
You can’t coerce someone into a contract against their will, but you also can’t try to get the benefits of a contractual arrangement without agreeing to the contract. And agreement does not have to mean signing on a dotted line. For example, if you say “I’ll pay $100 for someone to clean my yard,” and someone comes and does it, the contract is binding (acceptance by performance).

In the LinkedIn case here, someone didn’t just happen to involuntarily agree to the TOS by making an HTTP request. They agreed to the TOS as part of creating a new account. That’s an affirmative act, as part of a bargained-for exchange. It’s no more “coercive,” in substance or form, than the release I signed the other day to rent a jet ski. You want the benefit of access? Abide by the terms.

After having agreed to the terms, the Does violated them repeatedly on a mass scale. Again, this wasn’t accidental. The complaint lists a litany of ways where the scrapers clearly encountered technical barriers LinkedIn put in place, and used technical means to get around them.



This is a catch-22. I see this mostly on US sites in regards to cookies.

Something along the lines "by using this site, you agree to our terms of service and use of cookies". You'll definitely see a banner like this on paywalled news sites.

Thing is, I got to the site from a link from say HN. I haven't agreed to anything, let alone seen the ToS, let alone had a chance to affirm or unaffirm to the conditions until I've already used the website. Thus, they assume my tacit approval of their ToS. The only way to not agree to the ToS is to never have visited the site to begin with. Yet, you cannot know the ToS unless you visit the site, and even if you knew the exact link to their ToS, that is still construed as usage, and once again assumed implicit approval.

Additionally, if I'm accessing publicly available material without being authenticated, you cannot prove I ever agreed to your ToS.

I don't work on scrapers or anything, but I abhor the idea that I have implicitly entered into a contract by virtue of visiting a public, unauthenticated, webpage.

Want me into a contractual ToS? Make me sign up and sign in.


> Something along the lines "by using this site, you agree to our terms of service and use of cookies".

This is something I have seen getting a lot of rise since the introduction of the GDPR on German/European sites.

The law text of the GDPR on the other hand is kind of strict in that you really have to agree to something by clicking and this "accept by doing nothing"-method is explicitly not valid.

Curious to see when the first people will go to court against this.


I’ve always assumed those “by using this * you agree to *” statements are meant for someone else. Presumably they’ve read and agree with whatever it is I’m skipping.


People will not be going to court. It is up to the data protection agency of each respective country to build a case based on the available evidence (eg have they been informed, what was their response, have they been given adequate time to compensate, did they know they were breaking the law, etc).


You're right on this. I think we need a legal test case or whatever to stop this loophole, that's what I wanted to say.


Suppose a company allows anyone to access HTTP resources without authenticating.

In that case, can people get in trouble for scraping such HTTP resources at scale, all around the Internet?

I am worried not about breaching the TOS, but the kind of "hacking" definition that involves "circumventing the intended use" regardless of technological availability and never agreeing to a single contract.


If by “hacking” you’re talking about the CFAA, (1) violating that statute requires knowledge that you’re exceeding authorized access; (2) the Ninth Circuit has held that merely violating the TOS can’t be the basis for a CFAA violation anyway.

To go back to the LinkedIn example of the article. The predicate for the CFAA claim is not merely scraping. It’s intentionally bypassing technological measures intended to block the scraping, after there was notice that the scraping was not permitted.

It’s very much like real life. If a shop keeper has the door open, he can’t sue you for trespass for walking in and looking around. That’s called implied license. But if he kicks you out and tells you not to come back, you can be prosecuted for trespass if you come back, even if the shop keeper leaves the door open for everyone else. An open web server is similar.


So, scraping data at scale is fine until they rate-limit you or cut you off. Which means if you used a botnet and rate-limited yourself "just to be safe" or "just to be nice" without knowing whether they liked it or not, then that's fine.


There could be a strong argument that continuing to make additional http requests after the first one constitutes accepting the ToS. If you didn't accept them you shouldn't continue to use the website by making further requests, and you should discard the content of the first request without using it.


> There could be a strong argument that continuing to make additional http requests after the first one constitutes accepting the ToS

You generally can't even _see_ the ToS without making further requests.



