
Courts: Violating a Website’s Terms of Service Is Not a Crime

689 points | uptown | 8 years ago | eff.org

161 comments

[+] prepend|8 years ago|reply
This is positive news. It seems like the more liberal approach taken when protocols were written is being challenged more by young users who grew up under more stable rules that accepted terms of service as very strong.

When I was growing up you went by what the protocol allowed. If an HTTP response came back, you had access; if it prompted for credentials, then you didn’t have access.

The mere idea that a web server gives you info and then you have to check a TOS that you might not even know exists is foreign to me. But when I talked with a young programmer they kind of agreed with Oracle saying “otherwise you could just request everything from every possible address.” They were unfamiliar with war drivers or even how early web crawlers started.

[+] justinjlynn|8 years ago|reply
It's not that young people grew up with stable rules. It's that young people grew up under the influence of industrial information warfare tactics and propaganda. As someone that was prevented from distributing Linux at high school because the administrators thought that any copying was piracy (thanks to the Software Publishers Association and the friendly local Microsoft rep), this conditioning to get kids (and less intelligent adults, sadly) to believe in the supremacy of illegitimate authority has been going on for a while now. Now those kids are starting to become adults. So, of course, you're starting to see bullshit like the CFAA1986 (and its downright laughably broad definition of a 'protected computer') and the DMCA (likewise) starting to be abused like they are. The "don't copy that floppy" music video was the thin edge of a wedge that continues being driven into the heads of kids and adults alike, even today.
[+] saurik|8 years ago|reply
I continue to be shocked that Twitter convinced an entire generation of software developers that you need to obtain something called an "API key"--which can somehow be refused or even revoked once granted--in order to write a client for their protocol. "Back in my day", we just reverse engineered the official client and used whatever algorithm it used to talk to the server and called the war won :/.
[+] eugenekolo2|8 years ago|reply
I don't think it has anything to do w/ age. I believe that most people just see rules and laws as very firm, and unquestionable.
[+] askvictor|8 years ago|reply
What does young/old have to do with this? If anything, I'd put it the other way around: I'll bet it's primarily old and conservative people (who don't know how the internet thing operates and want to police digital assets like physical ones) who push for this kind of restriction/law, while so many young people have grown up in an era where they share everything.
[+] Asooka|8 years ago|reply
Maybe web servers should come with a TOS that outlines that you can't control access to content via freeform text, but must do so via the technical access control means supported by the server itself.
[+] joatmon-snoo|8 years ago|reply
> But when I talked with a young programmer they kind of agreed with Oracle saying “otherwise you could just request everything from every possible address.”

Generally n = 1 is not a good sample size.

[+] lurr|8 years ago|reply
Yes, we young people are a completely uniform group. Thanks.
[+] trisimix|8 years ago|reply
Dude most young people pirate like, everything.
[+] matt4077|8 years ago|reply
Or, maybe, this young generation grew up with the internet being a tool with actual power. Where before, it was pure novelty, with no real-world consequences of destructive behaviour.

This young generation, based on a study of history, prefers to be governed by agreed-upon rules, rather than "might is right".

Note that I, and probably the vast majority of every generation, agree with this court's decision that ToS are not enforceable.

But the reason is not the challenge to enforce such ToS through technical means. It is the fundamental unfairness of a process that would allow such one-sided contracts to be drawn.

As a counter-example: your philosophy of "I can do whatever I can do" would allow limitless collection, use, and sale of personal information. But I would hope that most people actually do see value in Facebook not being allowed to sell your private images and messages to the highest bidder if they ever choose to.

[+] rayiner|8 years ago|reply
The EFF write up requires a bit of a caveat. The EFF states: "Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn’t rescind Rimini’s authorization to access the files outright."

