I think there is a clear distinction that you can make between an SQL injection attack and the unsecured API that weev accessed. SQL injection attacks depend on inserting malicious code into an application in order to traverse that application and access systems that stand behind it. The point of SQL injection is to circumvent restricted permissions that the owner of the server has attempted to impose. What weev did was quite different in that he accessed this web service in exactly the way it was intended. Even if he was not the intended consumer of this data, his attempted access never exceeded the defined and expected parameters of the API he was accessing. Furthermore, he didn't circumvent [1] any access restrictions; rather, access restrictions were never imposed. weev had no information available to himself as to AT&T's intent to disclose or not disclose customer emails; as far as he was concerned, the existence of this API could have been a purposeful and not simply negligent disclosure on the part of AT&T. I think that the reason that the weev case rankles is that web developers do this kind of thing all the time. What is the difference between what weev did here and what Padmapper did when it built a product on top of Craigslist's data? Despite Eric DeMenthon's protests to the contrary, a strong argument could be made that Padmapper's intent was to cause severe commercial harm to Craigslist, which is conceivably why he got sued. In spite of the civil case, however, criminal charges are almost unthinkable. Also, how often do we read about someone's project being hampered when a private Google API is turned off? [2] Anyone that builds a commercial product on top of something like this would be deemed a fool, but I've never seen anyone accuse a developer who is using this kind of API of acting criminally. What is the difference, under the law, between someone accessing a private Google API and the private AT&T API that weev accessed?
As a web developer with zero documentation, zero information beyond simply knowledge of the API URL's existence, there is no apparent difference beyond what content was being served by these APIs. So, if that is the case, at what point should web developers accessing undocumented APIs begin to be concerned about their criminal liability? [1] Shouldn't it be circumvention, not authorization, that defines criminal access under the law? [2] Just the easiest-to-find example: https://news.ycombinator.com/item?id=4441677
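The post above turns on the distinction between an endpoint where "access restrictions were never imposed" and one where the server owner actually enforces them. The following is an added example, not code from the thread or from AT&T's service: a minimal pair of request handlers over a constructed customer table, one that hands back a record to anyone who knows the identifier, and one that first authenticates the caller and then checks that the caller owns the record. The names (`handle_open`, `handle_authorized`, the `CUSTOMERS` and `SESSIONS` tables, the token values) are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: a hypothetical customer table keyed by a device
# identifier, standing in for the kind of record an unsecured API returns.
CUSTOMERS = {
    "dev-1001": {"owner": "alice", "email": "alice@example.com"},
    "dev-1002": {"owner": "bob", "email": "bob@example.com"},
}

# Constructed session table: bearer token -> authenticated user name.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[dict]


def handle_open(device_id: str) -> Response:
    """The 'restrictions never imposed' case.

    Any caller who knows (or guesses) a device id receives the record. Nothing
    here distinguishes the account holder from a stranger, which is exactly the
    negligent-disclosure pattern the thread is arguing about.
    """
    rec = CUSTOMERS.get(device_id)
    if rec is None:
        return Response(404, None)
    return Response(200, {"email": rec["email"]})


def handle_authorized(device_id: str, token: Optional[str]) -> Response:
    """The hardened handler: authenticate, then authorize per record.

    1. A missing or unknown token is rejected before any lookup (401).
    2. A valid caller only gets records they own; foreign and missing ids both
       yield 404 so the endpoint does not reveal which identifiers exist.
    """
    user = SESSIONS.get(token) if token else None
    if user is None:
        return Response(401, None)
    rec = CUSTOMERS.get(device_id)
    if rec is None or rec["owner"] != user:
        return Response(404, None)
    return Response(200, {"email": rec["email"]})


if __name__ == "__main__":
    # Same identifier, four callers: the open handler serves everyone, the
    # authorized handler serves only the record's owner.
    print("open, anonymous:      ", handle_open("dev-1001"))
    print("authz, no token:      ", handle_authorized("dev-1001", None))
    print("authz, wrong owner:   ", handle_authorized("dev-1001", "tok-bob"))
    print("authz, correct owner: ", handle_authorized("dev-1001", "tok-alice"))
```

The design choice worth noting is in the second handler: the ownership check is made against the authenticated identity, not against anything the caller supplies in the request, and a record the caller is not entitled to is indistinguishable from a record that does not exist. That is what "imposing an access restriction" looks like in code, and it is the property the open handler lacks.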
So is a thief who walks through a door carelessly left unlocked "accessing it exactly in the way it was intended." It's what he does afterwards that makes the difference.
> What is the difference, under the law, between someone accessing a private Google API and the private AT&T API that weev accessed? As a web developer with zero documentation, zero information beyond simply knowledge of the API URL's existence, there is no apparent difference beyond what content was being served by these APIs. So, if that is the case, at what point should web developers accessing undocumented APIs begin to be concerned about their criminal liability?
When the content you get back from a URL is other people's private data, it doesn't take a genius to figure out that maybe there's some criminal liability there.