Deep Linking Could Be Infringement In Germany If Website Puts Even Ridiculous Weak Attempts To Block It
from the anti-circumvention dept
We’ve pointed out numerous problems with anti-circumvention rules, which make it infringement to break pretty much any attempt at circumventing any type of content protection measures (even if not to infringe on the copyright). Sometimes courts realize how silly this is, such as a ruling from a few years ago in Europe, which noted that it’s silly to consider such anti-circumvention rules reasonable if the technical protection measures are not considered “effective.” In other words, if your protection scheme is laughable, it’s silly to make it infringement to get around it. Apparently not all the courts in Europe have gotten this message yet. An anonymous reader points us to a case from a few months back in Germany, in which the court said that deep linking to content that had ridiculously weak measures to block deep-linking is still infringing (that link is a not so great Google translation of the original German — though, the submitter gave a more complete explanation).
In this case, the content involved online maps, and the “protection measures” were that to visit a page with an actual map, you had to have a sessionID, that you would get as you visited the website. If you went to a deeper page without a sessionID, you would be redirected to the front page. Of course, it’s not hard to actually provide the user with a sessionID, which one site did upon linking to these maps, meaning that visitors went straight to the deep-linked page, rather than being redirected to the home page. This is basically how the internet works. While the lower court properly rejected the copyright infringement claim as being ridiculous since the technical protection measures were so laughable, the higher court appeared to ignore all precedent on this matter, and said that as long as the site owner made any attempt whatsoever to block such deep linking, getting around those measures could represent infringement.
Filed Under: copyright, deep linking, drm, germany, session id
Comments on “Deep Linking Could Be Infringement In Germany If Website Puts Even Ridiculous Weak Attempts To Block It”
If a door is locked, no matter how weak the lock, pushing it open is still breaking and entering.
No matter how weak the security on a website, bypassing it isn’t exactly much better. Providing a fake sessionid is like providing a fake key to get in.
You may not like the ruling, as it is very extreme to the end, but it is a logical conclusion. Think of it as a bizarre absolute, similar to what happens in many US constitutional cases.
Re: Re:
Agreed. Anti-circumvention laws are dumb, but given that they ARE law in Germany, I don’t think the effectiveness of the preventive measures being circumvented is relevant.
Re: Re: Re:
It’s relevant when the linker can’t tell that it’s a preventive measure rather than a simple coding idiosyncrasy.
Re: Re: Re: Re:
You’re right, I hadn’t thought of that. I think I was blinded by how ridiculous this whole thing is. A redirect to the front page could just have been bad coding.
If it had, instead, redirected to a nasty “you can’t link to that page” message, then what I said above would still apply.
Re: Re: Re: Re:
That was my first thought to. Session IDs are used for lots of purposes – mainly just as a way to track a visitor’s travels on your site and let some persistent data follow them around without needing cookies. If I had seen this happening on a site that I wanted to link to, I probably would have thought I was doing them a favour by attaching a Session ID to the users I’m sending them.
Re: Re: Re:2 Re:
If session IDs are passed in through the URLs, people may not even know that they’re “circumventing” a security measure in the first place. They could just be copying the url from the address bar and not know what is and isn’t allowed.
Re: Re:
False comparison, I’ll give you that it makes a good image upon reading, and might even be “close” to the situation.
Digital “objects” are not physical “objects”, no matter how hard we try to make them (at least until Tron is real… but ehh)
A slightly better example might be a company posting all of their maps on a billboard and handing out a “code word” that could let them see the billboard past the old 90 year old , sitting at the folding table, given the title of “Security” so he can get a paycheck… then one person gives out his/her code word to others….
See… That wasn’t so hard… to at least get farther away from physical objects and closer to the real situation
Re: Re: Re:
It’s really not a false comparison because the status of the object, digital or physical, is immaterial. What matters is if the person bypassing the “security” can tell that it was supposed to be security.
Say you come upon someone’s front gate with a lock and chain on it. The lock isn’t locked. Is the owner trying to secure the gate or simply using the lock and chain to keep it from swinging open and letting the dog/cattle/whatever out? Is it a security measure or a utility measure?
Re: Re: Re: Re:
Actually I think this better suits the situation right now…
you tell your employees that the secret code to get past the security guard is “hello”…Then arresting the pizza delivery guy for getting into the building with false credentials.
Re: Re: Re: Re:
That would only be valid if the side gate that is locked or not has a sign that says must enter via front gate but then has no fence to actually keep you from just walking in.
Its like putting a screen door on the side of a submarine.
Re: Re: Re: Re:
“What matters is if the person bypassing the “security” can tell that it was supposed to be security.”
What matters is that laws against trespassing or burglary are vastly different to laws against copyright infringement. As you suggest, security measures in the offline world have pretty much one effect in relation to the law: evidence of intent. In this case though, how does bypassing a security measure prove intent to infringe copyright? They aren’t committing burglary, they’re sharing information. If a company gives out passwords to all its customers and one of those customers shares that password with a stranger then are they liable if that stranger uses the password to commit a crime?
Re: Re: Re:
Interesting analogy.
Someone using that code word without authorization is very likely trespassing.
If you have a code to enter your office building and you give that code out to someone who does not work there, can they legally enter?
Now, while I agree that it is pretty dumb to secure information on the internet that you want available to the public but want to force them through your website in a certain way to get to it, the effectiveness of the security should have no bearing on this type of case.
In this case, however, it is arguable that they did not have ANY security. They intended the information to be public. It may be arguable that it was not security that was circumvented as it was not a measure against people getting to the information. The intent may be very important here.
Re: Re: Re: Re:
“Someone using that code word without authorization is very likely trespassing.”
They are trespassing if they are not authorised to be there, it has nothing to do with whether they bypassed any security measures. I would guess that at most you could use it as evidence of their intention to trespass, much like a ‘no trespassing’ sign would be.
Re: Re:
Except this does not correspond to a locked door. It is more the case of a closed door with a doorknob and you turn the knob to get in. Is it still breaking and entering?
Re: Re:
If a door is locked, no matter how weak the lock, pushing it open is still breaking and entering.
The user would have to have some inkling that there were doing something untoward for this to be a valid analogy.
It’s more like being arrested for trespassing when walking through a public park, because you accidentally crossed into private territory. However, there were no doors, no fences, and no signs stating where one ended and the other began.
(However, the judge finds you guilty because, unbeknown to you, the owner put a “No Trespassing” sign on display in the bottom of a locked filing cabinet, stuck in a disused lavatory with a sign on the door saying “Beware of The Leopard”.)
If a door is locked, no matter how weak the lock, pushing it open is still breaking and entering.
There was no password – so there was no lock. If they poorly designed their door to be secure, but didn’t put a lock on a ‘public’ place, how is that illegal?
Misunderstanding perhaps..
Eh...
Can’t really say I’m with you on this one. While given that trying to lock up information this way is probably silly, and the need to actually take this to court seems nonexistent, why try to argue that a website sucking at securing their info should matter?
Is it any less of a crime if someone steals your vehicle because you didn’t lock your doors? (Yay! A car analogy!)
Does it make abuse any less heinous if it’s against a child, who can’t defend themselves as well? (Won’t somebody think of the goddamn children?)
Does it make it not piracy if some eyepatch-wearing Somalians attack a boat not equipped with guns? (Them pirates just want everything for free!)
Okay, now this is just getting fun….
Re: Eh...
New addition to the alphabet salad lexicon:
OCA – Obligatory Car Analogy. 😉
I’m not so sure ineptitude in security isn’t something that should be considered. I know anecdote doesn’t equal evidence, but I’ve gone to sites where I could, by clicking around, get past whatever sign-in or register procedure is in place. My intent wasn’t evil, more confused about how to get to this page or that of the site.
And shouldn’t a distinction be made between security and procedure? I could make up a tag and register here at TD, but I don’t have to. Is registering somehow a security system? Doesn’t seem so to me.
Re: Eh...
Missing Darryl today were you?
Re: Eh...
