My life as a criminal cookie clearer: Register vulture writes Chrome extension, realizes it probably breaks US law

Could paywall-dodging browser aid fall foul of DMCA rules? We ask the experts

113 Reg comments Got Tips?

Code dive Over the weekend, I created my first Chrome extension and prepared to publish the project to GitHub until I realized it was possibly illegal under America's Digital Millennium Copyright Act.

It's not a great loss to the world. The extension, which I called Bloom Broom, is about as basic as can be. I wrote it after completing the Chrome Extension Get Started Tutorial to see if I could complete a project of my own.

Specifically, I decided to create code that cleared the data stored in my Chrome browser by an unnamed website I'll call example.com, even though you can probably guess what the site might be from the extension's name. I wanted to see if I could bypass the website's soft paywall, which limits non-subscribers to reading only a few articles a month.

Unlike a hard paywall that grants access only to subscribers who have created an account, soft or metered paywalls provide visitors with limited access to content through gating mechanisms like browser cookies or storing values in browser-based databases.

This is phenomenally ineffective, not to mention annoying and non-consensual. Technically inclined individuals have got around soft paywalls for years by clearing particular cookies and browser data. Browser makers provide tools to do this manually and there are plenty of browser extensions that do so, often in the name of privacy or security.

Chrome provides an API for browser data manipulation, chrome.browsingData. I had initially thought I could just call this API from a content script, one of several possible components in a Chrome extension that can be set to run when a specific website is visited.

But it turns out chrome.browsingData isn't accessible from a content script, so after googling about, I understood I would need to load the content script when visiting the target website and have the content script send a message to a background script, another possible Chrome extension component, to invoke the chrome.browsingData API there.

So I declared the appropriate permissions in the manifest.json file:

...
"permissions": ["*://*.example.com/*", "browsingData", "storage"],
 "background": {
   "scripts": ["background.js"],
   "persistent": false
 },
 "content_scripts": [
   {
     "matches": ["*://*.example.com/*"],
     "js": ["contentScript.js"]
   }
 ],
...

And then wrote the code for contentScript.js...

chrome.runtime.sendMessage({ text: "Clear" }, function (response) {
 console.log("Response: ", response);
});

..and background.js

function callback() {
 console.log("Bloom Broom execution complete.");
}

chrome.runtime.onMessage.addListener(function (msg, sender, sendResponse) {
 if (msg.text === "Clear") {
   chrome.browsingData.remove(
     {
       origins: ["https://www.example.com"],
     },
     {
       cacheStorage: true,
       cookies: true,
       fileSystems: true,
       indexedDB: true,
       localStorage: true,
       pluginData: true,
       serviceWorkers: true,
       webSQL: true,
     },
     callback
   );
 }
 sendResponse("BrowsingData cleared.");
});

The console.log statements (which print output to the browser console) aren't necessary but I wanted to make sure the extension worked as anticipated. And it did. I could visit the site I'm calling example.com as many times as I liked and its article limit would never kick in because the server found no evidence of my previous visits in my browser's storage system.

But I decided not to publish my extension because doing so explicitly to bypass a technical protection mechanism like a paywall is at least theoretically actionable under the law.

The digital arm of the law

Attorney Theresa Troupson, an associate in the Intellectual Property and Litigation & Trial practice groups at Russ August & Kabat in Los Angeles, said as much in a 2015 New York University Law Review article titled, "Yes, it's illegal to cheat a paywall: Access rights and the DMCA's anticircumvention provision." [PDF]

And she maintained that's a possibility in a phone interview with The Register.

"I do think, as I argue in the law review note, it's basically legally actionable under the DMCA because the DMCA is written in such a way that it could potentially implicate people for clearing cookies," she said.

The reason for this, Troupson argued, is that the DMCA's language is so overly broad that any means of accessing paywalled content without authorization falls within the statute's scope.

