Tuesday, November 28, 2006

Legality of Stealth Robots, Are They Trespassing?

What is the legality of a stealth robot, are they doing anything wrong?

Take a look at "Computer Hacking and Unauthorized Access Laws" and you'll see there's a quagmire of various laws but the topic that's most relevant to this discussion would be "Unauthorized access" which basically covers trespassing onto a computer, theoretically even if that service is a public web server as the laws don't specify the server or service has to be private.

I'm no lawyer, so this obviously isn't valid legal advice, just my musings over the content of the California law, particularly the definitions in 502.c:

(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:

(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

(3) Knowingly and without permission uses or causes to be used computer services.
Let's examine what these transparent stealth crawlers do and see if it fits the definition.

First, the people using stealth crawlers know if they use a real user agent like "Bob's Bot 1.0" that it will expose their presence and they will be blocked. To avoid this, they mask their presence which obviously falls under "knowingly accesses and without permission" to get to the content on the web site attempting to block their trespass.

Second, after they have gained access they "wrongfully control or obtain ..., property, or data" and do with it as they please, republish without permission, use to compile reports, etc., so I think we've covered two aspects here.

Even if the act itself causes relatively little harm, there is still a potential for penalty.
(3) Knowingly and without permission uses or causes to be used computer services.

(A) For the first violation which does not result in injury, and where the value of the computer services used does not exceed four hundred dollars ($400), by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.
The obvious solution for the crawler to be technically "legal" is to simply identify the bot by an obviously unique name like "Bob's Bot 1.0" and stop trying to spoof the web server as being Internet Explorer or Firefox in order to gain access.

I'd be curious what some legal minds might think about this interpretation of these laws for this particular application.


Anonymous said...

interesting point, I know that craigslist has something like this in their terms of service when you post. In other words, if you spam CL they can sue you for X amount per post. I wonder if anyone has been sued by CL?

StuartL said...

I find it interesting that these wonderfully "great guys" still won't reveal there UA despite repeated requests.

I'm afraid the latest excuse from Rand of "we're just too busy" says nothing positive but that bunch at all.

Doug Heil said...

Good stuff Bill. It seems to me the moz bot is in violation of the rules in California at least. Oh yeah, they have no time to deal with things now, but Rand does have time to write paragraphs of nothing. You'd think he also had the time to simply state the user-agent of his bot. People keep saying that it's no different from this site or that site, etc, but it is. Moz is a SEO. What if my firm created this same thing? Actually, a few years we seriously considered doing something similar but scratched the idea because of the exact same issues.... people would want to block it. Duh?