Suit To Let Researchers Break Website Rules Wins a Round

An anonymous reader writes: Anyone following Facebook's recent woes with Cambridge Analytica might be surprised to hear that there's a civil liberties argument for swiping data from websites, even while violating their terms of service. In fact, there's a whole world of situations where that thinking could apply: bona fide academic research. On Friday, a judge in a D.C. federal court ruled that an American Civil Liberties Union-backed case trying to guarantee researchers the ability to break sites' rules without being arrested could move forward, denying a federal motion to dismiss. "What we're talking about here is research in the public interest, finding out if there is discrimination," Esha Bhandari, an ACLU attorney representing the academics, told Axios.

You could justify

[macxcool]

just about anything if you start with 'in the public interest' and 'finding out if there is discrimination'. Also. Can people just use 'unjust discrimination' instead? Discrimination is what we do as human beings. We can't function without it. (sorry. Pet Peave).

Re:You could justify

[CrimsonAvenger]

Read summary, and this was the first thing that occurred to me.

ANYTHING can be defined as "in the public interest", if your lawyers are halfway decent. Including having the government spy on everyone, all the time.

This looks like the beginning of a very slippery slope, and we aren't going to enjoy the ride to the bottom even a little bit....

DO remember that even if you approve of this sort of thing when done to your enemies (political and otherwise), it won't be nearly so much fun when they use it against you by and by.

And they will....

Re:You could justify

I'm a researcher... (am now anyway)... let me at em.

Re:You could justify

[Sarten-X]

Yeah... this is a minefield.

What Cambridge Analytica did was "research". Ostensibly, their research was "in the public interest" because they thought the best thing for the public was for Trump to win the election. At the same time, yes, there are places out there doing legitimately bad things, and if their TOS is enforceable, investigative researchers won't be inclined to look into the transgression, because they might be sued or face other undue consequences.

It might be a bit more appropriate to have some kind of governmental body to do research into illegal activities (a bureau of federal investigation, if you will), and instead ensure that things like discrimination are suitably illegal. That office's investigations could be explicitly authorized to violate TOS and EULAs, through the normal warrant process.

Re:You could justify

[butchersong]

There are very few or possibly no scenarios in which I think breaking the TOS on a website should be prosecutable as a criminal offense in any case.

Re:You could justify

Actually Cambridge Analytica had very little if not nothing to do with Trump winning the election. Cambridge Analytica's claim to fame was they collected data that could be useful to any of their clients. And their marketing of their analytical data services made claims that were unsupported. And prior to the presidential election there was not a single political operative or analyst that predicated Trump would win. And every single political commentator who makes a living loves telling us mere mortals what is and what is not important while also telling us what we should think was wrong. Weatherman and tara card readers have better track records when it comes to predicting major events than the over paid political hacks who are handed the pulpit and bullhorn by the MSM. Trump winning the election might not be that big of surprise if those backing Clinton had realized that her supporters were more annoying than even Trump's supporters. Clinton's supporters were too busy declaring Trump supporters uneducated inbred rednecks who were just too stupid to vote. In the end people didn't vote for Trump they voted against Clinton's supporters and not against Clinton. She would have won if she had muzzled her biggest fans during the election. And all the ongoing investigations on the election results is because those who lost have still not faced the fact that no matter how bad Trump may be he still beat them. There has been no allegations of ballot miscounts or voting irregularities only about some nebulous and ill defined "collusion". How bad do you really need to be to lose to Trump at anything? He spent less money, had almost no supporters from Washington insiders and he won! So obviously he must have cheated? And the really bad thing is that all the people investigating and harassing Trump think that once he is gone things will go back to normal. The vast majority of things people are attacking Trump over is really just the political SOP that every politician since the founding of the country has practiced.

He is not the first wealthy President. He is not the first President who couldn't string together two complete sentences without looking like an idiot. Obama was an exceptional public speaker but he was the exception when compared to past Presidents. FDR wielded more personal financial power than Trump could ever hope to have. And FDR used his wealth and connections when setting economic policy to speed recovery after the depression. He held private meetings with the 5 wealthiest industrialists at the time and personally convinced them to help transition from a demand economy to a supply economy. They would not have agreed to his demands without getting something under the table in return. Something like guaranteed government contracts or favorable tax laws was certainly not out of the question. He set a record for the number of constitutional violations during his 5 terms. He ignored Congress when it came to wire tapping suspected German spies operating in the country. He violated the Congressional neutrality act by "leasing" war materials to Britain. He unilaterally expanded the US territorial boundaries in the Atlantic so the US Navy could escort ships traveling between England and the US. He basically dared Germany to sink a US ship and give him the authority to officially enter the war. Lincoln suspended habeas corpus for the express purpose of jailing journalists who published articles unfavorable to the government in the early stages of the Civil War. Now it has become a crime for any US citizen or Government official to even talk with a Russian. The previous administration had back channel off the books discussions with the Iranians and North Koreans. These are official government contacts that have no accountability or oversight. Even at the height of the Cold War there were interactions between Russian and American government elected officials and their proxies. So when Trump is gone all those following him should look forward to the same level of scrutiny and accusations of wrong doing. If you are accused of wrong doing just by talking to your enemy than why talk at all and see were that leads us to.

