Ask HN: Threated with legal action if I don't remove deep links to another site

31 points by shepherdjerred ↗ HN
Hello HN,

I'm looking for some advice. I'll keep it short. There's a site called Skill Capped[1]. They have videos that help you get better at the competitive video game League of Legends. You can pay monthly for access to these videos. I subscribed and quickly found their site to be unusable. They have about 1000 videos which are organized into groups called courses. Their website has no search bar, and uses a single-page design with lazy loading. In practice means that CTRL-F in-browser search doesn't work (because of lazy loading and windowing/virtual lists), so there is absolutely no way to search the site without programming knowledge. The website altogether is very hard to navigate.

In response I created a thin wrapper around their site called Better Skill Capped[2]. It's a React web app with no backend. It has basic search and filter functionality. It also contains deep links to download the videos that Skill Capped offers which allows for me to watch in VLC and on my phone. It's very convenient, so I shared it with other subscribers. I don't monetize or plan to monetize the site in any capacity.

The owner of the site reached out to me and claimed that I'm committing copyright infringement by allowing anyone to click these links and access their videos without paying. All I do is link to the .m3u8 files stored on their server. There's nothing more going on. As far as I know this is completely legal.

While I don't wish for my site to be used to circumvent paying for their content, I also don't believe that I'm doing anything wrong here. I want to provide a better experience for those using the original site, and a download button is a part of that.

So, in summary, is deep linking to a video hosted by another site at all illegal? Is anything that I'm doing here illegal/immoral?

[1] https://www.skill-capped.com/lol/browse

[2] https://better-skill-capped.com/

58 comments

[ 4.7 ms ] story [ 132 ms ] thread
Interesting question. This is not legal advice so take what I say with a grain of salt.

I think there is an argument to be made from both sides. On one hand, they are providing public URLs and they are the ones who should implement security mechanisms in order to avoid what you are doing with their content. There is also precedent regarding web scraping (which is not exactly what you are doing, but some arguments still apply). [1]

On the other hand, just because you attribute ownership to them in regards to their content, it does not mean you are not infringing copyright.

[1] https://news.ycombinator.com/item?id=22180559

I am not a lawyer so please consult a lawyer before taking any action. The fact of the matter is they own the copyright on their videos. And while they don't have any security persay on their videos beyond the obfuscation of the urls that does not change the fact that you do not have permission to share those links to said videos.

Those links are provided to paying customers. By sharing them to non paying customers you are effectively breaking their digital rights management of their content (as awful as it is). Thus they are fully within their right right issue you a cease and desist and follow up should you fail to obey.

Again. Not a lawyer. Consult a proper one before you take any action.

> have permission to share those links to said videos.

Also not a lawyer, but links aren’t copyrighted and don’t require any special permission to share.

The reason why pirate bay and others got in trouble for sharing links is that they were linking to copyright infringing material.

Linking to the copyright holder where they publicly host content is not the same.

If they have want restricted access then they should configure restricted access. This is why Netflix makes you log in, etcetc

Signing up for a subscription to a site and sharing the acccount is illegal. But there you are essentially just sharing a link that contains a secret. That secret is the username and password. But nothing wrong in that secret being a uuid, which is what we have in this case.

Not saying that their “security” is snot bad. But you can’t defend a car theft by saying that the defendant left the key in the ignition.

Those links are public.

I can sell my public website to paying customers, but cannot prevent non-paying customers to see the links. There is no TOS or agreement with non-paying customers to agree to pay me money, they are free to click on links.

Their digital chains management is not affected.

Your best statement is your last paragraph, you are not a lawyer.

Can you do a Google search and have a result that includes the secret videos? If so, maybe replace your direct links with links to carefully crafted Google search results, which happen to include only the desired secret videos? Not legal advice; for entertainment purposes only.
(comment deleted)
IANAL, but... ethically (I am not stating a legal opinion), you're just linking to a public URL, which doesn't feel that awful to me. They should really have a login on anything they want to gate access to.

As for the legal warning, I feel like their lawyers are about as competent as their web designers in that regard.

But, that all said, is this _really_ the hill you want to die on? They can be wrong and still cost you a fortune.

While it's their fault they don't put authentication on their videos, you are certainly are not entitled to share links to content that is for paid users.
Even if he is entitled to, doesn't mean he should - and certainly not continue to do so after being asked not to.
I would suggest a 3rd option. Offer to do some security consulting for them, they obviously need it.
Feels like you fired the first shot by calling your site "better-<their-domain-here>".
It's an apt name :)

Really I just wasn't feeling super creative, and I felt that it got the point across.

If the videos are accessible through a public non-signed URL then the owner of that website is an idiot.

