I got a cease-and-desist letter

As a developer who likes building small integrations and apps to integrate with existing platform, I’m used to dealing with odd terms of service and long and hard-to-read legal documents. I just didn’t expect to receive a cease-and-desist letter from the same law firm that represents the Universal Music Group.

---

On September 26, 2023, I published the source code for a Chrome browser extension known as Smarterbook on GitHub. The extension was designed to integrate with a platform by the McGraw Hill textbook company called SmartBook. SmartBook is an e-learning software in which students have to achieve “mastery” of concepts by answering multiple questions about each topic. I was taking an online class at the time that utilized this platform, and I found myself often reaching out to external resources to complete the questions. To speed up my workflow, my extension added a row of buttons above each question: one to search Google, one to search Quizlet, and one to ask an AI assistant. The extension would copy the text of the question and paste it into whatever external platform’s button was clicked. The code wasn’t complex at all, sitting at only 124 lines.

I had originally created the extension for my own personal use, but since I already had a Chrome developer account I figured I would go ahead and publish it. Within three months the extension had over 8,000 installs, more than 6,000 active users, and a rating of 4.5 stars. I was surprised at the response to this seemingly insignificant piece of code, but I wasn’t complaining. The extension stayed on the Chrome Web Store until the following February.

On the morning of February 7, I received an email from a law firm called Oppenheim + Zebrak. From a quick glance at their website, I learned that they were the same law firm representing giants like the Recording Industry Association of America, Universal Music Group, HarperCollins, and Sony Music. Their letter stated that I was violating copyright not only in my extension’s naming (which I would argue would be protected under fair-use parody), but in the actual functionality. They claimed that Smarterbook was “facilitating cheating by students”. The extension only did something that users could do manually - copying and pasting the questions from SmartBook into a search bar on another platform.

I cautiously constructed an email explaining this point, and offered to change the name and branding of the extension to be less associated with McGraw Hill’s brand. My response also made it clear that I was not, as the letter claimed, “accessing the protected computers that host SmartBook without authorization”, but that my extension only had the same access to SmartBook that the user’s browser itself did. I got a response a few days later, including the following hilarious paragraph:

Chrome store warns that the Extension can “Read and change your data on learning.mheducation.com.” That is the URL used to access SmartBook, meaning the Chrome store recognizes that the Extension can access SmartBook data from the protected computers that host SmartBook

This was hilarious to me. The permission that triggers this dialog is known in the Chrome API as content_scripts - a recognition that the extension should be able execute code in the website’s content on the user’s computer. It grants no special access to the server hosting the website. It accesses only the content that the user already has access to.

Regardless, after a few emails back and forth with the associate at O+Z I was forced to comply with the cease-and-desist for my own legal safety. On March 9th, I rolled out an update to Smarterbook that automatically redirected users to a webpage explaining why the extension no longer functions.

This entire process was an educational experience for me. I learned first-hand about the cease-and-desist process, and was reminded of how little importance massive firms actually care about the technical accuracy of their legal claims when they’re represented by indomitable law firms.