> The "position would be different" for links that bypass a paywall.
This is interesting. It seems there is a growing burden on consumers of information to understand the intent set up by website owners and technology maintainers: Aaron Schwartz died because his use of curl was deemed hacking. A judge here is making a distinction between linking and linking that bypasses a paywall.
I'm afraid that people will one day be required to divine whether or not a site was meant to be viewed by them: suppose page A displays links to a paywall-less version of page B when the user agent is "GoogleBot" in order to allow news to be indexed. Meanwhile, all other user agents see a link to a paywalled version of page B. Suppose a bug causes that page to display paywall-less links to all agents, and visitors to that page follow through to the non-paywall version of page B.
Under this interpretation, visitors to page B's non-paywall version could be exposed to allegations of unauthorized access to computer systems (or its EU equivalent) and be charged with hacking. What's worse, it seems the burden to prove that the link was shown to them in a legitimate fashion falls on the accused, and there's basically no way they can prove that.
I'm not a lawyer, so my interpretation could be way off, but this seems like a credible threat.
I came here with the same quote copied to my clipboard to say pretty much this.
The idea that the incompetence of paywall implementers should be patched up by the law and consideration of clients' intent is worrying at best and honestly closer to insane.
If paywalls are implemented by covering page content with a white rectangle, will viewing source be considered unauthorised access?
If they are implemented by putting a large notice prohibiting unauthorised users from scrolling down, will such a notice stand up?
In both of these cases, the intent of the user viewing the content is clearly to bypass protection mechanisms that were put in place, but if such protections are implemented so incompetently, the burden (as it seems to be in real life, w.r.t. trespassing and similar laws) could well fall upon the consumer.
My suggestions get closer and closer to hyperbole but from a technical standpoint some of these 'protections' are scarcely distinguishable from some of the simple, meaningless protection schemes that have already been enough to trigger unauthorised access laws. :/
I think there's a legal doctrine along the lines of "open door" or "unenforced property", wherein if a person does not put up a minimum standard of defense of their property, there are limitations to what legal protection they have against trespassing and theft.
For example, if I leave my house with the doors wide open, all the time, I think the doctrine means I can't accuse people of breaking in if they simply walk in ... especially if they do so repeatedly without me doing anything to stop it.
Similar if my property has no fence, gate, locks, etc and people are in the habit of walking across it - and I haven't taken ordinary measures to stop them - then I can't accuse people of trespassing.
The examples are not great, and I don't recall what it's called ... but I believe there's a legal doctrine along those lines.
In my mind, it should be very simple. If I supply a URL to a server, and it responds with "200, here's the contents", then that to me means that I have been authorised. Unfortunately the courts don't seem to be seeing it that way.
That's an entirely separate issue though. Copyright infringement cases are almost entirely civil, and result in monetary damages. CFAA cases are criminal, and get you put in jail for years.
It gets even messier than that. What happens to the intent if it is public knowledge that a paywall has been specifically designed by the owner to be easy to circumvent?
"We did create something purposely porous," Arthur Sulzberger said of the system being implemented by the Times to begin charging readers next week for full access to NYTimes.com.
"Can people go around the system?" Sulzberger asked during an appearance at The Paley Center for Media here. "The answer is yes. There are going to be ways.
Read on, I promise I raise a good point. As for losing credibility, I suggest you might find discussions more meaningful if you focus on the argument presented rather than an inferred standpoint of the author.
Yes. This would also explain the other comments in this thread complaining about the ruling stating that bypassing a paywall would change their decision; the courts will not allow the legal question of whether access is authorized or not to be decided solely on what a hacker can convince a stupid computer server to do.
And, that's a good thing! I had the chance the other day to be in a legal training session, where the following quote from the Vice Chief of Naval Operations was mentioned:
"No set of rules can substitute for the exercise of sound judgment. Even when something is permissible under the rules, it may nevertheless be inappropriate in appearance." (emphasis mine)
This is also the same reason many hacktivists oppose the NSA's current surveillance programs, whether they're legal or not. Just because it is legal or technically possible for the NSA to do something doesn't mean they should be able to do it. But what's good for the goose is good for the gander, and such logic applies just as much to us as it does to them.
I like that quote. From my perspective, I've mostly seen people complaining about applications of the CFAA that lacked good judgement, in favor of a broadly applied, poorly-written set of rules.
Yes, there's definitely a tension between narrowly applying rules and leaving them too broad. IMHO the recent CFAA cases have correctly met the spirit of the law (save perhaps for Manning), the problem is that (especially in Aaron's case) the sentence is disproportionate.
There are many uses to spoof a user-agent that are not malicious though while SQLi is always intrusive (and thus in a way, malicious). Think about privacy or broken website compatibility sniffing etc.
