Ask HN: Take down my reverse-engineered Snapchat lib because they asked?

194 points by tlack ↗ HN
A few months ago, I spent a couple days reverse engineering the Snapchat protocol and wrote a quick and dirty library to use it in your own PHP apps:

https://github.com/tlack/snaphax

Today Snapchat has written me requesting that I take it offline:

    Hi Thomas,
    I'm writing to ask that you remove Snaphax from github
    and no longer publish or distribute it. Snapchat does
    not permit third party software to access our API and
    we consider Snaphax to be an unlawful circumvention 
    device under 17 U.S.C. § 1201(a)(1).

    Please confirm that it has been removed by end of day
    Monday, July 22nd.

    Thank you,

    Micah Schaffer
    Snapchat, Inc.
I haven't had much time to really finish Snaphax (and I doubt I ever will) but I strongly support the idea that third party software should be able to interact with the services I use every day.

I am under the impression that reverse engineering is still protected under fair use doctrines. Is this the case? How should I respond, if at all?

136 comments

[ 3.1 ms ] story [ 182 ms ] thread
I'd consider it good-faith reverse engineering for the purposes of interoperability.

I'd ignore it. If they want to go hard-ball they'll threaten to sue/actually sue. Until then keep silent.

It looks like the law is written to prevent people from writing code to decrypt or descrambler signals (like cable TV or payperview). But I'm not a lawyer. Is there a place someone could post the code anonymously? My guess is this is a threat which wouldn't hold up / but they also have cash and lawyers, which is most of the legal game anyway. Good luck.
Whatever you decide to do, don't make posts like this that could potentially be used against you.
Just how can this post be used against him?
Anything you say can be used against you by a creative lawyer. Hence Miranda for criminal suspects. In civil cases you don't get that warning, but it's generally best to keep your mouth shut except when talking to your own attorney.
Simple things like being able to prove that OP received the request can be useful to an attorney.
Ignore 99% of the responses in this thread, particularly any that say "I think...", "It seems fair...", and so on. You're in a legal situation here, if you are worried, contact a lawyer.
Agreed, talk to an attorney.
Agreed, never hesitate to drop $10K on an attorney for any request like this, even if it bankrupts you. Better safe than sorry.
What, really? $10k on an attorney for something like this? Seems a bit excessive... they haven't even got their lawyers involved yet.
That's only 20 hours of a good attorney's time, plus his/her expenses. One wouldn't want shoddy representation on such an important matter, right?
I guess that's what I'm confused about.. No legal action has been taken (or even threat of legal action), so isn't that overkill at this point? Seems like something that would require a few hours of advice at most. Perhaps I'm vastly underestimating the legal ramifications here.
Sorry, I'm being sarcastic. It's a pet peeve of mine that people say to lawyer up at such early point.
I think he's asking for moral, not legal advice.
Asking for moral advice when you need legal advice isn't a good idea. The two are often conflicting.
Save the lecturing, you don't know if he needs legal advice. Maybe he has already gotten legal advice.
The quote below is decidedly "legal" in nature. The meta-question of whether the author is interested in moral guidance or legal advice is immaterial, as the framework within which Snapchat is operating is legal.

> I am under the impression that reverse engineering is still protected under fair use doctrines. Is this the case? How should I respond, if at all?

Speaking as someone who has been involved in an arduous civil matter for the last four years, matmaroon's advice would be well heeded.

I would also like to point out to tlack that prior to having been dragged in to a civil suit four years ago, there was no shortage of people (pseudo legal professionals and otherwise) that were all to happy to shout at me with a similar refrain:

"There's no way they can sue you for that."

"No way a judge will even allow this case."

"This case will be dismissed after the first hearing."

When someone sends you a letter like this, the first decision you have to make is "how much is this thing worth to me". Once you've decided that it's worth fighting for, your best counsel will come from a lawyer, who can help you determine the thing that really matters: how much it's going to cost you.

