EFF: Accessing Publicly Available Information On the Internet Is Not a Crime (eff.org)
An anonymous reader quotes a report from EFF: EFF is fighting another attempt by a giant corporation to take advantage of our poorly drafted federal computer crime statute for commercial advantage -- without any regard for the impact on the rest of us. This time the culprit is LinkedIn. The social networking giant wants violations of its corporate policy against using automated scripts to access public information on its website to count as felony "hacking" under the Computer Fraud and Abuse Act, a 1986 federal law meant to criminalize breaking into private computer systems to access non-public information.
EFF, together with our friends DuckDuckGo and the Internet Archive, have urged the Ninth Circuit Court of Appeals to reject LinkedIn's request to transform the CFAA from a law meant to target "hacking" into a tool for enforcing its computer use policies. Using automated scripts to access publicly available data is not "hacking," and neither is violating a website's terms of use. LinkedIn would have the court believe that all "bots" are bad, but they're actually a common and necessary part of the Internet. "Good bots" were responsible for 23 percent of Web traffic in 2016. Using them to access publicly available information on the open Internet should not be punishable by years in federal prison. LinkedIn's position would undermine open access to information online, a hallmark of today's Internet, and threaten socially valuable bots that journalists, researchers, and Internet users around the world rely on every day -- all in the name of preserving LinkedIn's advantage over a competing service. The Ninth Circuit should make sure that doesn't happen.
Shouldn't a "good bot" abide by https://www.linkedin.com/robots.txt?
If:
I can send a simple http request to your server, and
Your server sends me the information without doing its homework, then
Sucks to be you.
Don't want your information to be scraped? Have it behind a login - free or otherwise - then ban accounts that are slurping down 10,000 pages a day.
Ohhhhh then it wouldn't be easily indexed by search engines and thus findable by the general public and your site would fade into obscurity. What to do!? Courts to the rescue, it seems!
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
I think they are only making the argument that you can't charge someone with felony hacking because they are accessing the information you make publicly available in a way you don't like.
Every single man, woman, and child in the US has heard the phrase "innocent until proven guilty", and look at the effectiveness of that caveat.
I'm thinking LinkedIn is wrong here, but a simple, clear-cut, and correct statement of public policy is more difficult than it first appears.
"accessing publicly available information" sounds pretty clear and simple, but the more I think about it, the murkier it becomes. Suppose in each of the following scenarios the data is by the owner's terms not to be accessed by bots and:
A) The system pops up a user/ password dialog before allowing access. User "admin" and an empty password works
B) The system pops up a user/ password dialog before allowing access. User "admin" and password "password" works
C) The system pops up a user/ password dialog before allowing access. User "admin" and password "correct horse battery staple" works
D) The system pops up a user/ password dialog before allowing access. Sending 17,000 requests each with a password that consists of a million null bytes followed by carefully crafted machine code to overwrite memory sometimes works
The thing is, ANY data that has been hacked over the internet was accessible to the public, if the public tried hard enough, and was clever enough in defeating access control measures. That makes it difficult to legislate a bright-line rule.
if I'm reading this right (and I may not be), using your login and ignoring Terms of Use is A-OK.
You're reading it wrong. Using your login and ignoring terms of use is a breach of contract (albeit a unilateral EULA). It is not and should not, however, be considered felony computer hacking under the CFAA.