by gist 3162 days ago
> It's like telling your neighbor his door is open.

I think it's more like your neighbor's door being open and you going inside and seeing that the refrigerator is open. Therefore proving that you trespassed on private property. Not legal. Of course, in most cases you wouldn't be prosecuted for that, I would imagine, unless you tramped around the house.

Article says:

"he'd come across an FTP server operated by another dental software company, Patterson Dental, which makes "Eaglesoft," a dental practice management software product. Shafer had discovered an openly available anonymous FTP server with patient data"

In order to determine it had patient data, he would have to see the patient data, not just connect to the server at the root level and then exit. So at the very least (in theory) he would have cd'd a few directories and perhaps downloaded a few files or noted the directory structure and names. That is entering and looking around.

2 comments

Occam's Razor would say he logged in, saw a patient_data directory or something similar, and logged out. We don't know anything really about how his perusal or lack thereof had him come to that conclusion. If it was running batch job processing that places like Epic and others do, it could have a recognizable directory structure that would give it a clear fingerprint.

First, I don't believe it is against the law to simply connect to a public FTP server. And I'm certain that I wouldn't bother to notify somebody that their public FTP server was... public. However, if I saw something that clearly wasn't supposed to be public.

It's more like looking across the street and seeing a private act through an open window, and going to the front door and knocking and telling them that the window is open.

There are laws against leaving patient data in the public. There are laws against public indecency.

There are also laws against unauthorized access and laws against being a peeping Tom.

Which one is going on is not necessarily easy to determine.