Originally Posted by
Sean Peever
That's literally not at all even remotely technically correct.
It is exactly technically correct. Open an incognito browser and do a search for award visibility on ac.com and tell me what you see. This information is made available publicly by Air Canada on the open internet. This is black and white.
Originally Posted by
historiclurker
There's quite a lot to unpack here. First, Akamai and other CDNs have a far more sophisticated rules engine than just "robots.txt" which is about as good as you'll get for a public facing interface that isn't required to have authentication. I'm curious to hear what your technological solution is to this problem while maintaining the requirement that authentication cannot be required for access. If you're about to suggest caching on the backend, how _exactly_ will that help solve TSP? If you're aware of some linear or constant time solution, the rest of the world would be glad to hear it.
Secondly, while neither altering the HTTP header nor screen scraping is illegal, it is quite illegal to gain unauthorized access to a system by altering a program (though for a different legal reason). Likewise, it's also illegal to knowingly and fraudulently present identification to misrepresent who you are, such as stealing someone else's credentials and logging in with them.
If you put data on the internet without requiring authentication then people can come and get it. If Air Canada wants to restrict this information then they can put it behind authentication. There is not some magic solution here, nor have I pretended there is one. This website is not "knowingly and fraudulently present identification to misrepresent who you are, such as stealing someone else's credentials and logging in with them" - it is hitting a public endpoint that AC makes available and collecting the resulting data.
Originally Posted by
historiclurker
Lastly, this is a legal brief. It's not meant to go in-depth. It's only purpose is to serve as a general overview and provide context behind the dispute at hand. It has done its job and presented the fact that AC has made some modicum of effort to prevent unauthorized access, specifically against seats.aero, and that they have consequently and actively circumvented such measures. For all we know, they could've explicitly dropped all inbound requests from their EC2 instances..
The context is being explicitly misrepresented. Using Akamai Bot Manager is not "preventing unauthorized access".
Originally Posted by
historiclurker
This is also a pretty bad analogy. The internet is not as public facing as most people think it is. The building with an open door with a sign next to it that says seats.aero & affiliates are unauthorized to enter through this door, along with requiring the person to provide a piece of paper that says I'm not seats.aero is more accurate.
Air Canada doesn't get to put information on the public Internet and then say "you can't access it" - this has been pretty effectively settled.
I guess the bottom line for me is that the public internet only works because it is interconnected, and this needs to be protected. There are ways to make information private, and Air Canada chooses not to use them here. Trying to use terms of service, lawsuits, etc. to restrict access to information you make public has been pretty effectively upheld as wrong by the courts in the US. The EFFs
amicus brief on this from the last court case reflects my feelings pretty well, and I'm reasonably confident that on at least these claims Air Canada will lose, although of course IANAL.
I'll bow out of this now, ciao.