
The Legal Quicksand Of Giving Online Stuff Away For Free

Written by Mark Rasch
January 16th, 2013

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

We all love to get stuff for free. Whether it is a coupon, a sample or a trial, if it’s free, it’s good. For retailers, offering a freebie can get customers used to using their products or services, may engender goodwill and may be a smart business decision. But if those retailers fail to adequately define the terms of the free trial, they may be setting themselves up for a disaster. The recent suicide of online activist Aaron Swartz, who was under indictment for breaking into MIT’s computers to “steal” information from an online resource, raises many issues about criminal law, prosecutorial discretion and the open nature of information. But for retailers, it raises questions about the terms and conditions under which they can control the distribution of digital access and digital information.

This holiday season, I was walking through the mall seeking out the See’s Candies ladies with their free samples. I would gladly take a chocolate lollipop or a toffee square, circle the mall and come back for another. The free sample came with no terms or conditions and no obvious limitations on access or use. Could I then argue that, because See’s was giving away chocolate lollipops, these items were “free” and that I was, therefore, lawfully entitled to take six or seven boxes from behind the counter without paying for them? Absurd. But why? Because in the real world, we have loosely formed social conventions and a system of shaming to enforce them. I can have one or two chicken teriyaki samples on a toothpick but can’t make that my dinner for a month. The enforcement tends to be of the type, “Hey, haven’t you been here before?” Although there are some abuses, for the most part, the system does what it is supposed to do.

Online may be different. I say may, because although the normal conventions for what is “acceptable” and what is not may still apply online (or new comparable conventions may exist), the ability to quickly and efficiently thwart such conventions may create new legal and technological problems for anyone with an online presence. To understand this, we must first understand what Aaron Swartz did that got him into legal hot water.

In a nutshell, Swartz—by all accounts a brilliant programmer and online activist—initially obtained a free trial to the U.S. Government’s PACER system of electronic court records by visiting the federal courthouse in Chicago. Virtually all filings in the federal courts, pleadings, motions and court opinions are stored on PACER, which charges a per-document fee for access. Because these are government documents (well, many of them are not, but we’ll put that aside for now), the government does not obtain an enforceable copyright in its works. Swartz then used his free trial and a bit of technology (a PERL script) to attempt to download the entire PACER database, which he was going to make available for free on a cloud server. He downloaded more than 19 million documents, for which PACER would have charged $0.08 each, or a potential “theft” of more than $1.5 million from the federal government. Certainly not what PACER envisioned when it gave Swartz a free trial. But because neither the PACER Terms of Service nor free trial terms appeared to prohibit this, and because the works taken were not obviously subject to copyright (at least those created by the government), the FBI investigated but did not prosecute these actions.

In the second case, Swartz accessed the open networks at MIT and obtained a free wireless MIT account, using it to access the MIT library’s JSTOR access account. JSTOR is a repository of academic and technical journals that charges a fee of up to $50,000 a year to academic institutions for access. These institutions then make access to these journals available to their communities. Ordinary users must obtain a user ID and password from JSTOR and pay for access to individual articles. But Swartz accessed the MIT Wi-Fi network, created a guest account and wrote a program called “keepgrabbing” to get around JSTOR’s limits on downloading. When MIT and JSTOR blocked this access, he changed his IP address, got a different computer and, eventually, just went into an MIT wiring closet and hardwired a computer into the network to keep downloading JSTOR documents. Swartz planned to make the JSTOR documents available on P2P networks. This time, he was indicted for hacking, and those charges may ultimately have led to his suicide.

So what does this mean for retailers?



