Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Take down my reverse-engineered Snapchat lib because they asked?
194 points by tlack on July 22, 2013 | hide | past | favorite | 133 comments
A few months ago, I spent a couple days reverse engineering the Snapchat protocol and wrote a quick and dirty library to use it in your own PHP apps:


Today Snapchat has written me requesting that I take it offline:

    Hi Thomas,
    I'm writing to ask that you remove Snaphax from github
    and no longer publish or distribute it. Snapchat does
    not permit third party software to access our API and
    we consider Snaphax to be an unlawful circumvention 
    device under 17 U.S.C. § 1201(a)(1).

    Please confirm that it has been removed by end of day
    Monday, July 22nd.

    Thank you,

    Micah Schaffer
    Snapchat, Inc.
I haven't had much time to really finish Snaphax (and I doubt I ever will) but I strongly support the idea that third party software should be able to interact with the services I use every day.

I am under the impression that reverse engineering is still protected under fair use doctrines. Is this the case? How should I respond, if at all?

One important distinction that I see missed here is that of an API vs. a service.

Snapchat provide a service, which I mentioned in another comment here that they have every right to enforce terms of service on, and restrict or allow usage as they see fit.

Snapchat also provide an API (which, in this scenario can also be considered a network protocol). This API can be used to access this service.

Now that I've had a look at the code, I've noticed that it includes the API keys which grant programs using this library the appropriate access permissions for the service. I think this is wrong, and that these keys should not be included in an open source library. The rest of the code however, is fine, as it simply implements a protocol.

If I were to develop something like this, I would leave out the API keys and have the user of the library fill them in. In principle, and as someone else has mentioned here, it would be possible to develop and operate your own service which uses this protocol/API. And I see nothing wrong with that.

Well, except of course that the whole notion of an app which presents information for a set period of time after which the user can no longer view it is inherently flawed, since eventually someone's going to figure out how to not erase/hide the information.

I've just forked it on Github, as have 25 others (as I write this).

As with file formats, the notion that network protocols & APIs should ever be granted any type of protection and that no-one other than the creators should be able to write software that conforms to these protocols is ridiculous.

Snapchat, in my view, have every right to restrict who uses their service and in what manner - via standard mechanisms like API keys and login credentials. But preventing third-party implementations of protocols or APIs is so 90s. Oracle had a bit of trouble with this recently.

One problem I'm personally trying to remedy is the proliferation of various APIs and protocols for accessing various online storage services (Dropbox, Google Drive, Box etc) by developing an SDK that supports all of them. We need more of this kind of these kinds of projects, not less.

Micah Schaffer, if you're reading this, you're welcome to send me a takedown request and discuss the issue with me. My email address is in my profile.

EDIT: It's at 62 now. I wouldn't be surprised if even Barbra Streisand has forked it.

I've actually amended my fork now to remove the API keys, adding the following instructions:

  /* Instructions for usage:
     1. Replace YOUR_SECRET_KEY and YOUR_STATIC_TOKEN in the code below with
        the values you have to access the service.
     2. Fill in SERVICE_URL with the appropriate endpoint. */
Not that it's going to stop anyone from going to any of the other forks or retrieving the previous revision of the file, but at least I've now only got up what I believe to be genuinely acceptable.

Forked from you. 162+.

Forked - at least startups should know how to behave. Truly shameful


Edit: Why not use some of these https://www.google.com/search?q=pro+bono+lawyer+advice

It always amazes me how often this lesson is taught and how often people fail to learn from it ;)

What's annoying is that SnapChat got lucky, real lucky, and now they're acting as if they have a secret sauce worth protecting. Jokers.

"But preventing third-party implementations of protocols or APIs is so 90s."

I think the impending 3Taps (padmapper.com) v/s Craigslist case[1] will shed more light on this. padmapper were using Craigslist data that is 'freely available' and Craigslist didn't like it.

[1] http://www.dmlp.org/threats/craigslist-v-3taps

I don't think that's relevant at all. A "protocol or API" as the GP mentions exists independently of the entity which created it. PadMapper, on the other hand, is actively accessing Craigslist against their service's TOS.

IANAL, but it seems to me like browsers are violating their terms of use, too:

Any access to or use of craigslist to design, develop, test, update, operate, modify, maintain, support, market, advertise, distribute or otherwise make available any program, application or service (including, without limitation, any device, technology, product, computer program, mobile device application, website, or mechanical or personal service) that enables or provides access to, use of, operation of or interoperation with craigslist (including, without limitation, to access content, post content, cross-post content, re-post content, respond or reply to content, verify content, transmit content, create accounts, verify accounts, use accounts, circumvent and/or automate technological security measures or restrictions, or flag content) is prohibited.

