Many on HN seem to like to feign ignorance when it comes to intent. Have fun playing dumb in court when you try to bring out your strictly technical argument why you should have legally downloaded all of those credit card and social security numbers since you "could".
It is a terrible analogy because websites have status codes defined in RFCs.
All analogy is terrible if we're talking about computer access.
The door analogy fails because there are two existing sets of laws covering both sets of circumstances, and how the courts interpret authorized access might have very little to do with what normal people would mean.
By having a website on the public facing Internet with no access controls you are inviting anyone to view that page. You are giving implied consent to view that page. Except that's not how some courts interpret it, so my opinion means very little.
That implied invitation gets absurd quickly in the real world, like when it accompanies access to millions of stored credit card numbers. There is information that cannot possibly come with a legitimate implied consent to access.
It's also a technical non-starter, because the HTTP status code that accompanies a response is an artifact, not a promise; the result of a SQL injection attempt could for instance very well have a 200 code on it.
I think of it more like calling someone and asking them to send you a book. They do. Then the police come knocking on the door saying you accessed the information illegally...
If you don't want someone to have something, don't have your system dispense it when they ask for it.
But yes, intent does come into it - and that's often the problem - people investigating systems for curiosity or academic interest or because the system owners won't take them seriously when they have reported problems that put people's data at risk and want to demonstrate it are treated like criminals (often charged with felony offences with potential jail time worse than assault or theft).
A better analogy would be, you're invited to a friend's apartment, there's a living room, a bathroom, and bedrooms. Some doors are shut and some are not. You clearly were invited to enter the dwelling, much like a web server invites you to use a service. You are invited to sit on a couch, but may not be invited in a bedroom. If the door is locked, it is clear that it is restricted, if it's not, it's ambiguous.
As per other people's comparisons, some things are implied restricted: credit card information of another individual is not for you to see. The door to a bathroom is closed: If no one is in it, you may enter, if someone is using it, usually not.
I think in the bathroom analogy, it's clear that 1. A person should lock the bathroom door if they want privacy and 2. An individual may want to knock if a door is shut instead of trying the door.
Therefore, engineers should explicitly restrict access to certain data (rate limits, terms of service, passwords etc.) and people working on projects and what have you may want to actually ask: (is it ok, if I do this?)
The physical analogy is completely inapplicable as you don't "enter" a webserver, you send it a request.
Putting things into a state wherein they get auto-served to any request is something akin to posting documents inside your front window for passersby on the sidewalk to see.
The whole thing's a fucking terrible analogy though, and every time I see it trotted out to support some "if I leave my doors unlocked" argument I die a little bit inside.
If you "request" that the doorman of a building let you in and then subsequently rob the place, the doorman's complicity does not lessen the severity of your offense.
People like to make this debate more complicated than it really is, what with the warring analogies. Really, the issue is straightforward: did the person accessing the information have a reasonable belief that they were authorized to access it?
Your argument is, "if the webserver says it's OK, then my belief that I'm authorized is reasonable". That's a sane argument, but has any court ever agreed with it?
All of these physical analogies are completely inapplicable.
When you send a request to a machine owned by a person and it responds with data that person doesn't want you to have, it is not your fault for sending the request - EVEN IF YOU KNOW/SHOULD KNOW/COULD REASONABLY BE EXPECTED TO KNOW/ETC THE PERSON DOESN'T WANT YOU TO HAVE THE DATA.
> Really, the issue is straightforward: did the person accessing the information have a reasonable belief that they were authorized to access it?
The inherent flaw in this interpretation is that it uses a self-referential definition of authorization. Saying "access is authorized if it is reasonable to believe that access is authorized" is meaningless. You would need an independent definition of authorized access in order to evaluate the reasonableness of the belief, which defeats the purpose of using it to define authorization.
Where a "reasonable belief" standard makes sense is in determining intent, not in establishing the definition of an element of the crime. For example, it may be illegal for you to steal my laptop (where the definition of the elements of theft is fairly rigorous), but if it turns out that you have exactly the same model of laptop and "reasonably believed" mine to be yours then even though you objectively stole my laptop, the prosecution may not be able to prove that you intended to.
But "authorization" is clearly not about intent. The alleged perpetrator is not the one permitted to define the scope of authorization, so their intent is irrelevant in determining whether the access was in fact authorized, and the intent of the owner of the computer system is also irrelevant because it isn't reasonable to subject a defendant to the intent of a third party if that third party fails to clearly articulate it. What matters instead is what has been articulated -- the information made available to users of the computer system about what level of access is permitted.