That's true, but it would be incorrect to infer that the Ninth Circuit's holding in this case means that such a cease and desist is ineffective to revoke notice for purposes of the CFAA. To the contrary, the Ninth Circuit has held that where a defendant, "after receiving the cease and desist letter from" the plaintiff, "intentionally accessed [plaintiff's] computers knowing that it was not authorized to do so," the defendant was "liable under the CFAA." Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1069 (9th Cir. 2016).

The cease-and-desist letter dropped out of this case, because Rimini was accessing Oracle's website under delegated authority from Oracle customers, who had a contractual right to access the site. Oracle chose not to press the argument that it could limit the delegated authority from the customers by virtue of the cease and desist, I suspect because the wording of the cease and desist did not actually revoke Rimini's authorization to access the files. Oracle thus was stuck arguing that violating the TOS, despite otherwise having authorization to access the data, was enough to violate state-law counterparts to the CFAA. That latter argument was a losing one in light of United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), where the Ninth Circuit held that a terms of service provided insufficient notice to alleged offenders to create liability under the CFAA.

[+] aplorbust|8 years ago|reply
"... the bounds of criminal law should not be defined by the preferences of website operators. And private companies shouldn't be using criminal laws meant to target malicious actors as tool to enforce their computer use preferences or to interfere with competitors."

If a website operator wants to control if a user can access the website, then there are ways to do this without resorting to criminal prosecution.

Through server software, websites can control how fast HTTP requests can be made in succession or how many requests can be made in a single connection.

Websites can further control what IP addresses have their HTTP requests fulfilled.

But users can still utilize client software to make automated requests and comply with any of these restrictions.

The user might just send the requests slowly or from a different IP address.

Ultimately, no website can force a user to use a GUI, mice or touchscreens. The same as no website can force a user to use a particular browser.

If a website wants to control how a user accesses the website, there is no way to enforce this under the criminal law.

[+] otakucode|8 years ago|reply
I am certain that this ruling will be appealed, and we will hopefully see this case before the Supreme Court (assuming they have the time and desire to hear it.. if they don't, then this ruling will stand). Only then will we really be able to speak with the certainty you display.

When you say "Ultimately, no website can force a user..." I wonder if you are actually considering the use of force there? A police officer or other agent with a firearm raiding the home or place of business of someone with a court order in hand is generally quite effective at compelling behavior, and that is what Oracle is aiming for. Whether there are technical means to make it easy or practical isn't at issue.

[+] danans|8 years ago|reply
IANAL, but violation of terms of service seems like a breach of contract, not a crime. For that sort of thing there is always the civil court system if the plaintiff feels like their loss due to the violation is high enough to warrant pursuing the legal case.

But maybe the actual loss caused by the automated downloads in this case wasn't high enough and they pushed the criminal angle to make some kind of point.

[+] michaelmrose|8 years ago|reply
There was no loss. They are attempting to misuse the law in order to provide an opportunity to destroy a competitor because Oracle is run by bad people.
[+] lysp|8 years ago|reply
> but violation of terms of service seems like a breach of contract

I agree.

But also, breach of contract can only occur if there is an actual contract. Speaking generally - if I purchase software then a contract would exist (offer/acceptance/money changing hands) and the terms would come into play.

If I was simply a visitor to a website then I think it would be harder to argue a contractual relationship exists.

[+] dragonwriter|8 years ago|reply
Oracle, not being the state government of either California or Nevada, could not and did not “push the criminal angle”, they filed a civil action charging violation of both federal copyright law and two states' anti-hacking laws; the latter allow both civil and criminal actions.

They also, it may be worth noting, won on the copyright claims.

[+] bradleyjg|8 years ago|reply
The best analogy seems to be trespass. A store generally allows anyone to come in. Absent any kind of notice you can go into a store and take pictures. But if there is a big prominent sign on the door that says "no photos allowed" and you go in and take a picture, you aren't just subject to being thrown out. You are (depending on some nuances of state law) committing criminal trespass. Likewise, if for whatever reason, you've already been thrown out and told you are never welcome back then the minute you step in the door you are trespassing.

