Bypassing website's paywall by modifying HTTP request headers

Question

Recently I see some debates about bypassing paywalls by modifying browser's HTTP request as stated on ghack.

Most paywalled websites allow users to read a certain number of free articles before blocking them outside of the paywall. They do it by saving a record in browser's cookies or by checking the request referrer to identify whether the user exceeds his / hers daily reading limit.

There's some browser extensions that clears the browser cookies and modify the request referrer before user send out a HTTP request. By this way they can gain access to unlimited articles since it's harder for websites to identify them.

Are making or spreading these kind of extensions illegal? How about the users that use the extension?

Even easier: spawn an Incognito (or equivalent) browser. When you reach the cap close it and open up a new one. — Giacomo Alzetta, Jun 13 '19 at 15:50

abelenky · Answer 1 · 2019-06-12T15:57:12.597

6

This is relatively uncharted legal territory, so until multiple cases establish some sort of precedent, we can only guess.

I know of no legal requirement that a Browser or User has to submit cookies or referrer data or other meta-information accurately. In that regard, a user is unlikely to be prosecuted just for submitting HTTP headers. It is likely closely related to Free Speech issues.

The DMCA spells out that it is illegal to circumvent copyright protection measures. While this law is typically used to make it illegal to copy DVDs, video-games or streaming movies, it is possible that the "3-free articles" policy could be interpreted as a copyright protection mechanism, and defeating it by changing HTTP headers is a circumvention. A good summary is here.

A specific site's TOS (Terms of Service) probably contains language that spells out it is a violation to use the site in a manner other than as it is intended. This is a typical anti-hacking, anti-screen-scraping provision. Altering a browser session to circumvent their services is probably a violation of the license to access the site, and may open a user to a civil lawsuit for damages or even criminal hacking charges (the details of which are different state-to-state)

edited Jun 12 '19 at 15:57

answered Jun 12 '19 at 14:08

abelenky

3,166
14
28

Agreed that it may be seen as circumventing access-control. However, the link provided only emphasize on circumventing DRM systems. In the paywall case, sometimes it can also be achieved easily through browser's incognito mode. Nice summary though! Seems like more precedents are needed before making a conclusion. – Johnson Jun 12 '19 at 16:57
1

This is not DRM bc it would have to be obstructed or encrypted in some way to be something you could prosecute. – Putvi Jun 12 '19 at 16:59
3

I think this is the crux of the issue: From a technical perspective, the measure is not a suitable protection (it amounts to just asking the client, which is under no obligation to answer in a specific manner), but one could argue that it communicates the publisher's intent. As a technical person, I would interpret such a measure as "advertisement" and skip/ignore or automatically filter it (like OP's browser extensions do), but to a judge or jury who lack the technical expertise, the difference between skipping a trivial annoyance and "hacking" a web server might not be as clear. – Ruther Rendommeleigh Jun 13 '19 at 08:32
1

@Putvi Can you cite some statute or case law which defines DRM in the way which you've done here? – Chris Hayes Jun 13 '19 at 19:28

score 2 · Answer 2 · answered Jun 12 '19 at 18:14

2

In the USA modifying cookies in this way would probably be considered a violation of the Computer Fraud and Abuse Act, which prohibits any "unauthorised" use of a computer. In the past the word "unauthorised" has been construed pretty widely.

The nearest parallel case I'm aware of was United States v. Andrew Auernheimer. Auernheimer had changed a numeric serial number in a URL to gain access to supposedly private data, and was convicted under the CFAA. His conviction was subsequently overturned on venue grounds, but the appeal court did not address the question of "unauthorised" use.

If the writers of the extension are promoting it as a paywall circumvention tool then they would be criminally liable too. However it would be a defence if they could show that the tool had legitimate uses and they were not promoting the illegitimate ones.

answered Jun 12 '19 at 18:14

Paul Johnson

13,533
2
38
60

I don't think that that case is relevant. In the OP case the resource is already available to them and the website is publishing it for everyone to see. So the case for the website owner would be way weaker than in Auernheimer case. Also there is a difference between an URL (which identifies a resource) and a cookie (which is just a string which the browser may or may not decide to send to the server). – Giacomo Alzetta Jun 13 '19 at 15:53
1

@GiacomoAlzetta The prosecution argument would be that the user is only authorised to access a certain number of articles before the paywall kicks in, and that therefore evading the paywall is unauthorised use. I agree that this exact theory has never been tried in court, but I don't see it as any weaker than the Auernheimer case, where the numeric ID was held to be an authentication token rather than a unique cookie. – Paul Johnson Jun 13 '19 at 16:00
1

