by drdec 638 days ago
This principle is clear if you apply a real world analogy. Just because you happen to have keys to a building doesn't mean you can enter without authorization from the owner. (E.g. you may have kept copies after a lease expires or a sale, or maybe you found them, etc.)

Considering it's an API available without any authorization, the better comparison would be walking around on unfenced private land. There's nothing to indicate they don't want people on it, but it's also obvious it's private land.
It doesn't matter. It's still just as illegal to get into an unlocked car or one with wide open doors without permission. The same premise applies to computers in a lot of places; access controls don't matter. If you access something on a computer not intended to be accessible, it's considered a crime.
Is it illegal, in fact? If a cop saw you, you'd be arrested and prosecuted for attempted auto theft, and your "I just wanted to see how comfy the driver's seat was" defense would ring hollow in court. But sitting in an unoccupied car without authorization isn't trespassing unless it's parked on the owner's land, and I'm not sure what other laws would apply to that specific act.
Walking around isn't usually a big deal until told to leave (verbally or by way of conspicuously posted signs), since that is a prerequisite to trespassing. Otherwise, delivery people would operate in a gray area which would be very problematic for them, since not all deliveries are requested by the recipient/owner.

However, although you are free to walk around in search of the front door, you can't start eating the fruit off the trees. Perhaps that's the better analogy: the trees are happy to serve up a delicious treat for anyone requesting something of them, but that doesn't mean the tree sets the rules. Just because fences preventing this are popular doesn't make them compulsory.

I get the unauthorized access argument.

But how does it become fraud?

Defeating access control by using credentials that aren't yours is fraud.

Like, if you found a company badge lying around, went to that office, and flashed the badge to the security guard to go in, you've committed fraud by tricking the guard into thinking you're authorized to enter when you weren't.

I see, thanks.

No credentials involved here, though.

TFA mentioned sending requests with a table number that the sender was not at. That is hardly any different from the idea of showing a badge that wasn't issued to you. The ease of spoofing doesn't matter at all, in the eyes of such laws.

The same could be said about typing any URL that wasn't knowingly supplied to you by the owner, but a "reasonableness test" in court would sort those out from nefarious activity.

The question a judge (or jury) would answer is: would a reasonable person think they had permission to access it?

API documented on the website under a section called “For Developers”? Probably, yes. API reverse engineered by intercepting requests? Probably not.

Note that the blog was taken down before I could read it myself.