I don't believe they can (or perhaps "should be allowed to") stop people from accessing their site via http (which is a protocol or api). Either way, it feels the same to me; I think it's relevant.

Right, I'm not saying whether Craigslist is justified here; just that the situations are different.

THIS is why one "asks HN". Forked.

forked. 80+

Ignore 99% of the responses in this thread, particularly any that say "I think...", "It seems fair...", and so on. You're in a legal situation here, if you are worried, contact a lawyer.

Bunk. He spent 2 days on a hobby project with no hopes of ever making any money off of it. It makes no sense to spend time and money consulting a lawyer over this.

Then it also makes no sense to not comply with the request. "It was just a weekend project" is not a legal defense.

If I complied with every request like this, I wouldn't have made a single successful website. You shouldn't be so afraid to stand up for yourself. Entrepreneurs need to have thick skin and not buckle under every little bit of pressure.

Every website you made received requests like these? If you don't mind me asking, what kind of websites do you make? I've never received requests like these myself.

I have been asked to remove profiles, data, images, features, the entire website, the domain, links, the list goes on. Sometimes just a few, sometimes an amount that would cripple the business. Most of the claims are overreaching bullying or ignorance. Sometimes they are just completely out of their mind nut jobs that don't understand how stuff works.

They haven't spent money on a lawyer yet, so why should he?

Does this grant him legal immunity?

I'm writing to ask... we consider....

Assuming the posted letter is complete, a lawyer can't really do anything at this point. The letter (or is it actually an email?) doesn't invoke any requirements one is bound by law to obey. One might even say that it's careful not to do so, so I suspect that even though the "Director of Operations" signed it, it was originally written by a lawyer. This would actually be a useful form letter for people who have their underpants on a bit too tight: even if they send it five times a month, it doesn't create any sort of SLAPP liability or anything else that will damage Snapchat in a legal sense. Of course, giving someone 12 hours to comply with anything looks like amateur hour. tlack isn't the only party reluctant to run up billable hours.

IANAL. If I were, I would recommend you start paying me or one of my colleagues to talk with you immediately.

A lawyer can give you legal advice. That is a lawyer's job.

You do not need to wait until you are sued or prosecuted to get advice from a lawyer.

They say "we consider Snaphax to be an unlawful circumvention device under 17 U.S.C. § 1201(a)(1)."

They are implying he would be subject to lawsuit and/or criminal prosecution if he keeps distributing the software.

How likely is that to happen? How risky is it for the guy? How expensive might the defense be, and how much pain might this be for a weekend project?

I'm not really sure. But you know what class of people are expert at answering questions like that? Lawyers.

But, sure, if the poster want to keep it up anyway cause you think it's bullshit and are willing to see what they do next, certainly that's another option. It's potentially a brave and commendable one.

But I wouldn't do it because a bunch of people on HN who don't know what they're talking about told me that since they didn't use some special magic words in the letter, there's "nothing a lawyer can do", what?

> Assuming the posted letter is complete, a lawyer can't really do anything at this point.

A lawyer can analyze the facts of what you have done, and provide you with advice as to whether it is likely to be found to be an anti-circumvention device under the cited section of the DMCA and, if so, what the likely consequences of that are and what steps you can take to mitigate any exposure you might have in that regard (including, if there are any, steps short of taking down the existing offering.)

Of course, you could wait to see if they actually file a suit rather than having a lawyer look at the C&D, but if you do that, then there will be less, not more, that a lawyer can do for you.

...there will be less, not more, that a lawyer can do for you.

At this point in time, OP can take down the repo (but not the 115-and-counting forks thereof), or modify it (someone suggested removing keys issued by Snapchat), or not. How will this set of options change if Snapchat file suit? Of course one must respond to a suit, but couldn't one's response be "ok we've complied with all requests"?

If you're telling me that the suit could allege OP owes Snapchat money for his/her misdeeds, that's true, but it's always true, even after one complies with the sort of namby-pamby "C&D" we see here.

If Snapchat files suit, all of the options that might have avoided a lawsuit are now off-limits. Assuming that's a non-empty set, a strict subset of the choices currently available will be available at that point in time.

Snapchat will not have all of the options available to them until they send a valid C&D.

C&D's are usually courtesies to avoid prosecution, rather than legally required. (DMCA takedown notices have particular effect with regard to safe harbor, which -- because the DMCA is involved -- may be what you are thinking of, but this isn't a safe harbor issue; it would be if they were trying to get github to take it down, but that's not what is going on here.)

