257 comments

[ 3.9 ms ] story [ 211 ms ] thread
(comment deleted)
Do not click that link. I am a consultant for WashingtonPost.com and fully empowered to demand that no one here follow that link. Not sure if you should believe me? Why take the chance?
Leave HN now and do not visit it again.
Here's how I usually do it: Send the email from a domain name that's not gmail, and your new fake law firm has to have LLLP in the company name

I've gotten so much stuff removed from the internet without even touching the DMCA, it's kind of sad actually

And you actually do this?

And this company is actually registered? Or it's all fake?

I've actually done this. Its an art of social engineering that I call how to get your way on the internet without provoking a Streisand effect.

The company being registered doesn't matter, I don't expect people to search through 250+ jurisdictions around the world to figure out where its registered. So you can pretend the company name is the same as the domain name, reference "Your Client" in the sternly worded email, and "trade secrets" or "unauthorized privileged information" being hosted on "your server"

A lot of companies will take it down very quickly and apologize profusely. Anywhere in the world, US, Russia, you name it.

(comment deleted)
Does this apply to google bots and other spiders/crawlers?
It would if you sent Google a cease and desist notice. But Google seems to obey "robots.txt", so you usually don't have to.
1. register lots of domains

2. send Google cryptic cease and desist for each domain

3. wait for Google to accidently violate cease and desist

4. profit

What can possibly go wrong?

The judge, a human who possesses common sense, sees you've registered lots of domains and spammed C&D letters to Google, calls you out on your BS, and orders you to pay Google's legal fees?
So, find a Judge in east texas?
Wrong issue. That's for patent lawsuits.
Well, it was more in jest, but the argument I wanted to make was that there will be a judge allowing that.

Remember Scientology's SeaOrg suing thousands of IRS employees and the IRS? Those weren't thrown out either.

> the argument I wanted to make was that there will be a judge allowing that.

This argument only works if the system doesn't have the ability to appeal.

In Switzerland this would be «manifest abuse of a right». https://www.admin.ch/opc/en/classified-compilation/19070042/... (art. 2 paragraph 2 of Swiss Civil Code: Acting in good faith).

This is a common standard in many jurisdictions and an important element of the rule of law, so I think that in the US, if law is done right, a judge will identify such behaviour as abuse.

CFAA: "Whoever having knowingly accessed a computer without authorization..."

I am not a lawyer, but accidentally violating the cease and desist would clearly not be a breach of the CFAA.

And in any case, civil suites are designed to compensate you for damages. If Google's acts caused you no harm, then you wouldn't get anything even if they were in the wrong.

Hmm. Is having 'robots.txt' a requirement. What if one just changes the terms and conditions page? Can the bot figure out it just committed a crime?
If you yelled at a deaf person to go away, are you surprised that they don't comply?
If I am facing them, and they can read lips, then yes.
robots.txt has no legal standing by itself, but is a convenient way to translate "terms of service" (which do have legal meanings, but they're often more limited than people assume) into something that bots can automatically understand. You're under no legal obligation to follow robots.txt, but it's a tool to prevent stepping on toes.
The physical space analogies in the comments seem reasonable:

"If I am given a formal trespass warning by Wal-Mart which covers the property of Wal-Mart, going back is a criminal offense. Going into the store is an offense. Driving in the parking lot, if it is owned by them is an offense. The different norms of public spaces vs private spaces vs semi-public space goes out the window when you have been formally trespassed from a place. I don't see why the exact same rules shouldn't be applied in the context of computer trespass."

It doesn't quite feel right and my intuition says that the same rules should NOT be applied in the context of a computer trespass, but I haven't yet thought of a satisfying counterargument.

1) Physical trespass notifications are not readily generated automatically, with criminal weight of enforcement. While this particular case is intentionally served, the precedent is awful for the automated case.

2) It's next to impossible not to "visit" a site like Facebook, considering links and buttons pervasively inserted to other sites, causing your machine to "visit" Facebook. In real life, "visiting" a place is usually a quite obviously intentional act.

It sounds like the same reasoning could not be applied if it was client side javascript (or an app) that interacted with Facebook and then sent information back to Power Ventures. I could ask my friends to go inside a Wal-Mart and send me pictures of it even if I were given a formal trespass warning.
To refine your example:

If you were given a trespass warning, would your telepresence robot entering the same space, be a violation?

In my example it would be my friend's telepresence robot that I gave him.
Let me help.

Why is this practice reasonable on the physical space? Because being physically in a place is usually the first step to commit any damage, to harass people, to steal things. Barring blacklisted people from a place is the easiest way to prevent some problems. (Disclaimer: I am not saying that this practice is acceptable, merely that it is why it is accepted).

If someone threw a tantrum in your place or if someone was caught trying to steal stuff, preventing them from being physically present is much easier than having someone check their every action once they are in.

And this tells us why the comparison with the online world does not hold directly. Accessing a website is not like accessing a place physically. And misbehavior is easier to spot online where any unauthorized access can easily trigger a warning.

However, the current case breaks the metaphor of websites being like physical space: Facebook argues it instead provides a service that Power have abused (by breaking Facebook's EULA) and it then required that Power stopped this abuse. What is attacked there is basically a EULA violation after a cease and desist letter. It is far less about trespassing and accessing website than the author makes it sound like.

>And misbehavior is easier to spot online where any unauthorized access can easily trigger a warning. //

Sounds like you've forgotten to factor in zero-day exploits that mean remote access can be done in an almost entirely covert way.

Your argument works if comp sec is perfect and has no costs to implement.

> The different norms of public spaces vs private spaces vs semi-public space goes out the window when you have been formally trespassed from a place.

Being formally trespassed hinges on it being a private space. If it's a public space, then they can't make you leave.

The analogy might be a walmart stall in a downtown square. Private server, public space.

I don't know if that's the best way to handle things, but it's workable.

To me, a website feels more like a newspaper than a physical space. Can the WaPo legally ban me from reading a copy I find whether its in a news-stand or on the metro?

We don't try to apply trespass laws to my eyeballs, instead we have copyright to prevent actions like reselling WaPo content.

Except that unlike reading a newspaper, accessing a website consumes resources on their server.
Let's say you start harassing the newspaper delivery boy and WaPo decides to cut off service to your house after he reports it. Also, WaPo sends you a letter saying that you are prohibited from seeking delivery in the future. You decide to start living at your neighbor's house and set up a new delivery service there instead. That's not okay.

With your newsstand example, let's say you go to a newsstand and tear up all the newspapers while laughing maniacally -- banned for life! Now you can't get WaPo from the newsstand either. You're not banned by WaPo, and, yes, if you find a copy on the sidewalk, you're still free to read it, but you're further limited in your legal options for obtaining it.

Facebook isn't the "eyeball police" but it can refuse to deliver content to you for violating their terms of service, after notifying you. Because they own the data and the only way to access it is through their servers, they can ban you from accessing their servers. Theoretically, if someone prints out their data and sends it to you, yes, you can read it. But if you initiate the request/delivery, that's not allowed.

The court seems to have it right, while the article author doesn't see the court's reasoning. The issue is whether accessing a web site after being sent a cease and desist letter telling you to stop is an act for which the accessor can be assessed damages. (Despite the title, this was a civil case, not a criminal case.)

A previous case established that accessing a web site in violation of its terms of use is not a offense under the Computer Fraud and Abuse Act. That's just a contractual issue.

Here, though, the site operator (Facebook) explicitly sent a cease and desist letter to the accessing service, telling them to stop doing what they were doing (which apparently involved some kind of message sending on behalf of Facebook users). That put the accessing service on notice that they were accessing the site without authorization. After that, access was considered unauthorized. Seems reasonable enough.

(comment deleted)
Doesn't seem reasonable to me at all. If you do not wish someone to visit your public website, you have to close it to them e.g. by revoking their login credentials or blocking their IP address. Or, don't make your page public---there are plenty of technologies to connect people that do not involve public web pages.

We can also look at it the other way round. Let's check whether Facebook will be convicted of a violation of the Computer Fraud and Abuse Act if they continue to track any data related to a person (e.g. obtained from embedded Like buttons or images uploaded by FB users) after that person has send them a cease & desist letter...

> or blocking their IP address

It's mentioned in the article that Facebook DID block their IP. Power simply changed it and continued.

I've never used Facebook's API but I assume each server/app that wants to access it has an API key specific to that server/app. Couldn't Facebook just revoke the key? Or change its permissions?
I don't think that's entirely correct though. Facebook allows people to give other services access to their accounts (and apparently to the things Power was doing). When those services then use that access to do the things they were authorised to do, Facebook can't suddenly complain.

They shouldn't have offered access to those services in the first place then. So the solution is to rescind access to the services that they don't want accessed, not sue the infringing entity for using the service they were granted access to.

Then again, I have too little information. I don't know what messages were sent, and where and how.

While you have a valid point, I think it comes down to a matter of how one likes to run their business. Facebook could definitely use this case against other parties in the future.
> When those services then use that access to do the things they were authorised to do

Reread Animats' comment more carefully. As Animats pointed out, the accessing service wasn't authorised because authorisation had been revoked by way of the cease and desist letter.

> So the solution is to rescind access to the services that they don't want accessed

Which they did via a C&D letter.

