Assuming that those third-party services are ones that the public can access via their own web interfaces, such that the only thing unauthorized is the manner in which the APIs are consumed, this would seem (unless I am missing more specific precedent) to fall out of CFAA coverage as a result of the Van Buren v. United States decision.
I remember seeing "Help: FBI criminally charged me with $6MM loss for hotlinking. I didn't do it" on HN earlier this year (https://news.ycombinator.com/item?id=30589489). Was this person lying?
There is no indication of what the charge was, and usually with hotlinking to an asset the legal issue is copyright infringement (which can be criminal as well as civil); that’s very different from suggesting that use of an API endpoint intended to be used by a public web frontend is a CFAA violation.
I remember when this passed and thinking that it was all the big, incompetent businesses that can afford lawyers on retainer making sure that only big businesses that can afford lawyers on retainer maintain their position of superior power over individuals. Snuffing out any hope that the little guy - who through sheer talent - can do things on this incredible newfangled equalizing innovation called the Internet will finally have some real chance at power.
Bank of America used it to make people who simply changed the account number in their URL bar the criminals instead of them, who were completely incompetent at securing access to their customers' accounts. What previously would have been arguably criminal negligence.
It placed intent above competence - but only for those who can afford lawyers.
> Keeping in mind that "not complying with a corporation's policies" is not the same as breaking the law.
Actually, the law says that the Terms of Service is a legally-binding contract unless you can prove any provision is legally considered unconscionable. However, if that happens, all provisions except that provision still bind. It is illegal to break a legally-binding contract, and you can be sued or taken to arbitration at a minimum in a civil court for "breach of contract." And that's before any Computer Fraud and Abuse Act or Digital Millennium Copyright Act violations.
Yes, corporations don't sue users for "breach of contract" almost... ever. It's expensive, risky, has low compensation for doing so, and is just bad PR. But they legally always can.
> Actually, the law says that the Terms of Service is a legally-binding contract unless you can prove any provision is legally considered unconscionable
No, it doesn’t.
It says they can state the terms of a contract if all the requirements of contract formation have been met, which are more than just the absence of unconscionable terms.
I'm assuming the users of Gpt4free haven't signed up to OpenAI's terms and conditions, even if they do contain language prohibiting use of these private APIs. A corporation can't unilaterally impose their TOS on the entire population (or, at least, one would hope they can't).
In that case though, let's say OpenAI decided to enforce their Terms of Use by potentially suing. The defendant would likely have to show, whether he likes it or not, that he never once signed up for ChatGPT, never once signed up for the official OpenAI API, and managed to perfectly reverse-engineer the API from the outside. Seems unlikely to me.
But then of course... CFAA and DMCA. The DMCA in particular, for example, doesn't consider the strength of the lock in the criminality. DVDs can be cracked with 7 lines of Perl since 2001, but it's still a DMCA violation.
> The defendant would likely have to show, whether he likes it or not, that he never once signed up for ChatGPT, never once signed up for the official OpenAI API, and managed to perfectly reverse-engineer the API from the outside.
These aren’t reverse engineering the OpenAI API, they are reverse engineering the APIs of public services that in turn call the OpenAI API.
I’m not sure under what theory OpenAI would even sue.
> But then of course... CFAA and DMCA. The DMCA in particular, for example, doesn't consider the strength of the lock in the criminality.
The DMCA only applies to technology addressing copyrights, and CFAA seems inapplicable to consuming the backend APIs used by publicly accessible services because that’s just use of authorized access by a different manner, outside of CFAA scope under the Van Buren precedent.
This is almost certainly an instance of Unauthorized Use under the CFAA and therefore criminal in the USA and any jurisdictions with similarly broad anti-hacking laws.
If those are APIs consumed by public sites, then they are APIs the public is authorized to use by way of those sites, and Van Buren v. United States says that if you are authorized to access a system, accessing it in a different “manner or circumstances” is not “unauthorized” as that term is used in the CFAA.
I wasn't aware companies could, by fiat, declare certain publicly available endpoints private, thereby compelling everyone by force of law to pretend they don't exist.
My bank's website is publicly available. That doesn't mean anyone is free to access my bank account. Just 'cause something is accessible on the internet doesn't mean you have the right to access it. Case law and statute go back at least to the 1980s on this point.
Citing convictions overturned on appeal probably isn't the strongest evidence of illegality. (Because they were overturned on threshold issues that didn’t involve inquiry into the substantive merits of the charges, it's not evidence against illegality, either, but...)
My point is people have gone to prison over GET parameters, not the legality of it. DOJ has CFAA. Abusing private APIs is flying close to the sun. Even if you do get out of prison eventually.
So, if I create a cat GIF API, but announce that it's a private cat GIF API only I am allowed to use, I can sue anyone else who uses it to retrieve a cat GIF?
Knowingly using a private API without authorization can fall under CFAA, contract law, copyright law, trespass to chattel, etc -- and you can issue a C&D and/or sue for whatever is relevant.
These are the exact same “private API”s your browser utilizes when visiting chat.openai.com and require your own API keys granted to you by OpenAI.
Calling it illegal is utterly insane. It’s just a different user-agent and they’d prefer people use their official ones. OpenAI literally controls the keys so if they don’t want someone using an alternate mechanism, they can and will just ban the account.
My website is private. If you visit it I will sue you.
If someone bypasses authentication I understand but if your api is open on the public internet on purpose, you don't get to randomly declare what's private and what isn't.
> mycoolsite.com is the same as mycoolsite.com/api/bb8d4cc4-1453-473b-8594-95db0f41877d/3c9242b8-2394-48c1-9643-618ca38eb13d for which you'll also need these dozen parameters and custom headers for, which there is no public documentation for
If someone I didn't grant access broke (in a very smart way) into my house, turned on the lights for a minute and then left, I'd still be pissed and would call it illegal.
The situations aren't really comparable. We're talking about sending a request from a computer to a publicly available API endpoint that OpenAI would rather you didn't, and then using the data that endpoint sends in response.
(Somewhat tangential, the "networks as a 3D space you travel around in with locations you visit" analogy does more harm than good. It's not what's happening and it results in muddled thinking.)
Something being accessible does not mean you're authorized to access it. Someone's house being unlocked doesn't mean it's okay for you to enter. Authorization is the key part here and you likely can be convicted under the CFAA[1].
Again, I don't think the analogy holds—no one is entering anything. A better analogy would be someone standing outside your house and asking you to pass a book to them through the open door, which you then voluntarily do.