Which specific aspect of this package constitutes an "unlawful circumvention device"? If the Snaphax class instantiated a different low-level class from SnaphaxApi, that was written to a slightly different API, would it still circumvent? If so, why must the entire package be taken down? If the code here was used but pointed at a proxy, would the distribution of code itself still have limited commercial purpose and be designed or produced primarily for the purpose of circumvention? The actual USC section (Schaffer has the wrong subsub: it's (a)(2) (and maybe (b)(1)) not (a)(1) that governs "traffic in any... device") refers extensively to copyrighted works: what copyrighted works are referenced here? Do Snapchat claim copyright in their users' images? If not, what do they mean here?

Without specific answers to many of the foregoing questions, this message amounts to asking OP to forego all use and value of work that OP has personally performed, merely on Snapchat's say-so. So, actual meritorious C&D's require some actual work on the part of the sender. This letter took some knucklehead five minutes, so that's about what it's worth.

C&D's are usually courtesies to avoid...

...the expense of an actual lawsuit. In many cases a vague and overbroad (see above) message is mere bullying, attempting to imply threats that would be impossible to articulate or enforce. Papers filed in a court are held to a higher standard, and penalties are enforced. The fact that OP might be well-advised to retain counsel in response to this turd is an indictment of the USA legal system.

I don't think that is true. Plenty of companies are sued without notice for patent infringement. It's not generally the case that you have to notify the parties to a suit before initiating it.

Is that true? I thought it only applied to suing ISP if they failed to preserve their safe harbor status.

>12 hours to comply with anything looks like amateur hour.

For what it is worth, we were given a few days in a cease and desist letter recently and our $250/hr lawyer laughed at the idea of just a few days notice. 12 hours or even a few days now doesn't seems serious at all.

I think he's asking for moral, not legal advice.

Asking for moral advice when you need legal advice isn't a good idea. The two are often conflicting.

If the moral advice is punt it, the legal issue is moot.

Save the lecturing, you don't know if he needs legal advice. Maybe he has already gotten legal advice.

The quote below is decidedly "legal" in nature. The meta-question of whether the author is interested in moral guidance or legal advice is immaterial, as the framework within which Snapchat is operating is legal.

> I am under the impression that reverse engineering is still protected under fair use doctrines. Is this the case? How should I respond, if at all?

Speaking as someone who has been involved in an arduous civil matter for the last four years, matmaroon's advice would be well heeded.

I would also like to point out to tlack that prior to having been dragged in to a civil suit four years ago, there was no shortage of people (pseudo legal professionals and otherwise) that were all to happy to shout at me with a similar refrain:

"There's no way they can sue you for that."

"No way a judge will even allow this case."

"This case will be dismissed after the first hearing."

When someone sends you a letter like this, the first decision you have to make is "how much is this thing worth to me". Once you've decided that it's worth fighting for, your best counsel will come from a lawyer, who can help you determine the thing that really matters: how much it's going to cost you.

Agreed, talk to an attorney.

Agreed, never hesitate to drop $10K on an attorney for any request like this, even if it bankrupts you. Better safe than sorry.

What, really? $10k on an attorney for something like this? Seems a bit excessive... they haven't even got their lawyers involved yet.

That's only 20 hours of a good attorney's time, plus his/her expenses. One wouldn't want shoddy representation on such an important matter, right?

I guess that's what I'm confused about.. No legal action has been taken (or even threat of legal action), so isn't that overkill at this point? Seems like something that would require a few hours of advice at most. Perhaps I'm vastly underestimating the legal ramifications here.

Sorry, I'm being sarcastic. It's a pet peeve of mine that people say to lawyer up at such early point.

Can't give you legal advice, since you aren't my client and i can't ethically represent you.

In general, though, not taking it down will be a tough path for you.

If you really want to go down that path, get a lawyer (i'm happy to make recommendations for you), say nothing else here (or anywhere) about your motivations/goals/whatever, and go that way.

If you don't want to spend the time or the money, take it down .

I considered forking this, but how about doing the bastards one better?

You've already got a client library written--why not go ahead and post up a conforming backend as well? If you want, shoot me an email with your doc'ed API, and I'll shoot you back (gimme a week--things on fire right now) a simple Sinatra mockup.

Clean room all the things!


For an idea of a quick hack of this variety, see my work from last week -- https://news.ycombinator.com/item?id=6065652

There's no "fair use" defense because they aren't asserting a plain copyright violation -- they're asserting that using their API is a DMCA violation. I'm not a lawyer, but this seems laugh-out-loud crazy of them, and I'm not aware of anyone trying that claim before.

