth it for as many people anymore


I write bots for various purposes all the time. For the exact reasons you mention, I rarely bother even looking at APIs anymore and go straight to mimicking HTTP headers from a web browser for the functions I need.


It's still common to reverse engineer clients. Unless you're planning to build a legit business and can't have the liability, there is no reason to not use private APIs.


It’s quite lame. Think about how there aren’t even Facebook 3rd party clients and they actively block any scraping. Google also isn’t developer friendly for using the stuff they don’t want you to. Few APIs to their sites.

These companies are pretty different than the old school put up an api.

If DNS was designed by Facebook or google it would make a dedicated client and refuse some people who used too much.

It seems the war of protocol vs systems is going poorly for protocols.


I don't think it has anything to do w/ age. I believe that most people just see rules and laws as very firm, and unquestionable.


What does young/old have anything to do with this? If anything, I'd put it the other way around: I'll bet it's primarily old and conservative people (who don't know how the internet thing operates and want to police digital assets like physical ones) who push for this kind of restriction/law, while so many young people have grown up in an era where they share everything.


Maybe web servers should come with a TOS that outlines that you can't control access to content via freeform text, but must do so via the technical access control means supported by the server itself.


> But when I talked with a young programmer they kind of agreed with Oracle saying “otherwise you could just request everything from every possible address.”

Generally n = 1 is not a good sample size.


yes, we young people are a completely uniform group. Thanks.


Dude most young people pirate like, everything.


Or, maybe, this young generation grew up with the internet being a tool with actual power. Where before, it was pure novelty, with no real-world consequences of destructive behaviour.

This young generation, based on a study of history, prefers to be governed by agreed-upon rules, rather than "might is right".

Note that I, and probably the vast majority of every generation, agree with this court's decision that ToS are not enforceable.

But the reason is not the challenge to enforce such ToS through technical means. It is the fundamental unfairness of a process that would allow such one-sided contracts to be drawn.

As a counter-example: your philosophy of "I can do whatever I can do" would allow limitless collection, use, and sale of personal information. But I would hope that most people actually do see value in Facebook not being allowed to sell your private images and messages to the highest bidder if they ever choose to.


The EFF write up requires a bit of a caveat. The EFF states: "Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn’t rescind Rimini’s authorization to access the files outright."

That's true, but it would be incorrect to infer that the Ninth Circuit's holding in this case means that such a cease and desist is ineffective to revoke notice for purposes of the CFAA. To the contrary, the Ninth Circuit has held that where a defendant, "after receiving the cease and desist letter from" the plaintiff, "intentionally accessed [plaintiff's] computers knowing that it was not authorized to do so," the defendant was "liable under the CFAA." Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1069 (9th Cir. 2016).

The cease-and-desist letter dropped out of this case, because Rimini was accessing Oracle's website under delegated authority from Oracle customers, who had a contractual right to access the site. Oracle chose not to press the argument that it could limit the delegated authority from the customers by virtue of the cease and desist, I suspect because the wording of the cease and desist did not actually revoke Rimini's authorization to access the files. Oracle thus was stuck arguing that violating the TOS, despite otherwise having authorization to access the data, was enough to violate state-law counterparts to the CFAA. That latter argument was a losing one in light of United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), where the Ninth Circuit held that a terms of service provided insufficient notice to alleged offenders to create liability under the CFAA.


It is always a crime to criminally commit a crime.


Is it a problem to outlaw the fact of being smart ?


Only if the legislature doesn't understand the words they read.


"... the bounds of criminal law should not be defined by the preferences of website operators. And private companies shouldn't be using criminal laws meant to target malicious actors as tool to enforce their computer use preferences or to interfere with competitors."

If a website operator wants to control if a user can access the website, then there are ways to do this without resorting to criminal prosecution.

Through server software, websites can control how fast HTTP requests can be made in succession or how many requests can be made in a single connection.

Websites can further control what IP addresses have their HTTP requests fulfilled.

But users can still utilize client software to make automated requests and comply with any of these restrictions.

The user might just send the requests slowly or from a different IP address.

Ultimately, no website can force a user to use a GUI, mice or touchcreens. The same as no website can force a user to use a particular browser.

If a website wants to control how a user accesses the website, there is no way to enforce this under the criminal law.


I am certain that this ruling will be appealed, and we will hopefully see this case before the Supreme Court (assuming they have the time and desire to hear it.. if they don't, then this ruling will stand). Only then will we really be able to speak with the certainty you display.

