44 comments

[ 3.6 ms ] story [ 105 ms ] thread
(comment deleted)
It does beg the question, does changing a user's password without their consent violate the CFAA?
At the very least I smell potential fraud with the trip wire limits then associated messages saying no more screen times and password resets. CFAA could potentially be applied but I think since it’s their platform and done by an authorized agent it may be a stretch. But some state AGs could read into these actions and open wider lines of investigation, and compel other evidence. If this is what they are okay talking about, think of the other dirty deeds that were kept hush hush..
(comment deleted)
it's just one way to lock a user out. on my server i can set a flag that blocks login instead. (that flag is normally set until a user is verified)

so the question is not: am i allowed to reset your password. but am i allowed to limit your access to my service.

the problem is not what they did and why, but how they did it and how it affected the users.

> am i allowed to limit your access to my service.

And the clear answer to me is 'yes'. And the customer can try to sue for non-delivery of service if they like, but probably won't get back much more than the $10 subscription fee.

The problem is not locking out users, it’s allowing yourself or someone else to impersonate them.
It's your system, you're free to design it as you wish. The accounts aren't "property" of users, they're instruments you use to provide some service - if you allow your employees to impersonate these accounts, then that's authorised access.

You're generally liable for the consequences of that access - e.g. if Twitter would have their employees take over Trump's account and post "I'm a doo doo head" every five minutes, then that might result in some legal challenges; or if a PayPal employee made payments impersonating your account, then those payments would constitute fraud; but, in general, your employees accessing user accounts and altering data in them is not prohibited by any laws.

[edit] It would be nice if the downvoters could provide some argumentation why they disagree - I can accept that users should have some rights, but according to the current laws they don't. CFAA protects the owner of the system, who gets to decide what access is authorised and what not.

Yes, this is the important point. Changing someone's password is not just locking them out, it's allowing you to log in as them.

I have control of a user database for my site. I cannot log in as my users since I don't know their password and the database is hashed. But if I log into the database and change their password, now I know what their password is. And now I can log in as them.

depends on how it's done. i could randomize the password in such a way that i don't know what it is. better yet, since the password should be stored in hashed form, just changing that string would change the password to one that is unknown or even impossible. that's how i lock unix accounts.
It depends whether they had permission from the owner of the system. An employee who tampers with passwords may violate the CFAA but if the system owner (MoviePass) authorised it it's fine and dandy, the users have no particular rights there.
LOL explains why I kept "forgetting" my password and had to reset it a bunch of times!

PS. Thanks to the investors of MoviePass for giving me an appreciation of independent and foreign cinema.

I used my moviepass only to buy tickets to my local independent cinema!

I have to thank those venture capitalists.

Is there any fail-safe law out there that catches all loopholes in existing laws?
There is no need for laws for this stupidity. Unless you want to consider the laws of economics.

Namely: Create a shitty business model that depends on treating your customers like shit and you can expect to out of business as soon as your venture funds dry up.

This is the sort of problem that solves itself.

Either that or people can keep giving these jokers money, wait for some lawsuit to happen and then in 7 or 8 years after the lawyers take their cut you can expect a check in the mail for 4 or 5 dollars.

But it can still take a long time for a problem like this to solve itself, especially, in an area dominated by a monopoly. So the need for laws for this is not completely unnecessary.
> This is the sort of problem that solves itself.

Unfortunately it doesn't. If you've ever watched the UK TV series "Watchdog" you'll see time after time people set up businesses, rip people off, go bankrupt, rinse and repeat. Game theory trumps economic models here - and the rules of the game are whatever loopholes these people can find.

To be fair these cinema clowns haven't done anything much worse than a 'fair usage policy' on a mobile phone offering 'unlimited calls' would do. They were sly about it rather than upfront. They could have just introduced new terms as of the next payment. But the general point is about the free market sorting this sort of thing out doesn't work.

Yes there is, "honest services".

Should there be a catchall law that criminalizes unspecified bad behavior? No. But there are a few.

There's no way to write such an "open-ended" law without it being just as open-ended for arbitrary abuse by police and courts.

That's the principle why the "letter of the law" needs to be followed, not the "spirit of the law" which isn't actually defined. (E.g. a legislature can pass a law but each representative could be voting for it for a different "spirit" or intention, while the wording is the same.)

“with the hope that a majority of users wouldn’t see more than one movie a month, much in the same way a gym offsets high overhead by relying on members who hardly ever show up. The problem is that people enjoy going to the movies in a way that they don’t particularly like going to the gym”

Ha !