So if you want to resist, you could start there: by finding out (possibly by asking a lawyer to talk to them) how they think your tool is acting to "descramble a scrambled work, decrypt an encrypted work, (or equivalent actions)". If you want to do this, you might consider reaching out to the EFF for help.

Morally, I think you're in the clear for the reason you already gave.

It may be dumb, but it's not laugh-out-loud crazy. In fact, it's specifically one of the things that the DMCA does. Here's a whole ton of information about the law: http://chillingeffects.org/reverse/faq.cgi

And here's an article from the EFF with a few citations of cases where DMCA article 1201 has been used: https://www.eff.org/es/wp/unintended-consequences-under-dmca

> In fact, it's specifically one of the things that the DMCA does.

Well, the specific thing the DMCA does is to stop circumvention of an "effective technological protection measure". The crazy thing here is that there is no such measure: no use of encryption or scrambling -- or even passwords! -- that I can see, just simply using a network service's exposed command set. That makes it different to most (if not all) of the case law your link mentions.

A private (that is, not published) API Key sure sounds like a protection measure to me.

It doesn't sound like the published API key is the problem here. They can revoke the key, and other users of Snaphax can put their own in the code. I think the larger issue is the reverse engineering of their protocol.

So they can revoke the key.

If you're using their API (which they host) without consent then you may well find yourself on the wrong side of computer misuse acts.

So this is definitely one of those occasions that legal advice is required, not moral advice.

You have created a good Streisand effect here. I approve :) Even if a lawyer advises you to take it down it will be cloned more than enough times for the IP to be preserved.

I would take it down, not because of ethics or legalisms, but because you'll lose technically. They're making it clear that they don't want interoperable implementations. All you're doing is poking them in the eye with a stick. You probably don't have the resources (especially given your lack of interest) to keep your implementation working; they certainly have the resources to break your implementation. Why bother?

Snapchat probably does not want to break all of their deployed-and-delivered apps.

If they shipped the app/service without a "force the user to update" feature, they would risk leaving thousands of users in the dark.

And if they did modify their protocol, it would probably get reverse-engineered again, either by the OP or somebody else.

A lot of times when you use a product, you're required to agree to an EULA wherein you promise/commit to not reverse engineer a product or its protocols. If you did use snapchat as a registered user, this issue could affect you negatively.

Another alternative is to mail them back and ask them for clarification. Why do they consider it an infringement?

The law clearly states the following:

  (2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that—
  (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
  (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
  (C) is marketed by that person or another acting in concert with that person with that person’s knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.
The way I interpret this is that if one is overcoming some encryption or authentication scheme, it may be disallowed under the law. If one is simply observing a protocol online, then one may be doing something bad as this says.

It depends on your location - in sane jurisdictions, EULAs aren't worth the paper they're not written on. But it looks like that USA is not one of them.

At least for me any EULAs that aren't signed before purchase (i.e., all shrinkwrap or clickthrough "agreements") aren't binding unless I choose to - B2B sales with explicit signed contracts would be binding; or if I want to do something that by law requires permission (i.e., redistribution instead of just using the software) then I might accept an 'EULA' such as GPL.

Law always depend on the local jurisdiction. You are spot on that observation.

EULA is regarded as a contract in "most" (or all?) jurisdictions, and as such, depend on contract law to define what is allow and what isn't. EULA's is also regulated under consumer protection laws. Since each state in the USA have slightly different kind of consumer protection and contract law, one would really need to dig down into the law books to decide if the EULA is at all legally binding in a specific state.

But I have one correction to mention. Copyright licenses are not viewed as contract in the USA. Copyright licenses like GPL are granted permissions, waiving the right to sue distributors under specific situation. If the distributor get sued for distributing GPL software, then it is she who must raise the license as protection. "I got right to distribute this copyrighted work, because I received this license who says I can". The license "terms" only specifies under what situation permission have been given.

In EU however, licenses are contract and under contract law. As such, the permission to distribute can be revoked if contract law has been violated.

Yeah, isn't that one of the things that ended up getting geohot in trouble with the PS3? They found an account where he had agreed to the TOS, thus putting him in violation of the same?

A few weeks ago I was halfway through the process of reverse engineering the Snapchat API myself, when I found your library. I just wanted to say thanks for saving me so much trouble.

> I am under the impression that reverse engineering is still protected under fair use doctrines. Is this the case?

Not insofar as the reverse engineering is used to produce an anti-circumvention device under the DMCA (that is, the reverse engineering itself is still just as protected as it used to be, but that protection does not extend to making the anti-circumvention device available.)

