Is Breaking CAPTCHA a Crime?# ebiz - 电子商务
v*h
1 楼
看着captcha的讨论这么多,顺便搜到的。
http://www.wired.com/threatlevel/2010/07/ticketmaster/
Prosecutors in a New Jersey ticket scalping case are pushing the envelope on
the federal computer hacking law, setting a precedent that could make it a
felony to violate a website’s terms of service and fool a CAPTCHA,
according to electronic civil rights groups intervening in the case.
At issue is a four-month-old criminal prosecution against the online ticket-
reselling business Wiseguy Tickets, which allegedly used a network of shell
companies, rented servers and automated scripts to snatch up more than 1
million premium tickets for coveted concerts and sporting events, which it
resold for more than $25 million in profits.
The four Wiseguy defendants, who also operated other ticket-reselling
businesses, allegedly used sophisticated programming and inside information
to bypass technological measures — including CAPTCHA — at Ticketmaster and
other sites that were intended to prevent such bulk automated purchases.
This violated the sites’ terms of service, and according to prosecutors
constituted unauthorized computer access under the anti-hacking Computer
Fraud and Abuse Act, or CFAA.
But the government’s interpretation of the law goes too far, according to
the policy groups, and threatens to turn what is essentially a contractual
dispute into a criminal case. As in the Lori Drew prosecution last year, the
case marks a dangerous precedent that could make a felon of anyone who
violates a site’s terms-of-service agreement, according to the amicus brief
filed last week by the Electronic Frontier Foundation, the Center for
Democracy and Technology and other advocates.
“Under the government’s theory, anyone who disregards — or doesn’t read
— the terms of service on any website could face computer crime charges,”
said EFF civil liberties director Jennifer Granick in a press release. “
Price-comparison services, social network aggregators, and users who skim a
few years off their ages could all be criminals if the government prevails.”
The brief urges U.S. District Judge Katharine S. Hayden to throw out the
charges, on the grounds that they go beyond Congress’s intent in passing
the CFAA and would allow website operators to determine what constitutes
criminal conduct merely through their terms of service. The groups note that
website operators can arbitrarily change their terms of service, and users
often fail to read them. In such cases, users would not be given adequate
notice of what constitutes criminal conduct.
To prevent bots from purchasing tickets in bulk, online ticket vendors use
CAPTCHA challenges and Proof of Work software designed to detect and slow
down computers that are attempting to purchase large numbers of tickets.
They also block IP addresses showing suspicious purchasing activity.
But according to the indictment, unsealed in March, the Wiseguy defendants
devised sophisticated ways to bypass CAPTCHA challenges and defeat ticket
queues, landing them coveted spots at the front of purchasing lines.
Their bots monitored ticket websites and sprang into action the minute
tickets went on sale, opening thousands of internet connections
simultaneously from a changing lineup of rented servers and as many as 100,
000 different IP addresses. The scripts could defeat both visual CAPTCHAs
and the audio alternatives offered to visually impaired customers. When the
bots filled out purchase pages with customer credit card information, they
used fake e-mail addresses and mimicked human behavior by occasionally
making typing mistakes in the online forms.
The bots would then seize a block of prize seats, from which Wiseguy
employees would cull the best for clients, then release unwanted seats back
to the system.
In its amicus, EFF argues that the CFAA prohibits online trespassing and
theft, but “does not criminalize improper motives for access or improper
use after authorized access…. The fact that some of those people chose to
use automated means in violation of the websites’ terms of service may
result in a breach-of-contract claim, but does not convert otherwise
authorized access into a crime.”
In an interview, Granick told Threat Level that bypassing a CAPTCHA should
not be treated the same as cracking a password.
“Technologically and legally CAPTCHAs can be thought of as nothing more
than a speed bump as opposed to a barrier,” she said. “CAPTCHAs are very
easily broken. To the extent that it’s any kind of a guard, it’s one that
only works a certain percentage of the time. Figuring out how CAPTCHAs work
so you can solve them more quickly if you are otherwise authorized to use
the server is not a CFAA violation.”
The Wiseguy case recalls similar issues that arose in the 2008 prosecution
of Lori Drew, a woman who was charged with violating the Computer Fraud and
Abuse Act for participating in the creation of a MySpace account used to
bully a 13-year-old girl who committed suicide. In that case, prosecutors
charged the adult Drew with criminal hacking on grounds that she and her
alleged co-conspirators violated MySpace’s terms-of-service agreement in
providing false information to set up the account and use it to harass
another MySpace account holder.
A jury convicted Drew of three misdemeanor counts of violating the CFAA, but
the verdict was later overturned by the judge presiding over the case, on
the very grounds that the EFF is arguing in the present case — that
allowing such a prosecution to stand would leave it up to a website owner to
determine what constitutes a crime and allow what are basically breaches of
contract to become crimes.
