3

I am not sure if this is the right form to ask this question, so please tell me if I should post this somewhere else.

There are some websites (like this) that have part of the page free to view, and the rest of the page is locked behind a paywall/subscription/trial/registration.

Now, these websites send over all all the content, even content that is supposed to be behind a paywall, and just hide the content with a CSS class. This means that the page contains all the content, but some of it is hidden by the browser on my end. So, this means that if the CSS engine of my browser breaks, or the stylesheet is not received properly, or I analyze the source of the website, I can read the whole content, without any sort of payment. The whole content is buried in the source of the page, I am not accessing URLs that I am not supposed to.

Now, I know that no website is going to care about this, but I am curious, am I breaking any terms and conditions/laws by doing this. On one hand, I am entirely within my rights to see the content that the website is sending in any form I see fit. On the other hand, I am not viewing the content in the way the original authors envisioned.

Note: I am in India, and most sites are based in the US or EU. So, I am interested in whichever countries' jurisdiction will apply.

Kartik Soneji
  • 155
  • 7
  • What country/jurisdiction's laws are you interested in? – JeffUK Mar 15 '19 at 10:51
  • 1
    If I am in India, and the site is based in, say, the US or EU, which jurisdiction will apply? – Kartik Soneji Mar 15 '19 at 11:03
  • If somebody sends you a package by mistake, do you suppose it is legal to keep the contents? That the sender would have no claim upon realizing you had the item? – Patrick87 Mar 15 '19 at 17:52
  • @Patrick87 But if the sender intends to send the package, then I have full right to anything and everything in the package, unless stated otherwise, right? It is not that the site is unaware that they are including the full content, it is a conscious choice that had to be made during the development of the site, and any web developer who knows anything about how websites work will know that this this content would be visible to anyone who cared to look. – Kartik Soneji Mar 15 '19 at 18:25
  • My browser doesn't support CSS - what does the site have to say anout that? –  Mar 15 '19 at 23:35
  • If the label said "access the contents for only $19.99!" then I'd not open it unless I paid planned on paying $19.99. You don't know that a competent developer implemented their mechanism and their incompetence is not a license to avoid paying them for access to their content. If I forget to lock my door, it's not permission for every guy on the road to come in and drink my beer. If you're smart you might not get caught. Doesn't make stealing right. – Patrick87 Mar 16 '19 at 00:06
  • @Patrick87 if you leave your door unlocked, someone taking your beer would commit several crimes doing so. In the example given, you are actually handing someone a beer and a note which says "this beer does not exist" while also saying "I will hand you a beer if you pay me". You've already handed them a beer, the transactions already done, you just neglected to require payment before handing them the beer. There are no actual laws being broken here - it's not theft, it's not copyright infringement. The site would have to prove a breach of their terms of service, which is a civil matter. –  Mar 16 '19 at 00:10
  • @Moo Not all goods and services are paid for in advance. How does what you're saying not apply to all goods and services paid for after using them? Violating terms of service using technical means could be treated criminally under cyber crime statutes. Violating the content's license makes your use of your local copy a violation of their copyright. I think if the site can't prove that you were doing it intentionally, you're right, and might only be liable for reasonable compensation; but that's not what this is. This is knowing access without paying. What does IP protect if not this? – Patrick87 Mar 16 '19 at 01:28
  • @Patrick87 cyber crime statutes? Hahahahahahaahhaha. No. The DMCA doesn't apply here, the CFAA doesn't apply here, no EU laws apply here, absolutely NO copyright law applies here - the best you can try for is a civil act based on violation of terms of service and that's going to be a seriously hard sell. The sites given you the content and then is requiring you on scouts honour to not read it - that doesn't make it effectively controlled, and therefore any "technical" measures you take are not illegal under either EU or US law. The site needs to change its approach. –  Mar 16 '19 at 01:33
  • @Patrick87 as for "what does IP protect if not this?" Well, that depends - there is no single thing such as IP, so let's enumerate them - no patents involved, no unlawful use of trademarks involved, there is copyrighted material involved BUT the client isn't distributing it, so it's not copyright infringement. As noted before, there is no "effective control" involved, so the DMCA doesn't apply. The client isn't doing anything to breach any IP law. The MOST that is involved here is contract law through the terms of service, and that's a civil matter. –  Mar 16 '19 at 01:33
  • @Patrick87 at the end of the day, sites like these need to understand that handwaving security away and pretending or deluding themselves that ridiculous control measures are somehow legally or technically effective doesn't protect them in the slightest. They need to do it properly. –  Mar 16 '19 at 01:37

3 Answers3

3

A web site that is serious on protecting some content behind a paywall will put the protected content, or a version of the page with both protected and unprotected content, on separate page or pages, so arranged that a user will not be able to follow the link until that user has signed in and been accepted as an authorized user. A site that merely uses CSS to hide "protected" content is not really protecting it. CSS is designed to be modified by the ultimate user -- that is part of its function.

