Hacker News new | past | comments | ask | show | jobs | submit login

Is it though? The adblocker runs locally on your own computer; it certainly prevents the ads from doing what the designer intended, but it doesn't make the designer's computer (or any computer controlled by the ad network) do anything.

Versus tracking does actually do something on your computer (e.g. running JS to discover fonts). Arguably that is a circumvention of the intentions of the user on their own hardware.

The problem is that the phrase "exceeds authorized access" does not distinguish between the access increasing beyond the authorization and the authorization decreasing below the current access. Suppose I put in my Terms of Service the phrase "Access to this system is contingent on running the delivered webpage, including all first-party and third-party Javascript, without modification." Now, whether or not the HTTP request to the server is authorized depends on what you do with the payload.

This is why the CFAA is such a horribly written law. It takes the ToS, something that should be squarely under civil law, and elevates them to being a felony under federal law.

Some adblockers work outside the browser. They block the hosts with custom /etc/hosts or by using a local proxy that filters out requests to ad servers.

All the js code runs but it doesn't download anything.

Obviously the Terms of Service could prohibit that too.

> Access to this system is contingent on running the delivered webpage, including all first-party and third-party Javascript, without modification.

Refusing to fetch a particular resource would be non-access. You cannot punish non-access as unauthorised access, because no such crime of non-access exists.

I am very confused as to what you're trying to say with this.

What about the reverse of that. When I load a website, I expect it to load the normal information of the page in question (for an article about something, that article). I do _not_ want or grant permission for it to display ads. As such, their host sending ads to my machine is "exceeding authorized access".

I'm curious if it would be feasible to sue a company over sending ads. They have just as much information about what you want displayed on your computer as you have about how they want you to use their apis.

You can't look at the legality of it from the point of what the adblocker does. Software doesn't commit crimes; people do.

The possible crime (if it is one) would be if you know your browser has adblock, you know authorization to use their server is conditional on not using adblock, and you choose to access it anyway.

> you know your browser has adblock, you know authorization to use their server is conditional on not using adblock, and you choose to access it anyway

Meanwhile the website publisher knows that authorization to run javascript may not include performing surveillance, yet includes circumvention code to perform surveillance anyway. So everybody is violating the law, which is why the CFAA is terrible legislation - it relies completely on selective persecution.

Pontificating about abstract "intent" is not actually useful in the digital realm. Protocols [0] are what ultimately mediate between parties with different desires. The CFAA is merely a relic that gets invoked when some powerful entity gets upset at the outcome of a protocol.

[0] to be clear, I'm talking about de facto protocols as executed, not de jure protocols as written into RFC.

This is an extremely naïve, baseless argument- if you could even call it an argument at all.

So let us turn to the ‘proposed’ argument itself: “Software doesn’t commit crimes; people do” The first thing to notice is that the argument has no stated conclusion. What follows? That there should be no software regulation at all? That there should not be any more software regulation than there already is? That the increase in cybercrimes done with ‘software’ is irrelevant to whether or not there should be cyber regulations? Who knows? An argument without a conclusion is by technical basis, not an argument at all.

The statement under consideration clarifies that, when it comes to crimes committed with software , people are the ultimate cause and software is merely a proximate cause—the end of a causal chain that started with a person deciding to commit cyber crimes. But nothing follows from these facts about whether or not software should be regulated. Such facts are true for all criminal activity, and even noncriminal activity that harms others: The ultimate cause is found in some decision that a person made; the event, activity, or object that most directly did the harming was only a proximate cause. But this tells us nothing about whether or not the proximate cause in question should be regulated or made illegal. For example, consider the following argument:

"Bazookas don't kill people; people kill people."

Although it is obviously true that bazookas are only proximate causes, it clearly does not follow that bazookas should be legal. Yes, bazookas don't kill people, people do—but bazookas make it a lot easier for people to kill people, and in great numbers. Further, a bazooka would not be useful for much else besides mass murders. Bazookas clearly should be illegal and the fact that they would only be proximate causes to mass murders does not change this. In fact, it is totally irrelevant to the issue; it has nothing to do the fact that they should be illegal. Why? Because other things are proximate causes to people’s demise, but obviously shouldn’t be illegal. For example, consider this argument (given in the aftermath of a bad car accident):

"Cars don't kill people; people kill people."

Obviously cars should not be illegal, but notice that this has nothing to do with the fact that they are proximate causes. Of course, they should be regulated; I shouldn't be allowed to go onto the highway in a car with no brakes. But all of that has to do what cars are for (they are not made for killing people), what role they play in society (it couldn't function without them) and so on. It's a complicated issue—one to which pointing out that cars are merely proximate causes to some deaths contributes nothing.

In conclusion- people who make the feeble argument “software doesn’t commit crime; people do” have mistaken the relevance of proximate causation

You have missed the point of my comment. It isn't about what the law should be. Instead, I was discussing whether it is currently legal to use adblock.

As I interpreted it, someone said adblock may be illegal under existing law because you are accessing a server without authorization. Someone else seems to have argued that this isn't true because adblock doesn't cause anything to happen on the server; therefore, adblock must be legal because adblock only affects the client.

My comment was that this reasoning doesn't hold water. Perhaps the owner states that authorization is only granted to people who don't use adblock. (Maybe there's a splash page that informs the user they aren't authorized to proceed to the next page if they have adblock enabled.) What matters is the choices people make, not that the behavior of the software avoids interacting with the server. Your hands are not clean just because your software doesn't take an action.

You're accessing the other sites computer in a way they did not intend, which is with adblock.

If they track me they are accessing my computer in a way I did not intend. I even provided them with a DNT header to make my wishes clear.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact