
Insecure Website / Possible Copyrighted Material


linux_dude

Guest
What is the name of your state? New York
College? New York
Company(ies) Involved? USA (That's the best I can do)

My college hires a company to provide photography service for everyone that graduates. I recently received the order forms to pick out the pics I wanted, and they have an online option to place your orders where they also have thumbnails of your pictures. For the purposes of this discussion let's say the site is called place.com, and the link to the thumbnail is place2.com/00001small.bmp (This company just provides hosting for place.com I think). Now, I removed the small from the url to make it place2.com/00001.bmp. This provides a ~30mb 8x10 high glossy copy, and nowhere on either site is there a link to this, you have to figure out to remove the small. Now, if I just save that large pic, am I breaking any laws because I'm not paying them? Also, increasing the number to 00002.bmp provides another classmate, and would I be breaking any laws if I go through them all and have a nice photo yearbook of my fellow college graduates?

P.S. I don't remember what type of consent forms the photographer has or if there were any at all, end of the year was so hectic. Also by "Breaking the law" I mean that I would be breaking any type of law (Federal, State, Local), or would be liable for anything, or in any way would let anyone sue me for something.
 


HomeGuru

Senior Member
linux_dude said:
What is the name of your state? New York
College? New York
Company(ies) Involved? USA (That's the best I can do)

My college hires a company to provide photography service for everyone that graduates. I recently received the order forms to pick out the pics I wanted, and they have an online option to place your orders where they also have thumbnails of your pictures. For the purposes of this discussion let's say the site is called place.com, and the link to the thumbnail is place2.com/00001small.bmp (This company just provides hosting for place.com I think). Now, I removed the small from the url to make it place2.com/00001.bmp. This provides a ~30mb 8x10 high glossy copy, and nowhere on either site is there a link to this, you have to figure out to remove the small. Now, if I just save that large pic, am I breaking any laws because I'm not paying them? Also, increasing the number to 00002.bmp provides another classmate, and would I be breaking any laws if I go through them all and have a nice photo yearbook of my fellow college graduates?

P.S. I don't remember what type of consent forms the photographer has or if there were any at all, end of the year was so hectic. Also by "Breaking the law" I mean that I would be breaking any type of law (Federal, State, Local), or would be liable for anything, or in any way would let anyone sue me for something.
**A: how is it that the website is insecure? Does it have feelings?
 
linux_dude

Guest
Well, I could see this being illegal if you need a password to get to 00001.bmp, or even 00001small.bmp, but neither is required. place2.com's front page does have a password prompt, but that's basically only for place.com to manage their files (photos). So it's insecure because you can get to the files of place.com hosted by place2.com without any password prompts. But I was wondering if this meant that they feel this is open to the public and freely viewable, or that I'm not supposed to be able to view them.

If anyone has any questions or needs clarification, please ask, I really need an answer for this.
 

divgradcurl

Senior Member
Well, I could see this being illegal if you need a password to get to 00001.bmp, or even 00001small.bmp, but neither is required. place2.com's front page does have a password prompt, but that's basically only for place.com to manage their files (photos).
It doesn't matter if it is insecure or not. The fact is, you had to "hack" to get in -- even if it is a really, really easy and minor "hack" -- and therefore you got stuff that you were not supposed to have access to. Yes, there are laws that relate to hacking, do a search on Findlaw and see what turns up. There are also copyright implications here as well -- you don't have a license to reproduce those photos.

So it's insecure because you can get to the files of place.com hosted by place2.com without any password prompts. But I was wondering if this meant that they feel this is open to the public and freely viewable, or that I'm not supposed to be able to view them.
So, by your logic, if someone comes over to your house, and the front door is locked, and they get in anyway, that's stealing -- but if you forget to lock the front door, then your stuff is "open to the public."
 
linux_dude

Guest
So there is no burden to protect anything online? How am I supposed to know if a site wants me to see something or not then? There are no warnings, TOSs, or password prompts here.
 

divgradcurl

Senior Member
So there is no burden to protect anything online?
What "burden" should there be? Go back to my hypo -- if you forget to lock the door to your house, should the police come by and say, "hey, this guy didn't meet his burden of protecting his stuff?" Besides, they DID protect it -- they had it in a directory without a link to it. Is it the most secure way to hide something? Not by a long shot -- but you actually had to do some "snooping" to bypass their minimal security measures. It's like locking the front door, but leaving a window open.

