Suit To Let Researchers Break Website Rules Wins a Round (axios.com) 71
An anonymous reader writes: Anyone following Facebook's recent woes with Cambridge Analytica might be surprised to hear that there's a civil liberties argument for swiping data from websites, even while violating their terms of service. In fact, there's a whole world of situations where that thinking could apply: bona fide academic research. On Friday, a judge in a D.C. federal court ruled that an American Civil Liberties Union-backed case trying to guarantee researchers the ability to break sites' rules without being arrested could move forward, denying a federal motion to dismiss. "What we're talking about here is research in the public interest, finding out if there is discrimination," Esha Bhandari, an ACLU attorney representing the academics, told Axios.
You could justify (Score:3, Insightful)
Re:You could justify (Score:4, Insightful)
ANYTHING can be defined as "in the public interest", if your lawyers are halfway decent. Including having the government spy on everyone, all the time.
This looks like the beginning of a very slippery slope, and we aren't going to enjoy the ride to the bottom even a little bit....
DO remember that even if you approve of this sort of thing when done to your enemies (political and otherwise), it won't be nearly so much fun when they use it against you by and by.
And they will....
Re: (Score:2)
Well hell, the Washington Post was perfectly happy to publish a love letter to Xi over his abolishing term limits and consolidating the secretary-general and presidential posts into one so clearly they're on board.
Re: (Score:2)
Yeah... this is a minefield.
What Cambridge Analytica did was "research". Ostensibly, their research was "in the public interest" because they thought the best thing for the public was for Trump to win the election. At the same time, yes, there are places out there doing legitimately bad things, and if their TOS is enforceable, investigative researchers won't be inclined to look into the transgression, because they might be sued or face other undue consequences.
It might be a bit more appropriate to have some
Re: (Score:2)
"Actually Cambridge Analytica had very little if not nothing to do with Trump winning the election."
An assertion based on what?
Re: (Score:3)
The summary is terrible (Score:4, Informative)
The summary is terrible, the short version of the argument is that private companies shouldn't be able to write overbearing ToS and turn violations into a federal felony under the CFAA. The only thing it does is to make it so private companies can't attack people with felonies over some stupid ToS on their website. They could still go after you at the civil (but not criminal) level for damages related to any breach of your agreements, the main difference is that they can't get you thrown into jail for violating some nonsense they wrote on their web page this way.
If you want to defend privacy, it's better to get actual privacy laws so that the hundred thousand other companies who misused the Facebook friends API to suck in your social graph can't misuse it. Yes, I realize the only thing that CA did wrong was to break Facebook's ToS, but making that into a federal felony is a bad idea because a ton of you have likely broken their ToS in some trivial way don't belong in prison. I mean, they're especially after disparagement clauses. Would you like for everyone with a Facebook account to be forced, under pain of federal felony charges, to not be able to say bad things about Facebook any more?
Because that's the kind of crap you're asking for if you defend this use of the CFAA.
Whether algorithms are biased? "Of course" (Score:2)
An algorithm cares about is nothing but whether it's profitable. Rest assured it will be biased. Why? Because of exactly that. All it takes is that some algorithm determines that $minority as a group has a higher chance of destroying something, not paying rent or generally being something you don't want as a landlord. And there you go.
This is near certain. Yes, that's unfair. Algorithms don't care about fairness, though. They "care" (strange word with computers. Or corporations for that matter...) about pro
Re: (Score:2)
The algorithm does not care.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Also known as capitalism. Also known as human nature.
BTW, also notice that you did not concede that you were willing to volunteer yours. Just upset that others are not willing to volunteer theirs.
Re: (Score:2)
An algorithm cares about nothing
FTFY. Algorithms don't care about anything. They don't care about valid or invalid input. Either they will work or they won't, but they still don't care.
Re: (Score:2)
Even if fed correct data the outcome can be considered "biased" if it dares to come to the conclusion that you should not deal with $minority.
Remember, we redefined words. "Biased" no longer means "unreasonable opinion about a group". We struck the "unreasonable" from that definition.
Re: (Score:2)
That's what I did. Worked pretty well so far.
Cambridge Analytica started off as 'research' (Score:1)
Re: (Score:3)
TFA notes this as well. This is an area where I say the ACLU is wrong, if their cause has a good case then they can make an arrangement with the service provider rather they flaunt a right to 'break the rules'.