But then we're back to the terms of service trouble again. If you allow contractual restrictions to define authorization then you're allowing corporations to define the contours of a federal felony and anyone who lies about their name on Facebook can be thrown in prison at the whim of an overzealous prosecutor. Conversely, relying on technological authorization makes the law extremely narrow (capturing only the likes of perpetrators who defeat technological denials of authorization via e.g. physical intrusion into the victim's data center -- although that would align better with the established penalties). Neither seems particularly satisfactory, and the reason is that "unauthorized access" is the wrong thing to prohibit. "Authorization" is vague and subjective, and the specifics of a violation span such a wide range of conduct and misconduct that lumping them all together under the same set of penalties is all but guaranteed to violate proportionality unless the penalties are set so low as to make the prohibition nominal.
And I still don't understand what useful purpose it serves as distinguished from the already-existing penalties for vandalism, fraud, misappropriation of trade secrets, etc. etc. If someone engages in access without authorization, without more, the warranted level of punishment is minimal and almost never even worth prosecuting. If they engage in some further malicious act then the penalty for the greater crime can be imposed and unauthorized access is only a side show and a dangerous instrument of prosecutorial overreach. When is it ever supposed to be useful in proportion to the controversy and abuse it produces?
You really are overthinking it. Context and intent will always have a place in the law.
Did you typo a wget to a random URL and it returned my credit card number / ssn and home address, realize this was something you shouldn't be accessing and stop? I'm sure you would have a good case that your intent was merely an accident or innocent and you won't get in trouble.
Did you wget a million URLs over the course of the day and store these credit card numbers / ssns for some use later? Probably might have a harder time justifying that. Again it is all about context and intent, these are going to be a factor in the court. It is never going to be a simple black or white sequence of events that can be followed to determine if you were doing something harmless or not, no matter how much the crowd here doesn't want that to be the case.
> You really are overthinking it. Context and intent will always have a place in the law.
But there is a difference between the definition of a crime and the intent to meet that definition.
Let's try an analogy. Suppose I go to a local retailer and tell the clerk that I'm a professor at the local university and ask her to record the name, address, credit card number and other information of everyone who buys something in the shop for me today because I want to collect some statistics. There are now two issues here.
The first issue is whether the clerk agrees to provide me with the information. The shop owner and the credit card company need for her to not agree to this because it is clearly a security vulnerability. Even if I really am a professor collecting statistics for my research, she can't know that for certain, and I could be a scam artist out to commit credit card fraud. But let's suppose the clerk hasn't been properly trained and she gives me the credit card numbers. The obvious analogy is to a misconfigured web server.
At this point it matters quite a lot what I do with the credit card numbers. If I'm a scam artist and start making fraudulent charges to the cards, there ought to be significant penalties. But if I really am out to do statistical analysis on local retailer purchasing behavior, should there be? Or should the retailer just take the opportunity to retrain the staff? There is a strong case for a lack of penalties -- because intent does matter. Which is the fundamental problem with the CFAA. It doesn't require the intent to commit a malicious act, only a vaguely defined lack of authorization to commit any act regardless of whether or not the act is malicious.
I think there is a lack of distinction over exploiting to obtain data or exploiting data obtained. In the web-server case I would argue access was allowed unfettered but authorization for the data was not. This is how more than a few cases have gone down. Gotchas don't really cut it in court.
Edit: My original comment further up in this thread hinted at this difference and how lawyers seem to be trying to shift the line so unwanted access by a user is treated the same as exploitation of the data within even if the data was not exploited upon.
While I'm not with you on how "lawyers" are trying to "shift the lines" on the distinction between accessing and exploiting information, which simply does not exist in the law, I agree that the distinction is important; in a perfect world, non-commercial non-malicious non-damaging use of unauthorized data would be relegated by the sentencing guidelines to something less than a felony.
Rather sure it does, some crimes like credit card fraud are separate from unauthorized access of the computer systems the information came from. Exploiting the data is not the same as exploiting to access the data.
Lawyers are deployed to push their client's POV, wins or losses may "shift the line" regarding how written laws are upheld in court. Which in my opinion is used by some as a chance to defray from responsibility to properly administer public facing systems.
Sir, your analogy doesn't mesh with reality as another commenter above noted. Servers provide responses, not hand over the hard-drive.
Calling people children is absolutely negative and is a detriment to any reasonable discussion, which is what this site seems to be about. Very kindly shut your gob if you want to continue this route.
Oh god, this again