What is so special about a cease and desist letter? So now 1 company can destroy the business model of another company by simply sending out a letter? Power was using a public API with user permission. If Facebook did not like that then change the API, or introduce a different security model.
If I created a business sending unsolicited snail mail to your address, and you asked me to stop using a cease and desist letter, should I comply, and allow you to destroy my business model?
I don't understand this analogy. Do most people have the legal ability to prevent letter-sending without working with the Post Office? Did the company have many other sources of revenue besides Facebook?
In Europe you can't send me unsolicited marketing mail if I've withdrawn permission.

(In most cases you need my explicit opt-in confirmation that I want your junk mail before you send it to me).

> In Europe

Is there some kind of Europe-wide agreement on unsolicited marketing mail that covers every country?

There are EU data protection directives that have that effect. (Saying "Europe" to mean "the EU" is technically "wrong" in the same sense as saying "America" to mean "the USA", but it's common enough to be widely understood. Language is a tool for communication)
Yes, if your business model revolves only and completely around sending these unsolicited pieces of mail to my address, I think there would be no problem in getting a court to uphold the cease-and-desist letter, thus destroying your business. Quite how your business was going to produce revenue just sending mail to one person is a mystery though, anyway...
In the US, people have the right to decide a sender may no longer send them snail mail if the sender has sent them obscene materials.

It's my understanding that case laws has led to obscenity in this context being 100% as defined by the recipient. If you believe content type X is obscene, and someone sends you content type X, you can follow the procedure for reporting obscenity. They are obligated to stop sending you anything.

but in this case, the users, through the Power website, did give permission to receive, or send, the "snail mail".

From the article "Power users also authorized the software to send Facebook messages to other Facebook users for them"

So in your analogy. I created a business of sending snail mail to addresses I already had in my possession on my list of contacts. My contacts might not appreciate my snail mail, but I am not sending snail mail to the Facebook corporate Office -Or- if I am sending to the Facebook Corporate Office, then only though its mail routing department, which was set up to handle these very packages.

The C&D, I think, is equivalent to preventing contacts from communicating with each other, or, Postal Censorship[1], which I suppose is more a policy issue than a legal one. Which I suppose extends FB to be a governing body, which I guess leads us to CFAA...

[1]https://en.wikipedia.org/wiki/Postal_censorship

Cease and desist is someone giving clear, unambiguous instruction that they're withdrawing permission for someone else to do stuff.

In this case they'd already tried some technical measures which he evaded.

It isn't a "public" API, it's Facebook's API that they're making available to the public. They have the right to control access to their API, be it by password authentication or telling someone to stop using it.

Not that I necessarily agree with how this case turned out, but Facebook is under no obligation to support the business model of another company...

> "Facebook is under no obligation to support the business model of another company..."

Agreed, but neither should they have the ability to destroy a business by the single act of sending out a letter. Pretty much from that point on the company can't legally operate.

If you build a company that is a) fully dependent on another company to exist and b) reliant on that company providing you service it doesn't have any business reason to provide, then you the founder of the company destroyed it.

If a business is flimsy enough to be destroyed by a letter, it was toast anyway.

Not to mention this argument that someone else's business is this precious thing that can't be destroyed. Its totally bizarre. How often does Apple release features that eat another company's lunch? Better yet, think of all the disruptive SV business models that are purely based on destroying businesses and replacing them with alternatives.

> "If a business is flimsy enough to be destroyed by a letter, it was toast anyway."

Completely disagree. In the early stages of its life, almost any business is very vulnerable. If Microsoft had irritated IBM just the slightest bit in the early days, they would have been toast, or at best a small niche company, because they were completely dependant on IBM's goodwill. An IBM executive could have decided they preferred the boys at Apple instead. no letter even required. Yet look at Microsoft today. Who is to say that a business starting out using a Facebook API today, could not diversify and be a powerhouse and industry leader, tomorrow?

The point is that this ruling allows one company to make illegal, the business activity of another just by sending out a letter irrespective of whether that company's activity is actually illegal

It became illegal when Power circumvented the C&D letter to continue accessing systems they had expressly been forbidden to access. Their conduct was fine until FB decided they wanted no part in it.

This is how it should be. If I, as a company, decide I don't want to do business with you, either individually or corporately, barring discrimination rules, why shouldn't I have that right?

Facebook has the right to determine who can and cannot access their systems, barring a court order. You seem to be suggesting they should not have that right.
But Power was using its customers' fb users' credentials with their permission, so it was fb users "who" accessed fb. Only they did it through other computers that were owned by Power. Should fb have the right to determine what and which computer you use to access fb?
(comment deleted)
So you're saying that a business should be able to deny service to any customer for any reason?

(For the record, I agree)

This gets into the whole debate over who owns, or should own, your data

IMO I should have the right to access, and authorize 3rd parties to access, data stored about me even if it is on a 3rd party platform like facebook. If Facebook does not want to allow Me or my authorized agents to access this data then facebook;s only recurse should be to prevent me from using their platform AND delete any and all they have collected about me.

Here Facebook wants to control how my data is used, stored, and disseminated. they want the ability to Prevent me or my Authorized Agents from access my data, but they do not want to be forced to delete said data.

I am a strong advocate of strong Data protection, access, and Right to Know laws.

Authorization is the key question, for me Power Partners was authorized, by the USER, that should be all the Authorization they need. Facebook should be sending notices and cancelling the accounts of the USERS that authorized Power Partners, not be going after power partners directly.

Yes, but the USERS are not facebook customers, it's the bussinesses that pay money to advertise, FB considers user data their property so that's why they act this way.
So did the credit reporting agencies until laws were passed requiring them to give people access, and a path to correct inaccurate info.

Now these are hardly perfect, but I think this idea needs to be expanded to all companies that store PII about you.

For example I do not have a Facebook account, but I am sure they have data about me, I have no way of ascertaining what info they have, or the accuracy of the info, and they could in time be selling that inaccurate info to agencies or other parties that could impact my life in some manner.

Facebook is hardly the only one, and actually is far from the most egregious when it comes to the potential of screwing up your life. There are many companies most people have never heard of that take data from all kinds of sources, some with out any kind of actual verification and compile massive databases on people for sell to anyone.. Stalkers, Creditors, Employers, etc etc etc.

I disagree. That is, I agree that you should ultimately own your data and have the right to decide what Facebook is allowed to do with it, to have them tell you what data they have, and to have them delete it. I don't agree that you should have the right to force them to provide data-related services to you or anyone else simply because they have your data. If you want another third party to have access to your data, you can provide it to them directly. Don't have a server set up with a popular API for that? That doesn't mean you get to force someone who does to do it for you.
I do not believe I advocated for anything like that.

In this case The data was either Scraped via downloading the HTML pages, or used Facebooks API with the users permission. I believe that should be all that is required is the user permission, if the USER does something that is a violation facebook policy then the recourse should be banning of the User, and removal of all data for that user. Facebook does not want that however. So you see Facebook does not have to provide anything, but they can not pick and choose what a person does with the data they are storing about them.

That said there is one Data Service I do believe should be required, I should be able to request my data from any company to be delivered to me in some kind of Machine Readable format. XML, JSON, some other structured format. This could be only on Condition of Closing my account, or some other string attached, but I should be able to get access to this data.

Do you believe you have the right to access data stored about you in 3rd party SQL databases, and thus the right to exploit SQL injection flaws to get at that data?

(I'm stipulating for this question that you "should have the right" you generally advocate for. Obviously, under US law, you have no such right.)

HUH????

Seems like you are attempting to construct some kind of terrible and very specific straw man.

I believe I explained my position fully, and your comment does not pose any additional information or questions that requires any more comments than i have already made, if you would like to try again I will be happy to respond.

No, not a straw man. Clearly, your answer to my question is "no".

Follow-up question: what distinction would you draw between exploiting SQL injection to access data stored about you, and violating a TOS and ignoring a C&D to access that data through a service you knew was not authorizing you to do so?

Authorization is indeed a key question.

In delegating power in general there is usually an explicit point made whether that power can be delegated or not. In most TOC this power is not given to the customer.

Whether such TOCs are valid is another question - courts may decide that one side had too much power and just forced terms down the throat of the other. Still in this case the question is not b2c but b2b. In that realm different rules apply. Again courts may decide that one side has too much power - facebook as the dominant social media platform has be be very careful to treat everyone in acceptable similar matter.

I totally agree with syshum's comments on this thread, I had the same thoughts while reflecting on this article.

Facebook (and LinkedIn and others) love to get your email login and grab your list of contacts. This is the exact same situation, except now fb is the dominant network and doesn't want other networks to get its users' data, even if those users explicitly authorize it. So it really boils down to what data the TOCs can lock down (fb would want it all locked) and what users should be allowed to "control" (I think it should be the users' right to control their data). And with the CFAA, or at least this court's interpretation, the government has sided massively with corporations, to the detriment of users (aka non-corporate citizens) and markets.

There is also the whole issue of C&D letters being binding. Just because a Corp (or person) believes something and has a lawyer paid to write up that belief does not make it a legally enforceable document. For example: I have vegetation on my property that produces oxygen. I like oxygen and I reserve all oxygen produced on my property for myself. You are hearby notified that all oxygen produced on my property, no matter where it is currently located belongs to me and you must cease and desist from consuming it.

[edited to add:] Or maybe those who don't want to be on Facebook can send it a cease and desist order to stop collecting data about them. I bet if you tried to enforce that, you'd find that the government doesn't protect citizens' right to their own data with overly broad laws the way it protects companies' right to gather and lock down data.

So if someone writes a novel about you, then you own the data in the novel?
while the article author doesn't see the court's reasoning.