You should read the news from the original ACLU [aclu.org] one. Slashdot shouldn't use the current link to a blogger anyway...
Re: (Score:2)
You don't own data about you. Too bad and all, but that's the state of affairs.
_If_ Cambridge did anything wrong, the victim was facebook. Who's valuable dataset was accessed without sufficient payment in cash and/or influence.
Re: (Score:1)
Fine .. then every single purveyor of data, their family, their children, their grandchildren, and friends ... should be entirely and thoroughly doxxed. Throw in any lawmaker who has ever voted against data privacy, and their families as well.
Let's level that fucking playing field, and stop pretending that rich assholes like Zuckerfuck get privacy and we don't.
Let's take this shit to its logical conclusion, and go scorched eart
Re: (Score:3)
If you don't want your personal data to be grabbed, don't put it in a place that is publicly accessible...like Facebook.
It's one thing to rip off info from your account on Amazon, where you enter it merely to find and purchase products. That's is wrong.
But if you post personal info to Facebook or other social media sites and leave it marked Public, let alone take part in surveys, etc. then that data is fair game no matter what the website hosts says.
Re: (Score:2)
You can avoid social media if you want--it won't stop the companies from harvesting and selling your data. If you vote, pay taxes, own property, have a bank account, use a phone, you'll be tracked anyways. And if you have friends (or enemies), nothing stops them from posting your info.
Re: (Score:2)
vote, pay taxes, own property,
Public Data
bank account
Private. Penalties should exist.
use a phone
Hmm...mixed. Public airwaves. Almost like a CB Radio.
Deliberate legislation required if it doesn't already exist.
Re: (Score:1)
This isn't about 'stealing your data'.
This is about being able to create fake accounts for the purposes of researching if people react differently to a person based on information from a profile (specifically, the information which falls under 'protected status' like race).
The ACLU and research companies can't get your data unless you put it out there publicly. It's not like they are asking for permission to haxorz the facebook dbz.
If you put your data out there on the street you shouldn't go crying when so
To clarify: (Score:5, Informative)
This suit is over whether breaking a site's TOS consittutes a criminal offense under the CFAA, notably 18 USC 1030(a)(4-6) [cornell.edu].
There is a circuit split on this issue, which this suit attempts to clarify.
This suit does not have any impact on civil or contractual suits researches might face for breaking TOS, only whether doing so is a federal criminal offense under this specific law.
Re: (Score:2)
Thanks, I figured it was like Iron Man or something.
Re: (Score:1)
Under the CFAA, it is a criminal offense to, among other things, to gain something of value by "access(ing) a protected computer with intent to defraud," or "exceed(ing) authorized access." It is also an offense to access a "protected computer" without authorization and intentionally or unintentionally cause damage or loss, or to "traffic in any password similar information through which a computer may be accessed without authorization."
So a lot of the analysis depends on whether intentionally violating TOS
Re: (Score:2)
Given that in many cases researchers pay for the type of information the lawsuit is about, they are clearly getting something of value.
Aaron Swartz but we need an PD willing so stand up (Score:2)
Aaron Swartz but we need an PD willing so stand up to long case with EULAs as the contracts and no 100K+ bails
same argument used for experimentation on people? (Score:2, Interesting)
Re: (Score:1)
Because the intent is different. The intent here is social justice so the law shouldn't be allowed to be used against that.
Re: (Score:1)
It may be a different order of magnitude but somehow "I've got a great reason for violating you" just doesn't cut it in my mind.
I'll grant though that I tend to see personal violations greater than physical ones. For example, if raped, I'd much rather it be a physical assault than someone saying they love me, having sex, and then saying they don't love me and never did but just wanted to have sex. The latter is a much greater and more damaging personal violation because it involved my trust. I consider it t
Shitty summary. Read the actual complaint (Score:4, Informative)
I don't see in the actual lawsuit anything about swiping collected data, nor is the suit suggesting accessing website data other than through the normal access a person typing at a keyboard using the site in a normal way would do. In other words, it isn't about mass data grabbing from servers behind the web site.
What the complaint is covering is very narrowly defined behavior.
Here is the actual ACLU Sandvig v. Lynch - Complaint
https://www.aclu.org/legal-doc... [aclu.org]
It's about violating TOS access to websites that forbid using dummy accounts, bots to do testing, scraping (saving screenshots in this case), or violating TOS with non-disparagement clauses.