Re:You could justify

A pet PEEVE of mine is people demanding that everyone else change the accepted common usage of words because although it is entirely unambiguous in context it makes them uncomfortable.

Do you often get confused about what people mean when people are talking about discrimination, or would you just prefer that they stopped? Because it comes across as the latter.

Re:You could justify

[mrclevesque]

"Actually Cambridge Analytica had very little if not nothing to do with Trump winning the election."

An assertion based on what?

Re:You could justify

[ravenshrike]

Well hell, the Washington Post was perfectly happy to publish a love letter to Xi over his abolishing term limits and consolidating the secretary-general and presidential posts into one so clearly they're on board.

Re:You could justify

This looks like the beginning of a very slippery slope ...

FYI, the slippery slope is giving any legal credibility to a website's ToS page.

The server has absolute authority and should enforce rules as it and its owners see fit.

Whether algorithms are biased? "Of course"

[Opportunist]

An algorithm cares about is nothing but whether it's profitable. Rest assured it will be biased. Why? Because of exactly that. All it takes is that some algorithm determines that $minority as a group has a higher chance of destroying something, not paying rent or generally being something you don't want as a landlord. And there you go.

This is near certain. Yes, that's unfair. Algorithms don't care about fairness, though. They "care" (strange word with computers. Or corporations for that matter...) about profit.

Just like I was really pissed when I was 23 and needed to rent a car and they only would've given me one if I paid through the nose. That's ageism! Or an algorithm telling them that young people tend to have more accidents.

Re:Whether algorithms are biased? "Of course"

Have you ever possibly taken a moment to stop and think that maybe... JUST maybe... people are actually products of their environment, and that perpetuating those environments and shoving certain groups into them creates the behaviors these algorithms pick up on?

Re:Whether algorithms are biased? "Of course"

[XxtraLarGe]

An algorithm cares about nothing

FTFY. Algorithms don't care about anything. They don't care about valid or invalid input. Either they will work or they won't, but they still don't care.

Re:Whether algorithms are biased? "Of course"

[Opportunist]

The algorithm does not care.

Re:Whether algorithms are biased? "Of course"

Algorithms, and in particular machine learning systems, can very well be biased if they are fed biased data.

Re:Whether algorithms are biased? "Of course"

You can be the first to volunteer your own property, money and safety to change things.

Re: Whether algorithms are biased? "Of course"

Also known as "screw you, I got mine!"

Re:Whether algorithms are biased? "Of course"

No, but the users do. In the 1990's I worked for a DC area bank that had been told it could no longer use race as a factor when determining credit worthiness. So we switched to a "Neural Net" model that was fed information such as census block, education, income, etc. that were easy proxies for race. We even convinced the courts that a "Neural Net" was completely neutral, completely unbiased (which it is). But we were not.

Re:Whether algorithms are biased? "Of course"

[butchersong]

Even when you control for all of that you still see disparities by race. People have this knee-jerk reaction when these topics are brought up but honestly.. if you adopt 100 chinese babys and 100 babys, isolate them from any external media influences and treat and raise them the same, does anyone really doubt that you are likely to see very distinct differences between the adult populations of both groups?

Re:Whether algorithms are biased? "Of course"

[butchersong]

Obviously I for example have some sort of genetic trait that impairs my ability to spell babies properly.

Re: Whether algorithms are biased? "Of course"

[Shotgun]

Also known as capitalism. Also known as human nature.

BTW, also notice that you did not concede that you were willing to volunteer yours. Just upset that others are not willing to volunteer theirs.

Re:Whether algorithms are biased? "Of course"

[Opportunist]

Even if fed correct data the outcome can be considered "biased" if it dares to come to the conclusion that you should not deal with $minority.

Remember, we redefined words. "Biased" no longer means "unreasonable opinion about a group". We struck the "unreasonable" from that definition.

The absurdity of an exemption

So do we just put "security researcher" on our business cards or what?