Indeed, you can tell the author is in trouble because multiple times he says, "I don't understand the court's reasoning." Well, maybe you should try to understand it before criticizing it!

Just as a thought experiment, can this reasoning apply to agreements with utilities providers etc? For instance, if I fail to pay an electricity bill, and the electricity provider transfers my debt to a debt collector, can I send a cease and desist letter to the collector and insist that I only deal with the provider who I originally had a contract with?

I know this is probably subject to a whole bunch of regional laws, statutes and precedents, but it's (to my view) in the same category of problem.

To intentionally access a computer system after being told not to by its owner is, by definition, unauthorized access of a computer system - the core of the Computer Fraud and Abuse Act. That should be pretty clear.

However, the law in question is old and probably doesn't make much sense any more. Claiming that the courts made the wrong decision is nonsense - the law needs to be rewritten.

I'm not convinced that the article is entirely on point with the reading of the case. From the summary, Power Ventures, Inc (Powers) wasn't just visiting Facebook, they were interacting and removing userdata via a method that was not through the Facebook Connect program at the time:

>"Facebook has tried to limit and control access to its website. A non-Facebook user generally may not use the website to send messages, post photographs, or otherwise contact Facebook users through their profiles. Instead, Facebook requires third-party developers or websites that wish to contact its users through its site to enroll in a program called Facebook Connect."

[...]

>"In many instances, Power caused a message to be transmitted to the user’s friends within the Facebook system. In other instances, depending on a Facebook user’s settings, Facebook generated an e-mail message. If, for example, a Power user shared the promotion through an event, Facebook generated an e-mail message to an external e-mail account from the user to friends. The e-mail message gave the name and time of the event, listed Power as the host, and stated that the Power user was inviting the recipient to this event. The external e-mails were form e-mails, generated each time that a Facebook user invited others to an event. The “from” line in the e-mail stated that the message came from Facebook; the body was signed, “The Facebook Team.”

>"On December 1, 2008, Facebook first became aware of Power’s promotional campaign and, on that same date, Facebook sent a “cease and desist” letter to Power instructing Power to terminate its activities. Facebook tried to get Power to sign its Developer Terms of Use Agreement and enroll in Facebook Connect; Power resisted. " [1]

It's not made clear from the summary exactly what technical means Powers was using, but it seems like they were using functionality intended to be only available to developers via the Connect program and through access of the API through some other means.

That is, the access that is being described by the judge isn't just visiting a page, it's doing things like sending messages or photos or creating events as the user.

I don't really use Facebook and most definitely have not read the ToS for either developers or users, but it seems to me like the contention is that Powers was performing actions that should have been done through the Facebook Connect platform, not via the links they made on their page to have users post, and the users likely are not permitted within the TOS to grant someone developer access like this.

I'm not able to comment intelligently on how that should be handled, but I think that this is very different from the author's position of "it is a crime to visit a website you're not told to". Powers was very clearly not just visiting, they were interacting with data and exfiltraing data. Facebook said "as a dev, you need to access this data this way", Facebook blocked their method, and Powers circumvented these blocks. That is the contention, not that Powers "visited".

The rest I will leave for more intelligent people to argue.

[1] - https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/12/1...

What about where it says "Facebook explicitly revoked authorization for any access"? Doesn't that imply that the exact actions they made don't matter?
That phrase doesn't actually appear in the summary, and not sure what was actually in the C&D since it was not linked (and I haven't bothered to look for it).

My point was more that the Author did not really give a clear picture of what Powers was doing, which grants a bit more insight as to why FB even started the suit. I'm not sure that the summary or the article are very clear on what was forbidden and are using some lay person terms. (e.g., while the machines being accessed when you get at facebook are computers, we'd likely use a more precise term, like server, page, API, platform, etc.)

The summary misses a few key elements to make sense to us by and large, and the use of lay person teminology is causing confusion, and the article exacerbates this.

With Facebook buttons being on many websites now, wouldn't Power technically breach the cease-and-desist by visiting any web site that has a Facebook button? That's what troubles me about this, websites aren't fixed to a single location like physical locations are. You can 'access a computer' without really being aware of it.
IANAL but it seems it's about the intentional usage of Facebook API on behalf of the users. In this light I believe Power can continue to visit sites with Facebook buttons.
Yes, that is indeed what this case is about, but the judge seems to set the precedent much broader, with his shotgun in bank scenario. IANAL either, but I checked the ruling, and it only seems to refer to accessing computers outright, though it also mentions falsified headers, which wouldn't be the case when loading Facebook buttons.
Yes, it's a bit of a "we didn't cross the border, the border crossed us!" situation.
Playing devil's advocate, shouldn't this work in reverse? Providing their IP address, shouldn't someone be able to send Facebook a cease and desist order to stop trespassing on their system by running Facebook javascript in their browser (via like buttons) when visiting non-Facebook domains?
The funny thing is that would probably require a fb cookie on the machine
I'd recommend you put that devil back in it's bag otherwise we're going to end up with another annoying law like that EU one that gives rise to the cookie permission notification, which everyone just clicks to make the stupid banner go away, thereby granting permission.
I think a person should be able to visit any site they choose but not be required to accept any connection, image, etc, not originating on the site without restriction. If we are going to accept the idea that ad blockers are a thing then take it further and blocked linked sites like facebook, linkedin, and such.

I don't mind the cookie opt-in, I do mind that it can be made a requirement for access. If you want to gate way access then provide a subscription service with no free facing. Free cannot mean accepting x,y, and z, as payment. Its free or its not

I plan to use the phrase "put that devil back in its bag" on a regular basis now :)
> which everyone just clicks to make the stupid banner go away, thereby granting permission.

I don't use Facebook and would be happy to have all their like buttons (which are tracking me across sites) wiped out from all the sites I visit. Mmatrix mostly catches them but I wouldn't mind having it on a legal basis.

Websites would then just set up proxies to do the same thing. Rather than adding a JS call on a page, you'd get some sort of FB-provided box that makes it look like all scripts originate from your domain. This would only hit small operations without the time or inclination to add extra infrastructure to support social sharing, everyone else would carry on as before. Maybe an industry-standard proxy format for shared hosts would emerge at some point, giving the same power to small actors, and you'd be back to square 1.
Is that a legal way to avoid a cease and desist? If PowerVentures which was asked to cease and desist and lost, now outsourced their Facebook API use to a third-party (still performing the same function) - would the court really not find against them?
Based on the judge's reasoning, I would say yes.

Until the 3rd party received its own cease-and-desist, then Power would switch to another 3rd party provider.

(comment deleted)
The article badly misunderstands the court's ruling
I assume this is the same Power Ventures Facebook previously won an important judgement against: https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventur....

In that case Facebook asserted that it was a copyright violation when Power Ventures copied data to it's servers, parsed out the pieces they cared about (for contact aggregation), and dropping the rest. The court agreed, ruling that making even a temporary copy in computer memory was indeed a copy.

This appears to be another part of that same case, this piece dealing with the promotional campaign Power Ventures ran. These two have a long history of litigation.

This opinion is based on a fundamental misunderstanding of how the internet works.

A client which is on the same network as a server can request data from the server, and the server chooses how to reply. The internet is just a really big network, so for an internet-facing computer the assumption is that anyone can request data. The analogy of the request-response process to physical space isn't--as the judge claimed--someone entering a building, but rather someone asking permission to enter the building. Asking permission to enter a bank with a shotgun is very different from actually entering and is not itself a crime (as far as I'm aware).

Every interaction between the client and server begins as a request from the client. If the server replies "yes, have some data" it's nonsensical that this could be construed as gaining unauthorized access, as Facebook claims. Ultimately, Facebook still controls access to its servers; it just hasn't figured out a good policy for denying certain requests. This is a technical problem which should be solved through technical means (e.g. blocking IP addresses) or by changing its terms of service with its users.

Unfortunately, rather than solving the problem itself, Facebook has convinced the federal government to work on its behalf through an especially blunt weapon known as the CFAA. This risks changing the entire legal framework in which everyone else is required to operate. Technology moves much faster than the laws governing it, so we may not appreciate the full impact of this decision until later. That should give even proponents some pause.

Every interaction between the client and server begins as a request from the client. If the server replies "yes, have some data" it's nonsensical that this could be construed as gaining unauthorized access, as Facebook claims.

Using the same line of reasoning, you could explain away every computer breach in history as being authorized by the entity that suffered the breach...

Well, taking aside that security is hard, everyone should be responsible for their system and it is a much more apt analogy. The only thing that gives a free pass imo is that it is impossible to be 100% secure.
That's true, you could, however in this case Power isn't exploiting a security vulnerability in Facebook. Power is acting on behalf of a user. This is like saying a maid is guilty of trespassing because a tenant provided his room key while the landlord has a strict "no roommates" policy.
I like this analogy, it extends quite well.

Two more cases to consider: the landlord has a "no sharing keys" policy, and it has told the maid, "you may not enter, regardless of which keys you have".

But the maids agreement is with the tenant, not the landlord. So if the landlord wants to ban the maid, maybe they should change the locks, or kick out the tenant. The key sharing policy would be between the tenant and the landlord, not directly with the maid.
That analogy is bad because the tenant has the right to possess his apartment, and has the legal power to consent to people being there. Indeed, it would probably be illegal for the landlord to keep the tenant from letting a maid in. Facebook users have no property interest in Facebook accounts. They can't consent for someone to access the accounts over Facebook's objection.
Second this. A lot of the comments in this thread reveal some fundamental -- not "misunderstandings" because I'm pretty confident that we all know how the Internet works -- but perhaps "incorrect patterns of thinking/mental shorthands" about the Internet.