So, that brings me back to the original question -- what kind of burden SHOULD there be? I would venture a guess that the method they used would thwart most Internet users -- how much more "secure" should they be? Or should there be a rule that if someone can get at it, it is, by definition, not secure?

How am I supposed to know if a site wants me to see something or not then?
If there is no link directly to the material, that just might be a sign...
 
charmander

Guest
It's not a security measure though, he's just changing the URL to access a publicly accessible file.

Now the real question is, did that site have a statement in its TOU that states all the pictures and contents on the site were copyrighted by them. That would be an entirely different matter.
 

divgradcurl

Senior Member
It's not a security measure though, he's just changing the URL to access a publicly accessible file.
It is a security measure to probably 90% or more of the internet users out there. If they wanted him to have access to this file, they would have provided a link. He had to "hack" the site to get at the file; admittedly a very simple hack, but unless there was a link directly to the picture, it was a "hack."

Now the real question is, did that site have a statement in its TOU that states all the pictures and contents on the site were copyrighted by them. That would be an entirely different matter.
Completely irrelevant. The pictures are copyrighted, period. There is no need for a copyright notice, or anything in the TOS or anywhere else.
 
charmander

Guest
It's not a hack unless he bypasses some sort of physical security such as a password. Assuming the password isn't publicly available of course. Please provide any single precedent worldwide (from an industrialized country) that states otherwise.

Remember several years ago the case of Google v. some artist dude who said they infringed his works by reproducing it on their wee little thumbnail search service thing. In that case Google was a for-profit entity using his images as a way to gain profits, and he still lost. In this case the OP isn't using the images for any profit gaining purpose, he isn't claiming the pictures are his own creation, nor is he publicly proliferating them in mass media.

I think a copyright statement and TOU statement specifying restrictions on use is very important in such a case as this. The statement also has to apply to both place1.com and place2.com as the OP stated something about place2.com. If the copyright statement doesn't extend to a different Level1 domain if that's where the pictures were stored then it's also useless.

I also think there are other certain fuzzy and foggy states concerning the issue even with a copyright statement. I refer to the Court's continuous upholding of the Fair Use right to use a VCR and tape anything off from broadcasting available to the public at large. In this case, the OP is getting images of himself off from a publicly available and accessible picture for his own personal use without regards to commercialization. That can very much fall under Fair Use by the court.

Similar type of Fair Use rights have been ruled in favor of celebs in certain cases of picture use. Now I don't remember exactly, but I think like 5 or 6 years ago some photographer sued a celeb because that person had used his pictures on an ad or something like that.
 

divgradcurl

Senior Member
It's not a hack unless he bypasses some sort of physical security such as a password. Assuming the password isn't publicly available of course. Please provide any single precedent worldwide (from an industrialized country) that states otherwise.
I don't have the time right now to search for a reference for you, so I guess you can feel free to scour servers to your heart's content.

Remember several years ago the case of Google v. some artist dude who said they infringed his works by reproducing it on their wee little thumbnail search service thing. In that case Google was a for-profit entity using his images as a way to gain profits, and he still lost. In this case the OP isn't using the images for any profit gaining purpose, he isn't claiming the pictures are his own creation, nor is he publicly proliferating them in mass media.
Not Google. Kelly v. Arriba Soft. And, although Arriba Soft won at the trial court, they were overturned by the 9th Circuit. The 9th Circuit did address the issue of "fair use" and said that it was "fair use" to copy the thumbnails for a limited time, but it was NOT a fair use to cache, even for a limited time, the full pictures.

And, in that case, the thumbnails did have a link to the full-size photos. The photos were not unlinked, as in this case.

I think a copyright statement and TOU statement specifying restrictions on use is very important in such a case as this. The statement also has to apply to both place1.com and place2.com as the OP stated something about place2.com. If the copyright statement doesn't extend to a different Level1 domain if that's where the pictures were stored then it's also useless.
Why? Pictures are covered by copyright whether or not there is a TOU, copyright symbol, whatever. The copyright owner does NOT lose his rights simply by putting his work up on a website -- it makes it harder to control, but if he were willing to expend the time and effort to do so, he could still enforce his rights under copyright law.

And here, even though the works were on a server without a lot of security, there were no links to the pictures, which further suggests that the owner did NOT intend for public display of the larger photos.