See our thread above. This is not just poor security – it’s arguable if it even qualifies as security, and it’s by no means obvious. To an observer it seems more like a glitch of idiosyncratic engineering than a weak security measure.
Re: Re: Eh...
Your chain, it has been yanked.
Re: Re: Re: Eh...
Actually I’m having a tough time figuring that out. Because about 50% of the comment seems totally serious and the argument seems pretty valid from one perspective… I’m confused.
Helmets within helmets.
Re: Re: Re:2 Eh...
“Actually I’m having a tough time figuring that out. Because about 50% of the comment seems totally serious and the argument seems pretty valid from one perspective… I’m confused.”
A good novel writer leaves the writing open to the reader’s interpretation….
Re: Re: Re:3 Eh...
Excellent! In that case I choose to forget this debate and interpret your comment as a heartwarming story about puppies beating cancer 🙂
Re: Re: Re:4 Eh...
BTW, I submitted a chapter of my book to your site and it hasn’t appeared to have gotten past moderation….
Re: Re: Re:5 Eh...
indeed – been meaning to email you about that. I just don’t want to publish your piece in a vacuum, so I’m mustering up a couple other new posts and re-motivating my other writers. Expect things back in full swing within the next week or so, with your submission leading the pack!
we’ll talk more, outside the TD comments 😀
There's no such thing as "deep linking"
It’s a fiction, constructed by those who either (a) don’t understand how the web works or (b) understand how it works, but wish to extort money from others who are using it.
In the HTML world, links are either absolute or relative. Relative links obviously have no meaning outside local context, so we may dismiss them from further consideration here. Similarly, we may also dismiss absolute links whose targets are local.
This leaves us with absolute links whose targets are external. All such links are topologically equal: the construct called a “home page” is just a label, an artifact of convenience. It has no special place among those targets, in a technical sense — it’s merely some people who choose to elevate it above others because they find it convenient to do so.
And as a convenient artifact, that’s fine: it’s handy to be able to refer another human to a site’s “home page”. But as a technical matter, there is no difference between an external link to http://www.example.com and one to http://www.example.com/foo/bar/blah.html.
Beyond all that: when one publishes a web page (glossing for a moment over the complexities involved in doing so) on the Internet, then one has clearly expressed one’s intention to make the content on that page available to everyone AND to make that page a possible target for an external link. It is utterly preposterous to contend otherwise.
Re: There's no such thing as "deep linking"
Beyond all that: when one publishes a web page (glossing for a moment over the complexities involved in doing so) on the Internet, then one has clearly expressed one’s intention to make the content on that page available to everyone AND to make that page a possible target for an external link. It is utterly preposterous to contend otherwise.
So, you’re saying that all of the methods down through the years that’ve been implemented to provide security to websites have been just academic exercises that were never meant to really secure anything? That must be some seriously good crack you’ve been smoking.
I’ll grant you that there’s little to no effective difference between /index.html and /foo/bar/baz.html but your end conclusion is absurd.
Re: Re: There's no such thing as "deep linking"
Is it really absurd? I personally think all attempts to stop any sort of linking are absurd.
Information can be protected in tonnes of different ways online, but the string that identifies its location is not one of them. All content must have a location, and once it does, people are free to point to that location. Lock down the content if you want so those people are pointing to a dead end – but trying to control references to its location is pointless and, in my mind, has no legal basis.
Re: Re: Re: There's no such thing as "deep linking"
one has clearly expressed one’s intention to make the content on that page available to everyone
That’s more of what I was calling absurd than urls pointing to the content. It’s possible Richard just misspoke but I have to go by what he said.
Re: Re: Re:2 There's no such thing as "deep linking"
Ah yes on re-reading the end of his comment I see what you mean. However I’m pretty sure he meant public content – because obviously securing or restricting access to online content is completely legitimate.
Re: Re: There's no such thing as "deep linking"
So, you’re saying that all of the methods down through the years that’ve been implemented to provide security to websites have been just academic exercises that were never meant to really secure anything?
I really have no idea why you think security is relevant to this. It’s not — at all.
