Violating Terms of Service Possibly a Crime

From Wired News:

The four Wiseguy defendants, who also operated other ticket-reselling businesses, allegedly used sophisticated programming and inside information to bypass technological measures -- including CAPTCHA -- at Ticketmaster and other sites that were intended to prevent such bulk automated purchases. This violated the sites' terms of service, and according to prosecutors constituted unauthorized computer access under the anti-hacking Computer Fraud and Abuse Act, or CFAA.

But the government's interpretation of the law goes too far, according to the policy groups, and threatens to turn what is essentially a contractual dispute into a criminal case. As in the Lori Drew prosecution last year, the case marks a dangerous precedent that could make a felon of anyone who violates a site's terms-of-service agreement, according to the amicus brief filed last week by the Electronic Frontier Foundation, the Center for Democracy and Technology and other advocates.

"Under the government's theory, anyone who disregards -- or doesn't read -- the terms of service on any website could face computer crime charges," said EFF civil liberties director Jennifer Granick in a press release. "Price-comparison services, social network aggregators, and users who skim a few years off their ages could all be criminals if the government prevails."

Posted on July 19, 2010 at 1:11 PM • 46 Comments

Comments

RichJuly 19, 2010 1:33 PM

This is just out of control. As a programmer I am constantly looking for ways to automate my user experience online. I can say for sure that I violate all sorts of terms of service agreements (in the smallest of ways), however never with Criminal intent, or ever to the extent these guys did. Thank god I live in Canada.

AlJuly 19, 2010 1:46 PM

Ohh I see, so if a citizen violates the rights of a corporation you goto jail, if a corporation violates the rights of a citizen its business as usual.

kog999July 19, 2010 1:47 PM

Terms of service for sitex

"blah blah blah, we can change the these terms without notice at any time"

1 week later

"anyone currently using or has used in the past the name kog999 to post on this website is in violation of our terms of service"

guess i'm outta luck

I want to think our justice system would be smart enough to not let this stand but based on their track record i believe they will.

Also what if i got 1,000 of my friends together we camped out all night to be first in line and each bought the maximum amount of tickets then sold them for a profit. Would that be a crime as well? if not then there is no way this should be.

jamesJuly 19, 2010 1:57 PM

I am not in total disagreeance. I think it makes sense to obey the terms of service. Especially when denial of service becomes an issue r when regulators need to protect copyright.

I am a programmer. The only serious issue is the lack of a terms of service or the continually changing terms imposed by the service.

I can aggregate one day? But not the next?

I can download a freely available software package only to find out a few months later the license has changed?

There have been times when the terms of service have not been clearly defined and the rules are made up as the service provider goes.

I think it works both ways. There is a lack of understanding on the part of the developers in regards to how much resources are actually available to them, and there is a lack of understanding from the service providers that customers *ahem* programmers are self entitled gluttons who want it all.

The internet is currently living on ideals rather than reality in many circumstances.

Breaking a captcha, well... yes... I think it's a means t circumvent a protection measure. If I disobeyed the sign at the train station which says I should not cross the tracks, well... for my safety and the safety of others I would expect myself and anyone else breaking a "superficial" lock to be held accountable for it.

I don't believe there is any solid specific hard line any single rule can take. But come on, people need to stop playing into the hands of large corportation crowdsourcing ideals, and start sticking up for their own futures, otherwise criminals will be the only successful entrepreneurs out there (as if). jmo...

kashmarekJuly 19, 2010 2:07 PM

Another example of the government turning honest citizens into criminals whereas they have never turned a criminal into an honest citizen.

Harmy GJuly 19, 2010 2:24 PM

I am really torn on which side I am on in this case. I hate ticketmaster, but I also really hate ticket resellers. I guess I'll root for a long drawn-out battle that costs both sides a lot of money.

RHJuly 19, 2010 2:30 PM

@Harmy G: just do what I do... I've boycotted the whole business. If my tickets go through ticketmaster, I simply find my entertainment elsewhere, like renting DVDs.

If the industry thinks they'll replace music sales with concerts (accepting their argument that they're losing sales in the first place), they'll need to find a more transparent ticketing agency.

As for this one issue... where is the line between a criminal and "just another bloke cheating the system." I'm not familiar with any solid answer to that question

CJuly 19, 2010 2:47 PM

TicketMaster is a monopoly that has scalped tickets themselves:

http://www.nydailynews.com/news/2009/03/09/...

While I'm happy EFF are going after scalpers, I find the much bigger problems in the ticket industry far outweigh the Wiseguys in this case.

And as someone else pointed out, using ToS here is just feels like another avenue to prosecute individuals while companies can continue to conduct shady business at their expense.

kog999July 19, 2010 2:52 PM

I hate how things on the internet are treated differently in courts and by the people then things in real life based on no other reason their its online. Imagine i buy a car say a Toyota. they have terms of service they leave in the glove box for me to find. It says by starting this car the first time i agree to these terms. they say i can only have my car serviced at a toyota dealership. If i have it serviced anywhere else or if i dont have it service every 5,000 miles they can take the car back. Oh and i need to buy my gas from their partner BP. People dont read the terms for a car purchase beyond the monthly payment any more then they do for a website. I wish a car dealership would do something like this just to see how the courts would handle it. i suspect it would be thrown out of court alot quicker then an internet based case.

PeterJuly 19, 2010 3:30 PM

Is breach of contract a criminal act? Isn't a ToS considered to be a contract?

snarkJuly 19, 2010 3:33 PM

ToS are at best civil contracts, at worst no better than "Swim at Your Own Risk" notices. This trend of making civil violations into criminal charges is going too far. There's a reason the courts are separate entities.

JimFiveJuly 19, 2010 4:01 PM

@kog999
Car dealers used to try stuff like this, it was made illegal in the 1970s(?).
--
JimFive

JamesJuly 19, 2010 4:07 PM

It's too unilateral and the websites have too much control. I agree that you can leave it as a contract and if the visitor breaks it then the website can break their side of the deal, but criminal is obviously going too far. This is what happens when you get some zealous prosecutors that are holding on to anything that can allow them to move on with the charges.

What if the company breaks the contract? Are they going to arrest the logo or the CEO? Many companies have lost private information about users only to go "oops". Little is done about it, much less criminal.

Maybe the prosecutor wants some good tickets.....

Peter E RetepJuly 19, 2010 4:16 PM

The problem of criminalizing "violations" of the terms actually compounds somewhat more.

TOS and TOU are written for many purposes.
Prior Restraint is an unlikely outcome.

Some are written to define a minimum that is tranferred.
If the issuer transfers more than is specified, does this make the owner and/or the buyer/user criminals?
Does Maple Leaf allow one to calculate munitions operations?
Is it therefore a violation of U.S. Federal Law for a Canadian visiting in the United States to resell a copy of Maple Leaf to a citizen of Iran? If so, which revision, and as of when?

Other TOS are written to disclaim or limit liability for misuse of applications. This application is NOT intended to be used to control nuclear reactors, says a famous SUN Microsystems TOU.

Others protect against an implied guarantee of performance that is logically impossible for the provider to guarantee.

Bavis Meacon does not guarantee that use of this product will improve your GPA in high school or college.

Others are written to insulate the issuer of the service from the differing jurisdictions ideals of transferred responsibility beyond the agent for their own acts.
Micro Flight Commander does not qualify the user to operate an actual US F-129 fighter aircraft, nor license the user to strafe or bomb targets with such a device.

Or, for example, a word processor translator's terms of use license is void if the word processor is used to write a criminal extortion note, to avoid having the word processor becoming an accessory to a terrorist act.

Ah, the magic words, in the era of electronic magic.

That is the real witch hunt problem: badly understood science and technology. The Mathers (Cotton and Justice) were in the high tech leading edge science debate of the day, and actually on the side of unobserved causes for diseases rather than strictly mechanical observable criminal causes (poisoning), and so pre-figured the germ theory. They got led astray by (a) a lack of microscopes to identify the agents and (b) a confusion of unobserved with the magical.

The untrained mind often tries to deal with (electronic magic) as (magic) rather than as technology.

Peter E RetepJuly 19, 2010 4:18 PM

@ Peter

A breech of contract cabn be a criminal act if it defrauds someone.

Tangerine BlueJuly 19, 2010 5:12 PM

@kashmarek

Just as laws can criminalize virtue, so laws can sanction vice.

JohnTJuly 19, 2010 5:31 PM

I thought this was settled in the Lori Drew case! The LA US Attorney charged Lori Drew with violating the Computer Crime Act because she violated MySpace's (?) TOS. Eventually, the trial judge threw the case out as a too-broad extension of the Computer Crime law. I followed this case as close as I could, and was relieved that the case was thrown out. Orin Kerr of the Volokh Conspiracy defended Drew pro bono, and someplace I have stashed away his successful arguments. In addition to TOS, I was also worried about the law being too broadly extended to EULAs.

I'm dumbfounded that yet another prosecutor is trying to extend this bad law where criminal law should not go.

Can't we prosecute prosecutors?

JamesJuly 19, 2010 6:29 PM

@JohnT

You're right except in common law, only supreme court decisions apply to all lower courts. Decision in some region of the country apply only to that and all lower courts of that region and not to the country as a whole. That's why the supreme court is called to solve the divide when different circuit courts end up with different rulings for the same basic questions.

NobodySpecialJuly 19, 2010 9:22 PM

There was also a case which ruled that typing in an address - so simply changing page1.html in the title to page2.html rather than clicking 'next' was hacking ie illegal access to a computer system.

It was based on somebody who simply typed in next weeks date to get the answer to a competition - but is probably a terrorism crime now !


PhilJuly 20, 2010 2:05 AM

On this specific situation, there's no doubt about the criminal part.

These resellers have designed their software to bypass security measures (their weakness is secondary to this matter). The important part is that this is the core of their own reselling business.

What qualifies it as criminal activity is not that they violated contract terms once in a while by mistake or for comfort but that they do it on a large scale and as a business.

SnallaBolagetJuly 20, 2010 4:57 AM

@NobodySpecial; You're probably right. It doesn't take much to be a terrorist these days. We probably all qualify just or nosing around in security stuff. ;)

I've always thought that TOS's were supposed to protect the website (owners) from prosecution, not lead to the prosecution of "civilians". The expansion of the use of ToS's probably won't hold up in court, in the end, also because it would be impossible to prosecute the instances originating from another country.
I.e. if I were to access a website flagged to South Africa and break their ToS, I would never be picked up by the cops.

That would also go for someone from outside the US breaking US-based sites' ToSs.

BF SkinnerJuly 20, 2010 6:45 AM

@Peter "Is breach of contract a criminal act"

Companies CHOOSE to breach contracts all the times for various reasons.

@kashmarek "Another example of the government ..." RANT REDACTED.

Uh. No. This is an argument between those magically wonderful private enterprises who bring everything good to the world and their users.

This ruling is based on interpretation of law by courts. Just like RIAA being an acceptable (though vile) advocate for it's industry is based on law.

Don't like the law? Get off your duff and Change 'em.

@SnallaBolaget "and break their ToS, I would never be picked up by the cops"

Possibly. But with the movement and transparency of records it could be used to deny entry. Maybe not sufficient to become a No-Fly villian but I have a friend who had a DUI years back. Can NEVER go to Canada.

greg roodyJuly 20, 2010 7:35 AM

Think about it this way. Almost every cable/dsl/cell ISP has terms of service that state you can only connect ONE computer to their network.

How many computers, game systems, DVR's, etc do you have on your home network as we speak?

Welcome to the felon pool.

anonJuly 20, 2010 8:02 AM

Here's what get's me. Ticketmaster is basically complaining that they sold tickets to someone against their will.

Really? Here's the deal, if you don't want to sell to someone ... DON'T SELL TO THEM, the merchant controls this transaction. If, as a merchant, you are incapable of determining who you sell to, either quit complaining, get out of the business, or develop better authentication schemes. From where I sit, as much as I hate ticket re-sellers, the onus is on Ticketmaster.

Just because a store has a no more than 3 items per customer policy, doesn't mean the burden is on the customer not to exceed it (even if you don disguises to skirt the policy.)

Michael LockyearJuly 20, 2010 8:08 AM

So anyone who uses Greasemonkey or similar techniques to change the way a browser interacts with a website (for example bypassing a POORLY IMPLEMENTED captcha) could be charged with hacking?


BF SkinnerJuly 20, 2010 8:11 AM

@anon "store has a no more than 3 items per customer "

Be an outlaw! Take 16 items into 10 or less express checkout!

David ThornleyJuly 20, 2010 9:29 AM

@kog99: Your analogy is off. Buying a car is like buying software, and you're arguing against EULAs.

A website is a service, not a product. Once I've bought a car, it's mine. If I want to take it to a certain mechanic, I have to abide by that shop's terms of service.

The problem I'm seeing with the Ticketmaster issue is that it's not easy to enforce terms of service programmatically. No physical ticket outlet would be subject to the same mass purchases, because that behavior will be noticed and a solution implemented (whether standard or improvised). The only real recourse Ticketmaster would have would be to void the transactions and invalidate the tickets later, and that's got its own problems. (Ticketmaster could try to stop such behavior, at which point they're in an arms race they'll probably lose.)

Therefore, websites are trying to up the consequences of violating ToS, since they can't enforce them themselves. This is similar to some RIAA lawsuits about illegally copied music: there's no good technical way to stop such copying, so the RIAA is using high-profile lawsuits with devastating penalties as a threat.

paulJuly 20, 2010 9:33 AM

Anyone who reads this comment must immediately stand up and walk three times around their chair counterclockwise. Reading this comment constitutes acceptance of its terms of service.

It might be instructive to look at the physical world for analogies here. Sometimes violating posted terms of service is criminal even if no other measures have been put in place for security, sometimes not. Consider for example "No Trespassing" signs, or unattended moneyboxes for coffee or books. Or dress codes for restaurants.

I'm almost comfortable with the idea of ToS violations as aggravating factors in the commission of some other crime. In this case, for example, it appears that the defendants may have committed fraud for profit, since Ticketmaster would not have sold to them had they used their own identities and credit cards.

CSJuly 20, 2010 9:59 AM

This is a cut & dry case... people should stand up against it.

It may be possible to charge the fraud case under other, better laws.

You don't just make it up as you go, especially with material these lawyers apparently aren't smart enough to wrap their heads around.


These guys should be shunted off to lesser jobs, get guys who know how to prosecute a case that will stand up in court... and not waste a ton of tax payer money on.

Only ones celebrating here may be the media for having these people give them such an outrageous story.

(Joking.)

(On the last paragraph.)

(I sometimes wonder, shouldnt need to be explained... but after a story like this one starts to wonder: can people really be this stupid? Is that normal? )

(No. They have some agenda.)

JBJuly 20, 2010 10:13 AM

@Peter E Retep

If there's fraud involved in the breach of a contract, then the fraud is a criminal act because it's fraud, not because the contract that was breached. Contract law is quite permissive about breaches--you can't even recover statutory damages, only real damages, and different states have differing opinions as to what constitutes real damages. That's why walking away from an underwater mortgage is so popular these days--many states consider the actual-damage remedy to be the house offered as collateral, so defaulting on the contract can be a prudent financial move.

Sarcastic SamJuly 20, 2010 11:55 AM

[sarcasm]You mean if I run a website and have a grudge against someone, I can just rewrite my TOS and then have the full force of government available to prosecute them and get them sent to prison? Awesome![/sarcasm]


This has to be the dumbest thing I've ever heard of.

RichJuly 20, 2010 3:14 PM

@Kyle
Wrong, if they have an API, use it.

If they don't, make a web crawler.

grrJuly 20, 2010 3:18 PM

I hope this gets slapped down. Even if the methods used by these resellers are pretty slimy, this will create a whole class of new criminals out of otherwise perfectly law-abiding citizens. Most of these new "crimes" will go undetected or at least unpunished, until the authorities decide they want to pile on you for some reason and then they will haul out these charges to give you an extra 2 years because you violated Facebook's terms of service (or whatever).

For one thing, NOBODY READS the Terms of Service(tm) of a web site before using it. Do you know anyone who read their last cell phone contract from beginning to end before signing it? I don't. How about an online game like World of Warcraft? They change their terms of service about every two months. Every time they do, all of the players are prompted to read it again (but the changes are not hilighted or anything like that). Its like 5 pages long. Nobody, NOBODY reads those damn things. Like EULAs, trying to enforce them as contracts is ridiculous because one party dictates the terms and the other has no choice but to take it or leave it. Contracts of adhesion are supposedly unenforceable, but shrink-wrap EULAs seem to have survived so far anyway. Lets not go and add legal enforceability to "Terms of Service" too, thats just nuts. Adding new classes of harmless criminals will just have the effect of decreasing most people's respect for the law.

grrJuly 20, 2010 3:28 PM

@paul:

It might be instructive to look at the physical world for analogies here. Sometimes violating posted terms of service is criminal even if no other measures have been put in place for security, sometimes not. Consider for example "No Trespassing" signs, or unattended moneyboxes for coffee or books. Or dress codes for restaurants.

------------

Those are examples where there are specific laws, where being notified of something affects whether you are violating the law.

That is totally different from saying "anybody can put terms of their own choosing on a website, and if you don't comply with them you are now guilty of a crime". For one thing, in the former case it was *legislators* that carved out each area of illegal behavior. But with the Terms of Service crap, anybody will be able to make your behaviour illegal (perhaps retroactively) without you even realizing it. Its just going to make the legal system even more of a mockery than it already is, if they succeed with this argument.

Why should we even try to even follow the laws when its effectively impossible to know what they are? This is technically already the case, but its not biting us often enough for people to realize how stupid it is and try to do something about it. But I can imagine a ruling like this leading us quite a ways down that slippery slope.

Peter A.July 21, 2010 4:06 AM

Non-resellable tickets (or any law or ToS against reselling) is a leftish nonsense in the first place. If I buy someting it's mine to sell or do whatever I wish with it - this SHALL be the RULE. If there is someone willing to pay $10k for a Lady GaGa show ticket of $100 face value, let him pay! If the original seller begrudges someone for making $9.9k on resale, he should have offered the ticket for $10k in the first place (and take the risk of not having sold it) - or, smarter, hold an auction for the last 10 seats or so.

You think it's immoral or at least inappropriate? Close the NYSE! Some guys there are buying stuff cheap and selling it at a much higher price the next day or month all the time!

paulJuly 21, 2010 10:22 AM

Peter A:

And here I thought laws against reselling were rightish nonsense, engendered by big content distributors.

They can also be looked at as simple market-efficiency rules. If people know that others will have preferential access, they may be less willing to buy at all, reducing utility for everyone but the resellers. And if reselling is perfectly OK, then the incentives for primary sellers to get in bed with them (the equivalent of front-running in the stock market) are way too big.

jrJuly 21, 2010 5:24 PM

@grr

I read my last phone contract. Really annoyed the guy in the store.

As someone said, "If Terms of Service become law, then we all become legislators." That would be horrible.

I would like someday to see legislation making it unlawful to change your ToS without notifying all parties involved in some manner. I've always cringed at that statement.

RossJuly 22, 2010 4:57 PM

When the terms of service can change at any time, this is a particularly dangerous precedent. A business I used to work for was badly burned by changing advertising terms, which isn't quite the same, but similar. We saw an ad, bought a service for what appeared to be a flat fee, and then found out later the service had additional rates. When we disputed with the credit card company, we were basically told we couldn't rely on the ad and the purchase page (neither of which mentioned any additional fees), we needed to have wandered around the rest of the site looking for other pages where that rate might have been mentioned.

Okay, so a little off-topic, but I was kind of surprised by the "you have to read and know an entire site to know what you're getting" stance.

MFPAAugust 15, 2010 4:44 AM

@SnallaBolaget: "That would also go for someone from outside the US breaking US-based sites' ToSs."

Not true - in recent years the US has extradited various people from the UK to stand trial on the flimsiest of charges. Think Gary McKinnon or the three NatWest bank staff.

MFPAAugust 15, 2010 5:14 AM

Reselling tickets at whatever price people are willing to pay for them is simply an application of the principle of supply and demand. If the organisation that sold me the ticket tries to impose without negotiation a term about not reselling the ticket, that is an unfair term that disproportionately disadvantages the consumer and could be legally challenged.

---


@SnallaBolaget: "That would also go for someone from outside the US breaking US-based sites' ToSs."

Not true - in recent years the US has extradited various people from the UK to stand trial on the flimsiest of charges. Think Gary McKinnon or the three NatWest bank staff.

---

@Peter E Retep: "many states consider the actual-damage remedy to be the house offered as collateral"

I've never understood how there could possibly be another fair interpretation. The lender accepted the house as security for the loan; if the borrower can't/won't pay up and the house is not valuable enough to clear the debt, that reveals an error of judgment on the lender's part. It should be their own problem; they should not be permitted to try and mitigate for their mistake by pursuing the borrower for the shortfall.

---

@grr: A restaurant operating a dress code that was discriminatory could be commiting a crime. A person ignoring the dress code is not commiting any sort of offence, civil or criminal (and might be refused service).

David SchwartzAugust 15, 2010 11:35 PM

This is not like the Lori Drew case. In the Lori Drew case, the violations of the ToS were not in bypassing security measures. And the victim was not the site owner.

Here, while the actions do violate the ToS, that's not the reason they're punishable. They intentionally bypass code-based security schemes. They're legally and morally equivalent to using an exploit. And the victim is the site owner.

The real world equivalent of what happened in the Lori Drew case is being arrested for walking into a fancy restaurant without a tie. The real world equivalent of this case is taking all the cup lids, napkins, and ketchup packets at a fast food restaurant.

ddAugust 16, 2010 1:52 AM

Thinking like this has turned America into a witch hunting country, with overflowing prisons making huge dents on the budgets. Make the law tight enough and there wont be any taxpayers to pay the taxes, all will be inside jails. Jails should be reserved ONLY for violent people not for ANYONE else. For any other offender, the punishment should be compromise, fines or discrimination not jail time.

Alex BAugust 17, 2010 4:54 PM

Good grief. Those guys defeated a reasonable process to make a huge profit scalping the tickets. Any way you look at it, that needs to be a crime. Quit moaning about the terms of service (a pseudo issue at best) and draft a law (in writing, it's called the Rule of Law) that makes that conduct illegal. Happy drafting!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..