by dopamean 4655 days ago
> You can't be unauthorized if there is no authorization.

This is really the main point to me and I'm really confused as to how the law doesn't agree with this. How can you claim unauthorized access to something when there are no systems in place to grant or deny authorization? Comparing this to walking into someone's home who left the door unlocked (as someone in this thread has done) is bogus to me. Private property is private property and social norms (as well as the law) dictate that you don't just stroll into someone's home even if the door is open. The internet does not work that way and never has.

> Private property is private property

Except in many cases the private property is being made accessible. Imagine going to an open house and the owner accidentally left the basement unlocked. You open the door and walk down, then get arrested for breaking and entering.

More applicably, imagine there is no door, not even hinges where a door should be; just an opening to the basement.

But you get arrested for walking down there anyway. Then the police tell you you're under arrest because "The owner didn't intend for you to go there."

If you wander in shouting "Lol guys, we totally shouldn't be allowed in here! Their security is awful! Quick, take pictures of all their documents and we'll post them to a news site" then you've got a more reasonable analogy.

Well, all these analogies are interesting, but hackers don't get there by accident. They don't just spot the door, because these doors are invisible to regular visitors, right? You have to actively look for "doors", which implies that you have a premeditated intent of finding the "secret doors". And you also know very well that the owner didn't want you in there...

Both of your scenarios are inapplicable because physically entering a property is totally unlike communicating with a public machine in the way it was intended to be communicated with.

There is a system in place. It's called HTTP status codes.

I wonder if there's some way to make a useful legal argument along the lines of: Since there's a well defined HTTP Status code for "Unauthorized" (401), then it's clear that any request responded to with a Status code of "200 OK" is, by definition, being declared by the webserver (and its operators) as "authorized".