If the moral advice is punt it, the legal issue is moot.
Bunk. He spent 2 days on a hobby project with no hopes of ever making any money off of it. It makes no sense to spend time and money consulting a lawyer over this.
Then it also makes no sense to not comply with the request. "It was just a weekend project" is not a legal defense.
If I complied with every request like this, I wouldn't have made a single successful website. You shouldn't be so afraid to stand up for yourself. Entrepreneurs need to have thick skin and not buckle under every little bit of pressure.
Every website you made received requests like these? If you don't mind me asking, what kind of websites do you make? I've never received requests like these myself.
I have been asked to remove profiles, data, images, features, the entire website, the domain, links, the list goes on. Sometimes just a few, sometimes an amount that would cripple the business. Most of the claims are overreaching bullying or ignorance. Sometimes they are just completely out of their mind nut jobs that don't understand how stuff works.
They haven't spent money on a lawyer yet, so why should he?
I'm writing to ask... we consider....

Assuming the posted letter is complete, a lawyer can't really do anything at this point. The letter (or is it actually an email?) doesn't invoke any requirements one is bound by law to obey. One might even say that it's careful not to do so, so I suspect that even though the "Director of Operations" signed it, it was originally written by a lawyer. This would actually be a useful form letter for people who have their underpants on a bit too tight: even if they send it five times a month, it doesn't create any sort of SLAPP liability or anything else that will damage Snapchat in a legal sense. Of course, giving someone 12 hours to comply with anything looks like amateur hour. tlack isn't the only party reluctant to run up billable hours.

IANAL. If I were, I would recommend you start paying me or one of my colleagues to talk with you immediately.

> Assuming the posted letter is complete, a lawyer can't really do anything at this point.

A lawyer can analyze the facts of what you have done, and provide you with advice as to whether it is likely to be found to be an anti-circumvention device under the cited section of the DMCA and, if so, what the likely consequences of that are and what steps you can take to mitigate any exposure you might have in that regard (including, if there are any, steps short of taking down the existing offering.)

Of course, you could wait to see if they actually file a suit rather than having a lawyer look at the C&D, but if you do that, then there will be less, not more, that a lawyer can do for you.

...there will be less, not more, that a lawyer can do for you.

At this point in time, OP can take down the repo (but not the 115-and-counting forks thereof), or modify it (someone suggested removing keys issued by Snapchat), or not. How will this set of options change if Snapchat file suit? Of course one must respond to a suit, but couldn't one's response be "ok we've complied with all requests"?

If you're telling me that the suit could allege OP owes Snapchat money for his/her misdeeds, that's true, but it's always true, even after one complies with the sort of namby-pamby "C&D" we see here.

If Snapchat files suit, all of the options that might have avoided a lawsuit are now off-limits. Assuming that's a non-empty set, a strict subset of the choices currently available will be available at that point in time.
Snapchat will not have all of the options available to them until they send a valid C&D.
Is that true? I thought it only applied to suing ISP if they failed to preserve their safe harbor status.
C&D's are usually courtesies to avoid prosecution, rather than legally required. (DMCA takedown notices have particular effect with regard to safe harbor, which -- because the DMCA is involved -- may be what you are thinking of, but this isn't a safe harbor issue; it would be if they were trying to get github to take it down, but that's not what is going on here.)
Which specific aspect of this package constitutes an "unlawful circumvention device"? If the Snaphax class instantiated a different low-level class from SnaphaxApi, that was written to a slightly different API, would it still circumvent? If so, why must the entire package be taken down? If the code here was used but pointed at a proxy, would the distribution of code itself still have limited commercial purpose and be designed or produced primarily for the purpose of circumvention? The actual USC section (Schaffer has the wrong subsub: it's (a)(2) (and maybe (b)(1)) not (a)(1) that governs "traffic in any... device") refers extensively to copyrighted works: what copyrighted works are referenced here? Do Snapchat claim copyright in their users' images? If not, what do they mean here?

Without specific answers to many of the foregoing questions, this message amounts to asking OP to forego all use and value of work that OP has personally performed, merely on Snapchat's say-so. So, actual meritorious C&D's require some actual work on the part of the sender. This letter took some knucklehead five minutes, so that's about what it's worth.

C&D's are usually courtesies to avoid...

...the expense of an actual lawsuit. In many cases a vague and overbroad (see above) message is mere bullying, attempting to imply threats that would be impossible to articulate or enforce. Papers filed in a court are held to a higher standard, and penalties are enforced. The fact that OP might be well-advised to retain counsel in response to this turd is an indictment of the USA legal system.

