[shmatt]

I just noticed over the weekend new Claude agreed to reverse engineer a graphql server with introspection turned off, something Im pretty sure it would have refused for ethical reasons before the new version

it kept writing scripts, i would paste the output, and it would keep going, until it was able to create its own working discount code on an actual retail website

The only issue with these kinds of things is breaking robots.txt rules and the possibility things will break without notice, and often

The use of unofficial APIs can be legally questionable [1]

[1] https://law.stackexchange.com/questions/93831/legality-of-us...

As the authors of essentially a hacking tool, I would expect at least some legal boilerplate language about not being liable

[richardzhang]

We are working on a way to auto-patch internal APIs that change by having another agent trigger the requests.

Regarding the legality aspects — really appreciate you mentioning this — we’ve put a lot of thought into these issues, and it’s something we’re continually working on and refining.

Ultimately, our goal is to allow each developer to make their own informed decision regarding the policies of the platforms that they're working with. There are situations where unofficial APIs can be both legal and beneficial, such as when they're used to access data that the end user rightfully owns and controls.

For our hosted service, we aim to balance serving legitimate data needs with safeguarding against bad actors, and we’re fully aware this can be a tricky line to navigate. What this looks like in reality would be to prioritize use cases where the end-user truly owns the data. But we know this is not always black-and-white, and will come up with the right legal language as you recommended. What does help our case is that many companies are making unofficial APIs for their own purposes, so there are legal precedents that we can refer to.

[shmatt]

I have to disagree, it is definitely not legal in the US to use unauthorized access points to access authorized data. Thats like saying you're allowed to get into your apartment through breaking your neighbors door and climbing between the windows

In the US this is pretty simply covered by Computer Misuse Act and Computer Fraud and Abuse Act, both federal laws

Im not claiming you're liable, just surprised no lawyer pointed this out at YC

[conradev]

There is a carve out if the data is "publicly available": https://en.wikipedia.org/wiki/HiQ_Labs_v._LinkedIn

If I open the Safeway app and it fetches what is available in a given store without any authentication and everyone sees the same data, that could possibly fall under that exemption.

[chatmasta]

If my browser is downloading some data, then what’s the difference if my AI agent is doing the same? I’ll even tell you it’s my browser. Who are you to say what qualifies as a browser?

[anon291]

The law will say what qualifies as a browser.

Computer programmers are not legal experts lol. The law is not a program.

The difference between you accessing it and a computer accessing it makes these things different.

[chatmasta]

A browser is a user agent, it's some software that makes requests to a server and renders them in a way I can understand. There's no difference between using a screen reader to vocalize content and using an AI agent to summarize it.

[anon291]

Sigh and now you're arguing with me instead of the law, as if I matter.

Bits have color and if you don't know what that means, Google that before responding.

[kgc]

Just have the AI use the browser.

[nkrisc]

Likely a judge or jury will decide. Law isn’t code.

If it’s two different things then it’s not the same thing.

[daveguy]

This analogy is completely off. A closer analogy is someone calls you on your phone letting you know they're here. You were expecting them, so you say "come on in." But, they were at the back door instead of the front door. I don't think anyone would consider that your friend did something illegal.

[korkybuchek]

Yeah, the CFAA doesn't work by analogy unfortunately.

[erohead]

CFAA has recently (2021) been limited by Van Buren ruling.

[CPLX]

The entire US legal system works by analogy.

[rozap]

You're right in principle, but I think in practice this is sort of a non issue. Most sites now employ (for better or worse) anti botting tools which have some sort of javascript challenge that will generate a unique token. Given that this tool is only capable of replacing the dynamic parts of the request graph with tokens found in the output from the previous steps, I don't see how it would get around these sorts of challenges. So effectively, if you're using methods to prevent "unauthorized" use of your APIs, I think this sort of tool will be defeated extremely easily. The reverse engineering/web scraping world has unfortunately evolved to be extremely adversarial, and this sort of tool is does not have the sneakiness required to get around even the simplest anti botting measures.

Until LLMs become smart enough to emulate a full JS stack, I think we're safe :)