There are certain concepts that we often seem to forget when we're using the Internet day in and day out. Things like: "Facebook provides a service," "they're a private company," "you do not have an inalienable right to the service," "the service costs them money to provide," "content creators have certain IP rights to the content they create, but this does not translate into a fundamental right to use the Facebook service," "servers are real physical things," etc.

I can't believe how many people are going along with the whole "comparing Facebook to your rented apartment" line of thinking...

Exactly how are you distinguishing between "exploiting a security vulnerability" and "making innocent requests"? I don't think it's possible to reliably make this distinction.

The law, of course, doesn't try: it turns on whether the person who made the requests should reasonably have known whether they were authorized to make that request.

I know, and I also believe it's impossible. I was trying to steer the conversation away from that debate by pointing out that Power was invited in by authorized users.
This is like being banned from a restaurant, then returning the next day and saying "well, I pushed on the door and it opened, so it's nonsensical to say I was trespassing"
Isn't that a bit like arguing that if you're banned from a shopping centre, then if you walk past a security guard that doesn't recognise you, they should't be able to prosecute you for trespassing? After all the security guard let you past. What if he was polite and opened the door for you?

Security measures are imperfect and always will be. I don't think you can argue that those imperfections grant somebody authorisation when it has already been made clear to them that they aren't authorised. If somebody has been banned from accessing a service, I don't think 200 OK can reasonably be construed as lifting that ban.

I think your analogy is incorrect.

On a network you have to first identify yourself and then request access.

If you have been specifically asked to not access that (open) network in the past the onus should be on the network to keep a record of you.

If you knowingly change your identity to bypass that level of security, then yes you are now trespassing.

Power deliberately changed their IP address after being blocked by Facebook, so yes, they deliberately changed their identity and were in fact trespassing.
case closed, no new precedent needs to be set.
IP address does not equal identity.
For the purposes of this discussion, and the "technical solutions" the grantparent asks for, it does.
It really shouldn't. An IP is just an endpoint which could be accessed by n physical people. Going much further down this road ends up in some rather unpleasant territory.
So what if that guy moves away and Comcast reassigns his IP address to some other customer?
The guy did not do that in this court case, and for the purposes of this discussion. They did something else.
Pedantry. They instituted a technical change with the sole aim of circumventing Facebook's attempts to block their access.
This is the same argument people are making against this ruling. It sets a very bad precedent.

Arguing that an IP address is an identity "for this case" or "this argument" has the same fundamental problem. No, an IP address is not an identity and blocking an IP address is the physical world equivalent of putting up some traffic cones on a sidewalk. You can still get to where you want to go but you now have to "walk around" or "work around" as we call it in the digital world.

The only "clear message" it sends is, "don't use that IP."

I'm not arguing that an IP address is an identity. I'm arguing that Facebook made it explicitly clear, both via a cease & desist letter as well as technical changes, that it did not want Power accessing its servers or its data, whether on their own or on behalf of Power users.

> The only "clear message" it sends is, "don't use that IP."

Are you saying with a straight face that anyone at Power thought it was a coincidence that suddenly they couldn't access Facebook from very specific IP addresses?

> I'm arguing that Facebook made it explicitly clear, both via a cease & desist letter as well as technical changes, that it did not want Power accessing its servers or its data, whether on their own or on behalf of Power users.

Then it should stop authorizing Power to do so. Why would it let the credentials work for Power unless those credentials authorized Power access? That's the problem. The simple solution is 2-factor authentication.

This is a solved problem. If you have "open access" of your web services and and access is non-disruptive, I don't know why this should be a criminal violation. It shouldn't be criminal just because it doesn't fit with your business model.

If I tell you not to enter my house, and take no further steps to prevent you from entering my house, such as closing the door, it's still illegal for you to enter my house. If I tell you not to enter my business, and take no further steps for prevent you from doing so, it's illegal for you to enter (unless I have banned you for being a protected class). If I tell you not to ssh into a computer I own, and take no further steps to prevent you from doing so, it's still illegal. I think a lot of software engineers get so wrapped up in the technical side of security and dealing with anonymous and untraceable threats that they don't realize that for the most part, the law doesn't care about technical access control. It cares about social access control.
Thank you for coming up with a much better example than I could.
> If I tell you not to ssh into a computer I own, and take no further steps to prevent you from doing so, it's still illegal.

What if you tell me to stop doing it, but my friend is allowed and he types all of the commands that i tell him to type and then he sends me the data? That's why it doesn't quite make sense.

It doesn't make as much sense for a publicly accessible website and user tokens. It makes sense from a tort point of view, but not from a criminal point of view. The next step away would be for users to install an app that logs into facebook and forwards the data to the centralized server.

They weren't accessing Facebook with their own account, they were accessing Facebook with their users' accounts.
At that point there is a significant chunk of law which may apply: if they can be seen, by the latter of the law, to be falsifying their identity (by using someone else's) to gain access to a resource, then there may be a case for them to be charged with fraud.

Also, even though facebook themselves sometimes ask for the credentials to your other services (i.e. email accounts so they can scan for shared contacts), I bet their user agreements stipulate that your credentials for facebook should not be shared. I doubt they'd be stupid enough to punish their users for this, but is there some law that would be useful here for taking action against Power for encouraging users to breach their agreement with fb?

NOTE: I'm not a lawyer so you'll need to check with one before relying on what I've just said to be correct!

> if they can be seen, by the latter of the law, to be falsifying their identity (by using someone else's) to gain access to a resource, then there may be a case for them to be charged with fraud.

You've just made quite a few APIs illegal.

Where "impersonation" is part of the protocol no deception is involved, so this shouldn't affect such APIs. In fact in those cases it is not really impersonation, it is acting on behalf of, presumably by prior agreement (or similar by words that are a bit less anthropomorphic).
Using someone's identity is only illegal if you do it without their knowledge/permission. Valets don't need to sign a power of attorney contract in order to use your keys to park your car.

It's not really relevant to this case.

Car keys are not typically considered a form of identification.

Also, the laws against identity theft do not always (ever?) reference the victim's knowledge. In California, if you impersonate someone and profit as a result, you are guilty of false impersonation. The law doesn't care if the person you're impersonating knows.

That's not how it works for physical trespassing. The onus is entirely on the trespasser not to go places he's not allowed. If a property owner tells you to stay off their property, and you subsequently visit that property, you're trespassing no matter how few barriers you encountered to that visit. Why shouldn't a clear "don't touch my web site" be legally enforceable, just like a clear "don't enter my unfenced, totally open yard" is?

Note: I'm not at all sure it should be enforceable, and the idea makes me uncomfortable, but I can't come up with a good reason.

This is a bit different from the common problem where someone guesses a URL and gets hit with unauthorized access. There, they merely lacked explicit permission to access the system in question, and the weird legal argument is that building a URL by hand implies unauthorized access. Here, the access followed a letter explicitly telling him not to access their system.

Its internet. Anyone can request anything. All requesters knows this. Almsot all servers knows this and thus check each request for access.

So yes there is one node that is going out of the widely accepted "social" norm but its Facebook.

Instead of changing one node, your solution is to change all other billions node.

How does anything you said fail to apply to using a software vulnerability to create a request to which the server responds with "yes sir, here is the private information you requested"? Should we just say it's a technical problem that the operator should have solved themselves and make that legal too? How about physical locks while we're at it?

I'm not a fan of this ruling but your argument proves too much.

Normally I'd agree with you... see https://news.ycombinator.com/item?id=6434400#6435092

However in this case when you receive a cease and desist letter informing you that you don't have permission yet you explicitly ignore it and take steps to circumvent any technical restrictions that were put in place, that's where it crosses the line.

Yes the judge ruled that even though knowingly accessing a service in violation of it's TOS is not a crime, accessing it after being sent a cease and desist is. So it appears that the way in which you are asked not to do something has a bearing on whether it's ok for you to do it or not. That seems pretty crazy.

Facebook as a way to prevent this access that's guaranteed to work. They could block the user's account.

Furthermore the Judge's argument regarding a bank barring someone from entering if they are carrying a shotgun is bogus. They could just as well use an example of banning someone if they are carrying a cuddly toy. Using a gun in the example is a transparent attempt to appeal to emotion. There's nothing in Power Ventures activities that could be reasonably equated to openly toting a deadly weapon in a bank.

What if I know I'm doing something that Facebook doesn't like, see an email from them and ignore/delete it? Where does a "Please stop using our web" become a Cease and Desist order?
(comment deleted)
>So it appears that the way in which you are asked not to do something has a bearing on whether it's ok for you to do it or not. That seems pretty crazy.

How's that even remotely "crazy"?

If I merely ask you "I don't want to see you here again", and you come back, you don't get much problems with the law. If I get a restricting order on you, and you came back, I can have you arrested.

There are different levels of being "told not to do something", and some popup has less power than a TOS, which has less power than a cease and desist, which has less power than a full court order, etc...

Facebook did block their IP address.
Power had a clear signal that it's license to access Facebook's website had been revoked-- the C&D. In order to get around that, you're anthropomorphizing the computer and asserting that the computer can consent to access contrary to Facebook's express intent. That makes no sense. The computer is a machine-- it cannot grant consent.