The complaint says that on-line access that may violate a TOS should not be covered under the CFAA, and that the penalties are far too harsh.
Here's what they're talking about: Researchers want use dummy accounts with the names of people that appear to be some minority group, so that they can see if that group is being discriminated against. As an example, AirBNB, VRBO and such like are prime examples of where that sort of discrimination is in play. Many sites require real names, and non-disparagement clauses would obviously be violated if the research turned up anything.
I especially object to non-disparagement clauses in sites that have an open interface to the public, and although I think that requiring real names is a valid stipulation to use a website, I cannot support that using an alias is a criminal act. The website has the option of cancelling your account if they don't like you much in the same way that the mall can kick you out for not wearing shoes.
Re: (Score:2)
Yep, what you said.
If you do get a chance, read the case and just skip down to points 173-179.
To my eyes this is the most important part of the case, and it addresses a big question: Why does Facebook get to decide that using an alias on their website is a federal crime? The case also points out that the TOS can be changed at any time, so even if you read it, your initially legal conduct could be criminalized at any time while you're using the web site.
The Challenged Provision Represents an Unconstitutional Delegation of Authority to Private Parties
173. The Challenged Provision delegates to website owners the legislative
power to determine which conduct is criminal.
174. The Challenged Provision makes it a federal crime to visit a website in a
manner that “exceeds authorized access.” The private parties that draft terms of service
determine the conditions under which access is authorized; as a result, they wield the
power to define the conduct that violates the Challenged Provision, including conduct
that occurs subsequent to accessing a website or is unrelated to any legitimate access
restriction.
175. The Challenged Provision does not merely provide for the enforcement of
private contractual arrangements: It renders conduct a separate, federal crime if it violates
a website’s ToS.
176. The private processes through which terms of service are drafted and
approved are closed and nontransparent, with no requirement for public comment or
participation. Because terms of service can be and are constantly revised, members of the
public lack even the most basic notice that revisions are in progress, and have no right to
participate in defining what terms of service require.
177. The government retains no control over the lawmaking process because
terms of service prohibitions, drafted by private parties without public input, effectively
become criminal prohibitions backed by federal law. The Challenged Provision allows
private parties unilaterally and undemocratically to define the conduct that constitutes a
crime.
178. The Challenged Provision fails to notify ordinary people of what conduct
is criminal because there is no requirement that ToS be drafted with the requisite clarity
or precision required for defining conduct that is criminal.
179. For these reasons, the Challenged Provision’s delegation of the legislative
power to private parties completely removes the lawmaking function from the political
process and from the mechanisms for democratic accountability, and is unconstitutional.
Points 162-169 are also interesting.
Re: (Score:2)
The case also points out that the TOS can be changed at any time, so even if you read it, your initially legal conduct could be criminalized at any time while you're using the web site.
It is the right of every property owner to determine if your access to their property constitutes a crime or not. This is simple common sense.
For example, if I open my door and say "party inside, y'all are welcome", then when you enter my property it is not the crime of trespassing. If I put up a sign that says "no trespassing", then your entry upon my property is a crime. Yes, truly, I have determined whether or not your presence on my property is a crime or not. Same act, two different results. I didn't
Re: (Score:2)
It is the right of every property owner to determine if your access to their property constitutes a crime or not. This is simple common sense.
It is the right of every property owner to determine if your access to their property constitutes a crime or not. This is simple common sense.
It may seem like common sense to you, but it is not true.
It is especially not true if the person is a tenant or has some previously agreed living arrangement, or if the property is otherwise open to the public.
There are many laws surrounding access to private property that is otherwise open to the public to enter, shopping malls for example.
The mall's owner's cannot arbitrarily declare that some behavior on their property is a criminal act and have you arrested for that. Suppose the mall decided to disallow
Re: (Score:2)
It may seem like common sense to you, but it is not true.
For the most common cases, it is quite true. The examples I gave are true. Facebook is not a rental property nor is it a public space. They have the right to determine what an authorized use is. You do not want the government making that decision.
There are many laws surrounding access to private property that is otherwise open to the public to enter, shopping malls for example.
The example of trespass is quite accurate even when applied to a shopping mall. All it takes to convert your legal presence into a criminal act is for the owners to have you trespassed from the premises. They call the cops, the cops issue you a trespass notice, an
Re: (Score:2)
I suppose the other thing that is bothering me is that the private property that is being regulated is mine.