Note that there is still the issue of whether what you've actually is an anti-circumvention device.

> How should I respond, if at all?

If the project is worth the cost of consulting a lawyer, you very likely should do that so you understand better what your exposure here is and can make a more informed decision than you would be able to make based on lay advice you might get from HN. If its not, you should probably take it down.

At this point, I would just remove it. Since this is on the front page of HN, there's no way Snapchat can make the code disappear anyway.

If you need legal advice, I recommend seeing if SFLC (http://www.softwarefreedom.org/) will help you. In the past, I worked on a free software project where we willfully ignored a cease and desist notice and got sued by a large multinational corporation, and they were awesome.

I hate to play devil's advocate here (especially since I already have a post here) but I had a thought. For Snapchat some of the biggest selling points are the self destruct abilities of the media sent. So an unauthorized client puts a stake trough the heart of that claim (and the company). I see why they may be worried, but I think that they should have communicated their concerns more clearly and pleading, and not intimidating.

The product is untenable, as it is impossible to guarantee that the message is not copied when it is viewed. No amount of pleading or threatening will change that.

Exactly. "Self destructing" messages are an illusion. Publicizing this fact may be bad for Snapchat's business, but it's good for their users who have a false sense of security.

When I heard of snapchat I spent two seconds figuring out that turning off your data connection after receiving the photo allows you take as many screenshots/view the picture as many times as you want (I have no idea if this still works).

So why create the app using an API that makes it so easy to interface with via HTTP? I guess it's just a case of "when all you have is a hammer..." thinking. If the differentiating point of your app is the self destruct feature then a more closed communication channel should be utilized. The snapchat developers have nobody to blame but themselves.

If they rely on the client to determine when things are deleted from their service, they're doing something wrong. Never trust the client software! The only thing a rogue client should be able to do is surreptitiously send a copy of your pictures Somewhere Else (for storage). All the pictures sent to Snapchat should get deleted on schedule, regardless of who or what sent the pictures.

If they allow the client to display the image, they allow the client to do anything with the image. Of course they stop serving images on a particular schedule. (I sort of doubt they stick with that same schedule in deleting from their central storage, but whatever.) Since Snaphax is completely client-side, however, their server policies are irrelevant.

Like many others have said, it would be best to consult an attorney if you're concerned.

However, while you may not be able to distribute software which uses the API, I think many people would enjoy/benefit from a post describing how you reversed it and what steps you took to create the library.

"Written" as in sent you a registered letter? Or was this an email?

I don't know anything about the Snapchat API but if it's simply undocumented I don't see how that would be a "technological measure" of "effective control."

If you had to sniff or crack an API key of some sort, maybe that does.

In any event, it seems like a friendly enough request, maybe take it down as a courtesy pending their clarifying exactly what "technological measure" of "effective control" they think it "circumvents." Depending on their response and how much you think you want to push it, you can then decide what to do.

I'd consider it good-faith reverse engineering for the purposes of interoperability.

I'd ignore it. If they want to go hard-ball they'll threaten to sue/actually sue. Until then keep silent.

Morally, I would take it down.

It is all well and good to write these sorts of things as a demo, but distribution is something where I would defer to the actual owner of the API in question.

After all, how many of us would want someone creating an unauthorized library to a private API that we don't wish to have public?

As was ruled in the recent Oracle vs. Google case, APIs are not subject to copyright protection:


You're responding to a moral argument with a legal argument.

Snapchat developed the service and the API. They don't want alternative implementations of the API to access their service. Morally, publishing such an alternative implementation is questionable. At best, it is discourteous in the extreme.

If someone asks you not to copy the product of their creative work, what moral justification do you have for doing so?

I see this case as being different to copying someone's work. I do admit it's a bit morally questionable, in the sense that it's something that Snapchat doesn't want people doing. However, my view of the relationship between Internet services and client software which accesses those services is such that alternative implementations of both should be considered legitimate.

You have raised a very good point though, and it's certainly made me revisit my take on this. I've personally been the victim of others taking copies of my app and selling it under different names (which I obviously do have a problem with). However I've also seen other people implement similar features and a similar UI to my own app, and I don't have a problem with that - we only got to where we are today because of the spread of ideas through these means (see: Xerox PARC and all the companies that have used their work).

In this particular case there was no IP violation. It was simply an alternative implementation of a network protocol - and in fact it was just a library, not an application in and of itself. The only thing I think the author did wrong was to include the API keys.

This time is a little bit different since google copy the API but they used their own devices to run the API, in this case he copied the API but still uses snapchat service so he must build their own snapchat server to avoid copyright protection i think.

