
I'm curious about the legality of this. Someone wrote that it was an "unauthorized" PHP API which was a client to the Whatsapp service. You don't need authorization to write a client to someone else's API, do you? They own neither the API, nor the right to build clients to it, right?

A second question is: so you have the right to build a client. Do you actually have the right to run that client against their service? Is that "unauthorized access"? It makes sense that you can control who accesses your computer system; controlling how they do it seems murkier to me.




It really, really doesn't matter. WhatsApp has the money to manipulate the law however they want. Small-time developers do not. I came up as an engineer in the bot development industry (for online games), and the history of the industry proves this. Historically, game companies like Blizzard[1][2] and Jagex[3] have managed to win multi-million dollar lawsuits against small bot developers, citing intellectual property laws; even though the defendants only ever created custom clients or injected code into clients with the permission of the players using them.

If gaming companies are able to use such absurd interpretations of IP law to win $7 million judgments against people who modify clients in-memory on end-user machines, then I'm sure a company with the capital of WhatsApp can destroy any open source developer that they want to.

[1]http://en.wikipedia.org/wiki/MDY_Industries,_LLC_v._Blizzard....

[2]http://legal.ceilingfansoftware.com/

[3]http://services.runescape.com/m=news/g=runescape/jagex-vs-ib...


I haven't read your links or spent time researching but is this really the same thing?

Seems like game companies can argue (and IMO be correct) that bots are damaging to the game and community. Technically you're "just" injecting code into their software to make it operate differently but they typically have a EULA to prevent this.


Maybe open WhatsApp access is damaging to the WhatsApp community (spammers...).


If WhatsApp created native clients for everyone, there would be a lot less need for these projects.

Spam? On Whatsapp? I've never heard of such a thing.


It exists. I just got one today about a work at home job...


> You don't need authorization to write a client to someone else's API, do you?

If the owner says "don't do that" and you do it anyway, even if there are no technical limitations, you are committing a crime in the eyes of federal law.

Even if they don't tell you no and you just start poking around and accessing random (or guessed) API fields, it's still a federal crime since you "circumvented" their exposed interface.

> It makes sense that you can control who accesses your computer system; controlling how they do it seems murkier to me.

"How" can be difficult in a web context (browser vs. crawler), but in other contexts such as a mobile-only app with a proprietary API, they can say you're "hacking" their system if you access their system without directly interacting with their app (again, even if there are no technical limitations). Basically, just do this: http://static4.businessinsider.com/image/54db994569bedd6e65f...


Web scraping, for example, is not strictly speaking legal.


I think you and many people are overcomplicating this subtopic into the legal context of receiving C&D, etc. letters.

Their service is their software. They have control over it. If they wish to impose technical limitations to how it may be accessed and by whom, that is entirely their prerogative. Nothing in the law can tell a company or a user otherwise, short of subpoenas for customer data or some such like that.

I think the larger legal issues come from the fact that circumventing these technical limitations can lead to degradation of value and security for a company's customers due to derivative products created via this unauthorized client -- much like what has happened with SnapChat and third-party services retaining snaps. If systematic unauthorized access to a system could serve to diminish the value and trustworthiness of a company and its brand, you're damn right they will legally pursue those enabling it.


Sure, they have every right to safeguard customer data with authentication checks.

But the situation here is that the customer is offering its consent to use their data on another platform or application.

The same holds for rooting Android/iPhones and making them do what you want. Not getting into legal details, you should own your data across services and the hardware that you buy.

Adding technical barriers is one thing; suing an interdependent group of people trying to learn the API and building tools on top is completely unfair.


That is right – using WhatsAPI might be illegal.

But developing the tool isn’t illegal in any way.


I think the real question is why would you spend your time working on an API for a closed protocol knowing that you don't have the expressed or even tacit consent to do so, when you intend to turn around and release it.

I mean if they made it for themselves and didn't share it maybe there wouldn't have been a problem, but I still wouldn't spend my time reversing a closed protocol without expecting the hammer to drop at some point.

I'm not clear on whether you can write a client for someone else's protocol, but I can say for sure that I have every right to intercept and block any and every request that the official app makes, despite SSL. I pay for my internet connection, not the app developer.


How people choose to spend their time is definitely not the "real question" here. The real question is: is it legal to write software that interacts with an API which is covered by someone else's copyright (assuming you can even copyright an API) without their express permission?

Since that happens pretty much every time you write a line of code, I would say it's a pretty important question. Whether or not you distribute said software, whether you distribute it in binary or source form, and whether you charge for said software are all interesting confounding variables and it would be extremely interesting to delve into whether those factors impact the result.

Keep in mind this is simply software which sends and receives packets over a network. The server has no obligation to respond, and there is no "linking" of libraries. Let's assume that none of WhatsApp's code is being distributed (assume a clean-room implementation of the API, not decompiled from WhatsApp source).

