by iypx 1629 days ago
I believe what we've got today in most countries is pretty ok, maybe ambiguous but it does the job as far as an ethically concerned person would go.

In my country they classify it as "unauthorized access". That's perfectly fine with me.

In other words, if your server sends it, and you intended to send it, then I can have a look at it. If your server sends it, but you never intended (sysadmin, programmer error, bureaucracy, unsecured servers etc), and it's clear for me the information was never meant to be public, then I'm committing unauthorized access.

You could say a transparent window is literally made for the purpose to be able to see through, but I'm certain I'd be breaking the law if I started taking pictures of people undressing in their homes.

3 comments

> If your server sends it, but you never intended (sysadmin, programmer error, bureaucracy, unsecured servers etc), and it's clear for me the information was never meant to be public, then I'm committing unauthorized access.

So if your server sends privileged data and I "View Source" to see how you implemented some unrelated part of your site and accidentally see that data, I'm now guilty of unauthorized access and should be prosecuted?

How about we shift the burden back to the people who have been entrusted to keep this data secure in the first place?

So if you left open the front door of a police station and I enter to see how an unrelated part of the building is built, and accidentally grab a gun I see on somebody's desk... then I would most certainly expect to be prosecuted.

I understand you want to punish whoever forgot to close the door, and obviously the guy who abandoned his gun, I agree... but I have no business being there whatsoever!

We don't need to get this creative.

Say I mail a dead tree letter to the Department of Elementary and Secondary Education. And say in that letter I put a request for information on a particular teacher.

They send me a bit of a heavy envelope back. Which is a bit funny for my simple query but eh, I've gotten heavy envelopes before. The first page actually has the answer to my query, and then there seems to be a large number of pages of small print.

Normally people don't really read the small print, but today I'll do it anyway (maybe I'm suspicious due to the large packet). What I find is that there's some normal legalese for a page or two I guess, and then on say page 5 through 100 it's actually a table with row after row of teachers' names and social security numbers. Ok, that's not good.

So the letter is addressed to me, and it landed on my doormat. It's pretty clear I'm the intended recipient.

In THAT case, I don't think it would fly for the state to go "But you were only supposed to read the first page, you were never supposed to read small print". I think that might be going a bit too far.

* If we assume the letter was printed by a computer, and

* we assume the same knuckleheads who wrote the website also wrote the letter printing code,

Then it's not so much an analogy as it is very nearly the same thing (but now in terms a lawyer can understand, hopefully). All we've done is changed the underlying protocol and representation.

Except in your analogy, I didn't "grab" anything -- I asked a question about paying a parking ticket at the front desk and as an answer they handed me a loaded gun. When I tried to give it back, they prosecuted me for theft.
There is a very big difference here. In your example, you've clearly entered into someone else's property; in the case of reading the info sent to your computer... I am reading a thing you sent me!

A more accurate version of your analogy is if I asked to hold a police officer's Taser and he handed me his gun by accident... or even if I asked to see his gun and he handed it to me thinking it was empty, but it was in fact loaded.

Point being, the website essentially put that information on my computer! I am asking for something from them, but what they give me is 100% their business! They don't have to obey my request, but they do have to not-send-private-data-to-random-people-who-ask-for-it.

Let's say I'm viewing a webpage, and I'm curious about some aspect of how it's implemented. I click "view source", and see something that isn't supposed to be there. Is the conclusion "whoops, guess I'm a criminal now"? Shouldn't there be some way for people to avoid committing a crime besides knowing in advance that a website is going to send them private data?

You could say, "obviously stumbling across the data is fine, as long as you then responsibly report the issue, or ignore it and go on with your day. It's only illegal if you then go on to do nefarious things with it." But this is exactly what the current system is failing at by prosecuting this reporter.

Getting the hacking issue right should not be this hard. In practice, it's pretty obvious what's hacking/unauthorized access and what isn't.

In the hacking category: SQL injection. Breaking DES. Cross site scripting attacks. Tracking cookies and browser fingerprinting, arguably.

In the not-hacking category: Incrementing integers in the URL. "Breaking" rot13. Using "view source".

> You could say a transparent window is literally made for the purpose to be able to see through, but I'm certain I'd be breaking the law if I started taking pictures of people undressing in their homes.

Disclaimer: IANAL. Also, don't take creepy photos of your neighbors through their windows regardless of the legality of doing so.

In many parts of the US at least, the law is less clear-cut than you might think. In many jurisdictions you would have to argue that the photos were of a sexual nature (probably not hard for pictures of people undressing, but it's not an automatic win depending on context). In some states and/or localities there are explicit laws preserving privacy when in one's residence, but in many others, a photograph taken through an unshaded window is legal as long as it doesn't violate other laws.

[edit]

I guess all of the above strengthens your point that such simplistic laws as "a 200 response means you are authorized to do what you want with it" are not in any way analogous to the way laws for other systems work.