Now, in some cases, you may reasonably infer that the property owner consented based on the computer allowing the access. "I thought I had permission because I was able to get the data from the computer" should be a defense. But that rationale disappears when the property owner makes its intent clear by other means.

Exactly this.

If you're on example.com/documents/foo and think there might be something relevant on example.com/documents/, try and gain access without coming across a warning or terms of service reasonably located, this is clearly acceptable.

Now if example.com warns you that they consider this unauthorized action and blocks your ip... well, that changes things.

> Power had a clear signal that it's license to access Facebook's website had been revoked

Wait: When did accessing Facebook require a license? Shouldn't the fact that Facebook is publicly-accessible make that argument moot?

I don't think there's a good analogy to be made here. Facebook lets anyone use their service for free, publicly advertises it as such, and exposes loads of APIs to the world in order to facilitate that.

What we have here is a company using those APIs in a way Facebook doesn't like. So what? It's not like Power's access of Facebook results in any sort of excessive burden on Facebook's servers. It just isn't compatible with their business model.

Governments should never be in the business of protecting business models.

> Wait: When did accessing Facebook require a license? Shouldn't the fact that Facebook is publicly-accessible make that argument moot?

Accessing other peoples' private property requires a license. That's true even when the property owner offers use of the property to the public. In that case, the license is implicitly granted, but can be explicitly revoked. E.g. shoppers have an implied license to walk into a mall, but malls are still private property and the owner can revoke that license at will.

> Governments should never be in the business of protecting business models.

In this case, the government is just protecting the property owner's right to exclude other people from its property. You can build a business on that right--e.g. Disney Land builds a whole business on excluding people from its theme parks unless they pay--but the protection exists even when no business model takes advantage of it. E.g. I can allow everyone in the world to use my pool for free, except Bob. No business model to protect--I just hate Bob and want to spite him. In fact, Bob isn't even doing anything bad on my property--I just hate his haircut. The government still has to enforce my right to exclude.

Why do you believe that (completely reasonable!) examples from physical laws should be used as guiding analogies towards digital problems?

Private property trespassing is not the same mechanism at all as making requests on behalf of a user.

If anything, this whole thing is more like an owner telling a dim clerk to ignore a particular person inquiring at a window, and then the person wearing a fake mustache.

> Why do you believe that (completely reasonable!) examples from physical laws should be used as guiding analogies towards digital problems?

The examples from physical laws articulate the principles underlying those laws. One of those principles is that the mechanism of the trespass is totally irrelevant. It doesn't matter if Bob gets into my pool by sweet-talking a dim-witted security guard or rents a plane and does a HALO jump. All that matters is the end result: he's using my property even after I told him not to. Why should that principle be modified for the digital world?

Now, I think that in the digital world, it can be harder to know what the property owner intends than in the physical world.[1] I think it's reasonable to require a higher standard in the digital world for proving that the alleged trespasser actually had notice he was no longer welcome. And the 9th Circuit did that when it held that a TOS was not sufficient notice. But that's not in play here--Facebook clearly and unambiguously communicated its intent to Power. Why should anything else be required?

[1] Maybe it's also harder to know when someone's property was accessed intentionally. But the CFAA has a pretty stringent standard for that--the access must be "knowing." Accidentally sending packets to Facebook's computer and getting a reply would not be enough. And there is no claim here that Power didn't "access" Facebook's servers nor is there any claim it did so "unknowingly."

Someone raises this argument in every thread about the concept of unauthorized access. I have yet to obtain from those threads a satisfactory answer to this question:

If what you say about "requests" and "responses" is both true and dispositive of the issue of authorization, then you're saying that virtually every SQL injection vulnerability on the Internet is also an "authorized" form of access to people's backend databases. Nobody should be prosecuted for those either. After all, most of those attacks take the form of simple HTTP requests --- in fact, many of them are triggerable simply from GET URLs.

How does this definition of "authorization" make sense?

Classifying data of any form as illegal is a dangerous idea. Requests with SQL in them shouldn't be illegal. If people want laws against hacking, they should be based on something other than the contents of files and electricity on wires. If they can't find something, there just shouldn't be a law.
But it seems to me like 'ramblenode is arguing the exact opposite: that the law ignores the HTTP request and response on the wire to look at the actual interaction between Power and Facebook and the result of the packets Power sent.
The SQL injection is more like entering using a `back door` instead asking for permission. Power used the facebook API which is the `main entrance`.
(comment deleted)
You realize trespassing is illegal regardless of which door you use, right?
This came up on a recent thread here, where someone was surprised to learn that the crime of entering someone's house through an unlocked window or door is called "breaking and entering".
Yeah, I was reluctant to mention breaking and entering here because it depends on the state. In California, it would be burglary because they don't actually have a "breaking and entering" law. If you somehow entered through the window with no intent to commit further crime, I think it would be trespass, but I'm not sure.
I think the fact that it's surprising is an indication of a problem with the law. If people think that breaking and entering actually requires physically breaking something or disarming some security measure then that's probably what it should be.

Is there really a harm in calling it trespassing?

Trespassing is a different crime. It's a bother to have a stranger enter your property uninvited. It's a huge invasion to have a stranger enter your house uninvited. The former may be trespassing. The latter is likely breaking and entering (or burglary or some similar law).

You could try to change the names, but it honestly doesn't matter. Many people also don't know the difference between assault and battery. No one really thinks it's okay to threaten others with physical violence even if no blows are dealt, though. Similarly, no one really thinks it's acceptable to enter someone's home without permission even without literally "breaking in". The laws around these are generally reasonable even if the legal names aren't exactly what people expect.

> If people think that breaking and entering actually requires physically breaking something or disarming some security measure then that's probably what it should be.

"Breaking and entering" appears to have originated as a English legal doublet [0] -- a pair of words with origins in different languages with similar meaning adopted as the language of the law changed. As an aid to clarity.

> Is there really a harm in calling it trespassing?

Well, yes, because:

(1) "Breaking and entering" already has another name, "burglary". [1]

(2) "Trespassing" is the name of another, broader and, by itself less serious, crime of intrusion onto property without permission.

[0] https://en.wikipedia.org/wiki/Legal_doublet

[1] See, e.g., https://en.wikipedia.org/wiki/Breaking_and_entering

This at least points towards a coherent position. Before assuming that you hold it, let me clarify a little: we both understand that SQL is just an example, right, and virtually all other security vulnerabilities would be lawfully exploitable as well? The difference between SQL injection and memory corruption is simply that of two different programming languages being used to carry the attack.

So the position you hold is that people on the Internet should be allowed to hijack each others computers, lest the law begin determining the legality of contents of files or electricity on wires?

As I said: that's a coherent position. It's not one I hold or would personally find tolerable, and I think the long term public policy consequences would be surprising to people who hold that position out of a rooting interest for underdogs (people are quick to forget that money buys more exploits every year than principle ever has). But I don't know that I could rebut arguments based on it simply based on logic.

The terminology as it stands it too broad. The people on the internet shouldn't be allowed to hijack each others computers. There should be a law specifically against hijacking another computer without permission.

Just like guns, and going to the bank aren't illegal. In some places going to the bank with a gun isn't illegal. But pointing a gun in a bank at a teller and saying "give me all the money" is illegal.

> In some places going to the bank with a gun isn't illegal. But pointing a gun in a bank at a teller and saying "give me all the money" is illegal.

Right, it's entirely about intent. Assuming you live in a place where you can legally open-carry a gun into a bank, it's still illegal for you to stare down the teller while motioning to the gun if you're doing so with the intent of stealing money from the bank. It's not about what you say or don't, or how you indicate that you want the money. It's entirely about whether you intend to steal from the bank. If the teller gets freaked out just because you're open-carrying and hits the alarm button, you've not committed a crime unless you had intent.

Intent is not enough. You have to have acted on the intent (planning and conspiracy count as action).
Fair. It's not all about intent. Intent definitely matters, though.
Phishing and social engineering attacks are close to conventional fraud and should be prosecuted.

But nothing that goes over the wire should be interpreted by prosecutors and judges as a criminal act. It's simply far too arbitrary what they will consider legal or not and the law should be reasonably predictable.

On the wire security is the responsibility of server operators and blame shifting has already undermined the influence of correct security practices far too much.

> But nothing that goes over the wire should be interpreted by prosecutors and judges as a criminal act

The law, as written, doesn't look at what "goes over the wire." It focuses on the end-result of getting access to a computer. I don't think that's arbitrary or unpredictable.

It focuses on the end-result of getting access to a computer. I don't think that's arbitrary or unpredictable.

There are sites that, all the time and with authorized and well-meaning users, have unpredictable results when serving a page request. We call them bugs. :|

The law is out of its depth here, least of all because it is attempting to proscribe what it can neither reliably control nor measure.

And if you exploit a bug to gain unauthorized access to a computer, you've committed a crime.

Computers and networks are not magic and it makes no sense to pretend that laws cannot limit unauthorized access. We do need to improve many of the laws related to computers, but it's unreasonable to claim that there's no way for laws to cover computers in a reasonable way.

> The law is out of its depth here, least of all because it is attempting to proscribe what it can neither reliably control nor measure.

You could claim the same about trespass. The courts cannot control access to your property, nor can they monitor or measure such access. Nonetheless, they can prosecute and convict people who trespass on your property and in general, we tend to agree that this is a good thing.

I don't see how it's not coherent to think that something that is allowed should be allowed for everyone, but that something that isn't allowed shouldn't be except if you get permission.

