Tuesday, April 26, 2016

My Web Browser's Terms of Service

This post was co-authored with Jefferson Bailey. NB - neither of us is a lawyer. Follow us below the fold to find out why this disclaimer is necessary.

Many web sites have explicit terms of service. For example, here are the terms of service that "govern your use of certain New York Times digital products". They start with this clause:
1.1 If you choose to use NYTimes.com (the “Site”), NYT’s mobile sites and applications, any of the features of this site, including but not limited to RSS, API, software and other downloads (collectively, the "Services"), you will be agreeing to abide by all of the terms and conditions of these Terms of Service between you and The New York Times Company ("NYT", “us” or “we”).
So, just by using the services of nytimes.com, the New York Times claims that I have agreed to a whole lot of legal terms and conditions. I didn't have to click a check-box agreeing to them, or do anything explicit. The terms and conditions are not on the front page itself, they're just linked from it. The link is hard to find, in faint type at the very bottom of the page, wedged blandly between "Privacy" and the eye-glazing "Terms of Sale."

Among the terms that I'm deemed to have agreed to are:
2.3 You may download or copy the Content and other downloadable items displayed on the Services for personal use only, ... Copying or storing of any Content for other than personal use is expressly prohibited ...
So, if the Terms of Service apply, Web archives are clearly violating the terms of service. Interestingly, there is an exception:
9.1 You shall have no rights to the proprietary software and related documentation, or any enhancements or modifications thereto, provided to you in order to access the Services ("Software"). ... You may make one copy of such software for archival purposes only. ...
The software they are talking about must be the JavaScript they deliver to my browser. Recently there have been many instances of advertising networks serving JavaScript malware to visiting browsers, but if any of the ad networks the New York Times uses does this to you:
5.2 ... THE SERVICES AND ALL DOWNLOADABLE SOFTWARE ARE DISTRIBUTED ON AN "AS IS" BASIS WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOU HEREBY ACKNOWLEDGE THAT USE OF THE SERVICES IS AT YOUR SOLE RISK.
The New York Times claims not to be liable. Even if you thought "arguing with a man who buys ink by the barrel" was a good idea:
11.1 These Terms of Service have been made in and shall be construed and enforced in accordance with New York law. Any action to enforce these Terms of Service shall be brought in the federal or state courts located in New York City.
Good luck with that.

So the interesting question is whether, in the absence of any explicit action on my (or an archive's crawler's) part, the terms of service bind me (or the archive)? Now, IANAL, and even actual lawyers appear to believe the answer isn't obvious. But writing on the Technology and Law blog a year ago, Venkat Balasubramani suggests that unless there is an explicit action indicating assent, the terms are unlikely to apply:
In place of the flawed browsewrap/clickwrap typology, we can use a simple non-overlapping typology for web interfaces: Category A is a click-through presentation where a user clicks while knowing that the click signals assent to the applicable terms; and Category B is everything else, which is not a contract.
Let us assume for the moment that Balasubramani is correct and if there was no click-through the terms are not binding. In the good old days of Web archiving, this would mean there was no problem because the crawler would not have clicked the "I agree" box. But in today's Web, browser-based crawlers are clicking on things. Lots of things. In fact, they're clicking on everything they can find. Which might well be an "I agree" box. Lawyers will be able to argue whether the crawler clicked on it "knowing that the click signals assent to the applicable terms".

Let us instead assume the contrary, that despite the lack of an explicit action conveying agreement, the terms are binding. In the good old days of the Web, my browser requested service from nytimes.com and as a result I agreed to their terms of service. But the Web's model has evolved from linked documents to communicating programming environments. Now, my browser requests service from nytimes.com, and in return nytimes.com requests the service of running JavaScript code from my browser.

Making this assumption, Jefferson and I argued as follows. Suppose my, or the archive's, browser were configured to include in the HTTP request to nytimes.com, a Link header with "rel=license" pointing to the Terms of Service that apply to the services available from the requesting browser. The New York Times would have been notified of these terms far more directly than I had been of their terms by the faint type link at the bottom of the page that few have ever consciously clicked on. Thus, using exactly the same argument that the New York Times used to bind me to their terms, they would have been bound to my terms.

