Saturday, May 11, 2013

Nobody reads the ToS -- not even those who write them

GoGo Inflight is running a promotion right now giving you free Internet access on airplanes from your Blackberry phone/pad. Even if you don’t have a Blackberry device, you can still get the free service by changing your browser identifier to match a Blackberry (instructions below). Here’s the question: is spoofing your browser ID like this in order to get free Internet service illegal under laws like the CFAA ("Computer Fraud and Abuse Act")?

That’s an interesting debate, but there is a further twist: GoGo Inflight’s promotion violates their own Terms of Service (ToS). According to the ToS, you need a "user account" to use the service. However, the Blackberry promotion doesn't give you one, because it triggers off the browser ID. Thus, even if you have a valid Blackberry (and aren't cheating), you are still technically in violation of the Terms of Service.

The relevant text, edited a bit, from the Terms of Service is:
In order to use the Service, you must either
(a) create an account to become a registered User of the Service, or
(b) sign in through an existing account with a Roaming Partner.
With GoGo’s Blackberry promotion, neither (a) nor (b) happens. Instead, some sort of undocumented (c) event happens.

What I’m trying to show here is that nobody reads the Terms of Service – not even the people who write them. The marketing droids who negotiated the deal with Blackberry clearly had no idea that the promotion violates their own ToS.

That’s why Internet activists are up in arms about the anti-hacking law known as the CFAA. It’s so vague that it’s impossible to tell the line between legal or illegal. Even lawyers can't tell if you if cheating on the browser ID is legal/illegal. Prosecutors often try to use the ToS as a guide, but as this example demonstrates, companies don’t even mean what their ToS says.




Even though I paid the $12.99 for GoGo Inflight service (with a user-account), I also flushed the cookies and change the MAC address in order to test getting the free service. (Actually, I just rebooted -- my machine automatically flushes cookies and resets the MAC on reboot). I used a Chrome addon called “User-Agent Switcher” to change the browser identifier to:
Mozilla/5.0 (BB10; Z10) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Mobile Safari/531.21.10
GoGo Inflight sees the “(BB10; Z10)” portion and assumes I’m using a Blackberry Z10 device and offered me the free service instead of paid service. The sequence of screens activating this are shown below:

From this point on, I had free Internet access from my MacBook Air. I didn’t use it, but switched back to the account that I’d paid for. But, what you are supposed to see in these screenshots is that even with a real Blackberry device, no user account is created. This means all Blackberry users are technically in violation of the ToS.

You can go read the Terms of Service yourself and find some reading that makes sense, thus refuting this blogpost. I’ve spent some time at it, and as far as I can tell, GoGo Inflight does not mean what its own ToS says.

3 comments:

Anonymous said...

This reminds me of two other cases I've heard of where nobody really read the TOS. Firstly, one company which changed direction massively, and who paid some lawyers to update the TOS of the old service for the new service — all they did was search-and-replace old-name for new-name, leaving large tracts of totally irrelevant terms and conditions. Second was even worse, and occurred in a different company: someone copy-pasted the TOS of a totally unrelated product, and didn't bother to change the name.

grecs said...

Interesting finding... Shows laziness on their part. And if it breaks the CFAA ... we'll only known after a case comes up and makes it through the court system.

Anonymous said...

Grecs got banned for spamming hackernews twice daily and now he does blog comment spam? Classy.