Now regarding whether what you are doing is legal or not, I think it depends entirely of how you’re retrieving those URLs and if they can really be interpreted as being “public”. Are you “figuring out” the urls or are they simply there hidden in their front-end source?

In any case, he is the owner of the videos so he definitely has a legal ground to claim that what you’re doing goes against his copyrights, mostly because you’re facilitating some circumvention of whatever he has in place to keep them invisible to non-paid users.

I think what would be totally fair game is for you to put the source code in GitHub and let anyone run a version of your React App but INAL, so don’t take my word on it.

In any case, the owner should be more worried about to protecting his videos through a proper authentication system and not so much about the one guy who wrote a wrapper around his crappy website.

Just to be clear, I believe the owner is totally in his right to protect his creative work in any way he deems appropriate. I’m just baffled by the idea that his first instinct isn’t to fix the root cause of the issue.

The project doesn't involve any scraping. All of the site's data (i.e. a complete list of videos) is embedded in the HTML that they serve as a JSON blob[1].

[1] https://lol-content-dumps.s3.amazonaws.com/courses_v2/lol/co...

I checked given json and found no links to videos, just UIDs. So, yeah you helped me to get unauthorized access to videos i was not intended to get. Now, it all depends on your jurisdiction if its punishable or not.
To clarify it can be derived with the JSON blob and the public website source.
:/

You're pretty clearly being a bad actor here.

Links to videos on their site that you need to log in to view? Totally no problem and they'd be unreasonable to complain.

Deriving direct links to private content to make it accessible to the general public? Doesn't matter if their content has the security of a wet cardboard box, you should not be doing this.

I think they should probably be fixing deep linking to the content working for unregistered users instead of threatening you with legal action, but that doesn't make what you're doing OK.

I agree, I've worked with universities who share content as private youtube videos, heck even businesses use "private links" accessible by anyone who has the link for spreadsheets etc.

I don't think you have a guilt-free position, the fact your website is public puts you at risk of litigation (not a lawyer.)

that sounds more like a security hole that should be reported to their admin
I guess the question would be: is this JSON blob available before you identify as a paying user or after ?

If it’s before, the website have a serious conception problem. But if it’s after then it’s not « public ».

In any case (but IANAL) it’s not because you can hack it that it’s ok to do it.

The JSON blob is accessible before logging in.
Please be precise: are the JSON blob, the location of this blob, and the "website source" (as any other item that you used in order to reach the videos) "accessible before logging in"?

Can a non-registered user read all these?

I am not a lawyer... but if I was, I would put forward a case that you created this site specifically to help people access content they had not paid for. I would give examples of many other sites that rely on URL obfuscation to protect content and show that you are circumventing the protections that have been put in place by the content owner. I would also say that because you published this site on the internet with its own similarly-spelled domain name, that you fully intended for this site to be publicly accessible and be used by many other paying and non-paying customers.

So yeah, in my opinion what you're doing is definitely immoral, but whether it's illegal or not doesn't really matter, because you just need them to have a reasonable case to force you into expensive court proceedings. If this site is just for your convenience, why publish it publicly anyway?

It's public because I wanted to help others who had the same problem with discovering content on the site so that they could get the most out of their subscription.
Then you should have restricted the downloads to only users that can prove they paid for the subscription.
I am not a lawyer but personnly I think the fact that you are hardlinking the download links of the premiums videos is a really unethical behavior.

Lets say you were doing the same thing to any big company that host premium video content like Netflix (if they didn't had security mechanisms), you would be likely to get sued.

Why would anyone pay for their service if they can access it for free with your website?

Sharing with friends and public references that publishers provide online is nature of Internet. It is not "really unethical", to contrary, it is very ethical to share.

If somebody complains "I am losing money because you pointed to my website links" -- must have some serious internal legal and technical conflicts.

Keep sharing.

Just because your lawn has no fence doesn’t mean I’m entitled to your lawn games.
(comment deleted)
Did you offer to help this person improve their site first?
If you needed privledged access to get the url's and are then using them in your own solution you've most likely violated some TOS, and they can argue you're sharing privledged information. It doesn't matter if the links are accessible without an account if you need an account to get the links in the first place.

Understand that their website, terrible as it may be, is apart of their product. Browsing on their platform is apart of their business and they can argue you're taking that away by aggregating privledged links on your own website.

Also understand it doesn't matter if you're legally right or not. They probably have more money than you, and defense of a case is a minimum 80k. You would have years of back and forth and a judge that doesn't understand tech doing summary judgement. U.S. civil system is entirely broken.

Change it to a tinyurl and send the lawyers after them. ;)
Not a lawyer.