I don't see any reason why e.g. a website that prominently displays a notice saying that scraping tools aren't welcome and that puts in place reasonable measures to prevent scraping tools from being used, shouldn't be protected by the law of trespass from people that deliberately evade these preferences. Likewise, I don't see why a banned HN poster that creates a new account shouldn't be considered a trespasser. Of course there are issues of prosecutorial discretion and limited law enforcement resources, but that's a separate question than what should or shouldn't be criminal.

[+] pwaai|8 years ago|reply
YES! This is ecstatic news for those operating under the constant threat of lawsuits from delusional folks who think their TOS is the fucking constitution of United States of America.

Linkedin and Craigslist will finally get the competition they've been fending off with scary lawsuits.

I can't wait to see the look on Craig Newman's face when web scrapers all around the world will do what he feared all this time, bring innovation.

This is possibly one of the best things I've read on HN. I'm more curious as to who are the people at EFF pulling this off, stroking the legal justice warrior within me....I think this is the part of the law that deeply interests me but I don't know what you call EFF's area of law.

Happy Scraping everybody!

[+] DrScump|8 years ago|reply
Note that the decision says that violations are not criminal acts, but that doesn't mean that license violations can't result in civil lawsuits and incumbent financial damages.
[+] dragonwriter|8 years ago|reply
> Note that the decision says that violations are not criminal acts

Actually, it says that they don't violate particular California and Nevada state analogs of the federal CFAA; this was, in fact, a civil case under those laws, not a criminal case, though those laws also support criminal prosecution.

[+] Stranger43|8 years ago|reply
In order for a license violation to exist, a valid contract needs to exist, and for a contract to be valid both contracting parties must enter a contract on an informed and non-coercive basis, a bar practically no click-wrap EULA/TOS page meets.

Without a valid two-sided contract any website operator wanting to sue a user for misuse will have to resort to whatever laws are actually on the books.

[+] tinco|8 years ago|reply
If you use the website in a way that they would normally ask money for, like circumventing a paywall, is that something they could claim damages as in missed revenue for? I wonder if this ruling makes it legal to scrape for data processing.
[+] Klathmon|8 years ago|reply
This is fantastic news, and a great step toward a more "sane" set of internet laws.

I just hope that this trend can continue and can sufficiently bury the idea that accessing public (as in without any kind of authentication method) information on the internet should not ever be a violation of any laws when done without malicious intent (a DoS attack should still obviously be illegal).

[+] sintaxi|8 years ago|reply
This isn't a step toward anything. This is a ruling of laws as they exist today - and an obvious one at that.
[+] jlgaddis|8 years ago|reply
> Rimini, which provides Oracle clients with software support that competes with Oracle’s own services, ...

Oh, the irony.

(For anyone unclear, I'm thinking of Oracle, which provides Red Hat clients with software support that competes with Red Hat's own services.)

In any case, I'm always happy to see Oracle lose a legal suit.

[+] bactrian|8 years ago|reply
Oracle is downright evil in the most corporate way. No one with other options should be a customer or employee. Oracle needs to die with Comcast and the rest.
[+] maze-le|8 years ago|reply
It borders on a joke, that people think accessing a website in breach of TOS is a crime, but storing passwords in plain text isn't.
[+] HenryBemis|8 years ago|reply
I keep telling friends/colleagues that the order is:

1) Constitution - for countries that have one,

2a) Laws/Regulations,

2b) Other executive orders

3) Contracts

ToC is simply a contract. Breach of ToC/Contract is not necessarily a breach of law (unless a law is at the same time violated)

[+] chrisshroba|8 years ago|reply
Does anybody know how this pertains to data scraping? Like many coders/tinkerers, I've been frustrated that TOS'es often forbid bots from scraping data from many sites. There are lots of ways data can be better visualized or synthesized than is currently done, but terms of service make this impossible (unless you're just doing a small side project you never plan to publish).

