by derleth 4655 days ago
> I would argue that if there are no technological access controls in place, there is no such thing as "unauthorized access". You can't be unauthorized if there is no authorization. The default on the internet is "can access"

Or is it like walking into someone's private home because they left the door open? Or merely unlocked?

The law likes to operate on analogies, because analogous situations are ones for which we have precedent, and precedent makes the law predictable. The sad thing is, precedent goes back to the pre-computer era, too, and isn't necessarily overturned just because new technology with new social expectations is involved. Maybe in a couple generations.

5 comments

I don't think it is like walking into a private home because the door is unlocked... this is more like someone walking into a store, looking around, and then getting in trouble for looking at a specific display shelf that was in the back corner. The shelf wasn't labeled as off limits, you just were wandering around where you were supposed to and happened to see it. The store can't get mad and say "well yeah, but we put it in the back corner where most people don't go... and we put sensitive stuff back there! How dare you look at it!"

Well it was right in the same store you invited me in to! There was no sign or lock or anything saying not to look at the shelf.

This was a PUBLIC website... you are supposed to be able to visit it. If you make a request to a server without providing authentication and it returns data, that is not your fault. That is what you are SUPPOSED to do to servers. If it asks for authentication and tells you you are unauthorized, but you brute force the password or find an exploit, then THAT is a crime. There was not authentication in this case.

>This was a PUBLIC website... you are supposed to be able to visit it. If you make a request to a server without providing authentication and it returns data, that is not your fault. That is what you are SUPPOSED to do to servers. If it asks for authentication and tells you you are unauthorized, but you brute force the password or find an exploit, then THAT is a crime. There was not authentication in this case.

Unfortunately none of these excuses are valid. He knew he was accessing something he shouldn't have been. If he did it once or twice and stopped that is one thing, intent is a major part of the law, and he intended to exploit something he knew he should not have been. That is why he is being found guilty.

If I find a $50 bill on a sidewalk I can INTEND to steal it as much as I want. But no matter how badly I WANT to steal it I cannot because at that point it's not a thing that can be stolen. There is no way to trace it back to its former owner and as such, the first person to find it is legitimately the new owner.

Weev might have said that he "stole" the information or that he "intended" to perform an unauthorized access but ultimately that doesn't matter. There was no access control to prevent the internet's default of "everything is visible" so that's precisely what happened. It's not a hack no matter how badly he or the government want it to be. Intent matters not one iota.

Of course intent matters. If I run over someone with my car and kill them and it was deemed just a terrible but unfortunate accident, that is 100% different than if I drove over them because I intended to run them down and kill them.

The same applies to this case. He intended to access something he knew he shouldn't have had access to. Thus why he is guilty.

Yes, but in your example (where someone is killed) there is rather obviously an underlying act that may or may not be criminal depending on the intent. There are infinitely many acts that cannot be considered crimes regardless of how malicious the intent behind them may be.

Furthermore, just because someone feels that they have done something wrong does not make what they have done a crime. The law also must consider that action to have been illegal.

Hopefully, the appeals court will determine that accessing a public unrestricted URL cannot be considered illegal, regardless of the mindset of the person who might choose to access it.

Depending on what you find and where you find it, actually, you may have a legal obligation to attempt to return it to the owner. The law is not quite as simple as finders, keepers.

Ahem, there are no less than three examples in the Wikipedia page you're trying to cite that back me up:

> and cases where the circumstances were held to show no larceny: R. v. Wood (1848) 3 Cox C. C. 277 (banknote found on open land) R. v. Dixon (1855) 7 Cox C. C. 35, 25 L. J. M. C. 39 (lost note without mark) R. v. Shea (1856) 7 Cox C. C. 147; R. v. Christopher (1858) Bell C. C. 27, 169 E. R. 1153 (unmarked notes and purse found in public place)

I used a $50 bill (which is implied to be unmarked) purposefully.

If we want to stretch analogies beyond sense, how about this.

You walk into a cake shop that has cupcakes with names written on the icing:

You say "Can I have a cupcake with 'Iain' written on it?" They say "200 OK, here's a cupcake with Iain on it."

You say "Can I have that wedding cake?" They say "401 Unauthorized, Sorry that's someone else's cake." You don't get a wedding cake.

You say "Can I have a cupcake with 'Alice' written on it?" They say "200 OK, here's a cupcake with 'Alice' written on it."

You say "Can I have a birthday cake?" They say "402 Payment required, That'll be $15" You don't get a birthday cake.

You say "Can I have a cupcake with 'Bob' written on it?" They say "404 Not Found, sorry we don't have any cupcakes with 'Bob'."

You say "Can I have a cupcake with 'Carol' written on it?" They say "200 OK, here's a cupcake with 'Carol' in it."

You say "Can I have a cupcake with 'Dave' written on it?" They say "200 OK, here's a cupcake with 'Dave' on it."

You walk out with 4 cupcakes. Then the cake shop owner comes out and says "You stole the three cupcakes! I didn't intend for you to have them!"

Did you do anything wrong? Do you deserve to go to jail for it?

> Did you do anything wrong?

Possibly, it depends on intent. Add in:

    You: Hahaha, guys I can get anybody's cake!
    You: Looool their security is awful!
    You: Hahah, we could short this company's stock!

Then you clearly knew what you were doing and therefore did something wrong.

But an equally valid interpretation of what's going on is:

Cool, free cupcakes! They want you to pay for birthday cakes and pre-order wedding cakes, but they'll give you any cupcake you ask for if they've got one available!

Do the IRC transcripts sound like he thought that this information should have been shared by the server? Your interpretation would have weev thinking that AT&T intended to make this information public, that having it public was fine, and there was no complexity in what he did to get it.

You're right - weev was being a dick, and he knew he was at the time.

BUT…

I personally think AT&T should also be held to account for their part in what happened. They put all that data up on the public internet, with no authentication required to get it. I think they're at least as culpable here as weev is. (and I don't think _either_ of them should get off scot-free - they both played fast and loose with other people's data.)

If knowing that you are doing something immoral makes it a crime why isn't all of Wall Street in prison?

1) Generally they do things that are harder to prove illegal, harder to show they were doing something they knew was wrong and don't send messages in IRC channels 'joking' about shorting stock when releasing bad news. In essence, they are smarter about it.

2) Some are.

3) Not everyone involved in investment is doing something immoral.

I know the US has decided to start prosecuting thoughtcrimes, such as jokes on FB, but that's actually unconstitutional. Accessing a server is not a crime, the user agent is not meant for authorization, and what he did was immoral, not illegal. The only difference between what weev and Aaron Swartz did is the type of content downloaded and the quality of the person downloading.

You're arguing to put this douchebag in prison, but not for an actual crime. Remember that the next time they use the CFAA to crucify someone who doesn't deserve it.

Yeah that's the immediate counter analogy to what I'm suggesting.

I think the way I would go about arguing against it is that people on the street/sidewalk have no expectation of privacy. There are literally no access controls of any kind. Anyone can walk on the street; billionaires and homeless alike. There are no societal conventions that privacy is assured on the street and if you end up in someone else's picture it's your fault, not theirs.

Houses are not the street. They are private property. We do have a reasonable expectation of privacy there (NSA notwithstanding) and a part of privacy is access control. So the right of the owner of a house to control access to his house is fairly well understood and accepted even in the case where a house might be unlocked or a door left open.

The real question is this: Is the internet like the street or a house? The answer, in my opinion, is that "it depends" because websites can act both ways depending on how they are designed and implemented.

HN is basically a street in that it has no access controls to view content. Very nearly every page on HN can be accessed by the public (linked to or not) without being logged in. The URL of your comment is https://news.ycombinator.com/item?id=6434945 for which I didn't have to type in a password. What about comment https://news.ycombinator.com/item?id=6434944 or https://news.ycombinator.com/item?id=6434946? Should they be "protected" by virtue of them not being displayed on the webpage right now?

My credit union's website is a bit of public street and a lot of house. I can view their promotional materials without any authorization but in order to get to the good stuff I have to enter both a username and a password, then pass a captcha. That is an access control.

What is the case with the AT&T website? Did they do anything to secure the content with a technological access control like a username/password? Did they filter the service such that the webservice would only return an email address if it was accessed by the same MAC address of the iPad that was sold to the customer? No, they did none of these things. Their only "access control" was a user-agent string which isn't guaranteed ANYWHERE to be accurate.

EDIT: changed a couple of words

I don't understand your argument. You seem to agree that the reason the unlocked house is not like the street is shared social conventions. That house across the street is definitely private property whether it's signed that way or not, and I'm expected to know that because, duh, it's a house. At least, that's how I understood this:

> So the right of the owner of a house to control access to his house is fairly well understood and accepted even in the case where a house might be unlocked or a door left open.

Then you discuss the technical and interface features of websites that differentiate them as analogs of houses and streets, respectively, like whether they have access control (locks). But we just agreed that the technical and design features of the door aren't what make a house not like the street. The differentiating feature of a house is not the security of its door, or even whether it has one; it's that it's a house and we're expected to know it's private. I don't get how that difference is analogous to access controls on a website. What's the social convention that's appropriate for determining whether a piece of information on the internet can be fairly accessed or not?

To be clear, I'm not saying there aren't good answers here (e.g. a house has walls which imply privacy, so you need some analog for walls on your site [1]). Or you could argue that the analogy is bogus (e.g. houses and streets just aren't like the internet). Or you could even argue that technical safeguards are the analogous social convention to private homes (I don't get it, but it's noncrazy). Or you could argue those conventions simply haven't been established yet, and that we should consider there to be no such thing as unlocked houses on the web. I'm just saying you haven't made any of those arguments.

[1] completely off-the-cuff and, like my other suggestions here, in need of some substance.

Basically I'm trying to draw out the differences and similarities.

In meatspace private property is default-closed (with certain exceptions) but some ability to in good faith. For example I can walk on your land to walk up to your front door and knock. You could then tell me I need to leave or you'll call the police. This is how it's worked for a long time and thus we think it's normal. You have this right even without building a fence around your property. Again, default-closed.

On the 'net the same rules of private property don't apply because the default on the 'net tends to be default-open. What I mean by this is that the simplest configuration for any webserver tends to have no access controls. So it'll serve up whatever it can to whoever asks. Furthermore the default on the internet for a long time was everyone can access everything since it was originally designed for precisely that purpose: sharing knowledge. The internet defaults to a street.

If you want to make your internet site NOT like a street (which is what it defaults to) you have to take steps to make that happen because HTTP doesn't have the mechanisms built in to do so. You have to build your access control on top of HTTP. If you do not, I would argue that we are right to assume that you meant for it to be a street for two reasons. First is that's how HTTP works and we've got some 20 years of history backing this up. Second is that to argue otherwise would place an incredible burden on everyone to have to divine the intent of the person/organization that served up the page.

What I'm getting at is to argue that weev "should have known better" strikes me as really nuts. In meatspace it would be like secretly passing a new law that divvied up all the roads to the landowners that border them so that I own the street in between my lot-lines and up to the middle of the road. Nobody knows about this so everyone keeps driving and nobody's the wiser. Then a real douchebag drives down the road in front of a rich guy's house. He hates it so he calls the cops and because he's rich and influential the DA manages to dig up this secret law and prosecute the douchebag with it.

If that law were to become non-secret and enforceable it would turn the world upside down in the US as nobody would be able to drive anywhere, walk anywhere, or generally do anything without the express permission of all the millions of people who now own the streets, sidewalks, etc. Even if you live in a big city and you could take the subway (which perhaps is still public) you wouldn't be able to walk to it unless the entrance happened to be on your land.

I think this would clearly be insanity as it would turn however many hundreds or thousands of years of convention on its head. And to me, this is what the prosecutors are trying to argue. I understand that they probably don't really understand the technical aspects of it but to me it's really clear and their arguments sound like nonsense. But that's because we're looking at it from completely different viewpoints.
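
The distinction drawn in the comments above, between a server that answers every request, one that checks only the User-Agent header, and one with access control built on top of HTTP, sketched as an added example that is not part of the thread. The record ids, addresses, tokens, client string and function names are all constructed for illustration.

```python
import hmac

# Constructed sample data: ids, addresses, tokens and client string are made up.
RECORDS = {"1001": "alice@example.com", "1002": "bob@example.com"}
OWNER_TOKENS = {"1001": "tok-alice-constructed", "1002": "tok-bob-constructed"}
EXPECTED_UA = "ExampleTablet/1.0"  # hypothetical client identifier


def default_open(record_id, headers):
    """Simplest configuration: serve whatever exists to whoever asks."""
    if record_id not in RECORDS:
        return 404, None
    return 200, RECORDS[record_id]


def user_agent_gate(record_id, headers):
    """Check only User-Agent. The client chooses this header, so the check
    says nothing about who is asking or which record they may see."""
    if headers.get("User-Agent") != EXPECTED_UA:
        return 403, None
    return default_open(record_id, headers)


def token_gate(record_id, headers):
    """Access control built on top of HTTP: a per-record secret is required."""
    auth = headers.get("Authorization", "")
    presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    expected = OWNER_TOKENS.get(record_id, "")
    ok = bool(expected) and hmac.compare_digest(presented.encode(), expected.encode())
    if not ok:
        return 401, None  # same answer whether or not the record exists
    return 200, RECORDS[record_id]


def audit(handler):
    """Status codes for four constructed requests, all asking for record 1002."""
    requests = [
        {"User-Agent": "curl/8.0"},                       # anonymous client
        {"User-Agent": EXPECTED_UA},                      # anyone claiming the UA
        {"User-Agent": EXPECTED_UA,
         "Authorization": "Bearer tok-alice-constructed"},  # a different user
        {"Authorization": "Bearer tok-bob-constructed"},  # the record's owner
    ]
    return [handler("1002", h)[0] for h in requests]


if __name__ == "__main__":
    for h in (default_open, user_agent_gate, token_gate):
        print(h.__name__, audit(h))
```

Only `token_gate` ties the response to who is asking; the User-Agent check even turns away the record's owner when the header is missing.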

> Or is it like walking into someone's private home because they left the door open? Or merely unlocked?

It's more like if you were to walk into a retail establishment where the employees left the door unlocked after heading home for the day.

You can't buy anything because the cash register is locked, and taking something would clearly be stealing, but if the sign posted says "we're open", can you be faulted for looking around?

Correct, and thank you.

It's like walking into someone's home, that had signs up over a bunch of open doors along a wall saying 'come in, all visitors welcome'. After wandering around a bit, you notice another door in the same wall has been left open, but there is no sign. Curious - you look in.

BANG. Jail Time.

No, because AT&T is an open Business, which needs to be in business zones, following business statutes, not personal computers connected to ISP servers. It's more like the brothel analogy I just made: https://news.ycombinator.com/item?id=6435769

I think it's more like walking onto your neighbor's private land when they don't have fences or a "keep-out" sign, but also don't have any obvious sign allowing people in either. Still a crime, but not particularly severe or abhorrent; whether it merits serious punishment probably depends on particular details.

Read above. Linked just in case: https://news.ycombinator.com/item?id=6435845