Yes, I agree, and in fact after looking at the code I realised he's included API keys which I think is wrong. As I received your response I was just finishing up another comment on this (https://news.ycombinator.com/item?id=6084802).

Personally, I think the idea of purposely trying to maintain private an API designed to be used by code running on others' computers to be morally dubious.

I would agree with your position if this was some internal service of theirs.

Here's what I'd do if I were you.

First, I'd ask myself how much I care about this. Do I care enough to pay legal fees to defend myself if Snapchat decides to come after me? If yes, consult an attorney and find out what you're looking at. Ignore any legal advice you get here. Unless it's from an actual attorney on your payroll (and attorneys you aren't paying won't give you much beyond an initial consultation)

If no, you've got an easy choice: take it down.

Book a session for today with Lior on LiveNinja. He specializes in this kind of stuff and can help you out for sure: https://www.liveninja.com/liorleser/

If they really had any standing, wouldn't they have sent the DMCA takedown request to github instead? Or are they just afraid it would be negative on their part to be permanently in https://github.com/github/dmca?

If you want to keep it up, you should contact a lawyer.

It _may_ indeed be illegal under the DMCA to distribute. Or it may be legal, as there are some exceptions for reverse engineering etc.

Nobody here knows. Heck, even a lawyer might not know, but a laywer will know your level of legal risk and possible expense.

Whatever you decide to do, don't make posts like this that could potentially be used against you.

Just how can this post be used against him?

Anything you say can be used against you by a creative lawyer. Hence Miranda for criminal suspects. In civil cases you don't get that warning, but it's generally best to keep your mouth shut except when talking to your own attorney.

Simple things like being able to prove that OP received the request can be useful to an attorney.

This is completely off-topic, but I'm curious. How does one go about "reverse engineering" a protocol like what Snapchat uses? Do you just listen in on the bits that the phone sends (say, with Wireshark) and kind of guess and poke at it to see what each part does?

Edit: after some research (like reading TFRepo), I found some links mentioned that give some info in case anyone else is curious too.



I suspect packet sniffing to see what is being sent and when.

Schaffer: "... we consider Snaphax to be unlawful circumvention device under ..."

Lackner: Mr. Schaffer, are you a lawyer? Please elaborate on why you consider Snaphax to be unlawful circumvention. I will assess the merits of your argument and then make a decision.

While people in this thread all give the customary knee-jerk "get a lawyer" response, consider that:

1. The request did not come from Snapchat's lawyers, if they have any retained for the purpose of DMCA claims. Surely they must, right?

2. It does not state what happens if Lackner does not comply. There's no threat of legal action. It just asks Lackner to remove the code from Github.

As such, there's no reason not to ask Schaffer to clarify why he thinks there is a problem.

If lawyers are not involved yet, then asking questions is free.

If this was a clear DMCA violation, then why didn't Schaffer send this to Snapchat's lawyers to handle?

Maybe because he might not get the answer he wanted: that it's a clear DMCA violation and an easy win for Snapchat.

Any lawyer can be asked to send a threatening DMCA violation letter. They will almost always say, "Yes, we can do that for you."

But sending a threatening letter does not mean it's a slam dunk win if the recipient does not comply with the demands in the letter. Sometimes threats are hollow. The sender may have no intention of pursuing litigation any further than sending demand letters. It simply might not be worth the money to pursue litigation over something like Snaphax. If this bit of PHP was that big of a deal to Snapchat, why didn't the request to remove it from Github come from Snapchat's lawyers? Where's the line about purusing all legal remedies?

Not to mention that by sending a threatening letter with no details on why the sender thinks the code at issue is a DMCA violation, there's a risk that the recipient might post a link to the code on HN and set off a "Github fork bomb". Ouch.

Yes, you've got it exactly. I speculate that the reason lawyers aren't involved is lawyers cost money, and the Snapchat board has already decided that Schaffer flies off the handle at innocuous bullshit too often. That's why he's allowed to send out this special form letter, and not allowed to approve legal invoices.

I don't see your moral high ground here. Snapchat never opened their service and then closed it on you leaving you stranded. They have a service that you reverse engineered knowing it was a closed service and they sent you a pretty nice letter asking you to stop. Should they have made their service more secure? Yes. Does that give you the moral high ground? Hell no.

But, I personally wouldn't worry about it. If they really felt strongly they would send something to GitHub asking to have your project removed. If GitHub takes it down that means they are either being douchey and covering their butts, or they believe the request has legal merit.

