(2025-07-21) When buying isn't owning, piracy isn't stealing
------------------------------------------------------------
First, there were pirate ships.
Then, there were pirate radio stations.
Then, there was pirate software.
Then, there were pirate books.
Then, there was pirate photography.
Then, there was pirate music.
Then, there were pirate movies.
Of course, all of these things still exist, yes, even ships. Alas, no
pirate zeppelins (except my Nex station lol). But now, a new kind of piracy
has emerged, hiding in the shadows since the mid-2000s but suddenly becoming
hugely relevant in the mid-2020s. And the reason for that is the reason for
all the previous iterations of piracy to appear: greed. This time though, it's
even worse: you don't even get a copy of the item you're supposedly pirating,
all you get is an alternative way to access the same resource you'll never own
anyway. This was pretty niche before because no one had an incentive to have
something as unappealing as this. Now, cloud-based LLMs are a thing. Along
with their APIs. As such, the world of API piracy is reborn.
It is quite surprising what you can do even without any key leakage: someone,
somewhere, always exposes those APIs in one form or another, be it a Web chat
or a "client-side-protected" library, or even a fair subsidized API (not even
compatible with the original, of course). Using all this doesn't even involve
any cracking in a traditional sense, it just involves quite a bit of work of
reverse-engineering existing public resources and knowing exactly where to
look and what to look for. As much as I despise modern Web browsers, I have to
admit that their developer tools provide pretty much everything necessary to
facilitate these search efforts, up to the point of finding "which requests
use this exact cookie", and the first one usually is the one that sets it.
Then, any request can be exported in the curl command format and further
refined to eliminate any unnecessary headers. And the final request chain can
be converted to the programming language of your choice in order to use the
APIs of interest outside the browser. Thus, you can build your own API on top
of them. In the format suitable just for you.
At this point, congratulations, you have become a Captain Jack Sparrow of
APIs. You're not violating any "intellectual property rights" or any other BS
but you still are bending the rules to your favor. Someone might not like this
and block you. This just means you have to mimic the web clients better. In
the most hardcore cases, people even leverage browser engines like Selenium or
Playwright, as well as use cloudscraper to bypass stupid CloudFlare pages.
The point is, however difficult it may turn out to be, it still can be done.
Sometimes, it not only can, but should be done. The case of yt-dlp is not the
only one that shows this. When the time comes, I'm going to announce something
of my own as well.