Re:The absurdity of an exemption

[Opportunist]

That's what I did. Worked pretty well so far.

Re:The absurdity of an exemption

I for one welcome our new I.T. closet cleaner overlord.

Cambridge Analytica started off as 'research'

[Ayano]

TFA notes this as well. This is an area where I say the ACLU is wrong, if their cause has a good case then they can make an arrangement with the service provider rather they flaunt a right to 'break the rules'.

Re:Cambridge Analytica started off as 'research'

The suit has nothing to do with what Cambridge Analytica did.
The reporter who wrote the article is a moron.

Re:Cambridge Analytica started off as 'research'

[parkinglot777]

TFA notes this as well. This is an area where I say the ACLU is wrong, if their cause has a good case then they can make an arrangement with the service provider rather they flaunt a right to 'break the rules'.

You should read the news from the original ACLU one. Slashdot shouldn't use the current link to a blogger anyway...

Re:Cambridge Analytica started off as 'research'

But the problem was CA did research for anyone that would pay them. In this case, the researchers are doing this to help the public.

The ends do not justify the means ...

"What we're talking about here is research in the public interest, finding out if there is discrimination"

Look, this is all noble and all, but at no point have you been given permission by the people whose actual fucking data you are collecting to have it.

Fuck your research if it means grabbing my personal data without my fucking consent.

People will do anything if they can just say oh, golly, I was doing research. It can't be allowed to be carte blanche to just do as you please.

In this case, I think the ACLU is full of shit, because it opens the doors for more cases like Cambridge Analytics to just claim an exemption because it's research.

No, just fucking no.

Re:The ends do not justify the means ...

[HornWumpus]

You don't own data about you. Too bad and all, but that's the state of affairs.

_If_ Cambridge did anything wrong, the victim was facebook. Who's valuable dataset was accessed without sufficient payment in cash and/or influence.

Re:The ends do not justify the means ...

[sycodon]

If you don't want your personal data to be grabbed, don't put it in a place that is publicly accessible...like Facebook.

It's one thing to rip off info from your account on Amazon, where you enter it merely to find and purchase products. That's is wrong.

But if you post personal info to Facebook or other social media sites and leave it marked Public, let alone take part in surveys, etc. then that data is fair game no matter what the website hosts says.

Re:The ends do not justify the means ...

This isn't about 'stealing your data'.

This is about being able to create fake accounts for the purposes of researching if people react differently to a person based on information from a profile (specifically, the information which falls under 'protected status' like race).

The ACLU and research companies can't get your data unless you put it out there publicly. It's not like they are asking for permission to haxorz the facebook dbz.

If you put your data out there on the street you shouldn't go crying when someone picks it up and does something with it.

Re:The ends do not justify the means ...

[Khashishi]

You can avoid social media if you want--it won't stop the companies from harvesting and selling your data. If you vote, pay taxes, own property, have a bank account, use a phone, you'll be tracked anyways. And if you have friends (or enemies), nothing stops them from posting your info.

Re:The ends do not justify the means ...

You don't own data about you. Too bad and all, but that's the state of affairs.

Fine .. then every single purveyor of data, their family, their children, their grandchildren, and friends ... should be entirely and thoroughly doxxed. Throw in any lawmaker who has ever voted against data privacy, and their families as well.

Let's level that fucking playing field, and stop pretending that rich assholes like Zuckerfuck get privacy and we don't.

Let's take this shit to its logical conclusion, and go scorched earth on the people who want to sell our data ... and then let's see what side of privacy they come down on.

Because these lying sacks of shit will all claim that is different. Fuck 'em all.

Re:The ends do not justify the means ...

[sycodon]

vote, pay taxes, own property,

Public Data

bank account

Private. Penalties should exist.

use a phone

Hmm...mixed. Public airwaves. Almost like a CB Radio.

Deliberate legislation required if it doesn't already exist.

To clarify:

This suit is over whether breaking a site's TOS consittutes a criminal offense under the CFAA, notably 18 USC 1030(a)(4-6).

There is a circuit split on this issue, which this suit attempts to clarify.

This suit does not have any impact on civil or contractual suits researches might face for breaking TOS, only whether doing so is a federal criminal offense under this specific law.

Re:To clarify:

[AmiMoJo]

Thanks, I figured it was like Iron Man or something.

Re:To clarify:

I have always been under the impression that violating "terms of service" is a nothing more than a civil offense to begin with. The Company whos terms one violated could sue a violator in civil court (monetary damages), but I don't think they could have the violator put in jail over it. Jail would require breaking an actual law. If one refuses to pay the fine or damages levied by a civil court I think one could end up in jail, but that wouldn't be for violating the terms of service, it would be more like Contempt of Court for refusing a lawful order.

