This is positive news. It seems like the more liberal approach taken when protocols were written is being challenged more by young users who grew up under more stable rules that accepted terms of service as very strong.
When I was growing up you went by what the protocol allowed. If an http response came back you have access, if it prompted for credentials, then you didn’t have access.
The mere idea that a web server gives you info and then you have to check a TOS that you might not even know exists is foreign to me. But when I talked with a young programmer they kind of agreed with Oracle saying “otherwise you could just request everything from every possible address.” They were unfamiliar with war drivers or even how early web crawlers started.
The EFF write up requires a bit of a caveat. The EFF states: "Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn’t rescind Rimini’s authorization to access the files outright."
That's true, but it would be incorrect to infer that the Ninth Circuit's holding in this case means that such a cease and desist is ineffective to revoke notice for purposes of the CFAA. To the contrary, the Ninth Circuit has held that where a defendant, "after receiving the cease and desist letter from" the plaintiff, "intentionally accessed [plaintiff's] computers knowing that it was not authorized to do so," the defendant was "liable under the CFAA." Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1069 (9th Cir. 2016).
The cease-and-desist letter dropped out of this case, because Rimini was accessing Oracle's website under delegated authority from Oracle customers, who had a contractual right to access the site. Oracle chose not to press the argument that it could limit the delegated authority from the customers by virtue of the cease and desist, I suspect because the wording of the cease and desist did not actually revoke Rimini's authorization to access the files. Oracle thus was stuck arguing that violating the TOS, despite otherwise having authorization to access the data, was enough to violate state-law counterparts to the CFAA. That latter argument was a losing one in light of United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), where the Ninth Circuit held that a terms of service provided insufficient notice to alleged offenders to create liability under the CFAA.
"... the bounds of criminal law should not be defined by the preferences of website operators. And private companies shouldn't be using criminal laws meant to target malicious actors as tool to enforce their computer use preferences or to interfere with competitors."
If a website operator wants to control if a user can access the website, then there are ways to do this without resorting to criminal prosecution.
Through server software, websites can control how fast HTTP requests can be made in succession or how many requests can be made in a single connection.
Websites can further control what IP addresses have their HTTP requests fulfilled.
But users can still utilize client software to make automated requests and comply with any of these restrictions.
The user might just send the requests slowly or from a different IP address.
Ultimately, no website can force a user to use a GUI, mice or touchcreens. The same as no website can force a user to use a particular browser.
If a website wants to control how a user accesses the website, there is no way to enforce this under the criminal law.
IANAL, but violation of terms of service seems like a breach of contract, not a crime. For that sort of thing there is always the civil court system if the plaintiff feels like their loss due to the violation is high enough to warrant pursuing the legal case.
But maybe the actual loss caused by the automated downloads in this case wasn't high enough and they pushed the criminal angle to make some kind of point.
YES! This is ecstatic news for those operating under the constant threat of lawsuits from delusional folks who thinks their TOS is the fucking constitution of United States of America.
Linkedin and Craigslist will finally get the competition they've been fending off with scary lawsuits.
I can't wait to see the look on Craig Newman's face when web scrapers all around the world will do what he feared all this time, bring innovation.
This is possibly one of the best things I've read on HN. I'm more curious as who are the people at EFF pulling this off, stroking the legal justice warrior within me....I think this is the part of the law that deeply interests me but I don't know what you call EFF's area of law.
Happy Scraping everybody!
Note that the decision says that violations are not criminal acts, but that doesn't mean that license violations can't result in civil lawsuits and encumbent financial damages.
This is fantastic news, and a great step toward a more "sane" set of internet laws.
I just hope that this trend can continue and can sufficiently bury the idea that accessing public (as in without any kind of authentication method) information on the internet should not ever be a violation of any laws when done without malicious intent (a DoS attack should still obviously be illegal).
> Rimini, which provides Oracle clients with software support that competes with Oracle’s own services, ...
Oh, the irony.
(For anyone unclear, I'm thinking of Oracle, which provides Red Hat clients with software support that competes with Red Hat's own services.)
In any case, I'm always happy to see Oracle lose a legal suit.
Oracle is downright evil in the most corporate way. No one with other options should be a customer or employee. Oracle needs to die with Comcast and the rest.
It borders on a joke, that people think accessing a website in breach of TOS is a crime, but storing passwords is plain text isn't.
I keep telling friends/colleagues that the order is:
1) Constitution - for countries that have one,
2b) Other executive orders
ToC is simply a contract. Breach of ToC/Contract is not necessarily a breach of law (unless a law is at the same time violated)
Does anybody know how this pertains to data scraping? Like many coders/tinkerers, I've been frustrated that TOS'es often forbid bots from scraping data from many sites. There are lots of ways data can be better visualized or synthesized than is currently done, but terms of service make this impossible (unless you're just doing a small side project you never plan to publish).
Does this mean that scraping is acceptable now, even if a site's TOS explicitly forbid it?
> Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn’t rescind Rimini’s authorization to access the files outright. Rimini still had authorization from Oracle to access the files, but Oracle wanted them to access them manually—which would have seriously slowed down Rimini’s ability to service customers.
So if Oracle had told Rimini outright that they were not allowed to access the files at all, Oracle might have prevailed?
A website’s TOS is not law so why should the violation of a TOS be treated like a violation of the law? Curious if anyone has any arguments
Always amusing when a website disallows adblocker in their ToS. Its my computer dipshits.
Besides its not as if they can actually do anything about it. I probably don't even come up in their analytics.
I feel like it's premature celebration? This seems like a very specific case, and not just violation of a terms of service in general?
they could just implement rate limit and oracle would've been fine. but instead they actually tried to sue -_-
This is great. However, I didn't see anything about whether it is a civil violation and assume you could still be sued by a third party (you just couldn't be thrown in not jail over it). Please correct me if I am mistaken.
This might be a somewhat unpopular opinion but I think that there should be some way (definitely not through criminal prosecution) for a website or similar to say "You can use my service for free, but only under the following restrictions". Not sure what the "punishment" should be for breaking these rules.
Does this mean it is also reversed? If a person chooses to not acknowledge the website's terms, does this mean a website doesn't have to abide by its own terms and can make up its own rules as it goes along?
People that hear about our software service always ask "hey whats to stop people from doing this illegal thing on your platform" and I say "a sternly worded Terms of Service"
Larry Ellison should be shot for treason.
These traitors who want to make up crimes should be shot for treason.
They are negative members of society who do negative work.
Letting them live is unethical and immoral.
Shooting Larry Ellison to death is the right thing to do.
Pretending that crimes exist when there are terrorists who want to murder Americans harms the war effort, it means you're helping the terrorists.
Larry Ellison is making up crimes and charging Americans with them in order to help terrorists. This is why he must be shot to death.