10

Prediction: New York Times paywall to be easily bypassed

Posted on March 22, 2011 by Natan Yellin in Web Development

The problem

Starting on March 28, most  NYTimes.com articles will be available to paying customers only. According to the FAQ, everyone will be able to read articles if they click-through from Facebook, Twitter, or a blog. Here is the exact wording:

Can I still access NYTimes.com articles through Facebook, Twitter, search engines or my blog?

Yes. We encourage links from Facebook, Twitter, search engines, blogs and social media. When you visit NYTimes.com through a link from one of these channels, that article (or video, slide show, etc.) will count toward your monthly limit of 20 free articles, but you will still be able to view it even if you’ve already read your 20 free articles.

(Source)

I don’t envy the New York Times right now, because implementing the new policy will be difficult. The simplest method of detecting Facebook click-throughs is to check HTTP referrers. That is also the weakest algorithm, because spoofing HTTP referrers is easy. Referrer spoofing wont be limited to geeks either – a small Firefox extension could enable the masses.

Implementing the paywall

Here is best paywall implementation I can think of. It too is severely flawed:

  1. Force all visitors to sign up for an account. Use accounts, not cookies, to count articles for the monthly quota.
  2. Keep each article’s URL a secret by adding a secret token to the URL. (Right now, URLs look like this.)
  3. If someone knows an article’s URL (including the secret token), let them view it.
  4. When non-paying users view the NYTimes homepage, link to individual articles without adding the secret token.
  5. When paying users view articles, add the secret token to their urls, even though they are logged in and have an authenticated session. This way, they can post articles to Facebook that everyone can see.

Can you bypass that?

There are a several ways to bypass the above implementation. Bonus points to the reader who finds the most elegant solution.

  1. Brian Nickel says:
    March 22, 2011 at 2:18 am

    I think you may be missing the point completely. The New York Times isn’t trying to lock out its content. Their main goal is to collect money from people who actively use their site for browsing and are willing to pay. This is similar to how Apple isn’t trying to stop music piracy with iTunes. It’s also similar to how Red Hat, et al. just give away code it develops while offering a premium service for a cost. (The premium service for the Times is the ability to use the website itself versus shared links.)

    I would think this is a move the open community would be supporting, a content company trying to earn a profit on its services without imposing DRM.

    http://www.nytimes.com/2011/03/21/business/media/21times.html

    Reply
    • Natan Yellin says:
      March 22, 2011 at 2:28 am

      Hey Brian,
      I wasn’t speaking out against paid subscriptions. I am excited by the challenge of breaking the system, and I intend to pay for a subscription after succeeding. My motivation is intellectual, not ideological.

      Reply
  2. Jeremy Bicha says:
    March 22, 2011 at 3:07 am

    Just use https://twitter.com/nytimes then. Or if search engines aren’t affected, use http://news.google.com/news/search?&as_nsrc=New+York+Times

    Reply
    • Natan Yellin says:
      March 22, 2011 at 3:12 am

      That wouldn’t work. The URLs from Twitter and Google News lack the secret token; Only paying users have access to secret URLs that everyone can view.

      Reply
      • Brian Nickel says:
        March 22, 2011 at 3:35 am

        If the Times were to require secret URLs wouldn’t that prevent them from having Twitter or Google News feeds? Imagine that @NYTimes tweets an article, then @aantn retweets it. According to the policy described above, I should be able to read the article from that retweet, regardless of the number of articles I’ve read that month. The website wouldn’t know if I had clicked from the @NYTimes post or the @aantn post. If they were going to use secret URLs they would either need to no use Twitter or have a policy where you can’t use links from tweets.

        I really think they’re just going to use a boring referrer filter for this. More of a payspeedbump than a paywall.

        Reply
        • Natan Yellin says:
          March 22, 2011 at 3:52 am

          Good point about retweeting @NYTimes. I was considering the case where @pogue tweets an article that he read, as a paying subscriber, so the URL includes the secret token. You are correct that retweeting @NYTimes would break the system.

          Working with Google News is less problematic, because (I think) NYTimes will allow unrestricted access to top stories.

          Edit: Scratch that. Google News remains a problem because of http://news.google.com/news/search?&as_nsrc=New+York+Times

          Reply
  3. Sean says:
    March 22, 2011 at 4:12 am

    “Referrer spoofing wont be limited to geeks either – a small Firefox extension could enable the masses.”

    I think perhaps you are overestimating the technical savvy of the masses and attributing far less geekiness to browser extensions than they merit. :)

    Reply
  4. Che says:
    March 22, 2011 at 6:22 am

    “Bonus points to the reader who finds the most elegant solution.”

    Create multiple accounts :)

    Reply
  5. Anonymous says:
    March 22, 2011 at 11:08 am

    Just go for the LWN solution: subscribers can create “subscriber links”.

    Reply
  6. fungerar propecia says:
    November 15, 2011 at 4:42 am

    fungerar propecia…

    [...]q Very few websites that happen to be detailed below, from our point of view tr[...]…

    Reply