Re:To clarify:

Under the CFAA, it is a criminal offense to, among other things, to gain something of value by "access(ing) a protected computer with intent to defraud," or "exceed(ing) authorized access." It is also an offense to access a "protected computer" without authorization and intentionally or unintentionally cause damage or loss, or to "traffic in any password similar information through which a computer may be accessed without authorization."

So a lot of the analysis depends on whether intentionally violating TOS 1) constitutes an intent to defraud or 2) creates an unauthorized access and 3) whether the passwords created by doing so are being used in an unauthorized manner, especially when revealed to other individuals within the research organization.

The second line of analysis is a public policy one that considers whether even if the answers to all the above questions are "yes," there is an overriding interest for the public to have access to this kind of study that allows for an exception for researchers.

Re:To clarify:

[ravenshrike]

Given that in many cases researchers pay for the type of information the lawsuit is about, they are clearly getting something of value.

Correct outcome

Many people will agree, you shouldn't be risking jail time just because you checked a checkbox on a website.

Many people will also agree, purveyors of data who have contracts with 3rd parties who are working with that data should certainly be able to enforce those contracts.

In other words, business as usual, nothing to see here, move along. This is the right outcome.

same argument used for experimentation on people?

[RhettLivingston]

Is this not the same argument used by doctors and governments throughout time for medical experimentation on prisoners and people who don't know they are being experimented on? Why would the ACLU of all organizations not see this?

Shitty summary. Read the actual complaint

[clovis]

I don't see in the actual lawsuit anything about swiping collected data, nor is the suit suggesting accessing website data other than through the normal access a person typing at a keyboard using the site in a normal way would do. In other words, it isn't about mass data grabbing from servers behind the web site.
What the complaint is covering is very narrowly defined behavior.

Here is the actual ACLU Sandvig v. Lynch - Complaint
https://www.aclu.org/legal-doc...

It's about violating TOS access to websites that forbid using dummy accounts, bots to do testing, scraping (saving screenshots in this case), or violating TOS with non-disparagement clauses.
The complaint says that on-line access that may violate a TOS should not be covered under the CFAA, and that the penalties are far too harsh.

Here's what they're talking about: Researchers want use dummy accounts with the names of people that appear to be some minority group, so that they can see if that group is being discriminated against. As an example, AirBNB, VRBO and such like are prime examples of where that sort of discrimination is in play. Many sites require real names, and non-disparagement clauses would obviously be violated if the research turned up anything.

I especially object to non-disparagement clauses in sites that have an open interface to the public, and although I think that requiring real names is a valid stipulation to use a website, I cannot support that using an alias is a criminal act. The website has the option of cancelling your account if they don't like you much in the same way that the mall can kick you out for not wearing shoes.

Re:Shitty summary. Read the actual complaint

The complaint says that on-line access that may violate a TOS should not be covered under the CFAA, and that the penalties are far too harsh.

And, really, this should be extended to all of us.

The one account I ever had with Facebook was a completely made up name, and personal information. Because I would trust Facebook as much as they'd let me stab Zuckerberg ... which I will assume is zero on both parties behalf.

It should not be a criminal act to say "fuck you and your real ID policy, I'm not giving you that information". We should all have the legal right to deny personal information to web sites.

I think that requiring real names is a valid stipulation to use a website, I cannot support that using an alias is a criminal act.

See, I refuse to give my personally identifying information precisely because the internet is full of assholes, ad companies, and other parasites who want to collect your data. I'm just refusing to give it to them up front, because I don't trust them with it.

Not only should an on-line alias be legal, in a lot of contexts it should be common bloody sense. If I am doing anything for legal purposes, yes, I'll use my legal name. But for damned neat everything else .. no fucking way.

Re:Shitty summary. Read the actual complaint

[Obfuscant]

Here's what they're talking about: Researchers want use dummy accounts with the names of people that appear to be some minority group, so that they can see if that group is being discriminated against.

However, as a precedent, it would be applied much more broadly.

Automated access to the websites I run is an abuse of those sites, and such access is covered by a robots.txt rule. I don't care if an "academic researcher" thinks that making thousands of hits per hour is going to help him learn something, it's still an abuse and his desire is not an excuse.

I faced this issue back when robots were just taking over. I had a site that ran an ocean tide prediction program that I made available as part of other data for people-users. A very "kind" robot indexer came by and started making one hit per second, following the "next day" and "other sites" links and happily indexing the predicted tides. The problem was, the program took much longer than 1 second to calculate the answer. The term is "geometrical explosion", and I had to modify the code to emit a robots.txt -- it wasn't a web page in itself, it was a program running on a different port. (Because it was a different port than "80" the excuse was that it was a "different site", even though it was the same site, and the main site's robots.txt didn't apply to the happy indexer.)

