i can see how the older generation is thinking though, they see it like leaving a window unlocked doesn’t mean you can
the laws are interpreted and applied by powerful people in a way that suits the way they think - that much i think could have been predicted (but not by a teenager)
did the weev ruling surprise anybody other than hackers?
It feels like the reduction of a nuanced problem into a simple one with a single victim and a single perpetrator, and only one acceptable narrative.
"It's not my fault I left my window open and you took advantage of it. I shouldn't have to keep my windows locked."
"If you see an unlocked window it's not an opportunity for you to take advantage of."
That's admittedly fairly obtuse, but you can see elements of this play out even in this thread, where it becomes a debate about the accuracy of the metaphor and not a discussion of the actual problem. It is so much easier to attack the language than it is to dig out the real concerns and talk about those, so you get a pro and anti situation or semantic nitpicking.
If you agree that the older generation can only think in the metaphorical sense and are practically stuck in the 50s with how they describe it, you also have to accept that it is so far out of whack with reality that it causes continual debate about what actually does reflect the situation and completely detracts from the problem at hand. It is beyond idiotic and it's symbolic of an unhealthy resistance to change.
As an aside, this happens in places like HN and Reddit all the time. A metaphor is introduced into a discussion and it totally derails it, and you're not talking about the source material any more, you're talking about the metaphor and how it can be more accurate. It's like the metaphor is more important than the problem itself sometimes and it's intensely sociopathic, because the linguistics take priority over the humanity.
It's not necessarily a problem that the older generation can only think about technology in a metaphorical sense, the problem is that the metaphors they are using are idiotic.
I think, by and large, people are constrained to thinking about things they can describe. To that extent, being able to accurately describe something is meaningful, and is therefore a linguistic issue.
Semantics are very important when you are dealing with minutiae, and the law hinges on comparisons and extremely complex semantic arguments.
To that extent, it makes sense that we argue about the metaphors.
No OP has a point, we shouldn't talk in metaphors so much... It's not necessary.
The web is in many ways a huge collection of resources that reference each other. Some of these references are explicit in links, others in text, and some are available for programmatic access.
In fact many resources can be discovered by programmatic access, and there is no inherent reason to think this is wrong. Just because an API isn't documented doesn't make using it illegal.
For example, many URLs are actually permalinks, you can bookmark them, or send them to a friend. While most websites don't document this API, it's very common.
Lots of people configure search keywords in Firefox by injecting queries in bookmarked URLs. Few of these URL patterns are formally documented, but that doesn't make their usage illegal.
> In fact many resources can be discovered by programmatic access, and there is no inherent reason to think this is wrong.
Agreed. There is no inherent or intrinsic reason to expect that any given document or any given URL ought to be restricted. However, a look at the documents could have provided some extrinsic reason to stop looking. For example, if I find a filing cabinet full of classified documents, I will not continue leafing through them after I see the first one. I will stop immediately and notify someone appropriate (after contacting my lawyer). I do not intend to access classified documents.
The question is one of intent. Did the individual intend to access documents that they knew or should have known that they ought not access. If the kid pulled down one classified document, took a look, realized what he was looking at, and deleted it and notified the authorities, then I'm with the crowd. Likewise if they pulled down the entire archive without looking at any of them. I'll be on the front lines with my pitchfork.
On the other hand, if they saw the first classified document, then pulled down the rest of the trove hunting for more, some amount of punishment is probably warranted. Even then, I would say fifteen years is too much. Maybe a few months of time and probation, depending on exactly how much willfulness was on display.
I imagine these are the kinds of questions that will be resolved during the trial.
> if they saw the first classified document, then pulled down the rest of the trove hunting for more..
Per the articles: nothing was "classified", it was an archive of public documents that the government published periodically. The issue is that a small subset weren't redacted properly - but there's no apparent reason the teen would have known that.
It appears that someone simply archived a bunch of documents they reasonably believed to be public information.
> In fact many resources can be discovered by programmatic access, and there is no inherent reason to think this is wrong. Just because an API isn't documented doesn't make using it illegal.
The license to access private property is based on the intent of the property owner. Where the intent is made express (through a sign), that governs. Where the intent is not made express, we try to figure out what a reasonable person would infer about the property owner's intent.
The method of access, therefore, is relevant insofar as it tells you about what the owner of the web server intended people to have access to. The fact that content on a website meant for the public to access is only accessible by "programmatic" means that ordinary users would not know, is strong evidence that the owners of the web server did not intend for people to access those documents.
> The fact that content on a website meant for the public to access is only accessible by "programmatic" means that ordinary users would not know, is strong evidence that the owners of the web server did not intend for people to access those documents
Sorry, that is complete BS. Have you scanned the entire internet and sure sure there are no links to these files on other public pages?
Files publicly hosted by a web server (software explicitly designed and installed to make those files public) is in no shape or form private property.
Furthermore, in this specific case, there is an explicit statement saying the files are public and saying nothing about them not being accessible:
"The Access to Information website allows you to submit, pay and receive FOIPOP requests online. The Nova Scotia Government also posts responses to formal FOIPOP requests online on the Disclosure log. This is a free public repository of FOIPOP responses that have been approved for publication and have met a specific set of criteria (PDF file 800 KB)."
I can see where you're coming from but you're also describing the purpose of an API, documented or not. Ultimately, if you want to secure the boundaries of your property (whether that's your app or your domain or your honest to god physical land) it's up to you. If you find yourself in the position where other people are revealing information you or your company should have protected then you are accountable. You have to be accountable. The guy who found the problem or abused it is not accountable.