Hilarious quote. Imagine opening a bank that lets you get free unmetered cash at ATM's, on the theory that it will be like free drinks refills at restaurants, because how much spending money do you really need? Except "ooops, it turns out people really like money."
never heard of my dad then that will put a dvd in on loop for a few weeks. He has a player going into a TV splitter, so or movie channel is literally _a_ movie.
i used to have a raspberry pi wired up for exactly this purpose. it just played random files from a folder on a NAS.

the main advantage being no UI to run on the pi at all.

I’ve experienced something similar with ebay and paypal, 100%.

Suddenly and out of nowhere I couldn’t login to either and had to do “forget my password” for both of them.

This triggered a several month long incident of my old passwords allowing me to log in and my new password working some of the time. I have absolutely no explanation of it but it got the to the point of having the small number of passwords I’ve used for both of them written down next to my computer. I could type in the same password three days in a row and it worked, and then the fourth day it stopped working and the another old one worked.

Deeply frustrating and still no explanation for it.

How would this apply to Ebay and Paypal? As far as I'm aware your use of those services doesn't impose a similar financial burden. Moviepass is fairly unique in having a pathological business model like this.
I've also had inexplicable password issues with ebay like you mention above - paypal not that I can recall.
It’s somewhat of a relief to know it wasn’t just me...
I wonder if it's a database consistency issue, where there are several copies of the data and they have gone out of sync.
Did you file too many tickets/refunds? I heard from a friend (PayPal helpdesk employee) that they just close your account if you file too many complaints. Which is rather clever because even if it isn't true such urban myth has an effect.
Bank of America just tells you your password wasn't right if you are on a VPN. It's terrible from all angles and the only way to find out is to guess what they're problem is or search for forums where people have had the same thing happen and figured it out.
They must use a boolean of “is-vpn” as a (part of) salt for your password.

The worst thing is that they can’t even tell themselves if that boolean has to be true or false because of all the hashing.

/s

Sounds more like they have a blacklist of VPN IPs and just give the "wrong password" message if you try to login from one.
In terms of financial strategy and moral compass, this company looks like a good fit for a takeover by Uber.
I think there’s a general pattern here.

A subscription company can make its service hard to use and decrease usage and therefore costs to increase profit.

But it’s at the expense of long term profit as users gradually get fed up and leave.

Remember, the ideal situation for a business to be in is you paying them, while they do nothing.

Moviepass took this to a whole other level.

We have a similar subscription model in the UK for Cineworld. For a monthly fee you can go to the cinema as much as you like.

The key difference is, the monthly fee costs about 50% more than a single ticket, and you’ll be lucky to have more than 2 or 3 movies you want to watch each month, with the obvious dry-spells where nothing really appeals. Since it also gives a discount on snacks (already hugely expensive), it’s just a way to sell more sweets and pop.

It pays for itself after two films, when there are two worth watching, and as long as you don’t bother with snacks. Cineworld easily claws back some of that money when you skip the cinema for one month, or only go once.

It seems a lot better thought through than what turned out to be a free-for-all cinema subsidy with MoviePass.

It's the same with AMC stubs A-list in the US except for more of a premium; ~200% of a standard adult movie ticket, $22 a month (if you don't go to certain states) and only 10% off concessions. It's better if you have a theatre near you with IMAX/Dolby/etc. showings since it's the same price.

https://www.amctheatres.com/amcstubs/alist

Also lets you jump in front of people in the concession line. With the result that I (a non-A-List-member) will never buy concessions from them again. Which is kind of a good thing for me all around, actually, since I probably shouldn't have been in the first place.
I find it strange that the overall concept seems to work fine in the UK but not the US.

...like I'm basically in the cinema 2-3 times a month and that's been going for years

It works in the US too. All of the major chains offer subscription services now.

It didn’t work for MoviePass because they are a third party and charged less than the price of a ticket per month.

Pretty sure NordVPN have recently started applying a similar tactic. The apps (on all platforms) have all seemingly started logging you out between use (after a small period of time has elapsed). Presumably the hassle of logging back in decreases usage, but customers keep paying.
(comment deleted)
Why would they do that? I'm renting VPS for around $1/month and it can serve 5-10 VPN connections (well, not very loaded I guess, but it works just fine for average users). They're asking $2.62/month. So their margins are massive.
They quite literally have thousands of servers all around the world, many of which they need to go the extra mile with to keep off Netflix blacklists etc. so the service itself is very different to spinning up a single VPS.

In terms of utilisation; a significant portion of their users use the service for P2P (there's even dedicated P2P servers) and many more users such as myself for streaming (around geo-blocking).

Utilisation is public and many servers are indeed frequently near max utilisation, even when there are hundreds in a region. Decreasing utilisation at that scale will have a significant impact on profitability.