A site which publishes information — let’s say, by putting up a web page at http://www.example.com/foo/bar/blah.html — has explicitly disabled enough security to make it visible to the rest of the Internet. Otherwise…you wouldn’t be able to load it into your web browser, because it would (variously) be behind a firewall that prohibited HTTP, or on a server without a running web service, or in a password-protected directory, or accessible via subscription only, or readable by owner-only and not by the web service, or any number of other things that would stop you from accessing it.
But they did (publish it). They have thus — whether they realize it or not — explicitly made it a peer with billions of other web pages, any of which can link to any other.
Now…they may want to indulge in some wishful thinking: for example, they may want to think that page is more important than some other pages…but it’s not. Or they may wish to think that it should/should not be a page that others link to…but that’s patently absurd, since of course they don’t get to decide what characters anyone else gets to put in their pages, including the characters that comprise an HTML link.
Any entity which doesn’t get this doesn’t below on the web, because they lack a fundamental understanding of what it is. The solution that I endorse for such entities is to give them exactly what they demand: I “BOGUS” their domain in DNS. Seems reasonable: they don’t wish to participate as peers in the web, so I’m making sure that they get precisely what they’re so petulantly demanding.
(What “BOGUS” in this context essentially means is that their domain name, MX records, etc. will no longer resolve. This effectively removes them from the local view of the Internet, although of course they’re quite likely still reachable via IPv4/IPv6 address.)
Re: Re: Re: There's no such thing as "deep linking"
I am trying to figure out who died and made you god. What you are suggesting is censorship of any site that doesn’t want to work by your personal rules for sharing of their work.
Don’t get out much, do you?
Re: Re: Re:2 There's no such thing as "deep linking"
What you are suggesting is censorship of any site that doesn’t want to work by your personal rules for sharing of their work.
Of course I haven’t suggested any such thing, and it’s quite absurd for you to state that I have.
First, these are not “my rules”: I’ve merely articulated the method by which the web works. When you publish something…you publish something. If you don’t want it to be published, then don’t publish it.
But having chosen to do so, it’s not only disengenuous, but appallingly stupid, to complain that it’s been published.
Second, I’m not required to access any site that I choose to avoid. I’m quite free to refrain from visiting those sites, or to firewall them out of my network, or to use a browser plugin that blocks them, or to BOGUS them. This is not censorship — it’s merely a choice, and given that it’s a choice that only affects me/my operation, it’s my choice to make.
I suggest that your undertake some remedial self-education on how the web works as well as on the concept of “censorship” — as clearly the latter does not mean what you mistakenly think it means.
Re: Re: Re: There's no such thing as "deep linking"
Why? Primarily because the court case was about accessing secured information. Therefore it is relevant to this conversation.
Personally, I don’t see a session id as any form of security. That was where the judge made his mistake in this case, not in saying that deep linking was any form of hacking.
Your argument isn’t a bad one but it isn’t relevant to this conversation.
Re: Re: Re:2 There's no such thing as "deep linking"
Why? Primarily because the court case was about accessing secured information. Therefore it is relevant to this conversation.
I concur that the court case talked about secured information. I disagree that “secured information” was involved — because it wasn’t. (Secured, that is.)
Pictures and text have no copyright then?
So unless something has unbreakable DRM it’s free for grabs? Is that how we want it? That’s an interesting approach. I guess I can just copy and paste text from the Techdirt blog. There’s no block against it, so I’m not really infringing on copyright in that case I guess.
Re: Pictures and text have no copyright then?
Right, and Mike as fine with it as he stated numerous times.
Re: Pictures and text have no copyright then?
Logic fail. Linking and embedding are not copying. The original site is still providing the media in both cases.
If you want to put the TD, microsoft.com, and theregister.co.uk websites or any content they host inside iframes on your web page, you are fully within your rights to do so unless said sites have taken steps to prevent it and so long as you don’t use them in such a way as to constitute trademark infringement or something of the sort.
Copying and pasting is another matter entirely. Mike is fine with it but the other two would likely sue you and win.
Re: Pictures and text have no copyright then?
OK, lets take another example.
You publish some information on the web,
You then decide it should no longer be available and make the page itself a member only access.
I try and access it via a previously created direct link, but I can’t.
It’s fairly clear to me that this is intentional on your part. You don’t want me to see it before I sign up and register (and maybe pay a subscription).
But I find a cool technology that allows me to access the content anyway, without registration.
Clear intent.
And hence I go and read the content for free.
have I breached any laws ?
Has the maker of the technology breached any laws ?
(the technology in this case is the Google page cache)
Re: Re: Pictures and text have no copyright then?
And if it were secured so poorly that you weren’t even aware that it was supposed to be secure? There was no clear intent here, at least to me and I do this kind of thing for a living.
Your Google page cache example is erroneous too. You are not accessing content protected by the new security when you view a cached page. You are accessing a snapshot that the site allowed to be taken, with full consent of the host of the cached page, Google. Google might have something to worry about (though they don’t if you go by the cases they’ve won on this very thing) but you do not.
Re: Pictures and text have no copyright then?
I guess I can just copy and paste text from the Techdirt blog. There’s no block against it, so I’m not really infringing on copyright in that case I guess.
Yes, you are free to do this. Why would we mind that you’re promoting our content?
Re: Re: Pictures and text have no copyright then?
I’m amazed people still throw this argument at you.
Re: Re: Pictures and text have no copyright then?
Unless of course we felt that this was hypocritical in your case because of previous statements, (ie Lily Allen) in which case we’d go on and on about it while stressing that we didn’t mind…
Re: Re: Re: Pictures and text have no copyright then?
Lily Allen was obliviously advocating kicking people off the internet for 3 *accusations* of copyright infringement while infringing copyrights belonging to not only Mike but other writers and musicians on her blog and websites.
Mike was pointing out the hypocrisy, not committing it.
Re: Re: Re: Pictures and text have no copyright then?
Unless of course we felt that this was hypocritical in your case because of previous statements, (ie Lily Allen) in which case we’d go on and on about it while stressing that we didn’t mind…
Not sure I understand your point? In the Lily Allen situation, we did, in fact make it clear that we didn’t mind, but we used it to highlight how she apparently had not thought through her own positions, as she seemed to be violating the same rules she was advocating. We had no problem with her doing it. We just used it as a chance to help her understand that the issue was more complex than she made it out to be.
Re: Re: Re: Pictures and text have no copyright then?
None of the Lily Allen affair had to do with hard feelings over her copying a Techdirt post at all. It was more funny than anything: on her blog dedicated to fighting copyright infringement, she committed it blatantly (and even went beyond infringement into plagiarism by not linking to or crediting the creator)
The reaction would have been the same no matter where she copied content from – and the goal, if you read the stories at the time, was not to chastise her but to find a way to possibly turn it into a teaching moment – to perhaps make her realize that copyright infringement is a lot more commonplace than she thinks, and that she should take a step back before continuing her tirade against it.
Re: Re: Re:2 Pictures and text have no copyright then?
er, yeah – what Mike said.
Doesn’t anyone see the implications of this ruling? It’s far more than a simple case of n abused anti-circumvention clause.
The reason for making people go through the main page is advertising. Either advertising for their own service, or for others. If it is illegal for someone to allow people to bypass the mainpage/ads, then how long do you think it will be before somone sues the makers of adblock+ or any other ad blocking software for allowing people to bypass the ads on their site?
Also, another analogy.
There is a company that has free maps anyone can view, however there is a large billboard you have to walk past to get in the main entrance. There is also a side door that is unlocked, but has a sign saying “Do not use”. Of course, you open that door and let people in without walking past the billboard. In response, instead of buying a lock to put on the door, the map company decides to sue the guy who opened the door.
Seems perfectly reasonable to me.
Re: Re:
Only in modern times do people see a “do not enter” sign as a challenge to their freedom, rather than respecting the wishes of the shop owner.
No not enter (and closed door) means do no enter. Entering would be a trespass.
