"But last year, a federal district court in Nevada found a defendant guilty under both the California and Nevada state computer crime statutes for nothing more than that—violating Oracle’s website’s terms of use."
That's insane. The terms of service are essentially a contract that you are agreeing to in order to use the website/software/service. Failure to adhere to it is a breach of contract, not a violation of law.
If you break an NDA, for example, you don't wind up in jail or have a criminal history. The other party takes you to court to enforce the penalty listed out in the contract for the breach.
My understanding is that, under the CFAA, any unauthorized access to commercial servers is a felony (more-or-less; there are some requirements here, but as I recall they're so broad that they basically always apply).
The theory here is that, after breaking the TOS, if you continue to use the service then that use is unauthorized and therefore felonious.
As the EFF notes, previous judges have refused to rule it this way, basically on the basis of "that's insane, even if it is what the law says".
To me, that's kind of the equivalent of saying that if someone sends you the direct link to a file on a site that normally prompts to accept an agreement, and instead you bypass that with the direct link, you could be considered a felon because you didn't agree to the ToS, which is required to access that file. I think most people would say that anything publicly available that easily isn't protected and it is considered fair access for anyone with an internet connection. You would have to have some kind of protection to restrict access for anything to be deemed "unauthorized".
For this particular case, they were just told to cease and desist with the scripting/scraping of the data. Access was never revoked. Any decent lawyer should be able to easily make a claim that a reasonable person thought they still had authorized access because it had not been revoked. I don't think the article makes clear whether or not they had a username/password login or whether or not the files were available just with public URLs, but it doesn't matter in my mind because the company had a business relationship with Oracle to provide third party support for Oracle products. They would have to block access, end the business agreement, or specifically notify them that continued access is no longer allowed for the unauthorized access argument to hold up.
Actually, breaking an NDA might be theft of trade secrets, which in certain cases may be prosecuted as a crime. See, e.g., 18 U.S.C. § 1832[1].
(But, agreed that a ToS violation shouldn't ever be a crime by itself - that reading of the CFAA would give, for example, website operators the power to write criminal law).
True, it could be theft of trade secrets or something else. But that would depend on what you did with the information. Just breaking the NDA by blabbing to someone isn't a crime in of itself, but it is a breach of contract, which is what I was trying to get at.
Yeah, that's exactly right. Theft of trade secrets only applies in a narrow set of circumstances, but a broad reading of the CFAA could be applied to any condition in a TOS, which is why it is way more troubling.
It's not a contract, it's a license. A license grants you rights to something which is exclusively someone else's and that by default you have no rights to. But agreed that violation is not a crime, see my reply to @holtalanm below.
License and contract are overlapping, not mutually exclusive (a license can either be a gratuitous license or a license contract.)
Website ToS may be (a component of) either sort of license arrangement. (On a site where your access is undisputably part of an exchange-for-value, like a pay site, you have a contract relationship and the ToS are almost certainly a part of that contract, probably by reference.)
Just my opinion, but I think ToS were originally in place to define how a user _should_ use the site, and how the site operators could act in response to violation.
I don't think they should be held as even a contract, much less criminal law.
Truthfully, they are really only there to protect the company by outlining to the user what might get them banned from the site and so on. Oracle is overstepping its authority here imo. It is their own fault they didn't revoke access to the site from that company.
ToS is not a contract, it's a license. By default you don't get a free licence to access and copy others' work, and so one has to be granted.
Much in the same way that you can't start using someone else's land without their permission and you don't get to say "I never knew" or "I never agreed not to use the land". By default, you are not allowed to and must have that right granted to you and you are expected to know that.
Should an (otherwise non-criminal) violation of a software license be treated as a criminal offence by the courts just because it involved a computer? Hell no. Private citizens do not get to invent criminal law themselves and the EFF should fight this hard but not for the reasons you give.
why do you need a license to use something that is posted and publicly accessible? A license makes sense for a copyrighted work that you are copying, but for a web service it's less clear.
If I had a physical analog of facebook (a bunch of photos, a travel journal, and a list of my friends) and left it on a table, then do you need a license to pick it up and review it? No. So why do you need one if I do the same thing as a web site?
I'm not sure that's correct, but it could be. It was my understanding it was a contract. That's why you have to agree to it - you are providing your consent and acknowledgement that you have read the terms and agree to abide by them.
If it was a license, they could simply grant it to you without requiring your consent. For example - I can buy a license for some shareware/trialware software by just sending them money and getting the license key in my email. Then when I go to use the software, it may ask for me to agree to the terms of service so that there is a formal agreement on the allowed uses of the software.
The EFF is right, but the relevance of the TOS violation is more subtle than the EFF's explanation makes it out to be. Using someone's property without their consent is, of course, a crime. When that property is ordinarily available for public use, consent is presumed, but can be revoked. It can be criminal trespass to remain in a store after you're kicked out (although usually it's just civil trespass).
Here, "Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts. It did not, however, rescind Rimini’s authorization to access the files outright." So the question is, was the implied consent to use Oracle's servers effectively revoked?
Arguably not. A public mall can get you kicked off the property for any reason, and can press charges for criminal trespass if you don't leave. But it can't press charges for criminal trespass for violating the sign on the door that says "no hats." And it probably can't press charges for criminal trespass if it sees you wearing a hat and tells you to take it off, but doesn't kick you off the property.
Here in Germany the law states that ToS are only applicable if they contain "no surprising terms". Which is really nice! Although this doesn't give you permission for everything, it protects you from any "cleverness" of a site's operator. It ensures that indeed almost nobody needs to read ToS. Even lawyers tell you this.
No, what you mean are "AGB" (terms and conditions) that govern contractual relations between companies and their customers. They are part of all contracts.
The terms of service ("Nutzungsbedingungen") that Oracle posts on their website that dictate how to use and access their website are invalid in Germany as well.
The fact that this has to even be argued is appalling. The erosion of the difference between a tort and crime over the last few decades is very concerning.
I think a lot of it started with the changing of copyright law into criminal law.
This is part of a larger situation where everything is becoming criminal law. The Yates and Bond cases illustrated the breadth of the government's use of laws to punish undesirable behaviours, and tens of thousands of regulations have criminal penalties with no mens rea requirement. The government is even using criminal statutes against corporations (not the officers or employees), which doesn't make any sense.
Having recently had my first major experience with US law, I'm starting to understand (not agree with. Understand) why this happens.
The US civil laws really only apply to middle class suckers. Rich people can use their lawyers to work around it. Poor people are "judgment proof". If you don't have a house, you're working under the table, and your bank account is empty, there's fuck all people can do against you. With criminal law on the other hand...
There's only so many times you can hit someone who's judgement proof before you start wishing you could get them tossed in jail.
I recently had someone who screwed me out of a very large amount of money. He was laughing in my face, making sure I remembered that even if I won a lawsuit against him, I'd never be able to collect. He was unfortunately quite right.
In a sense, holding corporations criminally liable is better. The fact that a corporation can't go to prison almost balances-out the lack of mens rea requirement.
1. Make a website and write somewhere in the middle of ToS that visitor must pay $1000 (for example) for every page viewed or for every second spent on a site
2. Persuade him to press "I have read and agree to the ToS" and to stay as long as possible
I was thinking I'd add a header to all my HTTP requests:
X-Terms-of-Service: This HTTP request is subject to the terms of use published
at https://example.com/tos. By responding to this request you are accepting
these terms and conditions in full.
Then at what point does something become binding on the Internet? Most of my financial work over the last year has involved e-signed contracts. I typed my name and the date, certifying I had read and understand the contract - the difference between that and certifying that I've read the ToS via a checkbox seems arbitrary.
"Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts. It did not, however, rescind Rimini’s authorization to access the files outright. Rimini continued to use automated scripts, and Oracle sued. The jury found Rimini guilty under both the California and Nevada computer crime statutes, and the judge upheld that verdict—concluding that, under both statutes, violating a website’s terms of service counts as using a computer without authorization or permission."
I'm a little confused here. I'm with the EFF that violating the TOS shouldn't be criminal. But if you're given a C&D that says "stop using automated scripts" and you continue using automated scripts, why is the TOS relevant at all? Isn't Rimini clearly exceeding their authorized access (left available for manual downloads) based on the C&D?
Interesting, and it sucks because this kind of feels like selective application of a law.
Google probably violates this all the time with automated crawling (I've no doubt that there are sites without robots.txt, but with a written ToS that prohibits use of "automated scripts").
The federal law at issue here isn't contingent on the owner delivering a Cease & Desist letter or even taking any affirmative steps whatsoever. No court is going to read that into the law. At best a C&D is evidence of the rescission of authorization, but all the statute cares about is whether authorization existed or not.
Importantly, Oracle didn't actually lock their account. And even more importantly, AFAIU this guy was an employee.
For these and some other technical reasons (I haven't read the case but likely part of it may be related to the jury instructions), the question to be answered by the court really comes down to whether violation of Terms of Service alone suffices to meet the "without authorization" prong of the criminal statute.
If the answer is no then the case goes back to trial. The defendant doesn't get a free pass, it's just that the prosecution will have a slightly higher burden to overcome in showing lack of authorization. Higher in the sense that the burden involves taking into consideration other factors than merely boilerplate policies and notices.
Another way to look at it is, say your boss tells you that you must leave the office at 5PM sharp, and that nobody is allowed to log into corporate accounts after 5PM. This policy is also displayed from /etc/motd every time you log in. You occasionally stay at work late some evenings, accessing the corporate accounts in a typical fashion. One day you're accused of doing something nefarious--maybe you were, maybe you weren't. Is your working after 5PM a prima facie showing that your access was unauthorized? That is, is all they have to show that corporate policy was not to log in after 5PM? Is it rebuttable? Does it matter whether your boss communicated this to you personally?
The way these legal tests work, at least in common law countries, is that you break the law down into predicates. For the law to apply, you must show that each predicate holds. Each predicate is its own little universe. You don't take other predicates into account; there's often a separate predicate for intent and other overarching context. The predicate here is "without authorization". What does that mean? It's a trickier question than you'd think. And it can't merely mean whatever your boss intended--it has to be an objective standard that doesn't lead to absurd outcomes in the real world. Especially in criminal law, a crime can't turn on someone's subjective intent, except for the intent of the accused. Similarly, specifically in regard to "without authorization", not even the accused's intent matters.
>all the statute cares about is whether authorization existed or not.
No, that's not all the CFAA cares about.
>(a)(2)(C) Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer;
Thus my confusion. Why present the case as "without authorization" (based on the TOS) in the first place, when "exceed[ing] authorized access" (based on the C&D) seems like a much lower bar to clear and is less likely to provoke nonprofits complaining about precedent?
Recent case law has mostly struck down the CFAA criminal penalties for violating TOS. But case law generally imposes a higher obligation on employees to comply with authorized use agreements that they've signed.
If you concretely enumerate the authorized uses of employee access and leave out subpoenas, the first time you're served with a FISA letter you can keep the court busy for weeks pending a ruling on the CFAA consequences.
This will never work long term and it will certainly piss off some judges & FBI agents, but at least it can further defang the overzealous authorized use language in the CFAA.
The fact that the FBI (or whoever drafted the natl security letter) is inducing you to commit a felony may also trump the gag order. But YMMV with that argument. Even if you win that one on appeal you'll spend some time in jail in the interim.
I'll accept your argument as an upper bound on the issue. I don't agree fully with "breach of contract" in such cases, but it's less unreasonable than making it a criminal offense.
That's a great perspective. Breach of contract would be the upper bound.
I don't think ToS should be able to be enforced either, because it is unreasonable in today's society to assume checking that box in a sign-up process is actually giving informed consent to the terms for the vast majority of people. But even if it was, worst case it's a breach of contract.
Exactly, that's also the most reasonable interpretation of the designation too. 'Terms of Service' literally -> the terms you need to agree with for us to provide you the service. No agreement or no adherence -> no service.
Yes, it's absurd - "terms of service" are not practically any different to the rules of any other establishment or service provider. Breaking the house rules is not breaking the law. It should get you kicked out, not arrested.
To be honest I think all of this stems largely from gross incompetence/ignorance among the people responsible for this sort of legislation.
Why would it not be okay to just ban people from your service "because you feel like it"? Given that you usually don't have any info on them which can be used as the basis of discrimination (and thereby sued over) what's left to worry about?
I would call that enforcement of a term of the service.
When I said arbitrary terms of service can't be enforced, I meant that the site owner won't have good luck trying to obligate users to do things (their typical response to a problem with the user will be limited to withholding access from the service). I wasn't very clear.
If you want a user to agree to something, you ask them if they agree to it and below that have two radio buttons labeled "Yes, I agree", or "No, I don't agree". Neither of them should be selected by default. You do this for every term you want them to agree to, not some general "Do you agree to these terms of service".
As long as you don't build this in a way that encourages people to mindlessly go through the list and click yes on all of them, I'd currently consider this, and nothing less, sufficient for informed consent.
> I'd currently consider this, and nothing less, sufficient for informed consent.
You might, but it's doubtful that any court would.
For example, on a web site where you're taking real money in return for providing access to otherwise protected content, your terms and conditions would typically describe a contract, which the parties will enter into once you've offered those terms and your customer has accepted.
As such, the deal would be subject to the same safeguards as any other business-to-consumer contract. For example, here in the UK, there are some conditions that are automatically considered unfair and would not be enforceable, and for digital sales there is certain information you're required to provide at various stages in the purchase process or you risk the deal being challenged.
The flip side is that assuming your terms are reasonable and properly disclosed, they will normally be enforceable like any other B2C contract.
The argument that it is a crime comes down to arguments around what constitutes 'unauthorised access'.
As 'unauthorised access' to a computer system is a crime, if you make your definition of 'authorised' "access subject to our terms of use" : Huzzah! Violating your terms of use is now a crime!
This all comes back to laws written in woolly "the courts will work it out" language.
It's your own browser that interprets the header, saves the cookie, and passes it back to sites you visit. Passing a "here's a cookie" header to your machine doesn't, on its own, do anything. Your browser has to actively parse and store it.
By the same token, my sending an HTTP request to a server doesn't, on its own, do anything. Their server has to actively parse the request and send data.
The details are probably too complicated for an HN comment, but one point that sometimes gets missed is that you normally don't have the same disclosure/consent obligations for cookies that are essential to the normal operation of the site like login tokens or tracking what's in a shopping basket.
> surely violating Terms of Use is essentially a breach of contract
Is it though? Not a lawyer and my layman's intuition makes it hard to see a connection between ToS and contract.
Like, if I type `something.com` in my browser by accident and their ToS is "you owe us $400 for each TCP packet, kindly do provide government issued ID". So I have a couple of questions:
- How is that different from ToS on Facebook?
- How does marking a checkbox create a contract between a person and the entity owning a site, the same way as my signature or providing personal info, address and money to Amazon in exchange for goods?
- And who that person would even be in FB case (anyone can put my name into a website from a public library computer)?
your argument is valid but your tone is missing the point PP made. To reword what he said "there is no way this is criminal law, this needs to be argued as perhaps contract law with 'breach of contract' as the upper limit if it rises to that level"
you proceeded to argue the case the way he said it should be argued, but by quoting PP and challenging, you seem to be arguing with him, when in fact you are agreeing with him.
if you edit your comment, I could even delete mine :)
It's true what they say. The justice system is defending our rights until we talk about digital media, software and the Internet, at which point they have a complete blind spot.
Going forward we should all have our minor children create accounts for us and be the ones to accept the TOS.
Once you realize that is a reasonable workflow you've realized how unenforceable TOS are for everything but corporate contracts where documents are being signed and witnessed.
Something like this worked out in my favor maybe 10 years ago. ChaCha (the search and get live answers site) was just started and wanting some extra pocket money I signed up to be an operator. I was probably 15 at the time, of course I just clicked 'yes I am 18' and ended up being accepted.
Well I found a few flaws in their system and started racking up money way faster than should have been allowed. After a few days of this and hundreds in my account I got a phone call during dinner. It was ChaCha, threatening to sue me for 'hacking them'. The 180 they pulled when I casually mentioned I was only 15 was amazing to witness. They completely dropped the matter on a verbal agreement that I would not visit their site anymore.
> It was ChaCha, threatening to sue me for 'hacking them'. The 180 they pulled when I casually mentioned I was only 15 was amazing to witness.
Although it's an interesting story, it's worth remembering that you were probably just lucky here. I didn't notice where you were living at the time, but in most western legal systems you could certainly have got into real trouble under financial crime and/or computer misuse laws. Most likely, you weren't legally protected because you were 15, just practically protected because the company didn't want it on the record that it got outsmarted by a 15-year-old and/or because most 15-year-olds don't have enough assets to be worth suing for compensation.
Sure. This was somewhere around 10 years ago so my memory is slightly fuzzy on all the technical details but here's the gist of it:
As an operator your main interface to their system was a Java desktop application. Basically you sit there waiting for it to go 'ding!', you read the question, and accept if you think you're capable of answering. You would research (they heavily pushed their sources but Google was better about 100% of the time) and then communicate the answer back to the user using the application.
Once it was accepted the application would make an HTTP request to ChaCha's server to basically say 'A question was answered by this user'. This was easily visible using normal tools like Wireshark, etc. For your efforts you would be rewarded some very small amount of money, something like $.02.
I simply wrote a VB.NET application to hit this HTTP endpoint over and over again which would add money to my account without me doing any work. They didn't seem to be doing any verification that I had actually been given questions to answer.
The reason they noticed me was because I left ~8 instances of this program running for like 3 days straight which netted me hundreds of dollars ready to be cashed out, way more than any operator would be even remotely capable of normally given their pay scheme. So I was smart enough to figure this out but dumb enough to get caught almost immediately. And I'm not a lawyer but my guess is that this was considered fraud. Glad my morals eventually straightened out before I got myself in real trouble, honestly this was a decent lesson for 15 year old me.
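The flaw in that story, as described, is a "question answered" endpoint that credits the caller without checking that the server ever assigned that question to that operator, that it was not already paid out, or that the throughput is humanly possible. Below is an added model of that flaw next to a hardened version. It is illustrative code, not ChaCha's or the commenter's; the pay rate, the hourly cap, the operator and question identifiers and the in-memory "server" classes are all assumptions.

```python
# Added illustration (not ChaCha's code): a replayable "credit me" endpoint
# beside a hardened one. Rates, caps and identifiers are assumed values.
from collections import deque

PAY_PER_ANSWER_CENTS = 2      # assumed: the comment mentions roughly $0.02 per answer
MAX_ANSWERS_PER_HOUR = 60     # assumed cap a human operator would not exceed
WINDOW_SECONDS = 3600


class VulnerableServer:
    """Credits every 'answered' report. Nothing ties the report to an
    assignment, so a client-side loop is enough to mint money."""

    def __init__(self):
        self.balance_cents = {}

    def report_answered(self, operator_id, question_id):
        self.balance_cents[operator_id] = (
            self.balance_cents.get(operator_id, 0) + PAY_PER_ANSWER_CENTS)
        return True


class HardenedServer:
    """Credits a question only if the server itself handed it to that operator,
    exactly once, with a non-empty answer, under a per-operator rate cap."""

    def __init__(self):
        self.balance_cents = {}
        self.assigned = {}       # question_id -> operator_id currently working it
        self.settled = set()     # question_ids already paid out
        self.recent = {}         # operator_id -> deque of credit timestamps

    def assign_question(self, operator_id, question_id):
        # The server, not the client, decides who is working on what.
        if question_id in self.assigned or question_id in self.settled:
            raise ValueError(f"{question_id} already assigned or settled")
        self.assigned[question_id] = operator_id

    def report_answered(self, operator_id, question_id, answer_text, now):
        if question_id in self.settled:
            return False, "replay: already credited"
        if self.assigned.get(question_id) != operator_id:
            return False, "not assigned to this operator"
        if not answer_text or not answer_text.strip():
            return False, "empty answer"
        window = self.recent.setdefault(operator_id, deque())
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_ANSWERS_PER_HOUR:
            return False, "rate limit exceeded"    # also worth flagging for review
        window.append(now)
        del self.assigned[question_id]
        self.settled.add(question_id)
        self.balance_cents[operator_id] = (
            self.balance_cents.get(operator_id, 0) + PAY_PER_ANSWER_CENTS)
        return True, "credited"


def replay_loop(server, operator_id, question_id, attempts, **kwargs):
    """Hammer the endpoint the way the comment's script did; returns the
    number of reports the server accepted."""
    accepted = 0
    for _ in range(attempts):
        result = server.report_answered(operator_id, question_id, **kwargs)
        ok = result if isinstance(result, bool) else result[0]
        accepted += 1 if ok else 0
    return accepted


def demo():
    op = "operator-15"                       # assumed identifier
    vuln = VulnerableServer()
    vuln_accepted = replay_loop(vuln, op, "q-1", 1000)

    hard = HardenedServer()
    hard.assign_question(op, "q-1")
    first = hard.report_answered(op, "q-1", "42", now=0.0)
    replays = replay_loop(hard, op, "q-1", 1000, answer_text="42", now=1.0)
    unassigned = hard.report_answered(op, "q-2", "42", now=2.0)
    return {
        "vulnerable_accepted": vuln_accepted,
        "vulnerable_balance_cents": vuln.balance_cents[op],
        "hardened_first": first,
        "hardened_replays_accepted": replays,
        "hardened_unassigned": unassigned,
        "hardened_balance_cents": hard.balance_cents[op],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version makes the assignment a server-side fact rather than a client claim, settles each question once, and caps throughput per operator; the cap is what would have tripped on eight instances running for three days, long before hundreds of dollars accrued.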
I think in a democracy there should be some group of state attorneys who are not just allowed, but mandated to prosecute the law to the fullest extent possible.
For example, if Congress has a law making ToU violations crimes, then there should be a select few DAs who are required to go out and prosecute people who enable AdBlock and visit a certain site. And it should always start with legislators if possible. See how fast stupid laws go away.
If you have a false Facebook account, you broke Facebook's ToS! That means you accessed Facebook's servers without authentication!! That is a crime under e.g. the CFAA!!!
You'd have had to lie to Customs and Border Protection, which is already probably a crime and quite likely sufficient to get you detained and deported.
but how would they find this "name of your facebook account"?
yes they will have my ID, real name, finger prints, etc.
but how would they figure out that I am using facebook account "puppy123"? And even if they would suspect it somehow (someone would report it), I can simply deny and there is no evidence that I am in fact owner of that account.
or what am i missing?
If you're logged into it on your phone/computer, it's evidence that you created the account. Or else you logged into someone else's account which is also a ToS violation.
They could look at your phone or computer and see which Facebook account you are logged into. This won't prove you created it but even logging into it is possibly a ToS violation.
Does anyone know the details of what was being automatically downloaded? I'm aware of several Open Source projects doing this with things like Java, but not if any of them have received cease and desist orders.
The only mentions I can find refer to "support materials" for assisting clients - That could broadly mean everything from documentation to firmware (which they hold on to tightly with cold, dead hands). Rimini's website seems to suggest they were probably accessing everything.
The fact that they were making money off it - and ignored a request to stop - is probably the main difference between this and going after open-source projects. It's essentially taking customers away from Oracle's own support services.
Supposedly they had a contract for support purposes; but whether Oracle intended for wholesale copying and redistribution (if that is even what happened,) is an exercise for contract nitpicking - obviously this is all speculation [[ stares longingly into the vacuum that was Groklaw... ]]
It could have come down to simply an aggressive/abusive crawler affecting other customers?