When you say "Ultimately, no website can force a user..." I wonder if you are actually considering the use of force there? A police officer or other agent with a firearm raiding the home or place of business of someone with a court order in hand is generally quite effective at compelling behavior, and that is what Oracle is aiming for. Whether there are technical means to make it easy or practical isn't at issue.


Maybe politicians and voters in California fix their broken state laws, rather than passing the chip to the Supreme Court.


IANAL, but violation of terms of service seems like a breach of contract, not a crime. For that sort of thing there is always the civil court system if the plaintiff feels like their loss due to the violation is high enough to warrant pursuing the legal case.

But maybe the actual loss caused by the automated downloads in this case wasn't high enough and they pushed the criminal angle to make some kind of point.


There was no loss. They are attempting to missuse the law in order to provide an oportunity to destroy a competitor because Oracle is run by bad people.


> There was no loss.

I suspect that too. I'm just surprised it got as far as a jury ruling in their favor in a criminal case, instead of being thrown out earlier on it's lack of merit.


> There was no loss.

And that's probably what determined the result. The courts are not run by stupid people, they don't like that the system is exploited.


There's a loss now. I bet Oracle's legal team was not cheap.


> but violation of terms of service seems like a breach of contract

I agree.

But also, breach of contract can only occur if there is an actual contract. Speaking generally - if I purchase software then a contract would exist (offer/acceptance/money changing hands) and the terms would come into play.

If I was simply a visitor to a website then I think it would be harder to argue a contractual relationship exists.


Oracle, not being the state government of either California or Nevada, could not and did not “push the criminal angle”, they filed a civil action charging violation of both federal copyright law and two. states anti-hacking laws; the latter allow both civil and criminal actions.

They also, it may be worth noting, won on the copyright claims.


The best analogy seems to be trespass. A store generally allows anyone to come in. Absent any kind of notice you can go into a store and take pictures. But if there is a big prominent sign on the door that says "no photos allowed" and you go in and take a picture, you aren't just subject to being thrown out. You are (depending on some nuances of state law) committing criminal trespass. Likewise, if for whatever reason, you've already been thrown out and told you are never welcome back then the minute you step in the door you are trespassing.

I don't see any reason why e.g. a website that prominently displays a notice saying that scrapping tools aren't welcome and that puts in place reasonable measures to prevent scrapping tools from being used, shouldn't be protected by the law of trespass from people that deliberately evade these preferences. Likewise, I don't see a banned HN poster that creates a new account shouldn't be considered a trespasser. Of course there are issues of prosecutorial discretion and limited law enforcement resources, but that's a separate question than what should or shouldn't be criminal.


Of course, trespass laws don't apply directly, but I think that's an excellent analogy and could be an appropriate basis for future laws about web use.

As far as I know, the laws against trespass in the physical world derive from common law. It's a shame we don't have a similar common-sense starting point for computing law; but computing is so new (and to many people so esoteric) that few of us have had a chance to develop something like "common sense" about it.

The result is that the correct analogy for a situation isn't always obvious. For instance, we could go with the ever popular car analogy: Corporate players want their (public facing) servers to be treated under law not as stores open for business but as cars on a dealer's lot that you're welcome to test drive with permission but that it's illegal to just grab and take for a joyride.


YES! This is ecstatic news for those operating under the constant threat of lawsuits from delusional folks who thinks their TOS is the fucking constitution of United States of America.

Linkedin and Craigslist will finally get the competition they've been fending off with scary lawsuits.

I can't wait to see the look on Craig Newman's face when web scrapers all around the world will do what he feared all this time, bring innovation.

This is possibly one of the best things I've read on HN. I'm more curious as who are the people at EFF pulling this off, stroking the legal justice warrior within me....I think this is the part of the law that deeply interests me but I don't know what you call EFF's area of law.

Happy Scraping everybody!


Note that the decision says that violations are not criminal acts, but that doesn't mean that license violations can't result in civil lawsuits and encumbent financial damages.


> Note that the decision says that violations are not criminal acts

Actually, it says that they don't violate particular California and Nevada state analogs of the federal CFAA; this was, in fact, a civil case under those laws, not a criminal case, though those laws also support criminal prosecution.


In order for a license violation to to exist a valid contract need to exist. and for a contract to be valid both contracting parties must enter a contract on a informed and non coercive basis an bar practically no click wrap EULA/TOS page meats.

