by kamkazemoose 1703 days ago
Say you are invited to your friend's apartment in an apartment building, but none of the apartments have locks. So you decide to open up some other random apartments and look through their things. Who is responsible?
7 comments

Analogies are never helpful for things like this.

We don't need to reach for analogies to observe that while the theoretical ideal is to report it after just one false access, no significant damage was done by accessing just a few more via human manipulation of the browser URL, with no recording or sharing of the results. From a human perspective, no damage was done.

Whether that legally crosses a line involves a whole lot of details that few, if any, people here will be able to speak to, because of the complication of the law, and HN's conclusion as to the legality is of marginal interest even if someone competent were to give an opinion.

We can speak to the fact that even if it does technically cross a line, a prosecutor really ought to use their discretion to not prosecute since nobody was hurt. We can say that because that's just an opinion. I expect we don't have very many people here who actually want the book thrown here (though, as always, enough read this that it's probably non-zero).

I don't think quantifiable significant damage should be the bar we use, though that should act to moderate the consequences.

OP admitted to continuing to change URLs in order to check out what plans other companies were getting and what they cost. That means OP downloaded lists of employee names, ages, SSNs, and other data. If I were an employee at one of these other companies, I'd be pissed at OP for that. I'd be even more pissed at the people who built the marketplace website for making the rookie security mistake that allowed it, but it's absolutely not ok to download other people's information when you shouldn't have access to it, and use that to your own advantage.

Sure, I don't think this is something that should be prosecuted as a CFAA violation with big fines and jail time. That's not a proportionate response. But I also don't think we should signal that it's ok to look at (and use!) other people's data just because someone else forgot to lock it up properly. I think, for example, something on the level of a parking ticket would be appropriate here.

If OP had changed the URL once, found the vulnerability, and then immediately closed the page and reported the problem, I would see nothing bad in what they did. But they didn't merely do that, and IMO crossed the line in their subsequent actions.

There's no evidence from the original comment that anyone invoked any legal lines. Instead, they seem to be upset that the person they reported the incident to asked them questions about exactly what they did rather than being effusively grateful.
I added it, anticipating future comments.
That's not even close to the same analogy though. This would be like knocking on the door, asking if you can come in, and the person living there letting you in. Then getting mad about it later even though they let you in.
More like your friend let you into their apartment but then got upset that you went into the dining room when they only intended for you to go into the living room.
No, this is more like if you asked the landlord to let you in, and then they did, without the permission of the tenant. The tenant would completely be within their rights to be angry about that. Both at you and the landlord.
I think that's a valid response if the person letting you in wasn't expecting you and didn't want you there. Like, what are you doing knocking on random doors and going into random places just to look around? That's not honest behavior. Honest behavior is that if you know you're not supposed to have access to a thing, you shouldn't obtain access to the thing even if you technically can. I think it's pretty clear that you shouldn't have access to another company's healthcare plans. The first one is a mistake, maybe. The subsequent browsing and comparison shopping of restricted materials is definitely not okay though, and the harsh, suspicious response was warranted.
>if the person letting you in wasn't expecting you and didn't want you there.

Then they shouldn't have let you in. How are you completely absolving them of responsibility when all they had to do was say "Who the hell are you? No, you can't come in."

Well, to go with the analogy more: I leave my door unlocked because I'm expecting someone. There's a knock at my door and I yell "Come in" without looking at who is at the door. Not an unreasonable thing, happens all the time. When I finally look, I find you in my house, going through all of my things, for no reason other than you wanted to gain insight on my financial situation.

Do I bear responsibility for letting you in? Yes. Should you be there? No. Should you have knocked on the door? No. Should you have tried the same at my neighbor's house and every house on my block? No. In this metaphor and in the original context, everyone is acting with honest intent except the actor knowingly trying to access obviously confidential documents.

It doesn't mean I am there illegally though. Maybe I am there for some other reason and I thought you wanted to let me in.
No one said anything about legality. I'm still going to yell at you to gtfo and never come back again, and I don't see why it would be surprising that I would.

Let's drop the metaphor. The original story was that someone accessed a number of documents they weren't supposed to but technically could, and the question was whether or not it was reasonable that the owners of the documents were upset with that.

I argue there was good reason to be upset given the facts on the ground. In this particular situation, the original poster was there to access their own document. Having accessed someone else's document, that would be the point at which the behavior crosses from legitimate to illegitimate if it continues. Leaving at that point would be one appropriate response. But systematically going through a number of different documents goes beyond a mistake and into the realm of intentionally exploiting this security issue for unauthorized purposes. That's when it crosses from "honest mistake" to "dishonest exploitation".