The choices were not to run the site and deny everyone access to the data, or to block indexers using the standard method. Should this choice happen again today because the indexers or robots are ignoring robots.txt, the choice may not wind up the same. Putting deny clauses in firewalls is a losing game -- chasing robots that use hundreds if not thousands of addresses.

Determining if "uber" or "airbnb" are illegally discriminating is not an "academic research" problem. It is a legal problem. Don't try slipping your web scraping in under "academic research" when your goal is not.

Re:Shitty summary. Read the actual complaint

[clovis]

Yep, what you said.
If you do get a chance, read the case and just skip down to points 173-179.
To my eyes this is the most important part of the case, and it addresses a big question: Why does Facebook get to decide that using an alias on their website is a federal crime? The case also points out that the TOS can be changed at any time, so even if you read it, your initially legal conduct could be criminalized at any time while you're using the web site.

The Challenged Provision Represents an Unconstitutional Delegation of Authority to Private Parties

173. The Challenged Provision delegates to website owners the legislative
power to determine which conduct is criminal.
174. The Challenged Provision makes it a federal crime to visit a website in a
manner that “exceeds authorized access.” The private parties that draft terms of service
determine the conditions under which access is authorized; as a result, they wield the
power to define the conduct that violates the Challenged Provision, including conduct
that occurs subsequent to accessing a website or is unrelated to any legitimate access
restriction.
175. The Challenged Provision does not merely provide for the enforcement of
private contractual arrangements: It renders conduct a separate, federal crime if it violates
a website’s ToS.
176. The private processes through which terms of service are drafted and
approved are closed and nontransparent, with no requirement for public comment or
participation. Because terms of service can be and are constantly revised, members of the
public lack even the most basic notice that revisions are in progress, and have no right to
participate in defining what terms of service require.
177. The government retains no control over the lawmaking process because
terms of service prohibitions, drafted by private parties without public input, effectively
become criminal prohibitions backed by federal law. The Challenged Provision allows
private parties unilaterally and undemocratically to define the conduct that constitutes a
crime.
178. The Challenged Provision fails to notify ordinary people of what conduct
is criminal because there is no requirement that ToS be drafted with the requisite clarity
or precision required for defining conduct that is criminal.
179. For these reasons, the Challenged Provision’s delegation of the legislative
power to private parties completely removes the lawmaking function from the political
process and from the mechanisms for democratic accountability, and is unconstitutional.

Points 162-169 are also interesting.

Re:Shitty summary. Read the actual complaint

[clovis]

Basically I agree with you about abusive bots, and this case document does state that these researchers scripts are designed to mimic an actual person typing and clicking, and they claim that their automated scripts should cause no impact or minimal impact. (point 96 or so)

Excessive/abusive access (whether by bots or groups of people) does need better rules regulating it. Right now the CFAA addresses that too vaguely.
And that should not be something in a TOS for one site but not another, it should be for all sites.

As for this "Determining if "uber" or "airbnb" are illegally discriminating is not an "academic research" problem. ", you're just plain wrong there.
You're right that it is a legal problem, but studying laws and their impact on society is exactly among the things academic institutions are supposed to do.

Re:Shitty summary. Read the actual complaint

[Obfuscant]

And that should not be something in a TOS for one site but not another, it should be for all sites.

Of course not. There may be sites that are happy to have robots come index them, and they should not be limited by laws prohibiting that. Neither should laws permit robot indexing in any blanket manner, since there are sites who have decided they do not want this.

As for this "Determining if "uber" or "airbnb" are illegally discriminating is not an "academic research" problem. ", you're just plain wrong there.

BY DEFINITION, if someone is trying to determine if an illegal activity is being performed, it is not an academic research issue. It is a legal issue.

You're right that it is a legal problem, but studying laws and their impact on society

This alleged research project is not studying "laws and their impact on society", they're looking for illegal discrimination. The assumption that justified doing that is that it has a negative impact on society. They're trying to determine if those sites are violating the law, not whether those laws are good or bad or the violations have any impact. They're using made-up names to see if the sites are making assumptions based on the names and returning different answers, assuming that any differences are because of illegal discrimination and thus bad.