I don't think that is true. Plenty of companies are sued without notice for patent infringement. It's not generally the case that you have to notify the parties to a suit before initiating it.
(comment deleted)
A lawyer can give you legal advice. That is a lawyer's job.

You do not need to wait until you are sued or prosecuted to get advice from a lawyer.

They say "we consider Snaphax to be an unlawful circumvention device under 17 U.S.C. § 1201(a)(1)."

They are implying he would be subject to lawsuit and/or criminal prosecution if he keeps distributing the software.

How likely is that to happen? How risky is it for the guy? How expensive might the defense be, and how much pain might this be for a weekend project?

I'm not really sure. But you know what class of people are expert at answering questions like that? Lawyers.

But, sure, if the poster want to keep it up anyway cause you think it's bullshit and are willing to see what they do next, certainly that's another option. It's potentially a brave and commendable one.

But I wouldn't do it because a bunch of people on HN who don't know what they're talking about told me that since they didn't use some special magic words in the letter, there's "nothing a lawyer can do", what?

>12 hours to comply with anything looks like amateur hour.

For what it is worth, we were given a few days in a cease and desist letter recently and our $250/hr lawyer laughed at the idea of just a few days notice. 12 hours or even a few days now doesn't seems serious at all.

A lot of times when you use a product, you're required to agree to an EULA wherein you promise/commit to not reverse engineer a product or its protocols. If you did use snapchat as a registered user, this issue could affect you negatively.

Another alternative is to mail them back and ask them for clarification. Why do they consider it an infringement?

The law clearly states the following:

  (2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that—
  (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
  (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
  (C) is marketed by that person or another acting in concert with that person with that person’s knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.
The way I interpret this is that if one is overcoming some encryption or authentication scheme, it may be disallowed under the law. If one is simply observing a protocol online, then one may be doing something bad as this says.
Yeah, isn't that one of the things that ended up getting geohot in trouble with the PS3? They found an account where he had agreed to the TOS, thus putting him in violation of the same?
It depends on your location - in sane jurisdictions, EULAs aren't worth the paper they're not written on. But it looks like that USA is not one of them.

At least for me any EULAs that aren't signed before purchase (i.e., all shrinkwrap or clickthrough "agreements") aren't binding unless I choose to - B2B sales with explicit signed contracts would be binding; or if I want to do something that by law requires permission (i.e., redistribution instead of just using the software) then I might accept an 'EULA' such as GPL.

Law always depend on the local jurisdiction. You are spot on that observation.

EULA is regarded as a contract in "most" (or all?) jurisdictions, and as such, depend on contract law to define what is allow and what isn't. EULA's is also regulated under consumer protection laws. Since each state in the USA have slightly different kind of consumer protection and contract law, one would really need to dig down into the law books to decide if the EULA is at all legally binding in a specific state.

But I have one correction to mention. Copyright licenses are not viewed as contract in the USA. Copyright licenses like GPL are granted permissions, waiving the right to sue distributors under specific situation. If the distributor get sued for distributing GPL software, then it is she who must raise the license as protection. "I got right to distribute this copyrighted work, because I received this license who says I can". The license "terms" only specifies under what situation permission have been given.

In EU however, licenses are contract and under contract law. As such, the permission to distribute can be revoked if contract law has been violated.

Like many others have said, it would be best to consult an attorney if you're concerned.

However, while you may not be able to distribute software which uses the API, I think many people would enjoy/benefit from a post describing how you reversed it and what steps you took to create the library.

You have created a good Streisand effect here. I approve :) Even if a lawyer advises you to take it down it will be cloned more than enough times for the IP to be preserved.
I'd take it down if I were you. It's not worth it. If you do feel really strongly about keeping it up for moral reasons, then contact a lawyer.
There's no "fair use" defense because they aren't asserting a plain copyright violation -- they're asserting that using their API is a DMCA violation. I'm not a lawyer, but this seems laugh-out-loud crazy of them, and I'm not aware of anyone trying that claim before.

So if you want to resist, you could start there: by finding out (possibly by asking a lawyer to talk to them) how they think your tool is acting to "descramble a scrambled work, decrypt an encrypted work, (or equivalent actions)". If you want to do this, you might consider reaching out to the EFF for help.

Morally, I think you're in the clear for the reason you already gave.

