Pokemon Company Threatens Pokemon Go API Creator With CFAA Lawsuit

from the because-of-course dept

Is there no goodwill that the Pokemon Company's lawyers won't step in and kill off? With the popularity of Pokemon Go, some third parties had started trying to develop some services to go with it, and as part of that, a few have tried to create Pokemon Go APIs. A user going by the name Mila432 had created an unofficial Pokemon Go API in Python, and posted it to GitHub. If you go now, you may notice that the Readme now reads:
see you in court nianticlabs, with love from russia xoxo
That's because the Pokemon Company (not the game developer Niantic, but rather the Nintendo subsidiary that owns a piece of Niantic along with all the Pokemon rights) sent Mila432 a legal nastygram claiming that the creation of the API could violate the Computer Fraud and Abuse Act (CFAA). Mila432 posted screenshots to Reddit. We have all the screenshots posted at the end of this post.
The letter first claims that creating this API is a violation of Pokemon's Terms of Use as well as Pokemon Go's Terms of Service. But, more importantly (and ridiculously) it claims a violation of the CFAA -- a law we've discussed many times before, mainly for it being the one law "that sticks" when no law was actually broken, but you've done something people dislike "with a computer." Here's what Pokemon's lawyers have to say:
Additionally, your actions with respect to the Mila 432/Pokemon_Go_API potentially violate the federal Computer Fraud and Abuse Act ("CFAA"), a statute that prohibits the unauthorized access of servers and access which exceeds authorization, as well as similar state statutes. And your inducement of others to violate numerous terms of service provisions violates the CFAA. While notice is not a prerequisite to liability, Pokemon hereby puts you on notice that you are barred from accessing Pokemon servers or infrastructure, and barred from facilitating access by others. Any continued access, whether directly or at your direction or on your behalf, will be unauthorized.
See that language right there, about putting Mila432 "on notice" and saying that s/he is barred? That's straight out of the very recent Facebook v. Power.com decision in California, where the court ruled that once a company (in that case, Facebook) had sent a cease-and-desist notice, any further access was a CFAA violation. We were troubled by that ruling, and the use of it here further illustrates how problematic it was.

Now, yes, you can argue that unauthorized APIs can cause problems for games -- and that's true. Of course, it can also help make them more compelling by allowing others to build on the game and add more value. But, wherever you come down on that debate, going legal seems pretty silly. Niantic, for its part, had simply gone the technology route of limiting access to third-party servers, to deal with some quality of service problems created by such third parties accessing its system. That is, rather than totally freak out about such APIs, it noted the actual problem (overloaded machines) and sought to fix it through technology.

It's just the Pokemon company that took it up a few unnecessary notches to pull out a big gun like the CFAA. But, I guess, how can I be surprised? This is the same company that legally fucked over a party by Pokemon fans at PAX last year, suing the people who organized it.

Filed Under: api, cfaa, pokemon, pokemon go, terms of service, threats
Companies: niantic, nintendo, pokemon company


Reader Comments

  • Anonymous Coward, 5 Aug 2016 @ 6:51am

    What does the API actually do?

    • Ninja, 5 Aug 2016 @ 6:52am

      Re:

      My first thought..

    • Anonymous Coward, 5 Aug 2016 @ 7:26am

      Re:

      If you look at an older readme update i.e.

      https://github.com/Mila432/Pokemon_Go_API/commit/f5289b6d80a33809e29d3c776ddf9132f0100895

      then my guess is that it was a bot.
      Walk logic, catch pokemon automatically, drop if bag is full all reads like some program you run on whatever to play the game for you.

      While I do agree that CFAA is a bit weird to fight an API, the Pokemon Go guys did ban people for GPS spoofing. I guess if Blizzard can sue bot makers so can these guys.

    • pegr, 5 Aug 2016 @ 10:10am

      Re:

      The API, or Application Programming Interface, is a standardized interface for communication between the client application and the application server. By duplicating the API, the programmer facilitates communication with the application server with an unauthorized client.

      Google and Oracle had a dust-up over APIs. Google argued that an API is purely functional and, as such, is not copyrightable. Oracle differed in that they could copyright the "Structure, sequence, and organization" of the API for Java. First judge said no. Appeals judge said you can. First judge replied, OK, you can copyright it, but others can use it under Fair Use.

  • Ninja, 5 Aug 2016 @ 6:52am

    Gotta sue 'em all!

    I wonder if the lawyers get xp per lawsuit..

  • Anonymous Coward, 5 Aug 2016 @ 6:59am

    related?

    On a related theme, a developer of one of the many unofficial (and free) Pokemon tracking apps had all his Android apps (several years' work - all the others unrelated to Pokemon, obviously) pulled from the Google Play store
    https://plus.google.com/u/0/+CyrilPreiss0/posts/LJqHh3WmUQ4 (G+ link)

  • Anonymous Coward, 5 Aug 2016 @ 7:48am

    I fully support Niantic in their decision to fight back against the hackers. They are ruining the game for everyone else who plays legit and in my opinion if you are cheating then you deserve to have your falsely acquired assets wiped.

    • Anonymous Coward, 5 Aug 2016 @ 8:27am

      Re:

      I was under the impression that Pokemon GO was largely played "against yourself". I don't see how this bot would have affected interactions with other players at a pokestop, pokegym, or whatever. That's not the sort of thing easily automated.

      If someone else "actually does collect them all", how are you harmed?

      • David, 5 Aug 2016 @ 9:32am

        Re: Re:

        If you can build stronger Pokemon faster than everyone else, you can take over lots of gyms. This blocks others from getting points from taking and occupying a gym.

      • Anonymous Coward, 5 Aug 2016 @ 10:07am

        Re: Re:

        If you play the game and have stood at a gym and taken it over with no one around and then instantly spoofing sniper bots take it back, that affects everyone playing. Keeping gyms is how you get in-game currency for free every 24 hours. So the bots keep all the gyms and get all the in-game currency, leaving normal players to have to spend real money if they want shop items.

        • Stoatwblr, 7 Aug 2016 @ 11:20am

          Bots

          I was at my local gym (it's at least 100 metres from any houses) at 2am today with nobody around and the bots are still active.

          Whatever they're doing to nobble the API for the trackers isn't affecting bots - and that does suck if you're trying to play the "right" way.

      • Ruby, 5 Aug 2016 @ 11:04am

        Re: Re:

        Aside from the fact that a lot of the epic server problems were being caused by tracking APIs accessing the servers, shutting out players?

        The app itself is free but uses micro transactions. You use real money to buy in-game coins then use coins to buy items to advance in the game.

        But, you can earn some coins in the game for free. If you have GPS spoofing technology, you can manipulate the game to get a lot of coins. Obtaining for free what other players have to pay for.

        You can also quickly obtain and hatch a large number of eggs, without buying incubators.

    • dakre, 5 Aug 2016 @ 8:31am

      Re:

      Anyone who runs the risk of running bots usually knows the risks. That's their decision, and if they get banned, that's their fault. My problem with your comment is that they are not all ruining the game for everyone. That statement is too broad, and generalizes everyone as a "bad guy" if they don't play through the app.

      I will admit, the number of botters may be ruining the game by creating server instability, but even that isn't preventing people from playing. What I will defend, are the people providing a beneficial service for everyone, such as PokeVision.com. They have a much better tracking system, that does get abused (I.E. bots), but at least it provides a positive experience for anyone who uses it.

      • Rustic Prince, 5 Aug 2016 @ 8:33pm

        Re: Re:

        The problem of clients making large numbers of requests at once can be easily solved by:
        1. Limiting the number of requests per client/account per second
        2. Restricting account creation by phone number/email address
        3. Limiting the number of events such as level up
        etc.

        It seems that the service is designed in a way that they need to keep the API secret to keep it secure. If so, too bad. Security by obscurity doesn't work.

    • Anonymous Coward, 5 Aug 2016 @ 8:34am

      Response to: Anonymous Coward on Aug 5th, 2016 @ 7:48am

      It's a fucking game. Get over the attitude that laws can be twisted just because players can cheat. Save the CFAA for real breaches.

    • Rustic Prince, 5 Aug 2016 @ 9:01am

      Re: I fully support Niantic in their decision...

      1. What did they "hack"? They didn't exploit any security vulnerability of the Pokémon Go servers. They wrote programs that communicate with the servers in a normal way.
      2. How do their actions "ruin" the games for others? It's not like there is a finite supply of Pokémons in the world.

      • Anonymous Coward, 5 Aug 2016 @ 10:10am

        Re: Re: I fully support Niantic in their decision...

        A lot of it was figured out with MITM attacks and decompiling. This isn't a public API given out by Niantic. It ruins the game because bot cheaters have characters that are impossibly strong and can keep all the gyms for themselves in a local area. This keeps other people from earning in-game currency.

    • Mike Masnick, 5 Aug 2016 @ 10:22am

      Re:

      I fully support Niantic in their decision to fight back against the hackers. They are ruining the game for everyone else who plays legit and in my opinion if you are cheating then you deserve to have your falsely acquired assets wiped.

      You do realize most of this article is not about Niantic, but Pokemon Company which went way beyond what Niantic did?

  • Anonymous, 5 Aug 2016 @ 8:31am

    Fuck pokemon go. They are taking every bit of fun out of the game anyway. Instead of worrying about people helping each other like those poke maps they need to worry about the huge bugs that need to be fixed

  • Anonymous Coward, 5 Aug 2016 @ 10:03am

    What the API did (Niantic has killed access to as of about 48 hours ago by encrypting parts of their API) is allow map generation of all pokestops, gyms, and pokemon. Unfortunately this led to a bunch of bot creators and people creating thousands of fake accounts so they could map large regions at once. The bots were literally plug and play. Turn it on and let it catch all pokemon in the area and take over all the gyms with high level pokemon and characters. It was definitely a problem. All trackers on GitHub and websites were also issued C&D. You could still run python scripts and maps locally though until they forced a game update that started encrypting and validating that calls came from a valid game client.

  • Ryunosuke, 5 Aug 2016 @ 10:36am

    I have to point to EVE online, very meta, heavy api usage, from outside game emails, to killmails, to basically looking at everything outside of the game (without actually being in game or affecting the game).

    Pokemon/nintendo/niantic could do this very easily. They chose not to, they chose poorly

  • Anonymous Coward, 5 Aug 2016 @ 2:39pm

    Pokemon go is unbelievably easy to cheat.

    Location services ON...app will start

    BLOCK gps for the app you can then happily change your location with various floating apps....and slide across the world at the speed of sound collecting as you go!

  • DocGerbil100, 5 Aug 2016 @ 5:00pm

    Goddamit, what a fucking annoying mess of issues. :P

    In FB vs Power, I felt (and still feel) that FB behaved more or less correctly - and that the CFAA was used in more or less the way such laws should be used: to protect both the service and its users from harm.

    Now we have that exact judgment seemingly being used to try and protect a game from cheaters. My feelings are annoyingly ambivalent here.

    On the one hand: the objectionable service is apparently a cheat-bot and I really, really want to just say "fuck 'em, they deserve what they get". I have no shred of sympathy for those individuals and organisations who fuck up games for everyone else.

    On the other hand, it's the bloody CFAA being invoked, a ridiculously aggressive law that is profoundly not the right tool for the job. It's just too heavy-handed, by far.

    The only thing I'm certain of is that America needs better laws.

    • Anonymous Coward, 6 Aug 2016 @ 3:56am

      Re:

      America needs to punish those that abuse the current/future system, the too big to punish folk, otherwise it doesn't matter how much you reform

  • raffishtenant, 5 Aug 2016 @ 11:32pm

    It's an implementation of a private API, not a bot, though a number of bots have made use of it. I agree with TPC that these bots are no good for the game, and that TPC (and Niantic) have an interest in blocking them -- by technical means at the very least. The CFAA is considerably more problematic.

    Either way, it would be possible for them to do this by blocking the "write" functionality of the API without shutting down the "read" functionality as well. As of this week, they've attempted to shut down both.

    It's here that I suspect they're doomed to failure, as a practical matter if nothing else. With the official removal of the tracking feature that worked only briefly at launch, millions of players (including myself) have found the searching elements of the game to be roughly akin to stumbling around in the dark. Enough of these players have found their interest revitalized by the mapping features which the API makes possible that this is looking like the opening salvo of a long and tedious arms race.

    In the meantime, yes: shutting down API will be a blow to the bots -- though it will have no effect on GPS spoofing, which is a much bigger problem for competitive gameplay than tracking could ever be.

  • gojek, 6 Aug 2016 @ 1:19am

    okokoko

    bootmaker or cheat indeed must eradicate because it makes people become dishonest. play games without a cheat will make the game becomes more exciting.
    a true gamer would not want to play the game using a bot

  • dina, 30 Mar 2017 @ 6:23pm

    great

    I fully support Niantic in their decision to fight back against the hackers. They are ruining the game for everyone else who plays legit and in my opinion if you are cheating then you deserve to have your falsely acquired assets wiped and pokemon go hack download online for free .
