by cmdrfred 3680 days ago
I believe that it is still considered unauthorized access even if they don't have a password set up. I think it goes back to law that existed before computers where if you entered someone's home without permission you can't simply argue that there wasn't a lock on the door.

Edit: ProAm above reminded me of the Andrew Auernheimer case that was nearly identical to this and was resolved as I describe.

5 comments

Please stop with home / lock / etc. metaphors. This is a very simple situation and there is no need to analogize.

When you analogize to a separate situation like keyed locks or zeppelin airspace access rules you're attempting to say something about similarities between the reasoning in resolving the rule on both sides, which requires you to actually make a contention about what aspects of the situation are compatible, and which of those aspects are salient to the definition in question.

Computer behavior patterns are different enough that if you want to analogize, for the love of god explain the aspect you are analogizing. Even the notion of a "protocol" doesn't really exist in meat space.

Something like "transit through third-party routers is a form of access easement"? OK, I could maybe roll with that as a premise if we get into the weeds about what that would imply.

"It's like an unlocked door!" Jesus christ, stop. No, it's not. Even particular unlocked doors aren't what you're thinking of as an archetypical unlocked door, because "unlocked door" isn't a legal concept.

I was merely theorizing that in 1986 when the Computer Fraud and Abuse Act was written that was the reasoning behind why it was written in that way. I assumed that the readers here understand the underlying tech involved.

It sure sounds like there wasn't a "lock on the door". There is a significant difference between FTP and other protocols: FTP has specific support for "anonymous" sessions. There is even an entire RFC (1635, "How to Use Anonymous FTP")[1] on the topic.

From the article:

    I actually remember them having a passworded FTP site
    back in 2006. To get the password you would call tech support
    at Eaglesoft\Patterson Dental and they would just give you the
    password to the FTP site if you wanted to download anything.
    It never changed. At some point they made the FTP site anonymous.

While there is no mention of the username involved in the anonymous access, it sounds like they switched from handing out a common password (stupid, but probably qualifying as "unauthorized access" for CFAA purposes). However, if the change where they "made the FTP site anonymous" involved the standard username "anonymous", then the server is offering access.

[1] https://tools.ietf.org/html/rfc1635

Yea.. but a site on the internet is more akin to a store than someone's home. It's completely normal to walk into someone's store.

An ftp server is clearly more akin to a spooky abandoned building.

A more accurate analogy for an FTP server is a machine that sends you letters on demand.

It's like Shafer wrote a letter to their office asking for their list of patients, and lo and behold, they've sent him back an envelope containing that list.

Or a private lending library that is technically open to the public, but no one ever goes there, because all the books are about dental drills.

I think that's a gopher server

Yea. This would be a felony that a 4-year-old child, your tech-ignorant grandmother, and any other random Facebook user could commit by clicking on a link.

I'm not justifying the law; I consider it ridiculous, but I'm pretty sure that is how it is written.

Yes, the law on the subject is mostly nonsense. That said, I've thought a lot on the subject and this is what I think the law should have been -

For 'unauthorized access' to a computer system you (should) need to knowingly access a protected system in a way not permitted by the rights granted to you by the computer system, or by deliberate deception of either the computer systems or people.

So for 'knowing' we have to actually know (via banners, etc.) that we're somewhere we shouldn't be. For 'protected' it has to be actually protected (none of this "I found unprotected files lying around with no password" nonsense). The last two clauses cover privilege escalation attacks and social engineering. So it should matter if you're operating the system normally or if you accidentally just click/type something wrong and found your way in vs. you were deliberately hacking / social engineering your way in.

I'd also add a safe harbor for anyone who in good faith reported the issue to the site operators, police, or government regulatory bodies to prevent reprisal like this ugly case.

Sadly, I don't get to write these laws.

This doesn't hold up because homes are made to be accessed by one person or a specific group of people.

It is more like having a store with lights on and an open sign, then arresting someone for breaking and entering when they go inside.

Yeah, somehow people forget that the act of connecting a computer to the Internet is an implicit permission for all the Internet to access it unless specified otherwise (by e.g. requiring authentication). That's, like, the fundamental principle of the Internet.