It may be dumb, but it's not laugh-out-loud crazy. In fact, it's specifically one of the things that the DMCA does. Here's a whole ton of information about the law: http://chillingeffects.org/reverse/faq.cgi

And here's an article from the EFF with a few citations of cases where DMCA article 1201 has been used: https://www.eff.org/es/wp/unintended-consequences-under-dmca

> In fact, it's specifically one of the things that the DMCA does.

Well, the specific thing the DMCA does is to stop circumvention of an "effective technological protection measure". The crazy thing here is that there is no such measure: no use of encryption or scrambling -- or even passwords! -- that I can see, just simply using a network service's exposed command set. That makes it different to most (if not all) of the case law your link mentions.

A private (that is, not published) API Key sure sounds like a protection measure to me.
So they can revoke the key.
It doesn't sound like the published API key is the problem here. They can revoke the key, and other users of Snaphax can put their own in the code. I think the larger issue is the reverse engineering of their protocol.
If you're using their API (which they host) without consent then you may well find yourself on the wrong side of computer misuse acts.

So this is definitely one of those occasions that legal advice is required, not moral advice.

I considered forking this, but how about doing the bastards one better?

You've already got a client library written--why not go ahead and post up a conforming backend as well? If you want, shoot me an email with your doc'ed API, and I'll shoot you back (gimme a week--things on fire right now) a simple Sinatra mockup.

Clean room all the things!

EDIT:

For an idea of a quick hack of this variety, see my work from last week -- https://news.ycombinator.com/item?id=6065652

The request might be unfair, but I wouldn't risk it.
I hate to play devil's advocate here (especially since I already have a post here) but I had a thought. For Snapchat some of the biggest selling points are the self destruct abilities of the media sent. So an unauthorized client puts a stake trough the heart of that claim (and the company). I see why they may be worried, but I think that they should have communicated their concerns more clearly and pleading, and not intimidating.
Exactly. "Self destructing" messages are an illusion. Publicizing this fact may be bad for Snapchat's business, but it's good for their users who have a false sense of security.
When I heard of snapchat I spent two seconds figuring out that turning off your data connection after receiving the photo allows you take as many screenshots/view the picture as many times as you want (I have no idea if this still works).
The product is untenable, as it is impossible to guarantee that the message is not copied when it is viewed. No amount of pleading or threatening will change that.
So why create the app using an API that makes it so easy to interface with via HTTP? I guess it's just a case of "when all you have is a hammer..." thinking. If the differentiating point of your app is the self destruct feature then a more closed communication channel should be utilized. The snapchat developers have nobody to blame but themselves.
If they rely on the client to determine when things are deleted from their service, they're doing something wrong. Never trust the client software! The only thing a rogue client should be able to do is surreptitiously send a copy of your pictures Somewhere Else (for storage). All the pictures sent to Snapchat should get deleted on schedule, regardless of who or what sent the pictures.
If they allow the client to display the image, they allow the client to do anything with the image. Of course they stop serving images on a particular schedule. (I sort of doubt they stick with that same schedule in deleting from their central storage, but whatever.) Since Snaphax is completely client-side, however, their server policies are irrelevant.
And...... cloned. Sure go ahead and take it down XD.
(comment deleted)
They give you less than 12 hours to respond? Really?

I would seek a lawyer if you can afford one and if not, then you can't afford a lawsuit either, so in this case, pull it offline. If you do the latter, you should post the results of your research somewhere, this can't be taken down as it is sharing information and not an API tool.

I've just forked it on Github, as have 25 others (as I write this).

As with file formats, the notion that network protocols & APIs should ever be granted any type of protection and that no-one other than the creators should be able to write software that conforms to these protocols is ridiculous.

Snapchat, in my view, have every right to restrict who uses their service and in what manner - via standard mechanisms like API keys and login credentials. But preventing third-party implementations of protocols or APIs is so 90s. Oracle had a bit of trouble with this recently.

One problem I'm personally trying to remedy is the proliferation of various APIs and protocols for accessing various online storage services (Dropbox, Google Drive, Box etc) by developing an SDK that supports all of them. We need more of this kind of these kinds of projects, not less.

Micah Schaffer, if you're reading this, you're welcome to send me a takedown request and discuss the issue with me. My email address is in my profile.

EDIT: It's at 62 now. I wouldn't be surprised if even Barbra Streisand has forked it.

