[Canada]

Why are you facing any liability whatsoever for linking to public resources?

If the owner of that S3 bucket is facing losses from serving files to the public, why don't they revoke public access? S3 prints big warnings that you are making things public, so it's unreasonable for a company to claim "We didn't mean to make this public"

What was in the bucket? In any case, sounds like you need a better lawyer, I don't see how HN can help you without you going public and telling the whole story.

[gdfgjhs]

It seems everyday web is turning into ask permission before you do anything environment. Companies instead of hiring competent technical person, spend money on lawyers and lawsuits.

It is scary for someone who grew up on 90s' Internet. Not sure what was in the bucket, but in 90s and 2000s, it was common to link to various resources on the web. My friend in college ran a popular forum where people shared direct links to video games, softwares, pdfs, etc. It, of course, facilitate piracy, but not everything linked there was illegal.

I run a blog where I curate and embed YouTube videos. Yes I am using their official embed code. Using standard http protocol to link to a resource on the web is official way to link. If they were bypassing url signature or something similar, then I can see how they were violating terms and conditions of that bucket owner.

[otterley]

It is no defense to burglary that the homeowner left their front door unlocked.

[theli0nheart]

This is a little different. This is akin to knocking on the door, asking if you can be let in, being invited in by the homeowner, and then having them give a tour around the house.

It's entirely up to the owner of an S3 bucket as to who they serve their static assets to. If the policies are so lenient that anyone can request the resources, then that is a configuration error—not unauthorized access.

[otterley]

You are falsely assuming that allowing public access and serving the requested object constitutes an intentional act of invitation by a bucket owner. If the alleged victim sought the FBI's assistance, it seems pretty clear that they did not intend to extend such an invitation, regardless of the bucket's configuration.

Or, to extend the metaphor I made earlier, just because I left the door unlocked, it doesn't mean I meant to invite anyone in. And if they tricked my housekeeper to invite them in by falsely claiming I authorized them to come to pick up my broken laptop, they'd have no invitation defense, either. (Maybe they wouldn't be guilty of burglary, but certainly larceny.)

Unauthorized access can occur whether the bucket is public or not. The law does not require that sufficient measures (or any measures, really) be taken to protect the assets in question. We can disagree as to whether it should, but that's not how it's written today.

Before making comparative arguments here, it's a good idea to think about whether a judge would laugh at you or not. :-)

[titusjohnson]

Please don't attempt to equate internet traffic to door locking. It's a tired old argument that fails the moment critical thought is applied.

> Unauthorized access can occur whether the bucket is public or not. The law does not require that sufficient measures (or any measures, really) be taken to protect the assets in question. We can disagree as to whether it should, but that's not how it's written today.

Citation needed. Probably more than one. Web scraping is most certainly legal. Everything involved in the ridiculous "breaking and entering an unlocked residential door" is done a billion times a day by web scrapers as a matter of course. The act if doing GET / wraps up finding a home, evaluating its entrances, knocking, opening the door, and taking photos of the entryway. In 50ms.

I do agree with your last line. Definitely think about whether a judge would laugh at you or not...

[otterley]

> Please don't attempt to equate internet traffic to door locking. It's a tired old argument that fails the moment critical thought is applied.

It's a useful metaphor that gets people convicted. You might not like it or agree with it, but that's the way it is.

> Web scraping is most certainly legal. Everything involved in the ridiculous "breaking and entering an unlocked residential door" is done a billion times a day by web scrapers as a matter of course

Unfortunately you, like others, are ignoring the crucial element of consent. Web scraping is done lawfully only with the consent of the website scraped. When scraping is done non-consensually -- even if the website is public -- it can be considered trespass to chattels and might even constitute a CFAA violation. I know this because my company scraped eBay without their consent in the late 1990s/early 2000s and was shut down by a lawsuit. See, e.g., eBay v. Bidder's Edge, 100 F. Supp. 2d 1058 (N.D. Cal. 2000) (not my specific employer at the time, but in the same business).

Ignore robots.txt at your peril, and treat the absence of one as a lack of consent. That's what Google and other search engines do.

[c22]

I agree that the metaphor has some use, but I think most of these open access cases are more akin to trespassing in the woods at the far end of someone's large property or going through an unmarked door in a public building and finding oneself accidentally in a private space than breaking and entering into someone's home.

That is, if there are no signs posted and you have not received notice that trespass is prohibited you should be given a healthy benefit of the doubt. It is obvious that homes are intended to be private, but not so for files being publicly served on the internet. This whole 'treat the absence of notice as a lack of consent' is a non-starter for me.

[giantg2]

"It's a useful metaphor that gets people convicted. You might not like it or agree with it, but that's the way it is."

It's a blatantly false metaphor. Burglary requires intent to commit a crime once inside.

[rezbull]

“…treat the absence of one as a lack of consent. ” - do you have a source for this?

Their documentation states otherwise https://developers.google.com/search/docs/advanced/robots/ro...

[giantg2]

Most of the time trespassing (which is more akin to this than burglary) requires the owner to post obvious notice or ask the person to leave. I did not see that intentional act here either.

So there's no intentional act by the owner either way. In the physical world, no crime would be committed. It seems this is further reinforced by the fact that AWS documentation repeatedly states that buckets can be accessed publicly or secured depending on the settings. Kind of like the government (in most states) saying people can walk through your property unless you take steps to prevent it.

Yes, judges will laugh at a defendant bringing this up, but will eat up whatever comparisons a prosecutor makes.

[tinus_hn]

It’s probably not about the contents being public but more about paying the bandwidth costs.

[antifa]

I'm kind of wondering what the legal precedent is for the FBI to investigate "hotli king" instead of just telling the devops person making the bucket private + CDN'd.

[otterley]

I think this is highly unlikely. That would be grounds for a civil suit, but probably not a criminal prosecution.

[tinus_hn]

The criminal part would be using another’s credentials (the s3 keys) as your own.

[otterley]

The situation being discussed is an open bucket, with no access credentials required.

[tinus_hn]

Obviously no traditional access credentials are required because otherwise it wouldn’t be usable to link to (by the owner). But as with the codes you use to embed Google Maps in a website, there could be part of the URL that can be considered to function as something like an access credential.

Anyway I presume if the FBI ‘criminally charged’ the poster the charge included the criminal law they are accusing him of breaking.