What's sauce for the goose is sauce for the gander. If an explicit action is required, archive crawlers that don't click on an "I agree" box are not bound by the terms. If no explicit action is required, only some form of notification, browsers and browser-based crawlers can bind websites to their terms by providing a suitable notification.

What Terms of Service would be appropriate for using my browser? Based on the New York Times' terms, perhaps they should include:
1.1 If you choose to use any of the features of this Browser, including but not limited to the ability to run JavaScript and WebAssembly (collectively, the "Services"), you will be agreeing to abide by all of the terms and conditions of these Terms of Service between you and [insert name] ("us" or "we").
1.2 We may change, add or remove portions of these Terms of Service at any time, which shall become effective immediately upon posting. It is your responsibility to review these Terms of Service prior to each use of the Browser and by continuing to use this Browser, you agree to any changes.
and:
1.4 We may change, suspend or discontinue any aspect of the Services at any time, including the availability of any Services feature, database, or content. We may also impose limits on certain features and services or restrict your access to parts or all of the Services without notice or liability.
and:
4.1 You may not access or use, or attempt to access or use, the Services to take any action that could harm us or a third party. You may not access parts of the Services to which you are not authorized. You may not attempt to circumvent any restriction or condition imposed on your use or access, or do anything that could disable or damage the functioning or appearance of the Services,
I.e. you and your advertising networks better not send us any malware. And, of course, we need the perennial favorite:
5.2 ... THE SERVICES AND ALL INFORMATION THEY CONTAIN ARE DISTRIBUTED ON AN "AS IS" BASIS WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOU HEREBY ACKNOWLEDGE THAT USE OF THE SERVICES IS AT YOUR SOLE RISK.
A reverse EULA. Wouldn't you like to be able to do this?

So far, this may sound like a parody or a paranoid fantasy. But many online media companies have begun to target client-side browser information to police content delivery. Sites like Forbes, Wired, and maybe even (gasp) The New York Times are now disallowing access to their sites for those with ad-blocking browser add-ons:
We noticed you still have ad blocker enabled. By turning it off or whitelisting Forbes.com, you can continue to our site and receive the Forbes ad-light experience.
It turns out that the "Forbes ad-light experience" includes free bonus malware!

You have probably noticed that European websites are now subject to the Cookie Law, requiring your click to explicitly assent to the web site's use of cookies, because the use of cookies implicates the EU's directive on privacy. Alexander Hanff argued:
that using an ad-blocker detector script is basically doing the same sort of thing as a cookie in terms of spying on client-side information within one's web browser, and a letter he received from the EU Commission apparently confirms his assertion.
Thus running a script that collects information from an EU citizen's browser (which is what the vast majority do) apparently requires explicit permission. If Hanff's efforts succeed, anticipate European Web publishers going non-linear.

As the web has grown into a processing environment, it presumes a reciprocal interactivity, the parameters of which are still shifting and unbalanced. In the end the terms of this overall interplay of information exchange and license seem, as they so often do, inequitable. The future is here, it's just not evenly licensed. On one end, media and other corporate content sites target user browsers, inject (accidentally or via 3rd parties) potentially malicious scripts, monitor for plug-in screeners, install browsing trackers, analyze cookies and add all sorts of profiling and monitoring scripts, all generally without any explicit agreement on our part. On the other hand, we, simple users, often are presumed to agree to prolix legalese and verbose, obscure license agreements, all simply so we can read about people doing yoga with their dogs.

7 comments:

David. said...

Megan Geuss at Ars Technica reports that a federal judge has ruled that Facebook's Terms and Conditions don't override Illinois law:

"Last week, a Northern California District Judge ruled that Facebook will have to face a class action lawsuit (PDF) from Illinois Facebook users who are unnerved by the site’s photo-tagging feature that relies on facial recognition ...

The lawsuit had been transferred from an Illinois court to one in California at Facebook’s request. The social media company then asked the judge to dismiss the case, saying that the plaintiffs had no grounds to sue given that Facebook’s Terms and Conditions have stipulated since 2015 that claims against the company must be litigated according to California law, where no such provision against biometric tagging exists.

