If I’m clicking around on a website and find a gallery of images, that’s something I’m supposed to have access to. If I start typing in URLs that aren’t linked anywhere on the site, then I’m accessing stuff the site hasn’t explicitly indicated I have access to. If I’m doing this with the intent of getting data and distributing to others, then yeah that would be illegal.
The law allows for someone to exercise judgement. The people who do this are not so coincidentally called Judges. If the 4chan guys had have been white hat and reported the issue to the site owners, then they’d be fine. But it’s obvious to anyone their intent was to get private information, they poked around to find some private information, and then distributed that private information to others causing a privacy violation. Yes, it was easier to do than it should have been, but it’s obvious they had malicious intent and it’s obvious they were accessing information they weren’t supposed to access.
A crime being really easy to commit doesn’t make it no longer a crime. Many times I’ve seen things that I could easily steal, but I don’t steal things when I have an opportunity to do so because a) stealing is wrong and b) saying “they just left this thing out there in a place anyone could steal it” would not be any kind of legal defense. Simply because you’re presented an opportunity to do a crime doesn’t mean it’s acceptable to do a crime, both legally and morally speaking.
I start typing in URLs that aren’t linked anywhere on the site, then I’m accessing stuff the site hasn’t explicitly indicated I have access to.
Doesn’t work like that. With the policy you describe, anyone who ever sees a “404” error is a criminal.
I don’t have to publish everything I am willing to offer. You are free to ask for something I may or may not have. I get to decide how to respond to your request.
To use your analogy, I can walk up to your door and request a glass of water. You’ve never explicitly offered a glass of water to anyone; I’m still allowed to ask. If you dont want me to have your water, you can say “No” or you can ignore me.
When you go ahead and give me a glass of water, you don’t get to claim I stole it from you. It is not theft to ask.
You have to make some sort of effort to have your web server limit my access, and I have to make some sort of effort to convince your webserver to bypass those restrictions before you can claim I am exceeding my authorization.
@SpaceCowboy
Then how do I know what I am not allowed to access?
In this specific case there was no (formal) indication that the data was out of bounds.
I can’t put 10 pdf files in a web dir and claim 5 are public and 5 are private, then charge you with a crime for viewing them.
You can’t have “unauthorized access” when there’s no authorization at all
If I’m clicking around on a website and find a gallery of images, that’s something I’m supposed to have access to. If I start typing in URLs that aren’t linked anywhere on the site, then I’m accessing stuff the site hasn’t explicitly indicated I have access to. If I’m doing this with the intent of getting data and distributing to others, then yeah that would be illegal.
The law allows for someone to exercise judgement. The people who do this are not so coincidentally called Judges. If the 4chan guys had have been white hat and reported the issue to the site owners, then they’d be fine. But it’s obvious to anyone their intent was to get private information, they poked around to find some private information, and then distributed that private information to others causing a privacy violation. Yes, it was easier to do than it should have been, but it’s obvious they had malicious intent and it’s obvious they were accessing information they weren’t supposed to access.
A crime being really easy to commit doesn’t make it no longer a crime. Many times I’ve seen things that I could easily steal, but I don’t steal things when I have an opportunity to do so because a) stealing is wrong and b) saying “they just left this thing out there in a place anyone could steal it” would not be any kind of legal defense. Simply because you’re presented an opportunity to do a crime doesn’t mean it’s acceptable to do a crime, both legally and morally speaking.
Doesn’t work like that. With the policy you describe, anyone who ever sees a “404” error is a criminal.
I don’t have to publish everything I am willing to offer. You are free to ask for something I may or may not have. I get to decide how to respond to your request.
To use your analogy, I can walk up to your door and request a glass of water. You’ve never explicitly offered a glass of water to anyone; I’m still allowed to ask. If you dont want me to have your water, you can say “No” or you can ignore me.
When you go ahead and give me a glass of water, you don’t get to claim I stole it from you. It is not theft to ask.
You have to make some sort of effort to have your web server limit my access, and I have to make some sort of effort to convince your webserver to bypass those restrictions before you can claim I am exceeding my authorization.