Using the ubiquitous car analogy, pointing a LIDAR unit at a moving vehicle to determine if it is speeding or not is not "academic research" into the "laws and their impact on society", nor is it studying the physics of light, it is a legal determination, and thus a legal matter. Yes, you, as a private citizen, can point a LIDAR unit at anything you want because it truly has no impact on what you are measuring (unless it is a camera that is sensitive to the IR light, at which point when someone tells you to stop you should) and normally undetectable. Hammering away at a website using fake names can be detected and does have an impact on the website.

You might argue that sampling the speed of many cars is a statistical measure of whether the current laws are being obeyed and what a more appropriate speed limit might be, but sampling one car ("airbnb", e.g.) does nothing to measure that. "Are YOU violating the law" is not a research issue.

Re:Shitty summary. Read the actual complaint

[Obfuscant]

The case also points out that the TOS can be changed at any time, so even if you read it, your initially legal conduct could be criminalized at any time while you're using the web site.

It is the right of every property owner to determine if your access to their property constitutes a crime or not. This is simple common sense.

For example, if I open my door and say "party inside, y'all are welcome", then when you enter my property it is not the crime of trespassing. If I put up a sign that says "no trespassing", then your entry upon my property is a crime. Yes, truly, I have determined whether or not your presence on my property is a crime or not. Same act, two different results. I didn't have to have "public notice" or "public comment", I just unilaterally decided that I did not want you on my property. I can even make it specific, and just because you see someone else on my property doesn't mean you are welcome to join them.

In fact, I can trivially convert your non-criminal act into a criminal act by simply telling you to leave. I can change it at a moment's notice. I don't need to ask anyone else or get everyone else's opinion on it. "Leave now".

The laws about unauthorized use were not created by Facebook or any other website. That was a function of the authorized legislative bodies. Determining what is and is not authorized use is a function of the property owner. They make these kinds of decisions all the time, all around you. It's private property. You do not want government stepping in and deciding what "appropriate use" of your property is, so don't expect others to welcome such legal meddling.

Now, "we" have decided that some things require such meddling, like making sure that commercial entities do not discriminate on certain criteria, but "use a real name" or "do not scrape my data" are not amongst those. Even "you must pay me $1000 to use my website" is discriminatory, but "have money" and "don't have money" are not yet protected classes.

Re:Shitty summary. Read the actual complaint

[clovis]

It is the right of every property owner to determine if your access to their property constitutes a crime or not. This is simple common sense.

It is the right of every property owner to determine if your access to their property constitutes a crime or not. This is simple common sense.

It may seem like common sense to you, but it is not true.
It is especially not true if the person is a tenant or has some previously agreed living arrangement, or if the property is otherwise open to the public.

There are many laws surrounding access to private property that is otherwise open to the public to enter, shopping malls for example.
The mall's owner's cannot arbitrarily declare that some behavior on their property is a criminal act and have you arrested for that. Suppose the mall decided to disallow wearing a name badge.
They can tell people with name badges to leave and not return, and then that person could be arrested for trespassing if they return.
But the mall cannot declare wearing a name badge to be a crime and have people arrested for name badge wearing.
And what this case is saying, Congress cannot delegate that law-making ability to the owners of malls, nor to web sites.
The Constitution's delegation of powers rule does not allow that.

Re:Shitty summary. Read the actual complaint

[ravenshrike]

Also important, by making fake accounts they make airbnb and uber less reliable since they obviously cancel any orders that do go through, which makes the users of the services trust them less. This is a material harm to the companies in question.

Re:Shitty summary. Read the actual complaint

[Obfuscant]

It may seem like common sense to you, but it is not true.

For the most common cases, it is quite true. The examples I gave are true. Facebook is not a rental property nor is it a public space. They have the right to determine what an authorized use is. You do not want the government making that decision.

There are many laws surrounding access to private property that is otherwise open to the public to enter, shopping malls for example.

The example of trespass is quite accurate even when applied to a shopping mall. All it takes to convert your legal presence into a criminal act is for the owners to have you trespassed from the premises. They call the cops, the cops issue you a trespass notice, and the next time you show up there you can be arrested. It happens a lot. Even for a public space like a public university where the land is owned by the state -- the taxpayers. If you misbehave on a university grounds you can and likely will be trespassed, and that makes your presence there illegal.

The mall's owner's cannot arbitrarily declare that some behavior on their property is a criminal act and have you arrested for that.

That's not what's happening. They're determining appropriate use. Then the laws against inappropriate use kick in.

Suppose the mall decided to disallow wearing a name badge.

There is no law against wearing a name badge. There are laws against trespass. The mall owners determine who is trespassing and who is not; the law is there to back them up. The mall owners did not create the law, they just decide who is violating it.

And what this case is saying, Congress cannot delegate that law-making ability to the owners of malls, nor to web sites.