Although there are no cases exactly on point, other cases dealing with "implied" licenses for copyrighted works have found implied licenses exist only in a very narrow set of circumstances. Merely putting a picture on a website does NOT give you an implied license to reproduce, display, or otherwise do anything with that picture in violation of copyright WITHOUT permission from the copyright owner.

I also think there are other certain fuzzy and foggy states concerning the issue even with a copyright statement. I refer to the Court's continuous upholding of the Fair Use right to use a VCR and tape anything off from broadcasting available to the public at large.
Maybe you should read the cases here, starting with Universal Pictures v. Sony, because they do not say what I think you think they say. The cases do not suggest a broadening of "fair use" -- what these cases stand for is that you can't stop someone from making and selling a device that can infringe a copyright, as long as the device has a "substantial noninfringing use." In the Sony case, that "substantial noninfringing use" was the time-shifting of broadcast media that the VCR owners were already entitled to have. See Universal v. Sony and RIAA v. Diamond for starters.

This is completely different from the current case, where we are talking about pictures that the user is NOT entitled to have.

In this case, the OP is getting images of himself off from a publicly available and accessible picture for his own personal use without regards to commercialization. That can very much fall under Fair Use by the court.
The fact that it is a picture of him is irrelevant. Fair use is a balancing of 4 factors, only one of which (and not the most important one) is whether the use is private or commercial. The most important factor by far is the fourth factor, "the effect of the use on the potential market for or value of the copyrighted work." See Campbell v. Acuff-Rose Music. Because the market for "his" picture is small, and because his taking of the picture essentially "decimates" the market for that particular picture, it is probably VERY unlikely that he would have a "fair use" defense for the taking of this picture.

Similar type of Fair Use rights have been ruled in favor of celebs in certain cases of picture use. Now I don't remember exactly, but I think like 5 or 6 years ago some photographer sued a celeb because that person had used his pictures on an ad or something like that.
That has nothing to do with "fair use" rights, or even copyright at all. A famous person might have protections under the Lanham Act (trademark law) for misappropriation, and there are also tort causes of action for misappropriation of likeness and false light publicity that cover the area of unauthorized use of a person's likeness in advertising -- it's illegal no matter whose likeness you are using, as long as it is without permission.

Look, the overall point is this -- the OP asked if what he was doing violated ANY laws. It does. Is he going to go to jail? No, of course not. Nothing is going to happen to him, unless he starts printing the pictures out and giving them to his friends so THEY don't have to buy them either. The fact is that the OP is violating the photographer's rights to control his works, and is depriving the photographer of at least one part of the market, albeit a small one, for his work.
 

charmander

Guest
divgradcurl said:
And here, even though the works were on a server without a lot of security, there were no links to the pictures, which further suggests that the owner did NOT intend for public display of the larger photos.
What security? There is none. If the intent of the firm was to secure the base image, they shouldn't have put it where it was freely accessible.

No security expert you will ever find will corroborate that there was even minimal security.

Back in 95 you might have some sort of possible point there with a lot of people being computer illiterate, but at this time that's not a reasonable argument anymore. Esp also considering that those people seem to be smart enough to operate a website and control access to a server. Web basic security is one of the first things you learn about when you learn content distribution and publishing on the web.

And if they had hired a web designer/developer like me, I would have only granted them access to a small amount of space and instructed them to specifically upload the thumbnails. Sounds like they might be hooking up a full server to a T-1 and storing the entire company data structure on that doohickey.

Google doesn't copy thumbnails, they're essentially creating those thumbnails from the base image on a website or a web server, a full resizing of the image. I don't see how that isn't reproduction and displaying that image without the written consent of the copyright owner.
 

divgradcurl

Senior Member
What security? There is none. If the intent of the firm was to secure the base image, they shouldn't have put it where it was freely accessible.

No security expert you will ever find will corroborate that there was even minimal security.

Back in 95 you might have some sort of possible point there with a lot of people being computer illiterate, but at this time that's not a reasonable argument anymore. Esp also considering that those people seem to be smart enough to operate a website and control access to a server. Web basic security is one of the first things you learn about when you learn content distribution and publishing on the web.

And if they had hired a web designer/developer like me, I would have only granted them access to a small amount of space and instructed them to specifically upload the thumbnails. Sounds like they might be hooking up a full server to a T-1 and storing the entire company data structure on that doohickey.
Fine, you are a security or website expert. It still really doesn't matter. Just because someone doesn't understand security doesn't mean their work is free to take and do with as you please.

Esp also considering that those people seem to be smart enough to operate a website and control access to a server. Web basic security is one of the first things you learn about when you learn content distribution and publishing on the web.
Have you ever designed and uploaded a website to, say, Yahoo or Tripod? You don't need to know ANYTHING about servers or security to do that -- in fact, you don't even need to know HTML if you use their design system. I think you grossly overestimate the skills of the average Internet surfer, even one who has a webpage. You are obviously an expert; linux_dude probably is as well. But most people aren't.

I would argue that the guy who put his pictures up on the site -- but didn't provide direct links to the pictures -- would have a "reasonable expectation" that his pictures would be secure, or, if not secure, at least that his pictures would be unavailable. He probably did it out of convenience, so that he COULD provide a link to those who paid for the pictures.

Google doesn't copy thumbnails, they're essentially creating those thumbnails from the base image on a website or a web server, a full resizing of the image. I don't see how that isn't reproduction and displaying that image without the written consent of the copyright owner.
Creating the thumbnails is very likely a fair use under the Arriba Soft decision. If you read the Arriba Soft decision, it was the copying and caching of the actual photo that was the problem -- thumbnails were A-OK under fair use.

However, just because someone is doing something doesn't make it legal. A lot of people don't fully appreciate how difficult it can be to enforce their rights under copyright, especially on the Internet.
 

charmander

Guest
Yeah, but this isn't Yahoo Geocities (I had a website there back in the days, back then I had to actually build it instead of using the template... anyways... enough about my old memories :D )

The author would have a reasonable expectation that the masses wouldn't view that particular content upon entering his site. Which is not necessarily the same as secure or unavailable.

He put it up so that he could provide it as a convenience to customers.

Humm, possibly, but you'd have to prove intent there though. Does the firm offer a service of offering digital transmission of the Original Base Image? I've never really seen any firm that does it in that fashion though, they gouge ya on the printed pictures (many times on el-cheapo papers :rolleyes: ). Why would he be offering glorious ~30 megs pictures on the web. I haven't done the bitmap conversion but that's a lot of MegaPixel right there.

Not to mention it just isn't efficient to do so, while the US has just surpassed 50% broadband saturation in the home, a 30meg download is completely unreasonable for a picture.

In addition, why not use an FTP server? That allows for passworded access to who you wish and provides much more security. At issue is also the fact that he had it on a web server accessible via HTTP. It doesn't stand to industrial standard or common sense to put out the base product in a way that's so insecure.

If some hacker (Real ones) had some fun and broke in and somehow destroyed the server, that would really seriously screw up that firm. If they put the originals on an HTTP server, I have no confidence whatsoever that they have any backups somewhere.

There's also another thing about fair use and the web. Whenever you visit a website, you're also making an exact duplicate of the said image and displaying it with the local version cached on your drive.

So what exactly is the precedent for defining fair use under this situation in dealing with how limited the implied license is for viewing and using images? Is the limit 1 view of the page? 1 week? 1 month? Do you have to just download the image from the server and then view it in that one session?
But most browsers also have a feature allowing you to view cached internet contents, which allows you to view a site from the last time it was locally cached while offline.

The same cache, as viewed in most browsers, is also set by size, not necessarily date. I have a pair of 120GB and a 200GB HD. If I set a single 120GB to 10% cache (That's the default for MSIE if I remember right, I used to see some huge number at the default, had to set it to 100MB), I would have a cache of every single page I've ever visited in the last 2-3 years. And if I choose to never delete the contents, and keep viewing my cached copy of an image from some copyrighted place, what is the implied license under that case? What is the violation of copyright if any?

Remember, publishers also are very aware of the caching issue, as are most surfers.
 

divgradcurl

Senior Member
You are totally fixated on irrelevant points -- maybe not irrelevant from a security standpoint or web standpoint, but definitely irrelevant from a legal standpoint.

This will be my last post on this subject because you are totally focusing on irrelevant techno stuff and ignoring the legal issues.

Look -- if you download a picture from the web, you may be able to keep it forever and have it be a "fair use." Whether or not a particular use is a "fair use" is ENTIRELY dependent on ALL of the facts of the situation. The OP's use is NOT a fair use because it significantly damages the market for that picture -- that's not the same as someone caching or downloading some random picture on the web.

If you want to debate security, or how copyright shouldn't exist on the web, or how ANY use is a "fair use" as long as it is on the web, you can do it at Slashdot or Kuro5hin -- this isn't the forum for it.
 
