Ask HN: Take down my reverse-engineered Snapchat lib because they asked?
A few months ago, I spent a couple days reverse engineering the Snapchat protocol and wrote a quick and dirty library to use it in your own PHP apps:
https://github.com/tlack/snaphax
Today Snapchat has written me requesting that I take it offline:
Hi Thomas,
I'm writing to ask that you remove Snaphax from github
and no longer publish or distribute it. Snapchat does
not permit third party software to access our API and
we consider Snaphax to be an unlawful circumvention
device under 17 U.S.C. § 1201(a)(1).
Please confirm that it has been removed by end of day
Monday, July 22nd.
Thank you,
Micah Schaffer
Snapchat, Inc.
I haven't had much time to really finish Snaphax (and I doubt I ever will) but I strongly support the idea that third party software should be able to interact with the services I use every day.I am under the impression that reverse engineering is still protected under fair use doctrines. Is this the case? How should I respond, if at all?
136 comments
[ 3.1 ms ] story [ 182 ms ] threadI'd ignore it. If they want to go hard-ball they'll threaten to sue/actually sue. Until then keep silent.
> I am under the impression that reverse engineering is still protected under fair use doctrines. Is this the case? How should I respond, if at all?
Speaking as someone who has been involved in an arduous civil matter for the last four years, matmaroon's advice would be well heeded.
"There's no way they can sue you for that."
"No way a judge will even allow this case."
"This case will be dismissed after the first hearing."
When someone sends you a letter like this, the first decision you have to make is "how much is this thing worth to me". Once you've decided that it's worth fighting for, your best counsel will come from a lawyer, who can help you determine the thing that really matters: how much it's going to cost you.
Assuming the posted letter is complete, a lawyer can't really do anything at this point. The letter (or is it actually an email?) doesn't invoke any requirements one is bound by law to obey. One might even say that it's careful not to do so, so I suspect that even though the "Director of Operations" signed it, it was originally written by a lawyer. This would actually be a useful form letter for people who have their underpants on a bit too tight: even if they send it five times a month, it doesn't create any sort of SLAPP liability or anything else that will damage Snapchat in a legal sense. Of course, giving someone 12 hours to comply with anything looks like amateur hour. tlack isn't the only party reluctant to run up billable hours.
IANAL. If I were, I would recommend you start paying me or one of my colleagues to talk with you immediately.
A lawyer can analyze the facts of what you have done, and provide you with advice as to whether it is likely to be found to be an anti-circumvention device under the cited section of the DMCA and, if so, what the likely consequences of that are and what steps you can take to mitigate any exposure you might have in that regard (including, if there are any, steps short of taking down the existing offering.)
Of course, you could wait to see if they actually file a suit rather than having a lawyer look at the C&D, but if you do that, then there will be less, not more, that a lawyer can do for you.
At this point in time, OP can take down the repo (but not the 115-and-counting forks thereof), or modify it (someone suggested removing keys issued by Snapchat), or not. How will this set of options change if Snapchat file suit? Of course one must respond to a suit, but couldn't one's response be "ok we've complied with all requests"?
If you're telling me that the suit could allege OP owes Snapchat money for his/her misdeeds, that's true, but it's always true, even after one complies with the sort of namby-pamby "C&D" we see here.
Without specific answers to many of the foregoing questions, this message amounts to asking OP to forego all use and value of work that OP has personally performed, merely on Snapchat's say-so. So, actual meritorious C&D's require some actual work on the part of the sender. This letter took some knucklehead five minutes, so that's about what it's worth.
C&D's are usually courtesies to avoid...
...the expense of an actual lawsuit. In many cases a vague and overbroad (see above) message is mere bullying, attempting to imply threats that would be impossible to articulate or enforce. Papers filed in a court are held to a higher standard, and penalties are enforced. The fact that OP might be well-advised to retain counsel in response to this turd is an indictment of the USA legal system.
You do not need to wait until you are sued or prosecuted to get advice from a lawyer.
They say "we consider Snaphax to be an unlawful circumvention device under 17 U.S.C. § 1201(a)(1)."
They are implying he would be subject to lawsuit and/or criminal prosecution if he keeps distributing the software.
How likely is that to happen? How risky is it for the guy? How expensive might the defense be, and how much pain might this be for a weekend project?
I'm not really sure. But you know what class of people are expert at answering questions like that? Lawyers.
But, sure, if the poster want to keep it up anyway cause you think it's bullshit and are willing to see what they do next, certainly that's another option. It's potentially a brave and commendable one.
But I wouldn't do it because a bunch of people on HN who don't know what they're talking about told me that since they didn't use some special magic words in the letter, there's "nothing a lawyer can do", what?
For what it is worth, we were given a few days in a cease and desist letter recently and our $250/hr lawyer laughed at the idea of just a few days notice. 12 hours or even a few days now doesn't seems serious at all.
Another alternative is to mail them back and ask them for clarification. Why do they consider it an infringement?
The law clearly states the following:
The way I interpret this is that if one is overcoming some encryption or authentication scheme, it may be disallowed under the law. If one is simply observing a protocol online, then one may be doing something bad as this says.At least for me any EULAs that aren't signed before purchase (i.e., all shrinkwrap or clickthrough "agreements") aren't binding unless I choose to - B2B sales with explicit signed contracts would be binding; or if I want to do something that by law requires permission (i.e., redistribution instead of just using the software) then I might accept an 'EULA' such as GPL.