The judge denied the request to dismiss the case, ruling that dismissing the case because California has no such prohibition against the collection of biometric data is “contrary to a fundamental policy of Illinois.”"

David. said...

Jérôme Segura's Large Angler Malvertising Campaign Hits Top Publishers shows why your browser should not allow sites to run JavaScript without accepting responsibility for the consequences. Sites that served the Angler malware included msn.com, nytimes.com, bbc.com and many others.

David. said...

Kieren McCarthy at The Register reports on an NTIA report that Americans cutting back on online activity over security and privacy fears:

"the decision by more and more American to opt out of online tasks is a logical one. But it is also one that has significant economic impact given the extent to which companies are moving their goods and services online."

and:

"Of people's fears, identity theft sits at the top with 63 per cent of people citing it as a real concern. Second comes credit card and banking fraud with 45 per cent. Then data collection by online services, loss of control over personal data, data collection by the government, and threats to personal safety with 23, 22, 18 and 13 per cent respectively."

David. said...

Mike Masnick at Techdirt reports on the challenge the ACLU has filed to the Computer Fraud and Abuse Act. It is based on the concept that researchers and journalists cannot study discrimination by websites because the CFAA makes violations of a websites terms of service "unauthorized access" and thus a criminal offense. Thus the CFAA is unconstitutional under the First Amendment:

"Because the Challenged Provision incorporates websites’ terms of service into the federal criminal code, its applications are virtually infinite; any speech or expressive activity that the private operator of a website has prohibited as a condition of access to its website becomes a criminal violation, even where that prohibition covers speech subsequent to the visit and in a different forum. In a good number of cases, a website’s ToS will prohibit speech that cannot constitutionally be prohibited. Accordingly, although the Challenged Provision may have legitimate applications, its unconstitutional applications are substantial in relation to its legitimate scope."

And under the Fifth:

"The Challenged Provision fails to notify ordinary people of what conduct is criminal because the phrase “exceeds authorized access” does not provide sufficient notice that an individual must comply with a website’s written terms of service at all times. The plain meaning of the phrase “exceeds authorized access” does not clearly cover instances where a website places no barriers, such as technological or physical barriers, to access by individuals."

David. said...

Most of what you do online is illegal. Let's end the absurdity. by Christian Sandvig and Karrie Karahalios is an accessible discussion of the issues behind the ACLU's suit against the CFAA.

David. said...

Following up on the comment above about malvertising, it turns out there were at least three "Angler" advertising malware campaigns, the third of which is much more sophisticated than GooNky and VirtualDonna:

"Security researchers from Proofpoint and Trend Micro have uncovered a massive malvertising campaign that has been targeting over one million users per day and infecting thousands, running since the summer of 2015, with unconfirmed clues showing that it might date back to as early as 2013.

...

According to subsequent research carried out by both companies, this campaign codenamed AdGholas used innovative and sophisticated techniques to avoid detection.

...

During their operation, the crooks showed malicious ads on 113 domains, including some big names such as The New York Times, Le Figaro, The Verge, PCMag, IBTimes, ArsTechnica, Daily Mail, Telegraaf, La Gazetta dello Sport, CBS Sports, Top Gear, Urban Dictionary, Playboy, Answers.com, Sky.com, and more."

More details are here, including:

"These networks and referers drove 1-5 million hits every day, and of these, 10-20% are redirected to the exploit kit (IP and cookie seem to be blacklisted for a week). By our estimation, AdGholas has been running in this configuration since summer of 2015, and evidence suggests that they may have been in operation using other techniques as early as 2013."

David. said...

Dan Goodin at Ars Technica reports that the HEIST attack, which has been implemented in malvertising using new Javascript APIs:

"exposes encrypted e-mail addresses, social security numbers, and other sensitive data even when attackers don't have the ability to monitor a targeted end user's Internet connection"

Yet more evidence that allowing even trusted sites to run Javascript in your browser is too risky.