With out a valid two sided contract any website operator wanting to sue a user for misuse will have to resort to whatever laws is actually on the books.


If you use the website in a way that they would normally ask money for, like circumventing a paywall, is that something they could claim damages as in missed revenue for? I wonder if this ruling makes it legal to scrape for data processing.


What's "legal" would be up to a jury. Note, however, that a deep pocket could bankrupt you simply through legal mechansims such as discovery.


Strictly speaking, what is legal is up to a judge, and whether the evidence shows that you've done what is legal may be up to either a jury or a judge depending on whether it's a jury or bench trial.


Strictly speaking, what evidence is admissible is up to a judge. In a jury trial, what is legal is up to the jury. Juries can still nullify, as was made clear in the Zárate verdicts.


Strictly speaking, even when the jury nullifies, it does so by answering questions of fact, not law (even though some or all of the jurors may be substituting judgements of law for fact.)

And, even more strictly speaking, in a civil case (which this subthread is addressing) it's all up to the judge anyway, even in a jury trial, since (unlike in a criminal case, where this can only happen to the benefit of the defendant, as a judgement of acquittal), a decision for either party may be entered, after the jury verdict, as a judgement as a matter of law (aka judgement notwithstanding the verdict.) This makes nullification essentially a dead issue in civil trials.


You are incorrect, sir. The judge decides all questions of law, and the jury may not do so. That is why juries are given jury instructions by the judge. Jury nullification in a criminal case is an oddity, but that is not a decision about the law (and is not binding in future cases), nor is it applicable in the civil context we are discussing.


If you paid for the access, sure you could scrape. Now if you want to further distribute that data you scraped you might run into problems depending upon the terms of the license you agreed to when you purchased access...


Sure, but they are only likely to pursue civil action if competitors scraped in a manner that resulted in meaningful losses, i.e by scraping a competitor's data in violation of the TOS and then selling or representing it as your own.

A few people circumventing paywalls isn't going to register on the legal radar.


This is fantastic news, and a great step toward a more "sane" set of internet laws.

I just hope that this trend can continue and can sufficiently bury the idea that accessing public (as in without any kind of authentication method) information on the internet should not ever be a violation of any laws when done without malicious intent (a DoS attack should still obviously be illegal).


This isn't a step toward anything. This is a ruling of laws as they exist today - and an obvious one at that.


You say that, but the first time this exact case went to court it was ruled in oracle's favor...

The CFAA and DMCA are written so that they can be applied to an extremely wide set of situations, and getting some concrete examples of things that aren't violations can help push back and contain what are.


> Rimini, which provides Oracle clients with software support that competes with Oracle’s own services, ...

Oh, the irony.

(For anyone unclear, I'm thinking of Oracle, which provides Red Hat clients with software support that competes with Red Hat's own services.)

In any case, I'm always happy to see Oracle lose a legal suit.


Oracle is downright evil in the most corporate way. No one with other options should be a customer or employee. Oracle needs to die with Comcast and the rest.


> Oracle needs to die with Comcast and the rest.

And what makes you think, that what comes after (there will sureley be a company that fills the void) would be better in any way? The problem is not so much the frivolous lawsuits of oracle and the likes, but the incentives to pursue this behavior.


It borders on a joke, that people think accessing a website in breach of TOS is a crime, but storing passwords is plain text isn't.


I keep telling friends/colleagues that the order is:

1) Constitution - for countries that have one,

2a) Laws/Regulations,

2b) Other executive orders

3) Contracts

ToC is simply a contract. Breach of ToC/Contract is not necessarily a breach of law (unless a law is at the same time violated)


Does anybody know how this pertains to data scraping? Like many coders/tinkerers, I've been frustrated that TOS'es often forbid bots from scraping data from many sites. There are lots of ways data can be better visualized or synthesized than is currently done, but terms of service make this impossible (unless you're just doing a small side project you never plan to publish).

Does this mean that scraping is acceptable now, even if a site's TOS explicitly forbid it?


> Does this mean that scraping is acceptable now, even if a site's TOS explicitly forbid it?

That...depends. It was a scraping case, but while the appeals court allowed the automated access that the lower court found violated various anti-hacking laws, it also let stand the copyright violation judgement for the actual use of the scraped content.

So, if content is protected by copyright, you don't have a license which covers your use, and no exception to copyright protection applies, that's still going to be a problem for scraping.