They aren't delegating any law-making. They have made a law regarding authorized use of private property. The owners have the right to determine what uses are authorized. In the shopping mall example, you might have seen signs that say "no car sales from this parking lot". Or no alcohol. Or many other uses that are not authorized. Break those rules and you will be trespassed, which makes your presence a violation of trespass laws. The laws were not delegated to the property owners; the right to decide authorized use is and was theirs.

Re:Shitty summary. Read the actual complaint

If you invite people to use your property, and they come there and do something you don't like, your primary remedy is to ask them to leave. The non-criminal act (to use your phrase) is still non-criminal, regardless of what you want. The only criminal act here is trespassing after the visitor is asked to leave.

If you put up a sign that says "Party inside! All are welcome! No photography allowed", and someone comes and takes a picture, that's not trespassing and it's not criminal. You as the property owner can immediately ask them to leave, and they must comply with your wishes -- by leaving. In that way, you do get to control what happens on your property, but the important point is what constitutes a crime. You can't call the police to come and arrest someone for unauthorized photography. You CAN call them to arrest someone who won't leave once you ask them to leave.

In the web world, that would be akin to someone making an account, using your site, violating your terms of service, and then trying to break in after you deactivate their account. Violating the TOS is not (should not be) a crime. Breaking into the site after you've cancelled their access, that is a crime.

(Interestingly, movie theaters can have people arrested for taking videos of the film. It would be interesting to know if the perpetrators in that case are charged with trespassing, with copyright infringement, or with some kind of violation of a contract's entered into whey buying the ticket)

Re:Shitty summary. Read the actual complaint

I cannot support that using an alias is a criminal act

Indeed, no less a person than Benjamin Franklin himself used an alias, Silence Dogood, to get his work published in the New-England Courant , a newspaper founded and published by his brother James Franklin. This was after Benjamin Franklin was denied several times when he tried to publish letters under his own name in the Courant. Did he violate the "terms of service" and did that make him a criminal? This is exactly the sort of question that I would expect to hear a Supreme Court justice pose to the attorneys arguing the affirmative.

Re:Shitty summary. Read the actual complaint

[clovis]

I suppose the other thing that is bothering me is that the private property that is being regulated is mine.
Going to a web site and going to a store have something different. I'm using my device at home to access the web site.
The owners of the web site are saying that they have the right to dictate how I use my keyboard and mouse at my house. Whether I two-finger type in my userid "clovis" or use a vbscript sendkey to send the same string, the http/TCP/IP packet that arrives at the web site is indistinguishable. How can the owners of the web site declare it to be a crime to depending upon the method I use to create the packet on my PC?
How can the owner of a web site say that I cannot take a screen shot on my own PC or photograph the screen? Copyright law can prevent me from displaying that content anywhere else or showing to other people, sure, but otherwise it's mine.

It's like the owner of the mall tries to refuse access to people who ride the bus instead of walking there.

Re:Shitty summary. Read the actual complaint

[Obfuscant]

I suppose the other thing that is bothering me is that the private property that is being regulated is mine.

Don't be silly.

Going to a web site and going to a store have something different. I'm using my device at home to access the web site.

You are using your device to access someone elses property. The violation of authorized use is not what you are doing with your property, it is what you are doing to someone elses.

The owners of the web site are saying that they have the right to dictate how I use my keyboard and mouse at my house.

Knock it off. You know that isn't what is happening. They don't care how you use your keyboard or mouse, they are responding to your use of their property.

Whether I two-finger type in my userid "clovis" or use a vbscript sendkey to send the same string, the http/TCP/IP packet that arrives at the web site is indistinguishable.

That's nice but irrelevant.

How can the owners of the web site declare it to be a crime to depending upon the method I use to create the packet on my PC?

They aren't, and you know that. The fact that you are creating thousands of packets containing fake names over a few hours pretending to want to rent an apartment on airbnb and sending them to the airbnb servers is the relevant bit.

How can the owner of a web site say that I cannot take a screen shot on my own PC or photograph the screen?

My God, are you never going to stop with this nonsense? They can't. And you know they aren't trying.

It's like the owner of the mall tries to refuse access to people who ride the bus instead of walking there.

No. It has nothing to do with how you get there, only with what you do when you do. It doesn't matter if you take a bus or walk to the mall if you set up a booth trying to sell gizmos without permission and get trespassed. Nobody cares how you got there. The issue is that you are not authorized to use the mall property for that activity.

And like I told you already, the mall owner is the one who gets to decide what you are authorized and not authorized to do.