EULA is regarded as a contract in "most" (or all?) jurisdictions, and as such, depend on contract law to define what is allow and what isn't. EULA's is also regulated under consumer protection laws. Since each state in the USA have slightly different kind of consumer protection and contract law, one would really need to dig down into the law books to decide if the EULA is at all legally binding in a specific state.
But I have one correction to mention. Copyright licenses are not viewed as contract in the USA. Copyright licenses like GPL are granted permissions, waiving the right to sue distributors under specific situation. If the distributor get sued for distributing GPL software, then it is she who must raise the license as protection. "I got right to distribute this copyrighted work, because I received this license who says I can". The license "terms" only specifies under what situation permission have been given.
In EU however, licenses are contract and under contract law. As such, the permission to distribute can be revoked if contract law has been violated.
However, while you may not be able to distribute software which uses the API, I think many people would enjoy/benefit from a post describing how you reversed it and what steps you took to create the library.
So if you want to resist, you could start there: by finding out (possibly by asking a lawyer to talk to them) how they think your tool is acting to "descramble a scrambled work, decrypt an encrypted work, (or equivalent actions)". If you want to do this, you might consider reaching out to the EFF for help.
Morally, I think you're in the clear for the reason you already gave.
And here's an article from the EFF with a few citations of cases where DMCA article 1201 has been used: https://www.eff.org/es/wp/unintended-consequences-under-dmca
Well, the specific thing the DMCA does is to stop circumvention of an "effective technological protection measure". The crazy thing here is that there is no such measure: no use of encryption or scrambling -- or even passwords! -- that I can see, just simply using a network service's exposed command set. That makes it different to most (if not all) of the case law your link mentions.
So this is definitely one of those occasions that legal advice is required, not moral advice.
You've already got a client library written--why not go ahead and post up a conforming backend as well? If you want, shoot me an email with your doc'ed API, and I'll shoot you back (gimme a week--things on fire right now) a simple Sinatra mockup.
Clean room all the things!
EDIT:
For an idea of a quick hack of this variety, see my work from last week -- https://news.ycombinator.com/item?id=6065652
I would seek a lawyer if you can afford one and if not, then you can't afford a lawsuit either, so in this case, pull it offline. If you do the latter, you should post the results of your research somewhere, this can't be taken down as it is sharing information and not an API tool.
As with file formats, the notion that network protocols & APIs should ever be granted any type of protection and that no-one other than the creators should be able to write software that conforms to these protocols is ridiculous.
Snapchat, in my view, have every right to restrict who uses their service and in what manner - via standard mechanisms like API keys and login credentials. But preventing third-party implementations of protocols or APIs is so 90s. Oracle had a bit of trouble with this recently.
One problem I'm personally trying to remedy is the proliferation of various APIs and protocols for accessing various online storage services (Dropbox, Google Drive, Box etc) by developing an SDK that supports all of them. We need more of this kind of these kinds of projects, not less.
Micah Schaffer, if you're reading this, you're welcome to send me a takedown request and discuss the issue with me. My email address is in my profile.
EDIT: It's at 62 now. I wouldn't be surprised if even Barbra Streisand has forked it.
I think the impending 3Taps (padmapper.com) v/s Craigslist case[1] will shed more light on this. padmapper were using Craigslist data that is 'freely available' and Craigslist didn't like it.
[1] http://www.dmlp.org/threats/craigslist-v-3taps
Any access to or use of craigslist to design, develop, test, update, operate, modify, maintain, support, market, advertise, distribute or otherwise make available any program, application or service (including, without limitation, any device, technology, product, computer program, mobile device application, website, or mechanical or personal service) that enables or provides access to, use of, operation of or interoperation with craigslist (including, without limitation, to access content, post content, cross-post content, re-post content, respond or reply to content, verify content, transmit content, create accounts, verify accounts, use accounts, circumvent and/or automate technological security measures or restrictions, or flag content) is prohibited.
I don't believe they can (or perhaps "should be allowed to") stop people from accessing their site via http (which is a protocol or api). Either way, it feels the same to me; I think it's relevant.
https://twitter.com/ansimionescu/status/359361709904891904
Edit: Why not use some of these https://www.google.com/search?q=pro+bono+lawyer+advice
I don't know anything about the Snapchat API but if it's simply undocumented I don't see how that would be a "technological measure" of "effective control."
If you had to sniff or crack an API key of some sort, maybe that does.
In any event, it seems like a friendly enough request, maybe take it down as a courtesy pending their clarifying exactly what "technological measure" of "effective control" they think it "circumvents." Depending on their response and how much you think you want to push it, you can then decide what to do.
I persume they can't file a lawsuit without filing DMCA takedown notice first?
If so, when they'll file the notice, GitHub'll take it down (as they usually do). Then you may consider filing counter-notice (if you can afford legal action) or, I guess (IMNAL!) ignore the whole affair.
Anyway, you'd better consult a lawyer.
DMCA notices -- by which, presumably, you mean takedown notices -- are only required to a third-party that is otherwise within the DMCA safe harbor protecting hosts of allegedly-copyright-infringing user-submitted content to choose either to take the content down or forfeit the protection of the safe harbor. They have nothing to do with actions against direct violators of either the main body of copyright law or the anti-circumvention provisions of the DMCA.
> I persume they can't file a lawsuit without filing DMCA takedown notice first?
You presume incorrectly; even if the alleged violation was of the type to which a DMCA takedown was relevant, they can sue the offending party (though not a third-party host within the safe harbor) without a takedown notice.