I wonder if things like WhatsApp including a magic string in the header, and then claiming copyright of that string, could also impact the legal result.


> They own neither the API, nor the right to build clients to it, right?

That's something that courts have been trying to figure out. The most famous case, of course, is Oracle v. Google.

I think the biggest thing here was the usage of WhatsApp and the name WhatsAPI.


That's a very different kind of case. This one refers to creating third-party presences on WhatsApp's messaging platform by talking to their servers remotely and mimicking the official client software in order to gain access. The Oracle case is a matter of Google implementing a Java standard library so that Google's Java VM could run the same code that runs on Oracle's.

Aside from an overloaded meaning of the term "API", the two situations have very little in common.


I can see two claims here: (1) the name is arguably confusingly similar to WhatsApp and could be considered a trademark violation, (2) using the service without permission could qualify as "exceeding authorized access" under the CFAA (Computer Fraud and Abuse Act, which is meant more for people who crack security for other purposes; although there's an argument that it applies here).


Even if we were to assume the CFAA is a reasonable and just law that should be applied in this case, it would still apply to those who use the code in a way that was against WhatsApp's permission, not to the one who provided the code. You might as well send legal threats to GitHub for hosting the code.


Aiding and abetting someone breaking the law is often illegal. Consider someone building and selling physical lock picks: even with a clear legal use case, it's considered a grey area.

One important consideration is whether your state, local, or national laws consider possession to be prima facie intent to commit a crime. http://lockwiki.com/index.php/Legal_issues


I can't find any reference to contributory violations of CFAA. Lockpicks are a special case, as they are specifically called out in law.


Why would this be banned but Tor remain legal?


Tools that have both legal and illegal uses have a lot more latitude. Consider that Tor was funded by the US government in the first place; they clearly had non-criminal intent in mind.

It's hard to picture a 'legal' use for something that is tied to a proprietary API.


Being used with that API when there is permission to do such and being an example to help someone who is building a similar access to the API (with permission).

Also, TOR was funded with illegal uses in mind. Beneficial to the US government, perhaps even legal with the US, but illegal in their intended application.


> Also, TOR was funded with illegal uses in mind. Beneficial to the US government, perhaps even legal with the US, but illegal in their intended application.

In what way is browsing the internet without someone recording your every move illegal? You may choose to use the anonymity for illegal purposes. But you may also choose to use your car or house for illegal purposes and no one says that these should be illegal.


I think you and Lawtonfogle are in agreement. For example, anonymity on the internet is illegal (or very close to it) in China, and Tor is meant to circumvent that law. Thus, it was designed for an illegal purpose as far as the Chinese government sees it.


> In what way is browsing the internet without someone recording your every move illegal?

Tor was, in part, made for countries where that is illegal.


It's the "in part" bit that is key (also the fact that this is legal in some countries). Where a tool has legitimate uses it tends to be legal (but may have restrictions placed upon its use - an example from the physical world is machetes), whereas when something has only illegitimate uses it tends to be made illegal (e.g. flick knives). Tor is in the first category: some illegal use and some legal. An API for a proprietary service is tied to that service and can only be used to access it; if this access is not allowed, then why should the tool exist?


It has legal uses that I've already pointed out. First, it is legal to use by anyone with permission. Second, it serves as an example of code for others to learn from.

As for bans on knives and such, I consider such bans just as unjustified.


Yeah. I don't agree with the legal threats in any way; I'm simply answering "what law does the attorney claim was broken?"

I don't know enough about the CFAA to say whether providing the tools to exceed authorized access counts as an additional violation. But it would be reasonable to assume that creating the tools required (sporadic) efforts to exceed authorized access.


TBH, the CFAA scares me. While it isn't used to the full potential, it makes a vast amount of normal internet activity a felony, which then allows those in charge to pick off who they want as long as they don't incur too much outrage.


What normal internet activity does CFAA make a felony?


According to Sen. Ron Wyden (D-Ore.), the current incarnation of the CFAA would make a mere violation of a website's terms of service, like lying about your age on Facebook, a felony.[1]

Another practice would be changing the '1' to a '2' in the URL http://www.example.com/1.pdf, since the computer running www.example.com is a 'protected computer', and you didn't get authorization to access 2.pdf on the server.

"Protected computer" is basically any server. The CFAA defines it as any computer used or affecting "interstate or foreign commerce", which works out to be most of the internet, thanks to CDNs and the practice of centralized data-centers.[2]

[1]http://www.huffingtonpost.com/2015/01/20/obama-hackers_n_651...

[2]https://www.law.cornell.edu/uscode/text/18/1030


Connecting to a website when the owner has not specifically invited you to do so is technically an offence under the CFAA.


Of course you need authorization to write a client to someone else's API.


Please explain. This is by no means "of course". I haven't seen a single API so far that explicitly required authorization.