Going to a web site and going to a store have something different. I'm using my device at home to access the web site.
The owners of the web site are saying that they have the right to dictate how I use my keyboard and mouse at my house. Whether I two-finger type in my userid "clovis" or use a vbscript sendkey to send the same string, the http/TCP/IP packet that arrives at the web site is indistinguish
Re: (Score:2)
I suppose the other thing that is bothering me is that the private property that is being regulated is mine.
Don't be silly.
Going to a web site and going to a store have something different. I'm using my device at home to access the web site.
You are using your device to access someone elses property. The violation of authorized use is not what you are doing with your property, it is what you are doing to someone elses.
The owners of the web site are saying that they have the right to dictate how I use my keyboard and mouse at my house.
Knock it off. You know that isn't what is happening. They don't care how you use your keyboard or mouse, they are responding to your use of their property.
Whether I two-finger type in my userid "clovis" or use a vbscript sendkey to send the same string, the http/TCP/IP packet that arrives at the web site is indistinguishable.
That's nice but irrelevant.
How can the owners of the web site declare it to be a crime to depending upon the method I use to create the packet on my PC?
They aren't, and you know that. The fact that you are creating thousands of packets containing fake names over a few hours pretending t
Re: (Score:2)
Whether I two-finger type in my userid "clovis" or use a vbscript sendkey to send the same string, the http/TCP/IP packet that arrives at the web site is indistinguishable.
That's nice but irrelevant.
How can the owner of a web site say that I cannot take a screen shot on my own PC or photograph the screen?
My God, are you never going to stop with this nonsense? They can't. And you know they aren't trying.
I'm not inventing these things. They are discussed in the complaint. You clearly have not read it.
The fact that you are creating thousands of packets containing fake names over a few hours pretending to want to rent an apartment on airbnb and sending them to the airbnb servers is the relevant bit.
Where did you get the idea that the researchers are creating thousands of packets containing fake names over a few hours?
Did you make that up, or do you have a source?
Re: (Score:2)
BTW, good talk ... see you around.
Re: (Score:2)
Here's what they're talking about: Researchers want use dummy accounts with the names of people that appear to be some minority group, so that they can see if that group is being discriminated against.
However, as a precedent, it would be applied much more broadly.
Automated access to the websites I run is an abuse of those sites, and such access is covered by a robots.txt rule. I don't care if an "academic researcher" thinks that making thousands of hits per hour is going to help him learn something, it's still an abuse and his desire is not an excuse.
I faced this issue back when robots were just taking over. I had a site that ran an ocean tide prediction program that I made available as part of other
Re: (Score:2)
Basically I agree with you about abusive bots, and this case document does state that these researchers scripts are designed to mimic an actual person typing and clicking, and they claim that their automated scripts should cause no impact or minimal impact. (point 96 or so)
Excessive/abusive access (whether by bots or groups of people) does need better rules regulating it. Right now the CFAA addresses that too vaguely.
And that should not be something in a TOS for one site but not another, it should be for al
Re: (Score:2)
And that should not be something in a TOS for one site but not another, it should be for all sites.
Of course not. There may be sites that are happy to have robots come index them, and they should not be limited by laws prohibiting that. Neither should laws permit robot indexing in any blanket manner, since there are sites who have decided they do not want this.
As for this "Determining if "uber" or "airbnb" are illegally discriminating is not an "academic research" problem. ", you're just plain wrong there.
BY DEFINITION, if someone is trying to determine if an illegal activity is being performed, it is not an academic research issue. It is a legal issue.
You're right that it is a legal problem, but studying laws and their impact on society
This alleged research project is not studying "laws and their impact on society", they're looking
Re: (Score:2)
Also important, by making fake accounts they make airbnb and uber less reliable since they obviously cancel any orders that do go through, which makes the users of the services trust them less. This is a material harm to the companies in question.
Re: (Score:2)
since they obviously cancel any orders that do go through, which makes the users of the services trust them less.
Not only that, but during the time that the property is rented it is not available to rent to someone who is actually seeking a place to stay. Further, if there are credit charges for deposits that need to be refunded, the company loses any transaction fees. These are even more direct material harm to the companies.
If the company tracks interest in a property and bases its rental rates on that interest, then fake rentals may appear to be fake demand, with an associated increase in the rental rate -- whic