If you’re scraping from multiple sources and aggregating the data, you might be able to make a fair use case.


But if it's personal data, e.g. from LinkedIn and Facebook, then aggregating might be legally/morally unacceptable.


Just tell them that you’re using mturk.


This case is explicitly about data scraping. If the site's TOS forbids scraping, but allows access, this decision says "scrape away".

Note, however, that this is a Ninth Circuit decision. If you don't live within the bounds of the Ninth Circuit, this decision doesn't apply to you.


No, it doesn't say scrape away. It says the scraping doesn't violate state computer crime statues (and the court has ruled similarly about Federal ones in the past). Oracle could still take actions other than gunning for a criminal prosecution.

A simple action they could have taken was to block the scraper, the EFF post makes it looks like they didn't do this. Presumably they asked for the prosecution in order to deter other scrapers, but they could have done that AND ALSO blocked this scraper.


> Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn’t rescind Rimini’s authorization to access the files outright. Rimini still had authorization from Oracle to access the files, but Oracle wanted them to access them manually—which would have seriously slowed down Rimini’s ability to service customers.

So if Oracle had told Rimini outright that they were not allowed to access the files at all, Oracle might have prevailed?


> So if Oracle had told Rimini outright that they were not allowed to access the files at all, Oracle might have prevailed?

Rimini was a maintenance vendor acting on behalf of paid Oracle licensees with paid-for rights to access the files (which apparently are legally exercisable through a third-party vendor), and a vendor of maintenance services that competed with Oracle's first-party maintenance services, so doing so could be legally problematic.


A website’s TOS is not law so why should the violation of a TOS be treated like a violation of the law? Curious if anyone has any arguments


A a GPL license is not law, but violating it means you are violating the law, because violations revoke your permission to access it. I am sure the reasoning being used here is similar.


A TOS isn't really legally enforceable. A TOS can determine when a company will push for enforcement.


Always amusing when a website disallows adblocker in their ToS. Its my computer dipshits.

Besides its not as if they can actually do anything about it. I probably don't even come up in their analytics.


I feel like it's premature celebration? This seems like a very specific case, and not just violation of a terms of service in general?


they could just implement rate limit and oracle would've been fine. but instead they actually tried to sue -_-


Their lawyers likely didn't know how to implement rate limiting :D


This is great. However, I didn't see anything about whether it is a civil violation and assume you could still be sued by a third party (you just couldn't be thrown in not jail over it). Please correct me if I am mistaken.


This might be a somewhat unpopular opinion but I think that there should be some way (definitely not through criminal prosecution) for a website or similar to say "You can use my service for free, but only under the following restrictions". Not sure what the "punishment" should be for breaking these rules.


If you don't like a user's request then don't service it and tell them why. You owe them nothing.

A simple 403 FORBIDDEN probably covers it. Or 429 TOO MANY REQUESTS might be appropriate. More bluntly, 204 NO CONTENT exists to tell your client, "I heard you just fine and I have nothing to say to you." Or there's 509 BANDWIDTH LIMIT EXCEEDED.

In any case, the protocols exist to give your client some constructive information in your refusal.

e: sp


That only deals with types of requests, or the user making the request etc. It doesn't do anything about how the requested data/info etc is used. I suppose it is closer to a licence agreement. I don't think that there can be any technical way to enforce it only some sort of legal way.


Yes. Technology to restrict usage sounds a lot like DRM, which has many downsides. Enforcement, ultimately, will rely on good old fashioned copyright and licensing (contract) law.


That is how it works but punishment under civil law is based on damages so there is no punishment if there are no damages even if found guilty of breaching the TOS.


Does this mean it is also reversed? If a person chooses to not acknowledge the website's terms, does this mean a website doesn't have to abide by its own terms and can make up its own rules as it goes along?


The question is nonsense.

If you promise something and fail to deliver on this and some party suffers harm based on your failure you might get sued. This is true both ways.

What you can't do is post a sign outside your business saying everyone coming in must do the macarena and accuse anyone not singing of ex post facto breaking and entering under the concept that they should have read the sign.


The problem is that non-compliance with a contract wasn't being dealt with by contract lawyers, but was being converted into a criminal offence and dealt with by police.


People that hear about our software service always ask "hey whats to stop people from doing this illegal thing on your platform" and I say "a sternly worded Terms of Service"




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: