This is bad reporting on a reasonable ruling. Power were sent a cease and desist letter, and had their IPs blocked by Facebook, and then circumvented the block to continue using the service. Permission had been clearly revoked, and the judge is careful in their ruling to note that in ambiguous circumstances the deference should be to the user, not the server owner. Furthermore, the ruling makes clear that a TOS violation is not sufficient for liability under the CFAA, which is absolutely a good thing. One of the CFAA’s problems is a lack of case law related to it (many high profile cases involving it were settled before trial). This is good case law, and the reporting makes it sound terrible.
It’s funny to me that companies like Facebook and LinkedIn freely abuse OAuth to mine customer data, but when somebody else does it “Holy shit stop the presses everyone this is a hacking disaster!”.
Instead of looking at the usual “APIs are public and use thereof shouldn’t be prosecuted”, or “Computers are private property, this is trespassing”, or any of the threadbare arguments that usually get brought up first–look at the question of authorization, and look at the question of having a different IP to source a request from.
Has anybody sent Facebook a cease and desist letter informing them that OAuth access has been revoked?
I’m willing to entertain the idea that sometimes people don’t know they are “hacking” because the server sends back “200 OK”, though most people are probably bright enough to suspect a site operator may not approve of their SQL injection hijinks… But when you get a letter in the mail that says “YOU, YES YOU, STOP NOW”? Hard to play dumb.
I would be much more concerned if Power got a C&D, generally obeyed it, but then was busted because a visitor connected to Facebook via their office wifi. That would be silly. But the access in question was neither accidental nor incidental.
I think the part about this that bugs me is that the users were providing access to their own data, stored on Facebook servers, to this company and that the C&D would limit their ability to delegate access to that information.
However, the part about event creation and whatnot I have no problem with Facebook wanting off their system–let the users organically make their own shilling groups for Power if they want to.
Yeah, if they had provided a client app for users, I’d feel pretty differently. In much the same way that ad blockers are something that sites have to put up with, but an ad replacing/injecting proxy is a separate matter.
This is such a bad idea.