If someone thinks that the Internet should be a public network, it seems reasonable for them to also think that you shouldn't be able to exclude someone from using it in a way that is legal for anyone else.

You might think differently, but I don't see how their position wouldn't be coherent.

>Requests with SQL in them shouldn't be illegal. Intent matters here. If little "Johnny DROP TABLE" causes a problem with his input but there is no evidence he did so deliberately, I don't think a sane person would argue he was cracking. But if a user fetches "Main St. USA Business" unencrypted passwords and sells or distributes them, clearly a line has been crossed. That line seems to be "personal profit", financially or otherwise.
Actually, there's loads of laws like this! I'd argue that if a user fetches the unencrypted passwords of users from a website that they shouldn't be punished at all because merely obtaining such information isn't harmful to anyone until it is used (in a nefarious way).

If I download a huge list of credit card/account details that someone accidentally exposed on their website have I committed a crime? Certainly not! If I use those account details to commit fraud (or similar crimes) then it's a problem.

Aside: If someone is able to pull unencrypted passwords from any company's database the real crime there is the fact that the passwords were stored unencrypted in the first place!

(comment deleted)
This is a good point but a bit of a strawman argument. SQL injection is an intentional attempt at circumventing the security of a website. Performing GET and POST requests to merely use an API is an entirely different category of access.

A better argument would be that the IP address blocking is a security control and that Power circumvented that. However, that's a very, very thin security control akin to placing a "patrons only" sign next to a bench outside a store.

Is it rude to sit on the bench if you aren't going to buy anything? Maybe. Could the owner ask you to leave? Sure. Could you just come back later and sit down again? Yep. Would it be possible to have someone prosecuted with a felony charge for doing that? Absolutely not.

The service Power provides to its customers is but a mild annoyance to Facebook at best and certainly not worthy of criminal prosecution.

(comment deleted)
> Is it rude to sit on the bench if you aren't going to buy anything? Maybe. Could the owner ask you to leave? Sure. Could you just come back later and sit down again? Yep. Would it be possible to have someone prosecuted with a felony charge for doing that? Absolutely not.

If the owner asks you to leave and expressly forbids you from returning, you are guilty of trespass if you do so. The owner is not obligated to install a physical barrier to prevent you from entering. You are legally obligated to stay off the owner's property if they request that you do so.

>You are legally obligated to stay off the owner's property if they request that you do so.

You are not, however, legally obligated to never walk up to the edge of the property and ask the owner standing there if you can come onto the property.

You are at least legally obligated to not wear a disguise (the equivalent with the case at hand being changing IP addresses) to attempt to circumvent the owner's ban.
Sure. But you are legally obligated to keep off the property even if there's a sign in the yard that says "welcome to our home".
Laws often have the idea of intent. If the intent is to maliciously circumnavigate access control mechanisms, then that should be illegal. Requesting data that has no access controls should not be illegal.
What about the class of vulnerabilities that is due to missing or faulty access controls? For instance, is it your position that while SQL injection should be illegal, rotating the account number in a URL and using it to harvest the social security numbers of hundreds of thousands of bank customers should not be?
I feel like that should be negligence on the HOSTs part. If you have sensitive data, you often have a legal obligation (HIPPA, or whatever domain applicable law) to protect that information. Having it trivially harvested through a URL parameter is negligence in that light.
This is the second most popular argument in a unauthorized access threads. But what it suggests is a form of special pleading for the Internet. It's not an unusual situation in criminal law for the negligence of a victim (or a victim's agent) to interact with the malice of a criminal. What is unusual --- I think unprecedented, in fact --- is for the victim's negligence to negate criminal culpability.

Put simply: sure, create civil liability for companies who deploy insecure software (watch how fun it becomes to be an indie software developer!). That shouldn't change any part of criminal law.

Agreed. If you leave your house unlocked and someone walks in and steals your stuff, they can still be tried and convicted for burglary, though maybe not for breaking and entering.

Now, if you are running a self-storage warehouse and you leave the master key lying around, your customers will almost certainly be able to sue you for negligence. The thief is still committing burglary, though.

We live in a polite society, we are supposed to be able to make rules and have people respect them regardless of whether they are technically capable of circumventing them.

> burglary, though maybe not for breaking and entering.

Off-topic, but in a number of states, these are the same thing. e.g. California has no "breaking and entering" law. Burglary is just entering with the intent to commit larceny or a felony.

We have, up until this point, lived in a polite society. It's unreasonable to expect that this can continue in a world globally connected through the internet.
No, they can indeed be tried for breaking and entering.
Sure, but it isn't special pleading. This case is like Facebook leaving out a piece of paper on a table and telling someone not to read it. Is it then illegal to read the piece of paper if it is in plain sight in a place they are allowed to be? I sure hope not.

I explicitly reject that I want to negate criminal liability because of the hosts liability. If there are poorly designed access controls in place which are illegally eluded, both should be liable. If there are none, then only the host should be liable.

Clearly that analogy fails, since this thread is rooted in a comment suggesting (wrongly, I think) that authorization was mooted by the request and response nature of the Internet.
Meh.

FB : "Don't read this, Mr. X" PW : leaves the room, puts on a different hat PW : "Can I read this?" FB : "Sure!"

(comment deleted)
> What is unusual --- I think unprecedented, in fact --- is for the victim's negligence to negate criminal culpability.

You know more about these issues than me, but I expect that people who are thinking this way might be thinking in terms of an analogy of a conversation with a bank teller (the analogy being that network communication is just like a conversation between your system and theirs).

So if an attacker talks to a bank teller working at a bank and tricks them into revealing lots of private information about other customers that they shouldn't reveal, and it later comes out that the bank had not provided training to the bank teller about customer privacy, and had given them access to all kinds of data that they didn't need access to (which they shared in the 'attack'), I would expect there to be some liability on the Bank.

I agree though - even though they've 'just' spoken to the teller (and perhaps not told any direct lies), this doesn't negate the culpability of the attacker - if they've deliberately set out to trick the teller then they've committed fraud. If the 'attacker' didn't set out to trick the teller, and the teller just confused themselves, then yes, I'd expect there to be no culpability on the attacker but culpability on the bank.

In cases where it's less clear (maybe the attacker tricked the teller into giving them information in a way different to that desired by the bank, even though the attacker is normally allowed to access that information), I would very much want to err on the side of caution.

A world where using an unsupported browser or a scraper or unknowingly clicking a link or writing software that accesses data that you are otherwise allowed to read can make you liable for committing a serious crime would be a very worrying world.

(comment deleted)
As much as I'd like to make the argument "SQL injection vulnerabilities are your own damned fault" at this time, I understand it wouldn't be compelling to you. We'll table that for a moment, and similarly we'll table the obvious "Why the hell should using a public API in the way it was intended (e.g., incrementing an ID param in a public endpoint) be illegal?".

Instead, I think we should look at the authorization angle. The company in question appeared to be using the widely accepted OAuth scheme for exactly the purpose that it was intended: acting on a user's behalf to get data (here, contact information). That's why the whole thing exists, and that's why companies like Facebook and Linkedin have as much information about their users as they do--because they themselves pursue this exact behavior.

It seems kinda incongruous to say that user authorization is fine when you have the lawyers to back it up, and not fine when you don't. This seems like Facebook being anticompetitive against the wishes of their users.

I'm not sure I follow. This is a case where Facebook made it clear with an explicit cease & desist letter that the company was not authorized to use their API. Your argument seems to depend on some notion of compulsory licensing for APIs published to the Internet. There is no such concept.
> you're saying that virtually every SQL injection vulnerability on the Internet is also an "authorized" form of access

I think SQL injection would be analogous to "asking permission to enter a bank with a shotgun", as the OP put it.

Can you explain that distinction clearly? What's violent about SQL injection that isn't violent about, for instance, guessing account numbers?
Ideally, we would lose the notion of “authorization” and only retain “authentication”, with respect to a network of autonomous systems.

Authorization really only makes sense in the context of command and control (i.e. getting someone to do something that you want, and getting them to stop doing something that you don’t want).

But (as you know), the Internet operates by negotiation, where autonomous components adjust their goals (and sub-goals) based on their best understanding of the environment. Components don’t exchange commands, just information, and they make their decisions based on not only on the content of a message, but also its provenance. Thus, fraud is the actual impeachable act, since what we really care about is the authenticity of a message.

Admittedly, this regime does not allow for the prosecution of something like a SQL-injection attack (though it probably could be stretched to do so); but ideally, SQL-injection vulnerabilities would almost always be treated as negligence.

Of course, we all know that the world is not ideal and compromise is necessary (it would be ironic for me to suggest otherwise), but it would be nice to do the experiment.

(Yes, this is just recapitulating the arguments for capability-based security)

(On the other hand, while the Internet is not a command-and-control environment, it probably needs one on a meta-level.)

"On the other hand, while the Internet is not a command-and-control environment, it probably needs one on a meta-level."

How do you mean? Isn't the negotiation of autonomous components fine principle for the Internet?

> If what you say about "requests" and "responses" is both true and dispositive of the issue of authorization, then you're saying that virtually every SQL injection vulnerability on the Internet is also an "authorized" form of access to people's backend databases.

I would say that the SQL/HTTP equest with the SQL injection is _per se_ legal. The damage that it has intentionally caused is what the law should punish.

"You are free to tell me whatever you want, but beware: if you catch me offguard and make a damage, then you will be punished for it."

