[josteink]

Following that logic breeds bizarre results.

What if you find this magic token because it was embedded in some client-side, javascript login-form? Are you a hacker for viewing the source?

Securing content on the internet is easy. If you don't want it accessible to anyone, don't give the content to anyone who provides an unauthenticated HTTP request.

Why are we putting the legal responsibility of maintaining security on that content on everyone except the ones actually in position to do so?

[robmurrer]

If I look under your doormat, and there is a key, and I use it to open your front door...

[josteink]

Rather if you leave a (possibly classified) document under your doormat, am I a criminal if I find them and read them?

[rapala]

Depends on the document and jurisdiction. If I remember correctly, some levels of military classifications here in Finland require you to not read the document and return it to the officials. Of course the one who left the document would also get reprimanded at least.

Using someones password without permission is as illegal whether you shoulder surfed it, cracked it or red it from a post-it note.

[nitrogen]

A house's front door implies an expectation of privacy. A web server implies an expectation of public access.