"Deleting cookies, using ad-blocking software, or other routes past the paywall could be said to 'deactivate' or 'impair' the paywall protecting the online news article," the article says.

Not everyone necessarily agrees with this interpretation of the law and it's unlikely that publishing a paywall bypass extension or simply deleting cookies would result in a lawsuit, unless a large amount of money were at stake.

theft

Chrome extensions are 'the new rootkit' say researchers linking surveillance campaign to Israeli registrar Galcomm

READ MORE

Troupson said she's not aware of any paywall circumvention cases related to browser storage deletion. But in 2018 Mozilla did find enough cause for legal concern to remove a Firefox extension called Bypass Paywalls from its Add-Ons Store for alleged Terms of Service violations.

Whatever legal risk there is, it's not excessive, given that the Bypass Paywalls code has since been updated to work on Chrome and can be downloaded from GitHub. Also, the Mozilla Add-On Store nonetheless currently includes paywall busting extensions, as does the Chrome Web Store.

Troupson suggests stating that a particular bit of code was created specifically to bypass a paywall would increase the risk because intent matters.

But claiming cookie cleaning was carried out due to privacy or security concerns doesn't guarantee immunity under the DMCA. As Troupson's article notes, the DMCA's anti-circumvention provision lacks any intent requirement.

"The implications of this overbroad provision are troubling, especially for users' privacy and ability to use their personal computers as they see fit," the article states. "In effect, the DMCA codifies a requirement that users submit to cookie storage in order to gain access to certain copyrighted material.

"While it may be fair to require users to allow access protection technology to function properly, it is alarming that a user must either accept cookies he does not want or risk violating federal copyright law in the course of innocently browsing the Internet."

Clicking cookie acceptance popups, Troupson suggested, can be taken as consent to publisher terms over service, like not meddling with paywall mechanisms.

Er, remember the First Amendment?

In an email to The Register, Naomi Gilens, EFF Legal Fellow, expressed skepticism that cookie avoidance might be actionable. "People have a First Amendment right to browse the Internet anonymously, so it can't be a crime to lawfully use software that allows anonymous browsing, even if news sites don't like it," she said.

But Gilens allowed that uncertainty about the legality of cookie interference, something people do automatically via privacy extensions, is understandable given the vagueness of laws like the Computer Fraud and Abuse Act.

"News sites can solve the problem of paywall bypassing by not letting people read any free articles, but they can't stop it by using computer crime or intellectual property laws to block people from lawfully using available software to browse anonymously," said Gilens.

At least in the context of Chrome's cookie-crumbling Incognito mode, Gilens argues that the DMCA is not an issue.

"News websites are of course free to condition access to articles on payment," she said. "But if a news website chooses instead to allow access when viewers have no cookies, then there is not any measure in place that effectively controls access to the copyrighted works, so there's nothing that triggers Section 1201.

"The DMCA specifically contemplates that no one is required to implement any particular technology to interoperate with a DRM scheme – meaning that, in this instance, news websites can't require that browsers keep customers' cookies in order to make their DRM work. (Among other things, mandatory cookie retention would be a privacy nightmare.)

"In short: users aren't liable for 'circumvention' under the DMCA for accessing a news website through Incognito mode any more than they would be liable for accessing a news website from their phone or work computer in addition to their primary personal device."

Whether that interpretation would immunize the creation of software built to bypass a paywall may have to wait for actual litigation. Perhaps it's best just to hedge and call such code a privacy extension.

On a related note, Google earlier this year closed two privacy loopholes in Chrome that publishers had been using to enforce metered access. The ad biz advised disconsolate publishers to reduce their allotment of free articles, to require registration to view any articles, or to harden their paywall.

Troupson said she'd like to see copyright law evolve to address access in addition to copying, given the importance of streaming media.

"I think in general copyright protection has not kept pace with the way people use media today," she said. "I argue we need to rethink copyright as a field of law in general and find ways not just to protect copyright but to protect access rights." ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020