Does this mean that scraping is acceptable now, even if a site's TOS explicitly forbid it?

[+] dragonwriter|8 years ago|reply
> Does this mean that scraping is acceptable now, even if a site's TOS explicitly forbid it?

That...depends. It was a scraping case, but while the appeals court allowed the automated access that the lower court found violated various anti-hacking laws, it also let stand the copyright violation judgement for the actual use of the scraped content.

So, if content is protected by copyright, you don't have a license which covers your use, and no exception to copyright protection applies, that's still going to be a problem for scraping.

[+] tzahola|8 years ago|reply
Just tell them that you’re using mturk.
[+] AnimalMuppet|8 years ago|reply
This case is explicitly about data scraping. If the site's TOS forbids scraping, but allows access, this decision says "scrape away".

Note, however, that this is a Ninth Circuit decision. If you don't live within the bounds of the Ninth Circuit, this decision doesn't apply to you.

[+] tzs|8 years ago|reply
> Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn’t rescind Rimini’s authorization to access the files outright. Rimini still had authorization from Oracle to access the files, but Oracle wanted them to access them manually—which would have seriously slowed down Rimini’s ability to service customers.

So if Oracle had told Rimini outright that they were not allowed to access the files at all, Oracle might have prevailed?

[+] dragonwriter|8 years ago|reply
> So if Oracle had told Rimini outright that they were not allowed to access the files at all, Oracle might have prevailed?

Rimini was a maintenance vendor acting on behalf of paid Oracle licensees with paid-for rights to access the files (which apparently are legally exercisable through a third-party vendor), and a vendor of maintenance services that competed with Oracle's first-party maintenance services, so doing so could be legally problematic.

[+] blackflame7000|8 years ago|reply
A website’s TOS is not law so why should the violation of a TOS be treated like a violation of the law? Curious if anyone has any arguments
[+] kazagistar|8 years ago|reply
A GPL license is not law, but violating it means you are violating the law, because violations revoke your permission to access it. I am sure the reasoning being used here is similar.
[+] IncRnd|8 years ago|reply
A TOS isn't really legally enforceable. A TOS can determine when a company will push for enforcement.
[+] Feniks|8 years ago|reply
Always amusing when a website disallows adblocker in their ToS. It's my computer, dipshits.

Besides, it's not as if they can actually do anything about it. I probably don't even come up in their analytics.

[+] jryan49|8 years ago|reply
I feel like it's premature celebration? This seems like a very specific case, and not just violation of a terms of service in general?
[+] merb|8 years ago|reply
They could just implement a rate limit and Oracle would've been fine. But instead they actually tried to sue -_-
[+] john2x|8 years ago|reply
Their lawyers likely didn't know how to implement rate limiting :D
[+] seannyg|8 years ago|reply
This is great. However, I didn't see anything about whether it is a civil violation and assume you could still be sued by a third party (you just couldn't be thrown in jail over it). Please correct me if I am mistaken.
[+] theBobBob|8 years ago|reply
This might be a somewhat unpopular opinion but I think that there should be some way (definitely not through criminal prosecution) for a website or similar to say "You can use my service for free, but only under the following restrictions". Not sure what the "punishment" should be for breaking these rules.
[+] mattbgates|8 years ago|reply
Does this mean it is also reversed? If a person chooses to not acknowledge the website's terms, does this mean a website doesn't have to abide by its own terms and can make up its own rules as it goes along?
[+] michaelmrose|8 years ago|reply
The question is nonsense.

If you promise something and fail to deliver on this and some party suffers harm based on your failure you might get sued. This is true both ways.

What you can't do is post a sign outside your business saying everyone coming in must do the macarena and accuse anyone not singing of ex post facto breaking and entering under the concept that they should have read the sign.

[+] DanBC|8 years ago|reply
The problem is that non-compliance with a contract wasn't being dealt with by contract lawyers, but was being converted into a criminal offence and dealt with by police.