If the site chooses to send you content, you are entitled to read it. Even if some of the content has a CSS tag attached which suppresses or obscures the display of that content, they know perfectly well that any user can supersede this with local CSS, and so I don't see how they have any legal claim, nor any way of knowing if you have accessed the "hidden" content or not.

If you attempt to bypass or hack a login screen, that might be circumvention under the US DMCA, or "Unauthorized computer access" under any of several laws.

Kartik Soneji
  • 155
  • 7
David Siegel
  • 113,558
  • 10
  • 204
  • 404
  • Yes, I agree that protecting content with CSS is almost useless, and can be bypassed easily by the end user, what I was curious about the legality of it. However, CSS was never meant to be modified by the end user. That is not its primary purpose. The site could argue that they never intended for the end user to modify the CSS or look at the source of the page. – Kartik Soneji Mar 15 '19 at 18:50
  • Think of it this way, Suppose I give you a paper to read. Half of the text is written in normal ink and the rest is written in invisible ink. I tell you that you can read the paper, but if you want me to make the invisible ink readable, you have to buy a solution that only I have. But, you discover that if you heat the paper, you can read the invisible ink. Is it illegal to do so without paying me? I could argue that I never wanted you to heat the paper. You could argue that I never forbade you from heating the paper. – Kartik Soneji Mar 15 '19 at 18:50
  • 1
    @KartikSoneji whether the CSS was intended to be modified is neither here nor there - it can be, readily, and it can even be ignored entirely. CSS is styling, not a security measure by any interpretation of the term - the fact that the website screwed up their security and sent you the full content is their fault, not yours. –  Mar 15 '19 at 23:34
  • 4
    @KartikSoneji I think you are plainly wrong about "CSS was never meant to be modified by the end user." I think the original purpose of CSS was that each user provides their own style sheet. For example, a blind person might want all content delivered via audio or via braille and might provide their own style sheet to control how things show up in these alternative media. – emory Mar 16 '19 at 02:00
  • @emory Just so you know, CSS was developed so that "different style sheets could describe different presentation for printing, screen-based presentations, and editors". These alternative stylesheets were to be provided by the developers themselves, and not by the end user. While CSS can make the font bigger or change the colors to be more readable, it cannot be used to deliver content in the form of audio or braille. – Kartik Soneji Mar 16 '19 at 04:10
  • 4
    @KartikSoneji every desktop browser has the option for the user to override every sites stylesheet, or not use any sites stylesheet. The user does not have to use the sites stylesheet at all. CSS is there for styling, it's a suggestion by the website, it's not a legal or technical requirement. You as a user are not beholden to use all or indeed any of the assets a site wants you to use, be it HTML, CSS, JavaScript, images, whatever. This is why adblockers are completely legal. –  Mar 16 '19 at 04:17
  • 2
    @KartikSoneji Emory is highlighting the fact that when CSS was introduced, the intention of the CSS working group was that a user could decide how a site they are visiting looks, by supplying their own stylesheet. It's just so happened that we've ended up accepting the websites defaults in pretty much all cases and the original intention was forgotten, but it still exists as a capability. –  Mar 16 '19 at 04:19
  • 1
    @KartikSoneji it was my understanding that accessibility was one of the goals of CSS. You can (but no one does) provide your browser with user style sheets. You do not have to disable the css b/c you can override it. Technologies like screen readers interpret CSS inconsistently. Some blind patrons may be getting the "paywall content" for free and others not. – emory Mar 16 '19 at 04:19
  • 2
    @emory browsers interpret css differently, it's a nightmare for web developers –  Mar 16 '19 at 04:21
  • So, I take it that the website cannot argue that they intended their website to be viewed a certain way? – Kartik Soneji Mar 16 '19 at 05:03
  • 2
    @KartikSoneji yes they can, what they cannot argue is that it must be viewed in a certain way. The only way to deny that is to not serve the content they want to be hidden. –  Mar 16 '19 at 05:34
  • Then that answers my question. Thanks. – Kartik Soneji Mar 16 '19 at 08:25
  • @KartikSoneji they can argue that they intended it to be viewed a certain way. they can not argue that it must be viewed a certain way. almost certainly they did not specify how they intended it to be heard, felt, or perceived non-visually. – emory Mar 16 '19 at 12:41
  • @emory I understand. Thank You. – Kartik Soneji Mar 16 '19 at 12:46
  • 1
    @Moo I know all browsers interpret css differently. However, if I as a designer successfully "hide" content in chrome but it is visible in IE, then as a I developer I would say IE is broken. I would still have to fix it. As a tech savy person reviewing my code you could probably realize my intent to make content invisible, but would you necessarily realize my intent that the content should not be heard? – emory Mar 16 '19 at 12:47
  • 1
    one of the most relevant reasons to access the CSS content and override its display look is for blind users that swaps pictures for their descriptor text and removes all formatting brackets. Another might be to get a high contrast display. Both goals are accomplished via a custom Style Sheet that then is displayed or read by the screenreader bar. – Trish Mar 18 '19 at 17:29
2

It depends on your intent.