17 U.S.C. § 1201(a)(1) claim is BS. Terms of Service and/or "Company Policy" is not a copyright protection mechanism.


There's the statute, for you armchair quarterback-lawyers out there.

Sounds like the streisand effect for these guys http://en.wikipedia.org/wiki/Streisand_effect

Not a lawyer or in US.

If you reverse engineered rather than copied from Docs or header files I don't believe it should be copyright infringement. Note that the Google Oracle case currently being appealed seems wrong to me as I think copyright on complicated API's are reasonable (many disagree with me) although fair use and antitrust arguments should in many cases allow reimplementation. Anyway in statutory terms I don't see a problem. However...

It is likely that you agreed to Snapchat's terms of service at some point and it is also likely (I haven't read them) that they contain clauses forbidding permission to reverse engineer and/or access the service without using official clients. This opens up possibilities for breach of contract legal action and more worryingly computer crimes prosecution for unauthorized access. This conversion of minor contract breaches into computer hacking crimes is horrible law but it seems to be current reality. Be careful.

I don't know if you are in a better or worse position if you use the software without agreeing to the terms and conditions.

While this does technically violate 17 U.S.C. section 1201 (a)(1) according to other case law, I feel the responsibility is upon Snapchat, Inc. to make sufficient attempts to prevent such subversion. RE is always a sticky area, and because it appears you needed to pull some form of cryptographic keys out of that process, you are likely in an unenforceable region of a DMCA violation.

Which cases have found support here?

Chamberlain v. Skylink http://en.wikipedia.org/wiki/The_Chamberlain_Group,_Inc._v._....

actually went the other way, but Chamberlain's argument was an interesting one: the copyright-able "work" was the code that ran in the garage door opener that actually opened the door. That code was protected against running (access in 1201 a) by the remote's code system.

The judge got access to the code v. access to the customer's garage mixed up and ruled against Chamberlain because it seemed silly. The DMCA is that silly, though and extreme unintended effects cases like this are the way to get support to re-write digital-age copyright.

Here, there are two access controls (control over access to running (accessing) copyrighted code on Snapchat's server) in question: the API key and use of that key. Is supplying one part of a circumvention device (the library) without the other (the API key) still a 1201 a violation? Patent law has provisions against "independent" manufacturers supplying parts that together violate a patent, but alone do not. MGM v. Grokster already tried to bring some of that reasoning into copyright (case) law. http://en.wikipedia.org/wiki/Inducement_rule

The less interesting, but more dangerous to the O.P. question is the T.O.S. violation. Pure reverse engineering is done without access to documentation about the thing reversed. Purest has two teams: one to analyze and write an expression-independent specification and another to implement that spec.

So, no caselaw actually touches 1201(a)(1) in this way, contrary to GP's assertion?

One thing I'd like to note is this line from Snapchat's email:

> Please confirm that it has been removed by end of day Monday, July 22nd.

Essentially, they're giving the poster less than a full day to act on this. That strikes me as a high pressure tactic on Snapchat's part designed to get the poster into pulling that library before taking the time to consult with an attorney.

130 forks and counting.

I highly doubt this has anything to do with stifling innovation. Given Snapchat's popularity, it would make a lot more sense that they are trying to restrict 3rd party access to cut down on spam. Nothing will be more destructive to their service than bots churning out huge amounts of spam, undermining the trust they have built with their users.

The issue with their claim, I believe, is that the software isn't really circumventing any protections in place. It is simply using the existing publicly facing API. If the software made clear attempts to prevent this API from detecting or locking it out, then that would be an absolute violation, but I don't believe pulling crypto keys and reimplementing the API after REing it is necessarily a DMCA violation. Certainly it violates some other things, considering it is difficult to prove a clean-room situation when it was all done by one person. Seriously though, Snapchat should be focusing on hardening their API rather than trying to shut down imposter APIs.

Agreed. They should definitely lock it down for their internal use (and eventually provide a public API). I would imagine that in a young company that is moving fast, there is a high potential to overreact or to appear to because of canned responses.

They give you less than 12 hours to respond? Really?

I would seek a lawyer if you can afford one and if not, then you can't afford a lawsuit either, so in this case, pull it offline. If you do the latter, you should post the results of your research somewhere, this can't be taken down as it is sharing information and not an API tool.

It very much depends where you are and what you can afford in legal fees.

When you signed up you will have agreed not to do this sort of thing in the terms and conditions - whether that is legally enforceable or not could be expensive to prove either way. Though the worst they can do you for here is breach of contract.

With regard to "copyright circumvention": un-rot13 has been classed as an encryption circumvention device before now, so don't bank on the law having any common sense here.