The USA had a similar ruling back in 1996. Many people were engaged in "Deep Linking", that is, linking to a page that was not the front page of the website. The plaintiff won the case and it was briefly illegal to link to anything but the front page of the sites. This was overturned shortly after.
Nowadays, we refer to "deep linking" as "linking", but it was legally contested for a long time. This was published as late as 2004:
""Deep linking" is a special kind of hyperlink: it defeats the remote website's intended method of navigation, taking one to a page deeper than the home page [4] A deep link leads the user to an interior page of a website, rather than to the home page thereof.
"
Searching on Google, I see that the courts, in the USA and Europe, were ambivalent about deep linking, in the mid 90s when the Web was just emerging. For instance:
"The lawsuit against an online news search engine which allowed users access to articles in the database of the plaintiffs via deep links was based on paragraph 87 b of the German copyright law (UrhG). This paragraph derives from European Union Directive 96/9/ECC of March 11, 1996. A decision, which had banned deep linking by search engines to databases could have influenced other EU member states' jurisprudence and caused significant difficulties for search engines outside the European Union as well. "
also:
"Shetland Times v. Shetland News
"In 1996 the Shetland Times newspaper filed a lawsuit against the Shetland News for linking to Times' articles. Scotland's Court of Session issued an interim interdict banning the links. Before Scotland’s highest court could rule on the legality of the links, the two publishers settled the case."
"Ticketmaster Corp. v. Microsoft Corp., No. 97-3055 DDP (C.D. CA, complaint, filed 4/28/97)
First major linking case in US. Microsoft's "Sidewalk" site allowed visitors to buy tickets to entertainment events via "deep" link to Ticketmaster site. Ticketmaster alleged trademark dilution and other unfair competition causes of action. Case settled on undisclosed terms, although Microsoft removed its deep link."
"Ticketmaster Corp. v. Tickets.com, Inc., CV99-7654 HLH (BQRx) (C.D. CA, Mar. 27, 2000) [requires acrobat reader to view]
Tickets.com deep linked to Ticketmaster's site to provide its visitors the opportunity to buy tickets to certain events. Court dismissed contention that linking constituted copyright violation, because there was no literal copying. Court also found that absent specific evidence of assent, allegation that defendant breached site's "terms of service" failed to state a claim. Literal copying claim and certain unfair competition claims not dismissed, however."
This is from the American Library Association:
" "Deep linking" is the practice of providing links to interior pages within a Web site without directing people using the link through the host site's main page. Some site owners see deep linking as problematic because it takes control over the viewer's experience away from them and may create confusion over whose site is whose. For sites with commercial advertising or subscriptions, for example, deep linking may mean users get to see the content of the site without having to "pay" for the information by first accessing advertisements placed on a welcome page or by paying for the subscription. Other people see linking as a necessary part of Web design and argue that deep links actually provide a service by steering users to the linked sites."
and also this:
"Some court decisions have been seen as very supportive of linking. In 1997, in an opinion striking down a Georgia Internet statute, a federal district judge suggested that the practice of linking is protected by the First Amendment (ACLU of Georgia v. Zell Miller). In a federal court in September 1998, a California judge dismissed a suit in which the plaintiff claimed that the defendants maintained Web sites that included links to a Swedish site containing copyright infringing material. The court ruled that the copyright infringing material was "several links removed" from the defendants' site (Bernstein v. JC Penney, Inc.)."
Needless to say, Google (and Hacker News) would be illegal if deep linking had been banned.
""Deep linking" is a special kind of hyperlink: it defeats the remote website's intended method of navigation, taking one to a page deeper than the home page [4] A deep link leads the user to an interior page of a website, rather than to the home page thereof. "
Wow. This sounds so anachronistic today it's hard to believe it was written only 10 years ago.
This is interesting. It seems there is a growing burden on consumers of information to understand the intent set up by website owners and technology maintainers: Aaron Schwartz died because his use of curl was deemed hacking. A judge here is making a distinction between linking and linking that bypasses a paywall.
I'm afraid that people will one day be required to divine whether or not a site was meant to be viewed by them: suppose page A displays links to a paywall-less version of page B when the user agent is "GoogleBot" in order to allow news to be indexed. Meanwhile, all other user agents see a link to a paywalled version of page B. Suppose a bug causes that page to display paywall-less links to all agents, and visitors to that page follow through to the non-paywall version of page B.
Under this interpretation, visitors to page B's non-paywall version could be exposed to allegations of unauthorized access to computer systems (or its EU equivalent) and be charged with hacking. What's worse, it seems the burden to prove that the link was shown to them in a legitimate fashion falls on the accused, and there's basically no way they can prove that.
I'm not a lawyer, so my interpretation could be way off, but this seems like a credible threat.