If you take actions specifically aimed to freely access content for which the website is expecting you to pay, you at least break the site's terms. This is equivalent to sneaking into a venue and seeing the performance without buying a ticket: although you cause no damage that the venue/site could claim through the court, you violate any applicable laws about unauthorised access — tresspassing/hacking. The fact that the content is already on your computer does not change this: think of a meal at a restaurant that is already in your stomach but you haven't paid the bill yet.

If you were simply investigating what is wrong with the website ("CSS engine of my browser breaks, or the stylesheet is not received properly") then there is nothing illegal if this accidentally makes you see the paid content.

Greendrake
  • 27,460
  • 4
  • 63
  • 126
  • For example, suppose I give you a paper to read. Half of the text is written in normal ink and the rest is written in invisible ink. I tell you that you can read the paper, but if you want me to make the invisible ink readable, you have to buy a solution that only I have. But, you discover that if you heat the paper, you can read the invisible ink. Is it illegal to do so without paying me? I could argue that I never wanted you to heat the paper. – Kartik Soneji Mar 15 '19 at 18:56
  • Ah, yes, but it is very specifically mentioned in all the venue's advertising and Terms and Conditions, that I cannot enter the venue without paying for the ticket. The website on the other hand, is freely broadcasting the entire source of the webpage, with the full content, to anyone who asks for it (but not accidently. This is not a mistake, the site fully intends to do just that). What they do not intend is someone changing the CSS. Like if the performance can be seen very clearly from my apartment window, and I watch it from there, then there is nothing the venue can do about it. – Kartik Soneji Mar 15 '19 at 19:02
  • Meh, the intention has nothing to do with it - they sent you the content, you can read it. If they don't want you to read it, they shouldn't send you the content. Experts Exchange tried this approach to game search engines - put the question at the top of the page, and underneath it put 50 obfuscated answers. Then a load more pointless content. And then, right at the bottom, 50 screens down, the unobfuscated answers. This is no different - the content has been delivered, you are free to use it. –  Mar 15 '19 at 23:30
  • Following on from my last comment - what about browsers that don't handle CSS? Are they unlawful according to the terms of the website? No. –  Mar 15 '19 at 23:31
  • @Moo It's all about the intent. If one normally uses a browser that doesn't handle CSS (very rare event these days, isn't it?) then there is nothing unlawful about accessing the website with it, provided that the terms don't explicitly prohibit such browsers. But if you use that browser specifically to read content that the website wants you to pay for, you break the law. – Greendrake Mar 15 '19 at 23:51
  • 2
    @Greendrake yeah, I disagree with that, because every browser has the ability to turn CSS off, or replace the sites stylesheets with your own. CSS is not a security tool, and anyone arguing so should be laughed out of court and then laughed at some more. The site has already sent you the content, they just put some pretty styling around it that you, as owner of the browser, is fully and completely entitled to ignore. –  Mar 15 '19 at 23:55
  • @Moo security considerations are irrelevant here. Would you say that taking goods from honesty stalls without leaving money (or even taking money from them) is legal because there is no security? – Greendrake Mar 15 '19 at 23:58
  • @Greendrake they already gave you the content, you aren't taking anything. Your example there is completely different to what's being asked about here. –  Mar 16 '19 at 00:01
  • @Greendrake and yes, security considerations are relevant here - the site is attempting to pass off a style as a security measure, which wouldn't pass the sniff test in any prosecution or lawsuit. –  Mar 16 '19 at 00:06
  • 1
    @Moo It's not really all that different from just doing ANYTHING illegal. You have means (ignoring CSS), motive (save money) and opportunity (their error) and violated their rights (copyright, by violating communicated license terms) intentionally (mems rea). – Patrick87 Mar 16 '19 at 00:13
  • 1
    @Patrick87 you aren't violating copyright, because they willingly sent you the content, the means is irrelevant because there is no legal or technical requirement for a client browser to implement the styles as requested, motive is irrelevant because it's not unlawful to want to save money - the only thing that stands up is the opportunity, and good luck arguing in a court of law that someone isn't legally allowed to read something you literally handed them under no duress. –  Mar 16 '19 at 00:18
  • Experts Exchange did this for years - obfuscating the real content by placing it below a lot of garbage, and requiring payment to access it. You know what their legal team said when their oh so secure content protection became well known on the internet (all you had to do to circumvent it was to scroll down)? "Stop doing that, it's stupid". So they stopped doing that. –  Mar 16 '19 at 00:19
  • @Moo "they already gave you the content" They have delivered the content to your device, but it is normally under a veil, no matter how weak veil. Why does this make you think that being smarter than the most of their audience gives you the right to read the content if the website clearly did not intend to let you read it for free? – Greendrake Mar 16 '19 at 00:21
  • @Greendrake simple - they gave you the content. That's enough legal justification right there to allow you to read it. They willingly and voluntarily handed you the content when you requested the page - you are entitled to read everything they send you. The fact that they try to apply a style to it is neither here nor there - you are under no legal obligation to apply that style to the content you were sent. The fact that it takes some knowledge to do this is irrelevant - there is no law anywhere in the world requiring you, the recipient, to display a web page as the website intends. –  Mar 16 '19 at 00:24
  • @Greendrake and indeed, there are multiple tools built into browsers already which cause the content to be displayed differently to how the website intended it to be - they are not illegal, the developer tools built in to browsers are not illegal, the settings allowing you to turn off CSS or replace stylesheets with your own are not illegal. –  Mar 16 '19 at 00:26
  • Take the case of MDY Indus. v. Blizzard Entertainment, Inc., 629 F.3d 928, 952. (9th Cir. 2010) - the court ruled that there was no effective control of access to the work as the work was sent unencrypted to the client and available unencrypted to the client from their hard disk. That's broadly similar to the question being asked here, in that the means of "effectively control access to the work" that Blizzard required to limit access required the client to apply that means, and the work was readily available if they did not. This failed the "effectively controls access to the world" test. –  Mar 16 '19 at 00:37
  • Blizzard lost the argument that circumventing a second process which prevented access to their games assets constituted a violation of the DMCA. –  Mar 16 '19 at 00:40
  • It's also worth noting that search engine bots do not always apply stylesheets when scraping the content, so are Google et al breaching laws all over the world each time their bots request a page and the hidden content is "read"? –  Mar 16 '19 at 00:50
  • I also have to say that both the examples used in this answer are woefully inadequate- the question is better suited to an analogy that if the person went to a concert, was given access to a certain area by the concert organisers and told they could enter the actual concert if they paid, but in that area supplied they could experience the concert in full without paying, they owe the concert owners nothing and have broken no laws. –  Mar 16 '19 at 01:44
  • Equally, if the diner was to be offered a sample buffet on the understanding that they would get the full meal after paying, but were instead given a full meal at the sample buffet willingly by the restaurant, they would owe the restaurant nothing and would have broken no laws. –  Mar 16 '19 at 01:45
  • @Greendrake taking from honesty stalls without paying is theft, but taking https://wikitravel.org/en/Common_scams#Gifts_from_beggars without paying is not. In my opinion, this is more similar to a gift from a beggar than an honesty stall. – emory Mar 16 '19 at 02:08
  • 1
    @emory This could even fall under the concept of unsolicited goods, which pretty much all western countries allow you to keep, dispose of or use without payment - https://definitions.uslegal.com/u/unsolicited-goods/ In this case, while there was a request made, it was not for the full content, so receiving the full content may be considered unsolicited goods and the requirement to pay for them is void. –  Mar 16 '19 at 03:11
2

I'll tackle the jurisdiction part of your question since none of the other answers here address it.

You are within India's jurisdiction, so India's law would apply to you regardless of where the site(s) are hosted from. If what you're doing were illegal in India (and the company who owns the copyright were aggrieved enough to make a case out of it), they would have to ask your government for permission to sue you, which isn't going to happen for something like what you described.

Now, regarding the technicals...

Bypassing copy protection mechanisms to access information for which you do not have a license would fall under anti-curcumvention laws. In the US, that would be the Digital Millennium Copyright Act (DMCA), and the Copyright Directive in the EU.

Anti-curcumvention laws make it illegal to circumvent any "technological measure" that controls access to a copyrighted work. Those laws are highly controversial because "any technological measure" is vague and overly broad in scope. Obviously, cracking an encryption key or exploiting an authentication bug qualifies. But removing a simple CSS tag?? That'd be like holding an envelope up to a light bulb and calling it mail fraud. It's the digital equivalent of removing a piece of masking tape.

It's hard to see how that could be considered a technological measure under the law. It certainly does not fit within the additional language those laws use to describe examples of technological measures.

Also an interesting footnote...

Both the US and EU laws are implementations of the WIPO Copyright Treaty. India is NOT a signatory to that treaty.

Wes Sayeed
  • 1,006
  • 8
  • 16