My advice:

1. If it is just a weekend project it isn't worth the hassle, drop it as requested.

2. If you really care about it, lawyer up and prepare to fight.

In either case post to HN and as many other places as you can that are relevant to make sure their status as litigious wankers is recorded as far and wide as possible ;-)

> In either case post to HN and as many other places as you can that are relevant to make sure their status as litigious wankers is recorded as far and wide as possible ;-)

While the idea of getting the word out there that these people are idiots is amiable, it's not the best idea legally. Now they can prove that you saw their original email and probably have scumbag lawyers who can use this post in other ridiculous ways (claim it proves malicious intent, for instance... no idea what they'd actually do).

Uhm well ElcomSoft was found not guilty in the end, and the case against Dmitry Sklyarov was dropped, so I don't think you can claim un-rot13 to be classed as an encryption circumvention device...


un-rot13 is encryption circumvention? Source?

I used Snaphax to make a website of mine,SnapSave.me! You did a great job. Please don't take Snaphax offline. There's no other library on the internet like it. I don't know what the legal ramifications are but your work is making a difference.

I would seriously question whether 17 U.S.C. § 1201(a)(1) is relevant at all. This law is specifically for "Circumvention of copyright protection systems". Does Snapchat own the copyright of pictures distributed using its software? or rather do the users own the copyright? I suspect the answer to this is the latter -- that users own the copyright to the works distributed, and this would render the law irrelevant. Moreover, I would argue that the software protections put in place by Snapchat are for reasons of privacy not for reasons to enforce copyright.

Why creative people don't leave US? There's a whole world out there where you could respond to such message with simple obscenity and never think of it again.

I spent the last couple of hours making a ruby clone if anyone is interested in taking a look or wants to help. For some reason, The decryption has stopped working in the past half hour. They couldn't have changed they key or anything, so I'm not sure what went wrong.


IMNAL, but if they aren't filing off a DMCA notice (but asserting it's a DMCA violation), why care?

I persume they can't file a lawsuit without filing DMCA takedown notice first?

If so, when they'll file the notice, GitHub'll take it down (as they usually do). Then you may consider filing counter-notice (if you can afford legal action) or, I guess (IMNAL!) ignore the whole affair.

Anyway, you'd better consult a lawyer.

> IMNAL, but if they aren't filing off a DMCA notice (but asserting it's a DMCA violation), why care?

DMCA notices -- by which, presumably, you mean takedown notices -- are only required to a third-party that is otherwise within the DMCA safe harbor protecting hosts of allegedly-copyright-infringing user-submitted content to choose either to take the content down or forfeit the protection of the safe harbor. They have nothing to do with actions against direct violators of either the main body of copyright law or the anti-circumvention provisions of the DMCA.

> I persume they can't file a lawsuit without filing DMCA takedown notice first?

You presume incorrectly; even if the alleged violation was of the type to which a DMCA takedown was relevant, they can sue the offending party (though not a third-party host within the safe harbor) without a takedown notice.

IANAL, but I don't think a DMCA takedown is required to sue the infringing party, just to sue the ISP that may happen to be distributing a copy without a valid license.

Just spitballing here, but couldn't you just remove the hardcoded URLs and let users paste in the Snapchat URL so they'd be breaking the TOS, not you?

Technically, it wouldn't be utilizing their API, it would just be a PHP library for accessing APIs that happen to use their exact API call structure.

I know it's a long shot, and it may not hold up, but I think it's better than just taking it down.

And...... cloned. Sure go ahead and take it down XD.

It looks like the law is written to prevent people from writing code to decrypt or descrambler signals (like cable TV or payperview). But I'm not a lawyer. Is there a place someone could post the code anonymously? My guess is this is a threat which wouldn't hold up / but they also have cash and lawyers, which is most of the legal game anyway. Good luck.

I wouldn't recommend going toe to toe with a technology company when there is nothing worthwhile to gain (If there is something worthwhile, then see a lawyer). Morally I think the project should be able to stay up. However, I would avoid the legal system at all costs. The stress isn't worth it.

...aaaaand cloned :)

Streisand effect

I've duplicated it into a private repository. Reference, if you will.

I'd take it down if I were you. It's not worth it. If you do feel really strongly about keeping it up for moral reasons, then contact a lawyer.

Quick, everyone fork.

Where's Snapchat? Don't they read HN? What do they have to say for themselves? Have they finally spoken with an attorney?

Forked and I don't even like PHP :) United we stand.

The request might be unfair, but I wouldn't risk it.

fork snapchat, I'm forking this repo.

I got the 100th fork!

The outcry! The injustice! Sigh

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact