kpowning wrote: I know this isn't the place to get legal advice, but just wanting to get some feedback and opinions possibly from people who have already experienced/researched doing this.
You already know this, but: consult a lawyer.
The best scenario would be if the remote website's owner gave you permission to do this, and moreover provided users with some kind of API key instead of their username and password. Then, instead of your customer merely promising not to do more than just verification, your script would really be unable to do more than just verification. Or maybe the remote website can provide you with an API and private API key such that you can verify a particular user given just the username, without having to go through the hurdle of logging in on behalf of the user.
But if such permission, API key, etc. is not feasible, then this kind of "under the table" logging in on behalf of another user should really be cleared by a lawyer competent in this area. You have to consider things like the fact that you will be storing user credentials: what if your database is compromised, and an attacker uses the credentials obtained to log in to the remote site and mess it up for your users? What if the remote site suddenly implements CSRF protection, and your "under the table" logging in fails?
kpowning wrote: I'm curious, because to me, isn't this what Facebook basically does for numerous websites?
What would make this different if you are authorized and provided the access info to the remote site from the user?
I may be mistaken, but I do not recall Facebook asking me for authentication details for Facebook to login to other websites on my behalf. You are probably thinking of Facebook login, which involves Facebook asking me for my Facebook authentication details for me to login to other websites that have integrated Facebook login. The other websites may get my Facebook details (ostensibly with my permission), but Facebook does not get my details from those other sites, other than what they already know (e.g., that I am actively using a particular email address).
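Added example, not code from the thread or from anyone in it: the "API and private API key" alternative mentioned above, where the remote site issues a partner a key that can only answer "does this username exist?" and the partner never sees or stores a user's password. Both sides are modelled in one file so it runs offline; the partner id "acme-forum", the set of registered users, the request fields and the "verify" scope are all assumptions made for the illustration. Compared with scraping a login form, the key is scoped (a request for any other action is refused), each request is signed with HMAC-SHA256, and a timestamp plus a single-use nonce stop a captured request from being replayed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: accounts registered on the remote site.
REMOTE_USERS = {"alice", "bob"}

# Keys the remote site has issued to partner sites. Each key carries the
# scopes it may use, so a "verify"-only key cannot do anything else.
# The partner id is hypothetical; the secret is generated at import time.
REMOTE_PARTNER_KEYS = {
    "acme-forum": {"secret": secrets.token_bytes(32), "scopes": {"verify"}},
}

# Nonces the remote site has already accepted (replay protection).
_SEEN_NONCES = set()

MAX_CLOCK_SKEW = 300  # seconds a request may be out of date


def _canonical(partner_id, action, username, ts, nonce):
    """The exact bytes both sides sign, so a change to any field breaks the MAC."""
    return "|".join([partner_id, action, username, str(ts), nonce]).encode()


def sign_request(partner_id, secret, action, username):
    """Partner side: authenticate a request with the partner's own API key.

    Only the username and the partner's secret are involved; the user's
    remote-site password is never collected or stored by the partner.
    """
    ts = int(time.time())
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, _canonical(partner_id, action, username, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"partner_id": partner_id, "action": action, "username": username,
            "ts": ts, "nonce": nonce, "mac": mac}


def remote_handle(req, now=None):
    """Remote site side: validate the signed request and answer it.

    Checks, in order: the partner is known, the signature is valid over all
    fields, the timestamp is fresh, the nonce is unused, and the requested
    action is within the key's scope. Only then is the question answered.
    """
    now = int(time.time()) if now is None else now
    key = REMOTE_PARTNER_KEYS.get(req.get("partner_id"))
    if key is None:
        return {"ok": False, "error": "unknown partner"}
    expected = hmac.new(key["secret"],
                        _canonical(str(req.get("partner_id")), str(req.get("action")),
                                   str(req.get("username")), req.get("ts", 0),
                                   str(req.get("nonce"))),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(req.get("mac", ""))):
        return {"ok": False, "error": "bad signature"}
    if abs(now - int(req["ts"])) > MAX_CLOCK_SKEW:
        return {"ok": False, "error": "stale request"}
    if req["nonce"] in _SEEN_NONCES:
        return {"ok": False, "error": "replay"}
    _SEEN_NONCES.add(req["nonce"])
    if req["action"] not in key["scopes"]:
        return {"ok": False, "error": "action not permitted for this key"}
    if req["action"] == "verify":
        return {"ok": True, "username": req["username"],
                "exists": req["username"] in REMOTE_USERS}
    return {"ok": False, "error": "unsupported action"}


if __name__ == "__main__":
    secret = REMOTE_PARTNER_KEYS["acme-forum"]["secret"]
    for name in ("alice", "mallory"):
        print(name, remote_handle(sign_request("acme-forum", secret, "verify", name)))
    # A key scoped to "verify" cannot be used to act as the user.
    print(remote_handle(sign_request("acme-forum", secret, "post_message", "alice")))
```

If the remote site cannot offer a partner key like this, the fallback described in the post (storing each user's remote password and logging in as them) means every one of those passwords sits in your database with full account power, which is exactly the exposure the scoped key avoids.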