@PaulJohnson But that case is bullshit. Because for example the website does nothing to enforce this in the case that, say, the user visits it from both their desktop pc and mobile phone. In fact even if the user uses two different browsers they will end up having "unauthorized access". So that's why the case is weak, because there are legitimate use cases where that measure does nothing so they can't really claim any damage. On the other hand manipulating an identifier to search for accidentally exposed resources is a completely different thing. – Bakuriu Jun 13 '19 at 18:57
Another related case is US. v. Swartz – abelenky Jun 13 '19 at 19:30
@Bakuriu You could argue that in court. You might win. – Paul Johnson Jun 16 '19 at 10:15

score -8 · Answer 3 · answered Jun 12 '19 at 16:24

-8

It's not really illegal. I know you guys want page long answers, but I mean no one really cares in this instance.

answered Jun 12 '19 at 16:24

Putvi

3,974
10
22

1

Business running paywalled sites care a great deal if consumers can download their content without paying for it. This is rather like saying that store owners don't care about shoplifters. No, I am not asserting that copyright infringement is theft -- there are significant differences. But in some cases there is a useful analogy. In any case, this answer does not give any reason why "this is not illegal". – David Siegel Jun 12 '19 at 16:49
It's not illegal bc there are no laws making it illegal. How do you prove the negative lol? – Putvi Jun 12 '19 at 16:50
2

It has been at least alleged to be contributory copyright infringement. There are already laws for that. It may also be circumvention under the DMCA, as another answer says. – David Siegel Jun 12 '19 at 17:01
@DavidSiegel I think that bypassing paywalls aren't like shoplifters, since these kind of tools seems to be in a grey area. If the Terms of Service of the site doesn't forbid this kind of action, it may only be seen as a way to circumvent access-control, which can be easily done through browser's incognito mode in most cases. – Johnson Jun 12 '19 at 17:07
DMCA refers to encrypted or obfuscated data and therefore has nothing to do with this. I can see how with no experience in court someone would try to make this copyright infringement, but at least the way courts have ruled so far, copyright infringement is not just reading the content on the original website. – Putvi Jun 12 '19 at 17:08
@DavidSiegel yeah I totally agree the site owner would care, but I just meant this scenario has nothing to do with what law enforcement or the courts would normally handle. I agree that the person doing this and the site would not see eye to eye, but if courts were involved in every disagreement the world would stop turning. :) – Putvi Jun 12 '19 at 17:11
1

@Putvi How about the anti-circumvention law in 17 U.S.C Sec. 1201(a)(3): "...or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure..."? I'm not quite sure but this seems worth mentioning. – Johnson Jun 12 '19 at 17:16
@Johnson that is why I am saying you guys don't have enough real world exp. Bypassing in the courts means to decrypt something or evade obfuscation or something like that. The content would have to be rendered unreadable in some way to bypass it. – Putvi Jun 12 '19 at 17:20
You and @DavidSiegel are just saying the word bypass could mean bypassing the paywall, which I can see if you have never been to court, but it is not what the court considers a bypass. Per the law you quoted:" (A) to “circumvent a technological measure” means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner; and" – Putvi Jun 12 '19 at 17:23
In the case you describe no technical measure is scrambling or encrypting the work, so that does not apply. – Putvi Jun 12 '19 at 17:24
However, in this case, the extension has been taken down from firefox addon sites saying that it might violates the law as stated in this issue. So I think we cannot make a conclusion that the approach is not illegal? (Ps. I didn't downvote your answer) – Johnson Jun 12 '19 at 17:30
@Johnson It's not illegal in and of itself, as in just getting through the pop up thing, but Firefox does not want to promote you not paying money when you should. It's the payment part that would make it illegal in some cases, not the tech part. – Putvi Jun 12 '19 at 17:40
@Putvi So you're saying that the author of the extension doesn't violate the law but the users might? – Johnson Jun 12 '19 at 17:45
If the site is requiring you to pay it would be stealing in the same way as Napster was, but if it's just a register for this site type full screen thing then you are not breaking the law. I mean the pop up blocker tech part does not make it legal or illegal, it's paying for something or not paying that does. – Putvi Jun 12 '19 at 17:48
Agreed. So bypassing the "3-free articles" policy is technically legal, however might be illegal since the user aren't paying for the 4th article? – Johnson Jun 12 '19 at 17:56
If it's a pay site yes. I just took paywall to be one of those full page things for sites that you have to sing up for at first. – Putvi Jun 12 '19 at 17:57
Just to double-check, so if the site uses "3-free articles" policy, both the extension's author and the user might get into trouble, even if one can easily read the 4th article by opening the webpage in incognito mode? – Johnson Jun 12 '19 at 18:00
I mean if you want to be super technical about it the user would be considered stealing, but I really doubt anyone would prosecute you for it. – Putvi Jun 12 '19 at 18:02
@Putvi Agreed. Maybe you can edit the answer and elaborate more based on our discussion? I think organizing your thoughts on this may be quite a complete answer! – Johnson Jun 12 '19 at 18:10
1

@Johnson I probably will later. – Putvi Jun 12 '19 at 18:14

Bypassing website's paywall by modifying HTTP request headers

3 Answers3

Linked