Ask HN: Take down my reverse-engineered Snapchat lib because they asked?

One important distinction that I see missed here is that of an API vs. a service.

Snapchat provide a service, which I mentioned in another comment here that they have every right to enforce terms of service on, and restrict or allow usage as they see fit.

Snapchat also provide an API (which, in this scenario can also be considered a network protocol). This API can be used to access this service.

Now that I've had a look at the code, I've noticed that it includes the API keys which grant programs using this library the appropriate access permissions for the service. I think this is wrong, and that these keys should not be included in an open source library. The rest of the code however, is fine, as it simply implements a protocol.

If I were to develop something like this, I would leave out the API keys and have the user of the library fill them in. In principle, and as someone else has mentioned here, it would be possible to develop and operate your own service which uses this protocol/API. And I see nothing wrong with that.

Well, except of course that the whole notion of an app which presents information for a set period of time after which the user can no longer view it is inherently flawed, since eventually someone's going to figure out how to not erase/hide the information.

I've just forked it on Github, as have 25 others (as I write this).

As with file formats, the notion that network protocols & APIs should ever be granted any type of protection and that no-one other than the creators should be able to write software that conforms to these protocols is ridiculous.

Snapchat, in my view, have every right to restrict who uses their service and in what manner - via standard mechanisms like API keys and login credentials. But preventing third-party implementations of protocols or APIs is so 90s. Oracle had a bit of trouble with this recently.

One problem I'm personally trying to remedy is the proliferation of various APIs and protocols for accessing various online storage services (Dropbox, Google Drive, Box etc) by developing an SDK that supports all of them. We need more of this kind of these kinds of projects, not less.

Micah Schaffer, if you're reading this, you're welcome to send me a takedown request and discuss the issue with me. My email address is in my profile.

EDIT: It's at 62 now. I wouldn't be surprised if even Barbra Streisand has forked it.

  /* Instructions for usage:
     1. Replace YOUR_SECRET_KEY and YOUR_STATIC_TOKEN in the code below with
        the values you have to access the service.
     2. Fill in SERVICE_URL with the appropriate endpoint. */

Ignore 99% of the responses in this thread, particularly any that say "I think...", "It seems fair...", and so on. You're in a legal situation here, if you are worried, contact a lawyer.

Can't give you legal advice, since you aren't my client and i can't ethically represent you.

In general, though, not taking it down will be a tough path for you.

If you really want to go down that path, get a lawyer (i'm happy to make recommendations for you), say nothing else here (or anywhere) about your motivations/goals/whatever, and go that way.

If you don't want to spend the time or the money, take it down .

There's no "fair use" defense because they aren't asserting a plain copyright violation -- they're asserting that using their API is a DMCA violation. I'm not a lawyer, but this seems laugh-out-loud crazy of them, and I'm not aware of anyone trying that claim before.

So if you want to resist, you could start there: by finding out (possibly by asking a lawyer to talk to them) how they think your tool is acting to "descramble a scrambled work, decrypt an encrypted work, (or equivalent actions)". If you want to do this, you might consider reaching out to the EFF for help.

Morally, I think you're in the clear for the reason you already gave.

I would take it down, not because of ethics or legalisms, but because you'll lose technically. They're making it clear that they don't want interoperable implementations. All you're doing is poking them in the eye with a stick. You probably don't have the resources (especially given your lack of interest) to keep your implementation working; they certainly have the resources to break your implementation. Why bother?

A lot of times when you use a product, you're required to agree to an EULA wherein you promise/commit to not reverse engineer a product or its protocols. If you did use snapchat as a registered user, this issue could affect you negatively.

Another alternative is to mail them back and ask them for clarification. Why do they consider it an infringement?

The law clearly states the following:

  (2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that—
  (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
  (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
  (C) is marketed by that person or another acting in concert with that person with that person’s knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

The way I interpret this is that if one is overcoming some encryption or authentication scheme, it may be disallowed under the law. If one is simply observing a protocol online, then one may be doing something bad as this says.

A few weeks ago I was halfway through the process of reverse engineering the Snapchat API myself, when I found your library. I just wanted to say thanks for saving me so much trouble.

> I am under the impression that reverse engineering is still protected under fair use doctrines. Is this the case?

Not insofar as the reverse engineering is used to produce an anti-circumvention device under the DMCA (that is, the reverse engineering itself is still just as protected as it used to be, but that protection does not extend to making the anti-circumvention device available.)

Note that there is still the issue of whether what you've actually is an anti-circumvention device.

> How should I respond, if at all?

If the project is worth the cost of consulting a lawyer, you very likely should do that so you understand better what your exposure here is and can make a more informed decision than you would be able to make based on lay advice you might get from HN. If its not, you should probably take it down.

At this point, I would just remove it. Since this is on the front page of HN, there's no way Snapchat can make the code disappear anyway.

If you need legal advice, I recommend seeing if SFLC (http://www.softwarefreedom.org/) will help you. In the past, I worked on a free software project where we willfully ignored a cease and desist notice and got sued by a large multinational corporation, and they were awesome.

Like many others have said, it would be best to consult an attorney if you're concerned.

However, while you may not be able to distribute software which uses the API, I think many people would enjoy/benefit from a post describing how you reversed it and what steps you took to create the library.

"Written" as in sent you a registered letter? Or was this an email?

I don't know anything about the Snapchat API but if it's simply undocumented I don't see how that would be a "technological measure" of "effective control."

If you had to sniff or crack an API key of some sort, maybe that does.

In any event, it seems like a friendly enough request, maybe take it down as a courtesy pending their clarifying exactly what "technological measure" of "effective control" they think it "circumvents." Depending on their response and how much you think you want to push it, you can then decide what to do.

I'd consider it good-faith reverse engineering for the purposes of interoperability.

I'd ignore it. If they want to go hard-ball they'll threaten to sue/actually sue. Until then keep silent.

Morally, I would take it down.

It is all well and good to write these sorts of things as a demo, but distribution is something where I would defer to the actual owner of the API in question.

After all, how many of us would want someone creating an unauthorized library to a private API that we don't wish to have public?

Here's what I'd do if I were you.

First, I'd ask myself how much I care about this. Do I care enough to pay legal fees to defend myself if Snapchat decides to come after me? If yes, consult an attorney and find out what you're looking at. Ignore any legal advice you get here. Unless it's from an actual attorney on your payroll (and attorneys you aren't paying won't give you much beyond an initial consultation)

If no, you've got an easy choice: take it down.

Book a session for today with Lior on LiveNinja. He specializes in this kind of stuff and can help you out for sure: https://www.liveninja.com/liorleser/

If they really had any standing, wouldn't they have sent the DMCA takedown request to github instead? Or are they just afraid it would be negative on their part to be permanently in https://github.com/github/dmca?

If you want to keep it up, you should contact a lawyer.

It _may_ indeed be illegal under the DMCA to distribute. Or it may be legal, as there are some exceptions for reverse engineering etc.

Nobody here knows. Heck, even a lawyer might not know, but a laywer will know your level of legal risk and possible expense.

Whatever you decide to do, don't make posts like this that could potentially be used against you.

This is completely off-topic, but I'm curious. How does one go about "reverse engineering" a protocol like what Snapchat uses? Do you just listen in on the bits that the phone sends (say, with Wireshark) and kind of guess and poke at it to see what each part does?

Edit: after some research (like reading TFRepo), I found some links mentioned that give some info in case anyone else is curious too.

http://adamcaudill.com/2012/06/16/snapchat-api-and-security/

https://github.com/tlack/snaphax#motivation-and-development-...