Hacker News
by mcherm 4956 days ago
> A web server isn't an agent of the company and has no capacity to grant or deny permission.

Imagine I send a company a polite letter, requesting permission. The CEO hand-writes a letter (with his quill pen) telling me that I may access the information. After doing so, some critics on the internet start complaining that "A letter isn't an agent of the company and has no capacity to grant or deny permission."

Your claim is completely bogus. A web server DOES have the capacity to grant or deny permission because it is simply the mechanism by which the granting is delivered. Those who configured the server were the ones granting the permission.

I do not believe that the judge is claiming a web server cannot grant permission; I believe the judge is claiming that having to construct the URL by hand (rather than clicking on a link) is "a security measure" that has been "bypassed". For what it's worth (not much) I disagree strongly with this interpretation.

1 comment

By that reasoning, a lock has the capacity to grant or deny access to whatever is behind a locked door. And if I pick the lock, well, that just means I was sufficiently persuasive that the lock agreed to let me in, doesn't it? Clearly, by using a lock that opens in response to certain inputs, the owner is choosing to grant access to anybody who provides those inputs.

I'm not trying to argue that guessing sequential IDs in a URL is morally the same as picking a lock. I'm arguing that in both cases, there's no human in the loop, so it's not at all obvious to what extent a human should be assigned responsibility. In your example, the letter does not have agency, but the CEO certainly does; and if weev had written 110,000 letters to AT&T that were read and responded to by humans, I can't imagine how there would be any case against him.

See also: the debates surrounding Google's autonomous cars, or the Do-Not-Track header.