At this point, what about malformed requests from homegrown browsers that trigger catastrophic bugs in the upstream application, does this now constitute a federal crime?

At no point did either party intent to cause harm, but it happened anyway.

Really, I quite like the British framework for this sort of issue: anything can be illegal or legal, it depends on context and motivation.

The CFAA requires you to have "knowingly (accessed a computer without authorization or exceeding authorized access)." (Under typical statutory construction rules, the mens rea requirement should distribute as shown by the parens; I have not checked whether case law has construed the CFAA specifically that way).

If you had permission to access the website otherwise, and exceeded authorized access because of a bug, you would not have met the "knowing" requirement and would not have violated the CFAA.

Intent goes a long way in many things concerning legal cases in many places around the world.
Problem with the British system is that in practice race, gender, and SES are just as relevant as context and motivation.
So you think only success is punishable? So if someone takes a swing at you, it's only assault if they connect? If someone takes a shot, it's only illegal if the bullet hits you? If someone tries to break into your house, it's legal until they get inside?

Or are computers special for some reason?

Computers are indeed not like any of these things.

I would compare to chatting with someone and talking them into committing suicide. Wasn't there a court case about this a couple of years ago? This is something that is only considered a serious crime if it is successful. Otherwise, it's just being creepy and annoying, who would accept those calls/chats anyway.

It's unfortunate that people accept and even love fundamentally unsafe designs of computer operation, where they are not in complete control of what their computer does, and then get upset when their computer does something quite actively opposite of what they wanted. This is inevitable! The biggest difference is in the prevalence.

> Computers are indeed not like any of these things.

None of those things are really like the others either, except that they are all still (lesser) crimes even if you're not successful.

> I would compare to chatting with someone and talking them into committing suicide. Wasn't there a court case about this a couple of years ago? This is something that is only considered a serious crime if it is successful. Otherwise, it's just being creepy and annoying, who would accept those calls/chats anyway.

Probably depends on the state. If it's a crime to convince someone to commit suicide, it's probably a crime to attempt to do so. In California, attempting a crime is a crime in itself.

> It's unfortunate that people accept and even love fundamentally unsafe designs of computer operation, where they are not in complete control of what their computer does, and then get upset when their computer does something quite actively opposite of what they wanted. This is inevitable! The biggest difference is in the prevalence.

"Fundamentally unsafe"? Unplug your computer if you want fundamentally safe. Otherwise you are always fundamentally unsafe. Access to your house is not "fundamentally safe", but if someone kicks in your door and barges in, few will tell you that it's your fault that for not living in a concrete bunker.

Computers are special for some reason.

I can't punch you in the face over the computer, but I can take a swing at you in front of my monitor even I don't know where you are afk. Is that alright under the law?

That was rhetorical; of course it's alright. I'm doing it right now, for all you know.

And yeah, it's not possible B&E until you('re caught) B&E. You might have to commit trespass to get that close, but that's a different law.

The perversion is when you get charged with B&E for walking into a building open to the public just because security didn't stop you from going inside.

I'm not following. You can definitely be prosecuted for attempting to break and enter into a house.

The distinction between doing that and entering a building open to the public is exactly the distinction the CFAA makes.

> Computers are special for some reason.

And what reason is that?

> I can't punch you in the face over the computer, but I can take a swing at you in front of my monitor even I don't know where you are afk. Is that alright under the law?

That's not taking a swing at me. That's you swinging wildly in the air in front of your monitor. Yes, that's legal, if pointless.

> And yeah, it's not possible B&E until you('re caught) B&E. You might have to commit trespass to get that close, but that's a different law.

As Thomas noted, attempted breaking and entering is a crime as well.

> The perversion is when you get charged with B&E for walking into a building open to the public just because security didn't stop you from going inside.

I'm not sure what you're trying to say here. Are you saying that unauthorized access is like breaking and entering? A better analog for the case here is trespass. You won't be guilty of breaking and entering if you enter a mall after being asked to stay out, but you will be guilty of trespass. No one is required to post guards to keep you out. Simply tell you is enough to legally obligate you to stay out.

(comment deleted)
No it's assault when you make the other person fear for their safety. It's only battery if the punch connects though.
It doesn't stop being assault when you successfully hit the person. It's assault and battery in that case.
Sounds like trespass to me because the request explicitly acts like it's conforming to a protocol while it's actually another.
That one doesn't, as it confuses a code exploit with discrimination against individuals.

Refusing service and calling the cops when a customer tries to empty your cash register are similarly different things.

> If what you say about "requests" and "responses" is both true and dispositive of the issue of authorization, then you're saying that virtually every SQL injection vulnerability on the Internet is also an "authorized" form of access to people's backend databases.

No GP is saying IP/TCP/HTTP does not define legality of a packet and you (not you) should not put such fragile server on Internet on first place.

Of course you can make laws to make some requests illegal. But even then you will have non-local nodes to worry about. Not to mention the change in softwares/hardwares as a result. Oh, the number brain cycles wasted.

Please fix your server its hard but not impossible.

IMO the real issue is that the data accessed and the operation executed are done on behalf of Facebook users that gave their permission. In that case I don't see why power is liable if he got explicit permission from users. FB should have sent those letters to the users and canceled their accounts for non complying.
> If what you say about "requests" and "responses" is both true and dispositive of the issue of authorization, then you're saying that virtually every SQL injection vulnerability on the Internet is also an "authorized" form of access to people's backend databases.

I think there's a clear and obvious distinction between a maliciously constructed request and a normal request (e.g. the difference between inserting lockpicks in a door and inserting an actual, correct, legally obtained key in a door, or having at the door with a sledgehammer).

Ok, then make that distinction, as clearly as you can. Like many here, I work on this specific problem for a living, and I don't think the distinction is easy to draw at all. Happy to learn something new!
You don't understand the difference between picking a lock and using a key? You do realize that the world isn't neatly defined - objects in the world don't have platonic labels assigned to them, a key vs lock picks is just as large or small a difference as a properly authenticated REST call vs some kind of exploit. Just as a lock smith might legitimately use lock breaking tools to open your door for you, the law understands that intent and method both contribute to understanding whether a criminal act as occurred.
It's obviously a question of intent. If service providers are granted by law the ability to define what's authorized and not ex post facto, then every request is a potential crime.

I realize this is a good scenario for authoritarians like yourself, but from the network point of view it's problematic.

To extend the metaphor of an HTTP request being an ask rather than an action:

I would liken SQL injection to asking if you can enter the building by throwing a brick through a window. Regardless of the content of the request, the requester knows the requestee doesn't want to receive requests in that fashion.

As several other users have pointed out, intent is important (and in the case of a SQL injection, pretty explicit).

Agreed, and you don't even need a SQL injection. If I steal your password, the server will give me 200 OK responses all day, even though I would obviously not be authorized in any legal or common sense.
Running compromised systems is consent. In any context outside of the very narrow scopes of law and morality, everything that can happen does, and everything that does happen is legal.
I disagree.

If there's a bug in the server and someone exploits it to gain unauthorized access -- even if the user has been warned via terms of service that doing this is unauthorized -- then by your interpretation this shouldn't be considered unauthorized access. Power was explicitly warned their behavior was unauthorized, had their IP banned, and Power implicitly acknowledged this ban by changing their IP.

>Ultimately, Facebook still controls access to its servers; it just hasn't figured out a good policy for denying certain requests.

Not having a lock on your door does not give everyone permission to walk into your home.

That's actually something that varies by state. Some states are more permissive than others when it comes to being in places where you don't have an affirmative legal right to be present, as might be indicated by a lease or ownership document.

At one extreme, you have Scandinavian-style allmansratten, wherein the right to wander is firmly entrenched in the culture, and trespassing requires an obvious, posted, and defended boundary. If your door has no lock, that is an implicit invitation for any wanderers to enter, also under the implicit condition that they comport themselves appropriately as your guests, even if you are not actually there.

At the other extreme, you have military bases, where you must show identification and your invitation at fixed points of entry, and you might get shot without warning if you are in an area that you have not been specifically authorized to be in.

So there are actually states in the U.S. where you can enter an unlocked home during daylight hours, sit on the couch and read a magazine, make awkward small talk, then leave before sundown, and no crime has occurred. And then there are other states where the homeowner or leaseholder could shoot you as you did that, without saying a word, and not commit a crime.

But I know of no jurisdiction where a trespass warning, where the visitor is specifically told to leave and not return, does not trump all of that. If you have been ejected from someone's property, and return to it at a later date, you are trespassing, period. It does not matter if you have disguised yourself such that you are not recognizable to anyone else as the same person; you still are that person, and that person is not allowed to be there.

>So there are actually states in the U.S. where you can enter an unlocked home during daylight hours, sit on the couch and read a magazine, make awkward small talk, then leave before sundown

Out of curiosity, which state(s) are these, and (if you happen to know), what laws surround it? Why sundown, for example?

It's from Anglo-American common law. Under common law, "burglary" must occur during the night. Similar behavior during the day is at most "housebreaking". Under common law, there must also be intent to commit a felony within the building in order for "breaking and entering" to be charged as an additional crime.

So if you look in, for instance, New Hampshire Title LXII, Chapter 635, as long as you have no intent to commit a crime, nor any reasonable expectation that you are not allowed within, you can open and enter any unlocked door you find and not be charged with some form of unlawful entry. But it doesn't even take a locked door to stop you. A handwritten note taped to the door, reading "keep out", would be sufficient to trigger unlawful trespass, a lesser crime than burglary/housebreaking.