Re:Shitty summary. Read the actual complaint

[Obfuscant]

since they obviously cancel any orders that do go through, which makes the users of the services trust them less.

Not only that, but during the time that the property is rented it is not available to rent to someone who is actually seeking a place to stay. Further, if there are credit charges for deposits that need to be refunded, the company loses any transaction fees. These are even more direct material harm to the companies.

If the company tracks interest in a property and bases its rental rates on that interest, then fake rentals may appear to be fake demand, with an associated increase in the rental rate -- which will drive real customers away, or have them paying artificially inflated rates. These are material harm to both the company and the consumer.

Re:Shitty summary. Read the actual complaint

[clovis]

Whether I two-finger type in my userid "clovis" or use a vbscript sendkey to send the same string, the http/TCP/IP packet that arrives at the web site is indistinguishable.

That's nice but irrelevant.

How can the owner of a web site say that I cannot take a screen shot on my own PC or photograph the screen?

My God, are you never going to stop with this nonsense? They can't. And you know they aren't trying.

I'm not inventing these things. They are discussed in the complaint. You clearly have not read it.

The fact that you are creating thousands of packets containing fake names over a few hours pretending to want to rent an apartment on airbnb and sending them to the airbnb servers is the relevant bit.

Where did you get the idea that the researchers are creating thousands of packets containing fake names over a few hours?
Did you make that up, or do you have a source?

Re:Shitty summary. Read the actual complaint

[clovis]

BTW, good talk ... see you around.

What data belongs to who?

I think our society is legitimately and sincerely conflicted about what data belongs to who.

Fred tells Ethel, "My favorite color is blue." That blue is Fred's favorite color, is Fred's data, right? Except the experience of Ethel hearing that, is hers. Is she supposed to pretend she doesn't know?

I look at my server logs the same way. You sent that to my computer; I didn't make you do it.

I can also imagine more extreme examples, where I more sway in your direction on this. e.g. my doctor talking about what my dick looks like.

But there is no logical place to draw the line. Whereever you pick, is going to be arbitrary and people will fight over it. How would you do it? Can you write a sentence or paragraph that formalizes the conditions where someone's experience doesn't belong to themselves? I can't.

Re:same argument used for experimentation on peopl

[greenwow]

Because the intent is different. The intent here is social justice so the law shouldn't be allowed to be used against that.

Re:same argument used for experimentation on peopl

Is this not the same argument used by doctors and governments throughout time for medical experimentation on prisoners and people who don't know they are being experimented on? Why would the ACLU of all organizations not see this?

I think there is a world of difference between

"I used the information that you gave me in a way that you didn't intend."

and

"I modified your body without your knowledge or consent."

YMMV

Re:same argument used for experimentation on peopl

Social justice is a better intent than saving or making better possibly millions of lives?

Re:same argument used for experimentation on peopl

[RhettLivingston]

It may be a different order of magnitude but somehow "I've got a great reason for violating you" just doesn't cut it in my mind.

I'll grant though that I tend to see personal violations greater than physical ones. For example, if raped, I'd much rather it be a physical assault than someone saying they love me, having sex, and then saying they don't love me and never did but just wanted to have sex. The latter is a much greater and more damaging personal violation because it involved my trust. I consider it the worst, most violent form of rape.

The summary is terrible

The summary is terrible, the short version of the argument is that private companies shouldn't be able to write overbearing ToS and turn violations into a federal felony under the CFAA. The only thing it does is to make it so private companies can't attack people with felonies over some stupid ToS on their website. They could still go after you at the civil (but not criminal) level for damages related to any breach of your agreements, the main difference is that they can't get you thrown into jail for violating some nonsense they wrote on their web page this way.

If you want to defend privacy, it's better to get actual privacy laws so that the hundred thousand other companies who misused the Facebook friends API to suck in your social graph can't misuse it. Yes, I realize the only thing that CA did wrong was to break Facebook's ToS, but making that into a federal felony is a bad idea because a ton of you have likely broken their ToS in some trivial way don't belong in prison. I mean, they're especially after disparagement clauses. Would you like for everyone with a Facebook account to be forced, under pain of federal felony charges, to not be able to say bad things about Facebook any more?

Because that's the kind of crap you're asking for if you defend this use of the CFAA.

Aaron Swartz but we need an PD willing so stand up

[Joe_Dragon]

Aaron Swartz but we need an PD willing so stand up to long case with EULAs as the contracts and no 100K+ bails

ACLU discriminates

The ACLU discriminates against people who desire privacy on their electronic info.
Apparently, they hate the "under-privatized" and favor the "info-privileged" class of people who don't care what others do with their info.