It think that if you have trouble understanding something as simple as this, you would have a hard time with things like DRM or file encoding in general.
Perhaps a version that isn’t in broken google ingleesh:
http://haerting.de/de/3_lawraw/aktuell/index.php?we_objectID=1735
In other words, if your protection scheme is laughable, it’s silly to make it infringement to get around it.
This seems illogical and backwards to me. You would give the least protection where it is needed the most. You would only give protection where none was needed.
Hmm
Re: Hmm
And there is no edit…
Anyways sorry for the blank comment.
The original post that I was about to make was to me a better analogy. This is like a building with a door but no walls with a sign out front stating that you can only use the door to enter the wall-less building.
You know your supposed to use the door, and there is a sign telling you to use the door. Since the building has no walls what are you going to do? My best bet is you’ll walk around the door.
To me even if there is a door, and there is sign telling you to only use the door. If the person who owned the building didn’t you to by pass that door they he should have put the walls up.
“if your protection scheme is laughable, it’s silly to make it infringement to get around it”
any protection scheme which can be circumvented is laughable. the protection of a movie can be circumvented, you can get DVD-rips of any movie on the net. that means the protection on DVDs is laughable. Ergo, DVD-rips are not infringement. Problem Hollywood?
Re: Re:
any protection scheme which can be circumvented is laughable.
Clearly this is false. A protection scheme requiring years of research or hundreds of hours of computer time to bypass is obviously not laughable. A “protection scheme” requiring three seconds with a copy and paste feature to “circumvent” is.
I put those in quotes because a session ID is not really a protection scheme, and supplying one is not really circumventing anything.
what the case is about
I had some help from a German speaking friend and with a little bit of guessing this is what I believe the case is about. The online map site allows individuals to access their content for free but they charge commercial websites to do the same thing. It’s not clear if they are trying to monetize use of the site by individuals by requiring them to go through the home page. Even so, I would imagine they don’t really care much about an individual bookmarking some desired map content. Bookmarks are a deep link. It appears the housing rental company is not paying as a commercial user of the site, but instead, allowing its’ users to access the map content by using deep links obtained by via the housing rental company pretending to be an ordinary user. It certainly violates ethics but even if it violates the law there are much easier solutions to this than some legal recourse. At the very least, a technical solution should have been tried wherein the map website blocked any queries from the housing company’s IP address or more generally any IP address which exceeded some threshold of queries and kept the lifetime of the session ID very short. That would also take care of deep links being stored on the housing site and use of a single proxy to obfuscate the source IP. The housing company could have stayed under the radar if they had used multiple proxies from the beginning.
I can’t see how more effective methods of enforcing a paywall, or subscription model, to protect copyrighted material would work here because of the mix of usage, wherein the common user was allowed free access. Depending on the law to make up for a bad business model or poor technical security is just awful. Hyperlinks are critical to the usefulness of the World Wide Web. Limiting access of websites or portions of websites is also critical to the usefulness of the Web. In general, there are technical solutions we should rely on for restricting access. There is no need to depend upon the law to restrict deep linking.
a good analogy
An analogy where I think everyone would agree that no law is being broken is this: An outdoor concert where patrons pay to get inside but the performance can be easily seen and heard from the sidewalk. Then you can progress to situations where one stands on a book to see, uses a ladder, peaks under the tent. jumps the fence or crawls under the tent, disables the security camera and then jumps the fence, jumps the fence while security personnel are distracted by an acquaintance, jumps the fence after threatening security personnel with physical violence. At some point in that progression you have broken the law. The law, however, should not depend on making distinctions in some gray area where it’s not clear or agreed upon that the law is being broken. What is much better are security solutions that require real work to defeat.
laughable protection
what content protection has been other than “laughable”?
from what I’ve read every sort of content protection devised thus far has been defeated in a few days if not a few minutes
“and said that as long as the site owner made any attempt whatsoever to block such deep linking, getting around those measures could represent infringement.”
the result of which is that the above is an appropriate response
Where is the copyright infringement here?
Nobody was making unauthorized copies. Linking is not copying.