If you look at Pennsylvania's Title 18, Chapter 35, you can see a wordy example of the boolean expression (( A & B & C ) or ( A & B & ~C ) or ( A & ~B & C ) or ( A & ~B & ~C )), when only the last case is referenced by another section. Could use some refactoring. They also added a special "meth burglary" section.

If you look at California penal code sections 458-464, you can see that shoplifting is considered a lesser form of burglary, where the "breaking" is by deception, and the intended crime valued less than $950, and replaces both the burglary and the theft. In California, you can be charged with burglary of a tent or motor home, whereas the aforementioned states restrict it to fixed buildings.

As far as I know, the distinction between night and day is an artifact of history, from before the era of cheap artificial lighting. But all state laws differ. Where they do not, it is usually because the provisions implementing the common law definitions have not changed. It's usually pretty easy to find the sections of state law dealing with actual crimes against people, property, and peace. And many of them rarely change. One wonders why any state would even need a full-time legislature when most of the truly necessary laws are already written.

"This opinion is based on a fundamental misunderstanding of how the internet works."

Your opinion is based on a fundamental misunderstanding of how the law works.

Under the CFAA, to "intentionally accesses a computer without authorization" is a federal crime under most circumstances. If you don't have a written authorization from Facebook before you send your first HTTP request, you're already a criminal.

Of course, the prosecutors interpret that to mean, at various times, exactly whatever they feel it should mean. You can't tell in advance what that will be. But the judges and the jurors will pretty much follow whatever they say because they don't understand what happened. In that case, it's natural for them to just go along with whatever the FBI's paid 'experts' tell them.

That's how we keep law and order in a free country.

He didn't access a computer, he requested information from the computer, over a public channel, which was given.

This is a semantic difference so it doesn't matter that the CFAA that they consider the crime "intentionally accessing a computer without authorization" - he didn't remote desktop to the machine and log in and access the file system and get information. He used the OAuth protocol which is afforded over public channels exactly as prescribed to say "This user has granted me access to this information, please give it to me" and Facebook has said "here you go"...

This is akin to asking for the information, being issued a cease and desist to prevent you from asking for it again and then using the Freedom of Information Act to request information and subsequently being arrested for being in possession of that information on the grounds that you illegally obtained that information by breaking and entering and accessing files you weren't authorized to access... which you can see is clearly not true.

How would you know that the link was requested deliberately by a user and not by JavaScript or some other autonomous network client? You cannot, unless there's a tamper-proof and indisputable (aka we know how to interpret brain waves) 24/7 audit log of a person's brain activities. Clients prefetching resources or even looking up DNS is fully automatic and already happens today. If this becomes law, a random website need only insert URLs on an otherwise innocuous page, for someone to get into trouble.
This is the kind of logic that programmer types often apply erroneously to the legal system.

The answer to your question of how one would determine is the same as it generally is: humans would examine the available admissible information and draw a conclusion based on the preponderance of the evidence.

A huge difference between the two rules-based systems is that the legal system contains judges and juries, who routinely can and do just jump into the middle of a situation such as you describe and declare that's not what the rules meant.

Which seems like a good context with which to view this case. Many here are saying "well in this case it was deliberate but what if..." while others point out that noting the actions of the defendant as deliberate and purposeful is not an observation that's exogenous to the system.

Regardless of how you feel about the opinion. The one thing that stood out for me was the walled garden. If you really want more and more of these cases to happen, keep using these giant walled gardens like Facebook.
I wonder if the ruling would be different if Power had done the scraping client-side instead of using its servers. For example, if they had distributed a tweaked Facebook app for jailbroken devices that allowed users to "log into" Facebook and scrape data using their own device and Internet connection.

Or, more simply, a third party app that users install on their phone and calls the "private" Facebook API directly.

Would the same arguments hold?

I have the same question. In this case Facebook was able to identify Power acting on behalf of users because requests came from a common set of IP addresses.

If Power had instead provided users with software to run from their own devices would that change anything?

In both situations this is user authorized behavior and the ability of Facebook to identify an involved service as assisting users should be irrelevant.

Yes, they're still in charge of the said app that they are "distributing". Authorization is what matters, it doesn't matter how they're doing it.

In this case, the users are using an "unauthorized" app and Facebook can block the app if they figure out how to ban them. Facebook can also block the users for using it as well.

...This is why we have a SCOTUS.
SCOTUS are just as capable of bad decisions as other federal judges. They're not magical, and we get stuff like Citizens United and Dred Scott.
> They're not magical, and we get stuff like Citizens United and Dred Scott.

Leaving aside CU right now, I'm less convinced that Dred Scott was a bad judicial decision than I am that it reflected the fundamentally irreconcilably bad state of the Constitutional order when you have entities that, depending on which subordinate jurisdictions law applies to them, may be either chattel or persons with all the rights and privileges attendant thereto.

As much as the founders tried to make it work to cover up the deep divisions that existed in the early US, the basic structure of government set up under the Constitution just doesn't work well when the basic definition of "what is a person vs. what is property" isn't consistent across the states.

That's not to say that there isn't an argument that Dred Scott was wrongly decided, just that the usual argument (which focuses on the immorality, from a modern viewpoint, of the result) sort of ignores the fact that any system in which slavery is part of the law will necessarily produce results abhorrent to modern morality.

The problem with Dred Scott wasn't the ruling that SCOTUS was asked to rule on, namely, what the status of a slave was when an owner moved from a slave state to a free state. That aspect of the decision is fairly defensible under the given law (basically, you can argue that automatically emancipating the slave equated to an illegal, uncompensated taking of property). Odious, but defensible.

The problem of Dred Scott was that SCOTUS basically went on to argue that blacks, even freed slaves, weren't citizens and could never be citizens, and also argued that slavery could not be banned in any manner whatsoever by any level of government. It was a pretty naked attempt to tell the abolitionists "Slavery exists, and there's nothing you can do about it. Deal with it."

So, I suggest a few prominent web presences communicate to the judge and prosecution that they are no longer welcome at those sites.
What if Zuckerberg had received a cease and desist letter when he was accessing computers without authorization at Harvard?

Before any student willingly sent him personal information, he had to exfiltrate such information i.e. photos of other students so other students would be compelled to look at websites he created using said photos.

He did eventually receive a cease and desist letter, and he ignored it. But of course it was not from the people charged with protecting students' personal information nor the students themselves. You know the story.

As with Google, under today's culture it's acceptable for Facebook to aggressively collect personal information in bulk and pay little attention to obtaining permissions, but it is not acceptable for anyone to attempt to collect information in bulk from Google or Facebook. This make no sense to me, but I gues I am just obtuse.

Maybe what Kerr is wondering is when the necessity of sending costly snail mail cease and desist letters will give way to some less expensive digital form of notice. When that happens, the threat of the CFAA can be used on a mass scale. Perhaps then we would see it in every Terms of Service. Maybe we could create a new HTTP response code: HTTP/1.1 606 CFAA Notice.

Can somebody please clarify, Facebook initiated a civil suit base on the CFAA violation, after the cease-and-desists?

Facebook then sued, claiming that Power’s conduct violated the CFAA

So, was there a government initiated prosecution for this criminal violation?

How can you use CFAA violations in civil court without a criminal conviction of the violation?

By using preponderance of evidence in lieu of reasonable doubt seems troubling for a criminal violation, or is this not the situation?

> So, was there a government initiated prosecution for this criminal violation?

There was no alleged criminal violation. CFAA provides both civil and criminal causes of action; the interpretation that this sets a standard for criminal law is not that this was a criminal violation, but that the requirement which was being applied applies both to civil and criminal CFAA provisions.

> How can you use CFAA violations in civil court without a criminal conviction of the violation?

You can do so because the CFAA explicitly creates a civil cause of action not dependent on a criminal conviction,

> By using preponderance of evidence in lieu of reasonable doubt seems troubling for a criminal violation, or is this not the situation?

There is (in general) no "criminal violation" involved in a civil CFAA action.

Thank you for the clarification.

I was not aware CFAA provided civil causes of action.

but that the requirement which was being applied applies both to civil and criminal CFAA provisions

Since it applies to both, the burden of proof in a criminal proceeding, would still be higher, no?

> Since it applies to both, the burden of proof in a criminal proceeding, would still be higher, no?

Yes, even where the same fact question applies to establish criminal liability as exists to establish civil liability, in a criminal case the prosecution will be obliged to prove the fact beyond a reasonable doubt, while in a civil action it will only need to be proved by a preponderance of the evidence.

If I understood the ruling right, then I send FB a "cease and desist" letter prohibiting FB from accessing my computers, et voilà, all carte blanche privacy violations by FB will go poof because they would be committing a federal crime if they so much as showed their icon in another website I visit?
> If I understood the ruling right

You don't understand the ruling right. Or, possibly, you don't understand how the web works right -- Facebook doesn't actively reach out to your computer to show an icon, your computer sends a request to Facebook for the icon.

The law is not good, but the court's ruling seems correct and following the law.

The law says, "Unauthorized access to computer systems is a crime." Facebook sent them a cease-and-desist letter saying not to access their system anymore. The court agreed that at that point, they were no longer authorized to access the system, and that they knew they were not authorized.

So unless the law is unconstitutional, them the only way to solve the problem is by getting congress to change the law. Maybe that sucks but welcome to America.

I misread the title as "It's a crime NOT to visit a website after being told not to visit it" at first and it made a lot more sense that way.