by otterley 1567 days ago
Indeed, and the crime is stealing (unlawfully copying) the data within.

Admittedly it is an imperfect metaphor -- as all metaphors are -- but it is not "blatantly false."

Data is not fair game for the copying just because it's in a place you can reach it with `curl` without having to pass an authorization check. That's not the law, and it's not common sense.


Eh, you're not depriving a person of their property like in the physical world. It would be like trespassing and reading something. Again, a failed metaphor. What would really be common sense is for people to stop trying to fit bad physical metaphors on technology concepts. They don't work and they obscure the real points.

Frankly, tons of stuff is illegal on the internet. You've likely committed felonies by violating a site's terms of service. That's how the DOJ applies the CFAA. It doesn't get enforced, just like that MO reporter didn't get arrested. Should they have been? It was unauthorized access which you claim is enough under law and common sense...

It's my belief that intent alone is not sufficient. Actions speak louder than words. Who cares if you say "no one is allowed to access this" and then leave public access enabled to something? It's common sense that you didn't secure it and you have no expectation of privacy. Look at traditional cell calls and radio. You're putting your information in public and others can view it. DNA you leave on trash can be collected without a warrant - and with no intent/consent on your part!

The law is a mess and full of contradictions. Even when the statutes are sound they become perverted by activist or impartial judges as well as law enforcement or prosecutorial discretion. Rule of law is a joke when individuals have the power to decide not to enforce it.

Also, I believe there was some case law recently that stated that publicly exposed or unsecured data can be accessed without it being a crime, but depended on the details. I don't remember the jurisdiction and I can't seem to find it now either. Oh well.

Property rights are about control and exclusionary rights, not about physical things like land and widgets. This is a common misconception among the public and one of the first things they teach you in your first-year property law course.

"This is a common misconception among the public and one of the first things they teach you in your first-year property law course."

Typical lawyer response - I know more than you and I'll give you an answer that looks down on you without addressing the meat of the topic.

"Property rights are about control and exclusionary rights, not about physical things like land and widgets."

I haven't said otherwise. This reinforces my position that these terrible metaphors draw people off topic and do not translate to virtual property the same - the whole reason trespass and computer trespass are separate crimes with separate elements. In fact, I believe that most laws around computer resources have too much influence from traditional laws because the politicians and judges who wrote them relied too heavily on concepts from the physical world due to habit and a lack of understanding of the new concepts around technology and its possibilities.

The real question is whether the laws are appropriate. It's an asymmetrical power dynamic that favors the stated intent of the owner over the stated intent of the user, even ignoring the actions of the owner when they're contrary to their stated intent. Computer trespass and unauthorized access is much more complicated and lacks the protective mechanisms that physical property laws have to protect non-owners. For example, consent and intent to let others use a computer resource is terribly vague. You don't need written permission to visit a website, there aren't clearly posted boundaries with signs stating this or that resource is off limits, etc. Even ToS tend to very poorly define boundaries within a system.

Without clearly defined and posted boundaries as well as a lack of explicit grants or revocation of privileges in publicly accessible cyber spaces, we have created a system that favors the undefined undermining the underlying concepts of strict construction - that laws need to be defined strictly so that they can be applied equally and so that they are knowable to the subjects. In the case of cyber laws, relying on the stated intent of the owner which was not well defined anywhere nor communicated to the user as well as ignoring the intent perceived through the actions of the owner that contradict their stated intent.

What we have is a system that will allow bad laws to stand because of unequal enforcement. Accessing publicly available URLs and the data returned can either lead to charges from the FBI against an unknown person, or to widespread support for a reporter. Prosecutorial and law enforcement discretion means that we can use the laws only against undesirables and leave the majority of the population unaffected even if they met the elements of the offense. If it doesn't affect you, then why fix it...

You’re thinking like a programmer, which is fine, but it’s not how lawyers think and operate. The law is not read literally in most cases — even in traditional property crime cases — and never has been. (“Breaking and entering” is a perfect example.) It can’t be, because English is an imperfect language, and situations in which the law is applied are frequently complex and novel. And I don’t think society wants an overly complex and literal legal system: not only will it be even more difficult to understand, but it will encourage even more attempts to evade it and leave a trail of innocent victims until we patch the law to fix the bug. (And if you think it can take software companies a long time to address vulnerabilities, the legislature can take an eternity).