A spokeswoman for the U.S. attorney’s office in New Jersey said her office
would not respond to EFF’s amicus brief in the Wiseguy case outside of the
legal response it will be filing in the near future.
http://www.wired.com/threatlevel/2010/07/ticketmaster/
Prosecutors in a New Jersey ticket scalping case are pushing the envelope on
the federal computer hacking law, setting a precedent that could make it a
felony to violate a website’s terms of service and fool a CAPTCHA,
according to electronic civil rights groups intervening in the case.
At issue is a four-month-old criminal prosecution against the online ticket-
reselling business Wiseguy Tickets, which allegedly used a network of shell
companies, rented servers and automated scripts to snatch up more than 1
million premium tickets for coveted concerts and sporting events, which it
resold for more than $25 million in profits.
The four Wiseguy defendants, who also operated other ticket-reselling
businesses, allegedly used sophisticated programming and inside information
to bypass technological measures — including CAPTCHA — at Ticketmaster and
other sites that were intended to prevent such bulk automated purchases.
This violated the sites’ terms of service, and according to prosecutors
constituted unauthorized computer access under the anti-hacking Computer
Fraud and Abuse Act, or CFAA.
But the government’s interpretation of the law goes too far, according to
the policy groups, and threatens to turn what is essentially a contractual
dispute into a criminal case. As in the Lori Drew prosecution last year, the
case marks a dangerous precedent that could make a felon of anyone who
violates a site’s terms-of-service agreement, according to the amicus brief
filed last week by the Electronic Frontier Foundation, the Center for
Democracy and Technology and other advocates.
“Under the government’s theory, anyone who disregards — or doesn’t read
— the terms of service on any website could face computer crime charges,”
said EFF civil liberties director Jennifer Granick in a press release. “
Price-comparison services, social network aggregators, and users who skim a
few years off their ages could all be criminals if the government prevails.”
The brief urges U.S. District Judge Katharine S. Hayden to throw out the
charges, on the grounds that they go beyond Congress’s intent in passing
the CFAA and would allow website operators to determine what constitutes
criminal conduct merely through their terms of service. The groups note that
website operators can arbitrarily change their terms of service, and users
often fail to read them. In such cases, users would not be given adequate
notice of what constitutes criminal conduct.
To prevent bots from purchasing tickets in bulk, online ticket vendors use
CAPTCHA challenges and Proof of Work software designed to detect and slow
down computers that are attempting to purchase large numbers of tickets.
They also block IP addresses showing suspicious purchasing activity.
But according to the indictment, unsealed in March, the Wiseguy defendants
devised sophisticated ways to bypass CAPTCHA challenges and defeat ticket
queues, landing them coveted spots at the front of purchasing lines.
Their bots monitored ticket websites and sprang into action the minute
tickets went on sale, opening thousands of internet connections
simultaneously from a changing lineup of rented servers and as many as 100,
000 different IP addresses. The scripts could defeat both visual CAPTCHAs
and the audio alternatives offered to visually impaired customers. When the
bots filled out purchase pages with customer credit card information, they
used fake e-mail addresses and mimicked human behavior by occasionally
making typing mistakes in the online forms.
The bots would then seize a block of prize seats, from which Wiseguy
employees would cull the best for clients, then release unwanted seats back
to the system.
In its amicus, EFF argues that the CFAA prohibits online trespassing and
theft, but “does not criminalize improper motives for access or improper
use after authorized access…. The fact that some of those people chose to
use automated means in violation of the websites’ terms of service may
result in a breach-of-contract claim, but does not convert otherwise
authorized access into a crime.”
In an interview, Granick told Threat Level that bypassing a CAPTCHA should
not be treated the same as cracking a password.
“Technologically and legally CAPTCHAs can be thought of as nothing more
than a speed bump as opposed to a barrier,” she said. “CAPTCHAs are very
easily broken. To the extent that it’s any kind of a guard, it’s one that
only works a certain percentage of the time. Figuring out how CAPTCHAs work
so you can solve them more quickly if you are otherwise authorized to use
the server is not a CFAA violation.”
The Wiseguy case recalls similar issues that arose in the 2008 prosecution
of Lori Drew, a woman who was charged with violating the Computer Fraud and
Abuse Act for participating in the creation of a MySpace account used to
bully a 13-year-old girl who committed suicide. In that case, prosecutors
charged the adult Drew with criminal hacking on grounds that she and her
alleged co-conspirators violated MySpace’s terms-of-service agreement in
providing false information to set up the account and use it to harass
another MySpace account holder.
A jury convicted Drew of three misdemeanor counts of violating the CFAA, but
the verdict was later overturned by the judge presiding over the case, on
the very grounds that the EFF is arguing in the present case — that
allowing such a prosecution to stand would leave it up to a website owner to
determine what constitutes a crime and allow what are basically breaches of
contract to become crimes.
A spokeswoman for the U.S. attorney’s office in New Jersey said her office
would not respond to EFF’s amicus brief in the Wiseguy case outside of the
legal response it will be filing in the near future.