Yes, you're using the same or similar name and that may confuse users (trust me, more often than not users are [very] easily mislead [- ever heard of dark patterns?]). You can do what you're doing but you need a new and different name and the same about its content applies - the videos, images, aesthetics or whatever from the original one. That way you'll be competing against them, until then you're just outright stealing everything or impersonating from them.

Next time you want to do something like this approach the site owner and ask them if they are interested in a new visual or whatever and show them your prototype (make sure it's either private or password protected). If so you might even earn some money.

I wouldn’t be worried about the copyright implications nearly so much as I’d be worried about the CFAA, state equivalents, and similar statutes, assuming you’re in the U.S.:

https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

It does not apply as hyperlink is public, referencing to someone's hyperlink published by someone is not a fraud neither abuse.
It appears that you may not have read anything but the title of the act.

“Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer;”

Would you want to go to trial over whether circumventing security through obscurity qualifies as access without authorization or exceeding authorized access?

(comment deleted)
That is great service, thank you. Please keep deeplinking.

Quote:

Deep Linking: The most straightforward case is so-called "deep linking," which refers to placing a link on your site that leads to a particular page within another site (i.e., other than its homepage). No court has ever found that deep linking to another website constitutes copyright or trademark infringement. Therefore, you can link to other websites without serious concerns about legal liability for the link itself, with the exception of activities that might be contributory copyright infringement or trafficking in circumvention technology (discussed below).

From: https://www.dmlp.org/legal-guide/linking-copyrighted-materia...

https://en.wikipedia.org/wiki/Copyright_aspects_of_hyperlink...

You’ve done something nice with the site but in the process you affected the content owner’s income. Since you mentioned a few times that the content itself helped you and you obtained value from it, consider respecting the owner’s wish not to publish those deep links.
A legal threat seems unreasonable.

You have a first amendment right to type strings on your web site.

The target of the links has the right to respond to them as it wishes (e.g. looking at the referrer link and put up a 404 or whatever response they wish).

They could also list their pages in a robots.txt which you should be kind and respect.

BTW: good work! Sorry it came to this.

robots.txt is well... for robots. It is not a binding agreement, it is a preference by website owner not to index some pages in search engines.

Public pages are still public pages, and regardless if they are indexed in search engines, everyone is free to to hyperlink to such.

I agree with you but apparently some do not!

As for robots, well it’s expressing a preference which I shy I said “be kind”. In particular I believe the OP is mechanically building the indexes so it makes sense.

But yes those pages are provided for the public’s use, else the people posting could have taken steps to change that. I don’t feel the OP did anything at all wrong.

Don't take legal advice from a website called Hacker News. Talk to a real lawyer or shut it down.
In your place (I would first talk to a lawyer to verify whether I can do the following):

I would comply. I would stop helping them by providing the service, as soon as humanly possible.

On its place, I'd show the scary letter, verbatim, and an explanation that, due to the scary letter, I am no longer willing to help Skill Capped by providing the service.

While at it, if at all possible, I'd suggest people just unsubscribe from Skill Capped.

I would also link some resources on the evils of recurring payments in general, for added damage.

In short, fuck them. You've wasted enough of your time and effort already. They don't deserve your help.

So a company created a product (videos) and now charges access to them.

You created a website that clearly utilizes the company's name and offers their product, which you acquired in a devious manner, for free.

What is ethically unclear about this situation?

The fact that it's publicly-accessible is irrelevant. If I leave my front door unlocked, does that give you a right to rob my house?

It’s the age old question asked since the dawn of the internet: “How can i be doing anything bad, when stealing their content was easy?”
I’m starting to suspect the OP is the actual site owner and this is some attempt to drive traffic to his business by feigning as a bad actor trying to hurt said business.
Hi it's Jeff D the pastry man. I think at this point consulting with my Staten island family friend the gambinos columbos francgese fitti cousins that bit only will you do 25 plus years in solitary confinement we talked it over and for your best interest we agreed that you need to cut especially me and the 5 plus families 65% of what your streaming Yes my lawyer is a pitbull and the judge went to my college football team u suggest if you want to see daylight again you do the right thing. My boy Joey D said u got one shot. You do git one shot they say. You do t call tomorrow nit only will these pissed off Italians talk you down but your getting the book thrown at you. Be smart it's all my content and my girls too. As me c Gambino says now you have to own up to it. Don't fuck it up. 862-260-7868 willing to work one shot
There's a better option you could have taken and possibly still can take. Explain to them what you did, why you did it, and the value it would bring to their site. Then offer to make it available to them for a reasonable fee. That way you've solved your problem, made some money, and made things better for users. It's win-win.
Yeah... they might very well just view this as added extortion.