by msandford 4655 days ago
If you visit an internet cafe and someone's forgotten to log out of their bank account and you fiddle with it, that's probably a crime. Since in nearly all cases they probably didn't intend to do such a thing. We can surmise this by observing the banking website had a password to protect the account holder. This is evident by virtue of the "log out" link that's clearly visible and that the website is served over HTTPS and the normal convention that banking information is private.

Now imagine that you come upon a computer and that you click on one of the favorites. It's a banking website. No password, no HTTPS, no access controls at all. Who is responsible for the security breach? You or the bank?

I would argue that if there are no technological access controls in place, there is no such thing as "unauthorized access". You can't be unauthorized if there is no authorization. The default on the internet is "can access".

They're prosecuting him for the digital equivalent of walking down a street and taking pictures of houses which don't display numbers on their mailbox.


> You can't be unauthorized if there is no authorization.

This is really the main point to me and I'm really confused as to how the law doesn't agree with this. How can you claim unauthorized access to something when there are no systems in place to grant or deny authorization? Comparing this to walking into someone's home who left the door unlocked (as someone in this thread has done) is bogus to me. Private property is private property and social norms (as well as the law) dictate that you don't just stroll into someone's home even if the door is open. The internet does not work that way and never has.

> Private property is private property

Except in many cases the private property is being made accessible. Imagine going to an open house and the owner accidentally left the basement unlocked. You open the door and walk down, then get arrested for breaking and entering.

More applicably, imagine there is no door, not even hinges where a door should be; just an opening to the basement.

But you get arrested for walking down there anyway. Then the police tell you you're under arrest because "The owner didn't intend for you to go there."

If you wander in shouting "Lol guys, we totally shouldn't be allowed in here! Their security is awful! Quick, take pictures of all their documents and we'll post them to a news site" then you've got a more reasonable analogy.

Well, all these analogies are interesting, but hackers don't get there by accident. They don't just spot the door, because these doors are invisible to regular visitors, right? You have to actively look for "doors", which implies that you have a premeditated intent of finding the "secret doors". And you also know very well that the owner didn't want you in there...

Both of your scenarios are inapplicable because physically entering a property is totally unlike communicating with a public machine in the way it was intended to be communicated with.

There is a system in place. It's called HTTP status codes.

I wonder if there's some way to make a useful legal argument along the lines of: Since there's a well defined HTTP status code for "Unauthorized" (401), then it's clear that any request responded to with a status code of "200 OK" is, by definition, being declared by the webserver (and its operators) as "authorized".
> If you visit and internet cafe and someone's forgotten to log out of their bank account and you fiddle with it, that's probably a crime.

That can be construed as impersonation without unauthorized access, which in some jurisdictions is illegal.

But that is not what AT&T did, which is more like an open brothel with conference rooms and private bedrooms. They just let in anyone that looked in one type of attire, and had some numbered badge, come into one of the reserved conference rooms. IoW, the security person did not ask for ID, or a password to enter. The fault lies on the brothel, not the visitor. For all we know, anyone could have come in looking with that attire, and a matching badge out of coincidence (maybe there was a costume party, who knows, still the brothel did not do a good job of securing the reserved conference rooms).

> No password, no HTTPS, no access controls at all. Who is responsible for the security breach? You or the bank?

The bank, they are not complying with the legal statutes, and more than likely violating their own privacy policy, if any exist.

> I would argue that if there are no technological access controls in place, there is no such thing as "unauthorized access" You can't be unauthorized if there is no authorization. The default on the internet is "can access"

That is correct. In that analogy, it would be an open business, like stores or malls. It follows jurisdictions of private properties, with some business statutes, but overall, since it is an open-doors business, there are no authorization requirements.

> They're prosecuting him for the digital equivalent of walking down a street and taking pictures of houses which don't display numbers on their mailbox.

No. Like in the example above, they are charging him with wearing an attire with a numbered badge, and coming into the reserved conference room, and learning the attendants' names or addresses (which should not be there in the first place, esp. with no security protocols). The worst they can charge him with is impersonation. However, what can incriminate him is if the pages he visited clearly displayed or linked the Terms of Service or EULA, which does detail this scenario, and he violated it in some way.

That's an actual CFAA crime because you have literal unauthorized access to the laptop. No further explanation necessary.
> I would argue that if there are no technological access controls in place, there is no such thing as "unauthorized access" You can't be unauthorized if there is no authorization. The default on the internet is "can access"

Or is it like walking into someone's private home because they left the door open? Or merely unlocked?

The law likes to operate on analogies, because analogous situations are ones for which we have precedent, and precedent makes the law predictable. The sad thing is, precedent goes back to the pre-computer era, too, and isn't necessarily overturned just because new technology with new social expectations is involved. Maybe in a couple generations.

I don't think it is like walking into a private home because the door is unlocked... this is more like someone walking into a store, looking around, and then getting in trouble for looking at a specific display shelf that was in the back corner. The shelf wasn't labeled as off limits, you just were wandering around where you were supposed to and happened to see it. The store can't get mad and say "well yeah, but we put it in the back corner where most people don't go... and we put sensitive stuff back there! How dare you look at it!"

Well it was right in the same store you invited me in to! There was no sign or lock or anything saying not to look at the shelf.

This was a PUBLIC website... you are supposed to be able to visit it. If you make a request to a server without providing authentication and it returns data, that is not your fault. That is what you are SUPPOSED to do to servers. If it asks for authentication and tells you you are unauthorized, but you brute force the password or find an exploit, then THAT is a crime. There was no authentication in this case.

> This was a PUBLIC website... you are supposed to be able to visit it. If you make a request to a server without providing authentication and it returns data, that is not your fault. That is what you are SUPPOSED to do to servers. If it asks for authentication and tells you you are unauthorized, but you brute force the password or find an exploit, then THAT is a crime. There was no authentication in this case.

Unfortunately none of these excuses are valid. He knew he was accessing something he shouldn't have been. If he did it once or twice and stopped that is one thing, intent is a major part of the law, and he intended to exploit something he knew he should not have been. That is why he is being found guilty.

If I find a $50 bill on a sidewalk I can INTEND to steal it as much as I want. But no matter how badly I WANT to steal it I cannot because at that point it's not a thing that can be stolen. There is no way to trace it back to its former owner and as such, the first person to find it is legitimately the new owner.

Weev might have said that he "stole" the information or that he "intended" to perform an unauthorized access but ultimately that doesn't matter. There was no access control to prevent the internet's default of "everything is visible" so that's precisely what happened. It's not a hack no matter how badly he or the government want it to be. Intent matters not one iota.

Of course intent matters. If I run over someone with my car and kill them and it was deemed just a terrible but unfortunate accident, that is 100% different than if I drove over them because I intended to run them down and kill them.

The same applies to this case. He intended to access something he knew he shouldn't have had access to. Thus why he is guilty.

Yes, but in your example (where someone is killed) there is rather obviously an underlying act that may or may not be criminal depending on the intent. There are infinitely many acts that cannot be considered crimes regardless of how malicious the intent behind them may be.

Furthermore, just because someone feels that they have done something wrong does not make what they have done a crime. The law also must consider that action to have been illegal.

Hopefully, the appeals court will determine that accessing a public unrestricted URL cannot be considered illegal, regardless of the mindset of the person who might choose to access it.

Depending on what you find and where you find it, actually, you may have a legal obligation to attempt to return it to the owner. The law is not quite as simple as finders, keepers.
Ahem, there are no less than three examples in the Wikipedia page you're trying to cite that back me up:

and cases where the circumstances were held to show no larceny: R. v. Wood (1848) 3 Cox C. C. 277 (banknote found on open land) R. v. Dixon (1855) 7 Cox C. C. 35, 25 L. J. M. C. 39 (lost note without mark) R. v. Shea (1856) 7 Cox C. C. 147; R. v. Christopher (1858) Bell C. C. 27, 169 E. R. 1153 (unmarked notes and purse found in public place)

I used a $50 bill (which is implied to be unmarked) purposefully.

If we want to stretch analogies beyond sense, how about this.

You walk into a cake shop that has cupcakes with names written on the icing:

You say "Can I have a cupcake with 'Iain' written on it?" They say "200 OK, here's a cupcake with Iain on it."

You say "Can I have that wedding cake?" They say "401 Unauthorized, Sorry that's someone else's cake." You don't get a wedding cake.

You say "Can I have a cupcake with 'Alice' written on it?" They say "200 OK, here's a cupcake with 'Alice' written on it."

You say "Can I have a birthday cake?" They say "402 Payment required, That'll be $15" You don't get a birthday cake.

You say "Can I have a cupcake with 'Bob' written on it?" They say "404 Not Found, sorry we don't have any cupcakes with 'Bob'."

You say "Can I have a cupcake with 'Carol' written on it?" They say "200 OK, here's a cupcake with 'Carol' in it."

You say "Can I have a cupcake with 'Dave' written on it?" They say "200 OK, here's a cupcake with 'Dave' on it."

You walk out with 4 cupcakes. Then the cake shop owner comes out and says "You stole the three cupcakes! I didn't intend for you to have them!"

Did you do anything wrong? Do you deserve to go to jail for it?

> Did you do anything wrong?

Possibly, it depends on intent. Add in:

    You: Hahaha, guys I can get anybody's cake!
    You: Looool their security is awful!
    You: Hahah, we could short this company's stock!
Then you clearly knew what you were doing and therefore did something wrong.
But an equally valid interpretation of what's going on is:

Cool, free cupcakes! They want you to pay for birthday cakes and pre-order wedding cakes, but they'll give you any cupcake you ask for if they've got one available!

Do the IRC transcripts sound like he thought that this information should have been shared by the server? Your interpretation would have weev thinking that AT&T intended to make this information public, that having it public was fine, and there was no complexity in what he did to get it.
If knowing that you are doing something immoral makes it a crime why isn't all of Wall Street in prison?
1) Generally they do things that are harder to prove illegal, harder to show were doing something they knew was wrong and don't send messages in IRC channels 'joking' about shorting stock when releasing bad news. In essence, they are smarter about it.

2) Some are.

3) Not everyone involved in investment is doing something immoral.

Yeah that's the immediate counter analogy to what I'm suggesting.

I think the way I would go about arguing against it is that people on the street/sidewalk have no expectation of privacy. There are literally no access controls of any kind. Anyone can walk on the street; billionaires and homeless alike. There are no societal conventions that privacy is assured on the street and if you end up in someone else's picture it's your fault, not theirs.

Houses are not the street. They are private property. We do have a reasonable expectation of privacy there (NSA notwithstanding) and a part of privacy is access control. So the right of the owner of a house to control access to his house is fairly well understood and accepted even in the case where a house might be unlocked or a door left open.

The real question is this: Is the internet like the street or a house? The answer, in my opinion, is that "it depends" because websites can act both ways depending on how they are designed and implemented.

HN is basically a street in that it has no access controls to view content. Very nearly every page on HN can be accessed by the public (linked to or not) without being logged in. The URL of your comment is https://news.ycombinator.com/item?id=6434945 for which I didn't have to type in a password. What about comment https://news.ycombinator.com/item?id=6434944 or https://news.ycombinator.com/item?id=6434946? Should they be "protected" by virtue of them not being displayed on the webpage right now?

My credit union's website is a bit of public street and a lot of house. I can view their promotional materials without any authorization but in order to get to the good stuff I have to enter both a username and a password, then pass a captcha. That is an access control.

What is the case with the AT&T website? Did they do anything to secure the content with a technological access control like a username/password? Did they filter the service such that the webservice would only return an email address if it was accessed by the same MAC address of the iPad that was sold to the customer? No, they did none of these things. Their only "access control" was a user-agent string which isn't guaranteed ANYWHERE to be accurate.

EDIT: changed a couple of words
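To make the distinction drawn in this comment (and in the earlier point about 401 versus 200) concrete, here is an added example that is not part of the thread or of any AT&T code. It models a hypothetical record-lookup endpoint as two plain Python functions: one whose only gate is the User-Agent header, and one that requires a server-issued bearer token and answers 401 without it (and 403 when the token does not belong to the requested record). The record ids, e-mail addresses, User-Agent value and token are all constructed for illustration; no network is involved.

```python
"""Added example: a User-Agent check versus a real access control.

Requests are plain dicts: {"headers": {...}, "params": {"id": ...}}.
Each handler returns an (HTTP status, body) tuple so the outcome of the
same request under each policy can be compared directly.
"""
import hmac

# Constructed sample data: record id -> the owner's e-mail address.
RECORDS = {
    "1001": "alice@example.invalid",
    "1002": "bob@example.invalid",
}

EXPECTED_UA = "ExampleTablet/1.0"       # constructed "official client" UA
VALID_TOKEN = "tok-0123456789abcdef"    # constructed, server-issued secret
SESSIONS = {VALID_TOKEN: "1001"}        # token -> the one record it may read


def ua_gated_lookup(request):
    """Weak policy: the only gate is a header the client itself supplies.

    Any client presenting the expected User-Agent string gets 200 for any
    record id, so the server is declaring every such request "authorized".
    """
    if request["headers"].get("User-Agent") != EXPECTED_UA:
        return 403, "forbidden"
    record = RECORDS.get(request["params"].get("id"))
    if record is None:
        return 404, "not found"
    return 200, record


def auth_gated_lookup(request):
    """Hardened policy: require a credential the server issued.

    401 means "you have not proven who you are"; 403 means "you have, but
    this record is not yours". Token comparison is constant-time.
    """
    scheme, _, token = request["headers"].get("Authorization", "").partition(" ")
    owner_record = None
    for known_token, record_id in SESSIONS.items():
        if scheme == "Bearer" and hmac.compare_digest(token, known_token):
            owner_record = record_id
    if owner_record is None:
        return 401, "unauthorized"
    requested = request["params"].get("id")
    if requested != owner_record:
        return 403, "forbidden"
    record = RECORDS.get(requested)
    if record is None:
        return 404, "not found"
    return 200, record


def make_request(record_id, user_agent=None, token=None):
    """Build a constructed request dict with optional UA and bearer token."""
    headers = {}
    if user_agent is not None:
        headers["User-Agent"] = user_agent
    if token is not None:
        headers["Authorization"] = "Bearer " + token
    return {"headers": headers, "params": {"id": record_id}}


def compare_policies():
    """Run the same constructed requests through both handlers.

    Returns a mapping of scenario -> status code, e.g. the request that
    carries only the expected User-Agent gets 200 from the weak handler
    but 401 from the hardened one.
    """
    no_credential = make_request("1001", user_agent=EXPECTED_UA)
    own_record = make_request("1001", user_agent=EXPECTED_UA, token=VALID_TOKEN)
    other_record = make_request("1002", user_agent=EXPECTED_UA, token=VALID_TOKEN)
    return {
        "ua_gate/no_credential": ua_gated_lookup(no_credential)[0],
        "auth_gate/no_credential": auth_gated_lookup(no_credential)[0],
        "auth_gate/own_record": auth_gated_lookup(own_record)[0],
        "auth_gate/other_record": auth_gated_lookup(other_record)[0],
    }


if __name__ == "__main__":
    for scenario, status in compare_policies().items():
        print(f"{scenario}: {status}")
```

The second handler is what the thread means by an access control: the server has to hand out the token in the first place, and it refuses with 401 until it sees one. The first handler never refuses a request that looks like the expected client, which is why a 200 from it is the server's own declaration that the request was acceptable.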

I don't understand your argument. You seem to agree that the reason the unlocked house is not like the street is shared social conventions. That house across the street is definitely private property whether it's signed that way or not, and I'm expected to know that because, duh, it's a house. At least, that's how I understood this:

> So the right of the owner of a house to control access to his house is fairly well understood and accepted even in the case where a house might be unlocked or a door left open.

Then you discuss the technical and interface features of websites that differentiate them as analogs of houses and streets, respectively, like whether they have access control (locks). But we just agreed that the technical and design features of the door aren't what make a house not like the street. The differentiating feature of a house is not the security of its door, or even whether it has one; it's that it's a house and we're expected to know it's private. I don't get how that difference is analogous to access controls on a website. What's the social convention that's appropriate for determining whether a piece of information on the internet can be fairly accessed or not?

To be clear, I'm not saying there aren't good answers here (e.g. a house has walls which imply privacy, so you need some analog for walls on your site [1]). Or you could argue that the analogy is bogus (e.g. houses and streets just aren't like the internet). Or you could even argue that technical safeguards are the analogous social convention to private homes (I don't get it, but it's noncrazy). Or you could argue those conventions simply haven't been established yet, and that we should consider there to be no such thing as unlocked houses on the web. I'm just saying you have haven't made any of those arguments.

[1] completely off-the-cuff and, like my other suggestions here, in need of some substance.

Basically I'm trying to draw out the differences and similarities.

In meatspace private property is default-closed (with certain exceptions) but with some ability to enter in good faith. For example I can walk on your land to walk up to your front door and knock. You could then tell me I need to leave or you'll call the police. This is how it's worked for a long time and thus we think it's normal. You have this right even without building a fence around your property. Again, default-closed.

On the 'net the same rules of private property don't apply because the default on the 'net tends to be default-open. What I mean by this is that the simplest configuration for any webserver tends to have no access controls. So it'll serve up whatever it can to whoever asks. Furthermore the default on the internet for a long time was everyone can access everything since it was originally designed for precisely that purpose: sharing knowledge. The internet defaults to a street.

If you want to make your internet site NOT like a street (which is what it defaults to) you have to take steps to make that happen because HTTP doesn't have the mechanisms built in to do so. You have to build your access control on top of HTTP. If you do not, I would argue that we are right to assume that you meant for it to be a street for two reasons. First is that's how HTTP works and we've got some 20 years of history backing this up. Second is that to argue otherwise would place an incredible burden on everyone to have to divine the intent of the person/organization that served up the page.

What I'm getting at is to argue that weev "should have known better" strikes me as really nuts. In meatspace it would be like secretly passing a new law that divvied up all the roads to the landowners that border them so that I own the street in between my lot-lines and up to the middle of the road. Nobody knows about this so everyone keeps driving and nobody's the wiser. Then a real douchebag drives down the road in front of a rich guy's house. He hates it so he calls the cops and because he's rich and influential the DA manages to dig up this secret law and prosecute the douchebag with it.

If that law were to become non-secret and enforceable it would turn the world upside down in the US as nobody would be able to drive anywhere, walk anywhere, or generally do anything without the express permission of all the millions of people who now own the streets, sidewalks, etc. Even if you live in a big city and you could take the subway (which perhaps is still public) you wouldn't be able to walk to it unless the entrance happened to be on your land.

I think this would clearly be insanity as it would turn however many hundreds or thousands of years of convention on its head. And to me, this is what the prosecutors are trying to argue. I understand that they probably don't really understand the technical aspects of it but to me it's really clear and their arguments sound like nonsense. But that's because we're looking at it from completely different viewpoints.

> Or is it like walking into someone's private home because they left the door open? Or merely unlocked?

It's more like if you were to walk into a retail establishment where the employees left the door unlocked after heading home for the day.

You can't buy anything because the cash register is locked, and taking something would clearly be stealing, but if sign posted says "we're open", can you be faulted for looking around?

Correct, and thank you.
It's like walking into someone's home, that had signs up over a bunch of open doors along a wall saying 'come in, all visitors welcome'. After wandering around a bit, you notice another door in the same wall has been left open, but there is no sign. Curious, you look in.

BANG. Jail Time.

No, because AT&T is an open business, which needs to be in business zones, following business statutes, not personal computers connected to ISP servers. It's more like the brothel analogy I just made: https://news.ycombinator.com/item?id=6435769
I think it's more like walking onto your neighbor's private land when they don't have fences or a "keep-out" sign, but also don't have any obvious sign allowing people in either. Still a crime, but not particularly severe or abhorrent; whether it merits serious punishment probably depends on particular details.
Read above. Linked just in case: https://news.ycombinator.com/item?id=6435845