I have no idea about the illegality of the issue. But the fact is plain that this person was not the intended recipient of the documents, they knew they weren't the intended recipient, and then after realizing the nature of the exploit, they continued to use it.

This is not the same as knocking on a door for a legitimate reason, being let in, and then the person inside being mad you're there. It's knocking on a door for no reason or a malicious reason, knowingly doing something inside the resident doesn't want you to do, and then wondering why they are mad at you.

You let me in knowing exactly who I was. You showed me some stuff I wanted to see, but sitting right next to it, out in the open, was stuff you didn't want me to see. All I had to do was look somewhere other than where you were pointing, and I did that. And then you got mad at me for looking at the stuff and called the police.
> All I had to do was look somewhere other than where you were pointing, and I did that.

The way you phrase this makes it seem like accessing the documents was a mistake. Maybe the first one was, but I think the thing you are missing about the OP's story is that the behavior was repeated. I think the first instance was arguably okay. But subsequent access with the knowledge that what they were accessing was not intended for them is in my eyes beyond a mere misunderstanding.

You also have to remember that having physical or digital access to a thing is not the same as having permission to view the thing. For example, if a "Top Secret" document is delivered to your house with your name and address attached to it, if you read it without the appropriate clearance you will still be in trouble. The legality of such a thing is well established in that case, but the principle is the same: even though you have access to a thing and all you have to do is move your eyes in some direction to see it, the act of seeing it is still at minimum an ethical breach (why are you looking at things that you know don't belong to you?).

I guess this is the fundamental philosophical and ethical question: do you believe you are entitled to know any information as long as you have the technical ability to physically or digitally access that information? What if I have medical records on a screen in a room you are in, and all you have to do is move your eyes over to see my most personal info? Are you entitled to read that information because it's visible to you? Or do you think you owe it to others not to breach their privacy even though you have the ability to do so? Would you be mad if someone violated your privacy, and then retorted with "well you should have implemented some better technology to prevent me from moving my eyes in that direction"? I guess in that scenario you would have to blame yourself and your technological abilities, and not the person violating your privacy.

I was thinking of a similar analogy but I don't think it holds.

The right analogy would be if I was in the apartment complex and I said to a door not mine "I'm home open up!" If the door opened and I did it intentionally, am I liable?

I still feel like yes but since you have to request the document and receive it I think it's different than just checking locks.

I think we're all grown-ups here and don't need analogies here.
People of all ages suffer from confirmation bias. Analogies can be useful because they allow someone to appreciate the logic of an argument while temporarily dissociating from strongly-held opinions. After the framing moves back to the question under debate, the logic might stick. At least all parties might understand everyone’s perspective better after a few analogies are exchanged.
The analogies in this thread are mostly only furthering confirmation bias.

Because any physical analogy is such a poor representation of how a website actually works, everyone just cherry-picks the analogy that demonstrates the logic they believe should apply, and then tries to constrain the argument to that logic via analogy.

Not if everyone constantly shifts the analogy so their argument still works ;)
Indeed -- it is like if arguments were things to transport, and analogies were cars... wait, no, they are railroad cars.

So the argument is a heist occurring on a train, so we've got the thing that we're trying to heist (which would be our point) and then we're shifting it from one car to another. And some of the analogies here are clearly like passenger coaches, but others are more like those... coal transporting car, whatever they are called... and at some point we move to the inappropriate railroad car and drop the point in the coal which obscures it.

Anyway, the point is that at some point you really just hope that some conventional train robbers will show up and derail the whole thing because it has gotten too convoluted to follow.

A closer analogy might be if none of the apartments had doors, would you be allowed to step inside.
the web isn't a collection of personal apartments
I think in this example both are equally responsible:

1. People who kept their doors unlocked

2. Person who randomly entered doors & found things.

We need to take care of security of our properties, though stealing is wrong.

Nope, opening an unlocked door is still considered break&enter. AFAIK, the "unlocked door" can even be a beaded curtain. Turns out that the legal definition of "break" in this context is extremely old and doesn't correspond to lay usage anymore.

But I think that a better analogy would be asking the apartment manager to see your payment history and getting handed the entire apartment building's ledger.

More like - you go to supermarket bathroom, checking each stall and find one person is pooping without doors locked