As I’ve said elsewhere, you’re not going to be punished for the mere act of accidentally downloading an open file. Courts look at the totality of the circumstances to determine whether a crime was committed, and the adversarial system makes it such that the prosecutor is going to have to prove beyond reasonable doubt that not only did the proscribed activity occur, but that the defendant had scienter (required intent/state of mind) and that in a case like this, the circumstances suggested that the data was not intended to be public. And as a defendant you will have the equal opportunity to argue that you didn’t violate the law, or that it was a mere accident. But if you’re keeping a cache of these stolen files around or sharing them with others, then perhaps you’re not so innocent.

There’s an old axiom that “a liberal is a conservative who’s been arrested; a conservative is a liberal who’s been mugged.” If you ever become a victim of a crime, you might appreciate these protections in a way you seem not to today.

"But if you’re keeping a vault of these stolen files around or sharing them with others, that suggests perhaps you’re not innocent."

Perhaps you don't understand the (stated) facts around this case. They didn't copy/steal the files, merely pointed others to the publicly available S3 bucket. Could there be more details that we don't know? Sure. But this is the situation being discussed here.

"As I’ve said elsewhere, you’re not going to be punished for the mere act of accidentally downloading an open file."

How so? Courts have held that you are bound to the ToS even if you didn't read it. That your accepting those ToS implicitly and then violating them is sufficient scienter to prove you knowingly exceeded your authorization (which again, typically defines boundaries poorly) and violated the CFAA (except for that one case law about accessing unsecured things that I can't find).

"And if you ever become a victim of a crime, you might appreciate these protections in a way you seem not to today."

Who says I haven't been a victim of a crime? I have. I still think that many cyber laws are not appropriate. Of course most victims will view the protections favorably - they value benefit to themselves more than benefit to society; they aren't impartial.

Perhaps you will better understand my position if you've ever been screwed over by the system and had your clearly defined rights violated (even when a civil rights lawyer agrees that it was a violation but that the courts don't care). The system does not care about justice or doing what's right. You can't call it justice when it's estimated 2-10% of incarcerated individuals were wrongly convicted. The system cares only about itself and its privileged participants as evidenced by such travesties as the privacy of judicial complaints trumping one's right to exculpatory evidence. The basis they give for this privacy is that the public would lose trust in the system, which is only true if incompetence and misconduct was common and not appropriately dealt with. The judges ruling on these topics are not impartial and simply granting themselves additional privileges.

"The law is not read literally in most cases"

The law has to be sufficiently defined so that people can know it. Ambiguity is supposed to benefit the defendant under strict construction and reasonable explanation/doubt because the law is unknowable because it is not defined. There is also precedent stating that laws cannot be interpreted contrary to their language. Sure, interpretation can take place as to what the spirit of the law is, but it cannot violate the letter in doing so. Unfortunately we see this precedent violated in other rulings (I've seen it personally in applying non-scienter absolute liability to an offense that explicitly applies a reasonable standard of care).

'“Breaking and entering” is a perfect example'

How so? The title of the crime might not encompass the totality of its application, but the actual elements of the offense should be defined under the section and applied consistent to that definition.

"... but it’s not how lawyers think and operate."

Based on this and other parts of your conversation, it sounds like you may be involved in and benefiting from the system. It seems you may not be impartial and are likely exhibiting some bias to quell the cognitive dissonance of participating in a flawed system so that you can maintain the status quo that is beneficial to you.

I think we are in violent agreement that the system is imperfect and that it could use some fixing, and that there have been some serious travesties of justice that we should all be ashamed of. (I’m personally of the opinion that a prosecutor who intentionally withholds potentially exculpatory evidence from a defendant should be fined, disbarred, and banned from running for or holding a public office ever again.) By all means, advocate those fixes, and make your case to your representatives who are in the best position to address your concerns.

But we are pretty far afield from the basic question here, which is about keeping out of other people’s stuff without consent. If we can’t agree on the basic morality of that, and whether people should be punished when they intentionally don’t, then I guess there’s no place to go.

(We don’t know the facts of this case. But even if the OP only discovered and communicated the locations of files, they could still be guilty of a crime if they conspired with someone else to actually use the referenced data without authorization. Conspiracy is a powerful tool in a prosecutor’s belt.)