"But preventing third-party implementations of protocols or APIs is so 90s."

I think the impending 3Taps (padmapper.com) v/s Craigslist case[1] will shed more light on this. padmapper were using Craigslist data that is 'freely available' and Craigslist didn't like it.

[1] http://www.dmlp.org/threats/craigslist-v-3taps

I don't think that's relevant at all. A "protocol or API" as the GP mentions exists independently of the entity which created it. PadMapper, on the other hand, is actively accessing Craigslist against their service's TOS.
IANAL, but it seems to me like browsers are violating their terms of use, too:

Any access to or use of craigslist to design, develop, test, update, operate, modify, maintain, support, market, advertise, distribute or otherwise make available any program, application or service (including, without limitation, any device, technology, product, computer program, mobile device application, website, or mechanical or personal service) that enables or provides access to, use of, operation of or interoperation with craigslist (including, without limitation, to access content, post content, cross-post content, re-post content, respond or reply to content, verify content, transmit content, create accounts, verify accounts, use accounts, circumvent and/or automate technological security measures or restrictions, or flag content) is prohibited.

I don't believe they can (or perhaps "should be allowed to") stop people from accessing their site via http (which is a protocol or api). Either way, it feels the same to me; I think it's relevant.

Right, I'm not saying whether Craigslist is justified here; just that the situations are different.
forked. 80+
I've actually amended my fork now to remove the API keys, adding the following instructions:

  /* Instructions for usage:
     1. Replace YOUR_SECRET_KEY and YOUR_STATIC_TOKEN in the code below with
        the values you have to access the service.
     2. Fill in SERVICE_URL with the appropriate endpoint. */
Not that it's going to stop anyone from going to any of the other forks or retrieving the previous revision of the file, but at least I've now only got up what I believe to be genuinely acceptable.
Forked - at least startups should know how to behave. Truly shameful

https://twitter.com/ansimionescu/status/359361709904891904

Edit: Why not use some of these https://www.google.com/search?q=pro+bono+lawyer+advice

It always amazes me how often this lesson is taught and how often people fail to learn from it ;)
What's annoying is that SnapChat got lucky, real lucky, and now they're acting as if they have a secret sauce worth protecting. Jokers.
A few weeks ago I was halfway through the process of reverse engineering the Snapchat API myself, when I found your library. I just wanted to say thanks for saving me so much trouble.
Quick, everyone fork.
If they really had any standing, wouldn't they have sent the DMCA takedown request to github instead? Or are they just afraid it would be negative on their part to be permanently in https://github.com/github/dmca?
"Written" as in sent you a registered letter? Or was this an email?

I don't know anything about the Snapchat API but if it's simply undocumented I don't see how that would be a "technological measure" of "effective control."

If you had to sniff or crack an API key of some sort, maybe that does.

In any event, it seems like a friendly enough request, maybe take it down as a courtesy pending their clarifying exactly what "technological measure" of "effective control" they think it "circumvents." Depending on their response and how much you think you want to push it, you can then decide what to do.

IMNAL, but if they aren't filing off a DMCA notice (but asserting it's a DMCA violation), why care?

I persume they can't file a lawsuit without filing DMCA takedown notice first?

If so, when they'll file the notice, GitHub'll take it down (as they usually do). Then you may consider filing counter-notice (if you can afford legal action) or, I guess (IMNAL!) ignore the whole affair.

Anyway, you'd better consult a lawyer.

IANAL, but I don't think a DMCA takedown is required to sue the infringing party, just to sue the ISP that may happen to be distributing a copy without a valid license.
> IMNAL, but if they aren't filing off a DMCA notice (but asserting it's a DMCA violation), why care?

DMCA notices -- by which, presumably, you mean takedown notices -- are only required to a third-party that is otherwise within the DMCA safe harbor protecting hosts of allegedly-copyright-infringing user-submitted content to choose either to take the content down or forfeit the protection of the safe harbor. They have nothing to do with actions against direct violators of either the main body of copyright law or the anti-circumvention provisions of the DMCA.

> I persume they can't file a lawsuit without filing DMCA takedown notice first?

You presume incorrectly; even if the alleged violation was of the type to which a DMCA takedown was relevant, they can sue the offending party (though not a third-party host within the safe harbor) without a takedown notice.