Is Breaking CAPTCHA a Crime?
By Kim Zetter | July 7, 2010 | 3:37 pm
Prosecutors in a New Jersey ticket scalping case are pushing the envelope on the federal computer hacking law, setting a precedent that could make it a felony to violate a website’s terms-of-service and fool a CAPTCHA, according to electronic civil rights groups intervening in the case.
At issue is a four-month-old criminal prosecution against the online ticket-reselling business Wiseguy Tickets, which allegedly used a network of shell companies, rented servers and automated scripts to snatch up more than 1 million premium tickets for coveted concerts and sporting events, which it resold for more than $25 million in profits.
The four Wiseguy defendants, who also operated other ticket reselling businesses, allegedly used sophisticated programming and inside information to bypass technological measures, including CAPTCHA, at Ticketmaster and other sites that were intended to prevent such bulk automated purchases. This violated the sites’ terms-of-service, and according to prosecutors constituted unauthorized computer access under the anti-hacking Computer Fraud and Abuse Act, or CFAA.
But the government’s interpretation of the law goes too far, according to the policy groups, and threatens to turn what is essentially a contractual dispute into a criminal case. As in the Lori Drew prosecution last year, the case marks a dangerous precedent that could make a felon of anyone who violates a site’s terms-of-service agreement, according to the amicus brief filed last week by the Electronic Frontier Foundation, the Center for Democracy and Technology and other advocates.
“Under the government’s theory, anyone who disregards — or doesn’t read — the terms-of-service on any website could face computer crime charges,” said EFF civil liberties director Jennifer Granick in a press release. “Price comparison services, social network aggregators, and users who skim a few years off their ages could all be criminals if the government prevails.”
The brief urges U.S. District Judge Katharine S. Hayden to throw out the charges, on the grounds that they go beyond Congress’s intent in passing the CFAA and would allow website operators to determine what constitutes criminal conduct merely through their terms-of-service. The groups note that website operators can arbitrarily change their terms-of-service, and users often fail to read them. In such cases, users would not be given adequate notice of what constitutes criminal conduct.
To prevent bots from purchasing tickets in bulk, online ticket vendors use CAPTCHA challenges and Proof of Work software designed to detect and slow down computers that are attempting to purchase large numbers of tickets. They also block IP addresses showing suspicious purchasing activity.
But according to the indictment, unsealed in March, the Wiseguy defendants devised sophisticated ways to bypass CAPTCHA challenges and defeat ticket queues, landing them coveted spots at the front of purchasing lines.
Their bots monitored ticket websites and sprang into action the minute tickets went on sale, opening thousands of internet connections simultaneously from a changing line-up of rented servers and as many as 100,000 different IP addresses. The scripts could defeat both visual CAPTCHAs and the audio alternatives offered to visually-impaired customers. When the bots filled out purchase pages with customer credit card information, they used fake e-mail addresses and mimicked human behavior by occasionally making typing mistakes in the online forms.
The bots would then seize a block of prize seats, from which Wiseguy employees would cull the best for clients, then release unwanted seats back to the system.
In its amicus, EFF argues that the CFAA prohibits online trespassing and theft, but “does not criminalize improper motives for access or improper use after authorized access. . . . The fact that some of those people chose to use automated means in violation of the websites’ terms-of-service may result in a breach of contract claim, but does not convert otherwise authorized access into a crime.”
In an interview, Granick told Threat Level that bypassing a CAPTCHA should not be treated the same as cracking a password.
“Technologically and legally CAPTCHAs can be thought of as nothing more than a speed bump as opposed to a barrier,” she said. “CAPTCHAs are very easily broken. To the extent that it’s any kind of a guard, it’s one that only works a certain percentage of the time. Figuring out how CAPTCHAs work so you can solve them more quickly if you are otherwise authorized to use the server is not a CFAA violation.”
The Wiseguy case recalls similar issues that arose in the 2008 prosecution of Lori Drew, a woman who was charged with violating the Computer Fraud and Abuse Act for participating in the creation of a MySpace account used to bully a 13-year-old girl who committed suicide. In that case, prosecutors charged the adult Drew with criminal hacking on grounds that she and her alleged co-conspirators violated MySpace’s terms-of-service agreement in providing false information to set up the account and use it to harass another MySpace account holder.
A jury convicted Drew of three misdemeanor counts of violating the CFAA, but the verdict was later overturned by the judge presiding over the case, on the very grounds that the EFF is arguing in the present case — that allowing such a prosecution to stand would leave it up to a website owner to determine what constitutes a crime and allow what are basically breaches of contract to become crimes.
A spokeswoman for the U.S. attorney’s office in New Jersey said her office would not respond to EFF’s amicus brief in the Wiseguy case outside of the legal response it will be filing in the near future.
Not that I'm happy with scalpers, but this sure as hell is NOT good for the rest of us. Can you imagine what will happen if this succeeds? You piss off an admin in a wank war and they can charge that you violated TOS and thus are now liable for a felony conviction.