> If I forget to lock my door when leaving my house one morning it's still trespassing if you enter the house without my permission.
This doesn't seem like an apt analogy for the actual case described in the article, though. That case seems more like: you left a bunch of stuff at the curb with a sign that says "free for the taking", but didn't realize that you left some stuff there that you actually didn't want taken.
in this context i don't think your metaphor applies. your house isn't a freely accessible entity that has been declared as such which has certain areas of it that are off limits but never clearly defined as just that.
So what you are saying is that what matters is the intent of the property owner and the general understanding of the population about what is typically public vs private property?
i would say that those things are certainly relevant, but it would be perhaps very myopic to say they are the only relevant concepts. one should also keep in mind the intent of the individual attempting to access the property, and the perception of what they're doing when they do within their mind as an expression of that intent, for instance. if i have been to led to believe that your property is public through a means that is debatably authoritative, such as a sign indicating it as such, then for all intents and purposes, anything i interact with inside of it in my mind is perfectly acceptable because it falls within the context of pre-established permissions. and if there are parts of your property that for some reason you would prefer private but they are not demarcated as such, am i really in the wrong to interact with them or go inside of them if i have no external information telling me that i should not?
in the context of the article and the problem at hand, the teenager downloaded a bunch of things that were supposed to be public access, but also accidentally downloaded some things that were confidential though not clearly marked as such (im assuming based on available information) and so the only real way he would have known they were confidential was if he actually perused the contents of them. that would be like having a room that is private property and off-limits, and it is marked as such, but the marking is inside the room and can only be seen by entering it and as such violating the private nature of said room. but really these are all just my thoughts on it and i certainly don't think i'm right or anything. it's just fun to talk ya know
I hear what you are saying about the intent of the actor, but that's tricky. What if the actor doesn't believe in private property? What if the actor accidentally misreads "private" as "public."? These things aren't really mitigating.
This is why the law tends to fall back on what a hypothetical "reasonable person" would think.
I'm not as much of a hardliner as rayiner on this particular case as I think there are some facts in favor of thinking of these documents as public:
- it was a government website
- it was specifically set up for the purpose of sharing foia requests
- the data in the documents was not easily identifiable as private
But when it comes to the general principle where some HNers seem to think "If the webserver responds with a 200 then it's perfectly fine." I have to disagree.
Imagine a different scenario in which we were talking about tax returns instead of foia requests. You're looking at yours at http://www.canadataxes.com/return?id=1234 and you realize that if you inc the ID you get the tax return of some other random Canadian citizen. In that case it would be immediately obvious that someone had made a mistake and you were accessing information you shouldn't. A "reasonable person" would understand that a mistake had been made. It would then be clearly illegal to write a script to scrape down the docs for every ID.
But what if someone had just moved to Canada from Norway and didn't realize that tax return information was supposed to be private? I think it's fair to put most of the responsibility on those who have implemented a system that serves private data in response to public http requests. Presumably this is the party that has both been entrusted with the private data and has the technological and legal resources to understand what can and cannot be served publicly and appropriately configure their systems to do so.
No doubt. I still would consider the implementors of said contrived-example-website to be far more liable than our hypothetical confused batch downloading Norwegian friend. Just like I don't yell at my toddler when she knocks over the glass of water I left on the floor.
I agree that the Canadian government has been negligent in the situation under discussion. It's not an either or situation though. Both can be guilty at once.
Let's say he picked his first random URL and got someone's tax documents. A reasonable person would probably report it and quit prying. But it sounds like the bad documents where mixed in with good documents that he was downloading programmatically, so a reasonable person probably would not have the time to read every single document to determine if it contained personal information.
I think that's a terrible analogy, a better (albeit not perfect) one in my opinion is:
If I request access to your house (send a HTTP request) and you grant me access (give me whatever I was requesting), I don't think I should be arrested for trespassing.
If I install a one of those new fancy IoT locks on my door but it has a bug and unlocks for you when it shouldn't, it's still trespassing if you enter my house.
Its not the lock that makes it illegal. Its the act. Somebody reaches into your pocket to take your wallet, its not 'ok' because you didn't lock your pocket, is it?
We're not yet to the point where its the victim's fault when victimized by a criminal. It may seem that way when there are so many active criminals. But some places its still possible to trust your neighbors. I live in one.
I grew up in a relatively small town. Literal years went by where my parents didn't lock the back door. It would have been illegal for someone to enter the house without their permission for that entire time period.
> Where the intent is not made express, we try to figure out what a reasonable person would infer about the property owner's intent.
We do. But if we fail to do so correctly, as people occasionally will, have we committed a serious crime for which we should be facing prison? Particularly in a case where societal custom is not well formed, and analogies to more familiar situations are all strained?
This young man, by his account, likes to archive stuff he finds on the Web. From the sound of it, he's done URL incrementation many times, and this is the first time he's gotten in trouble for it. Let's suppose for the sake of argument that that's true, and also that there really were no indications on this site that the information was unintentionally left accessible. Do you really want to send him to prison for that?
You might reply that as cruel as that seems, its deterrent value would make it worth doing. But I don't even want to live in a world where people without criminal intent are so succesfully deterred from experimenting with the Internet. In such a world, site owners would take even less responsibility than they do now for securing their information, and therefore actual criminals would have even more unfettered access to it.
A situation like this (security wise) isn't like leaving a window unlocked and having someone rob your house it's like
1. Leaving a pie on the window sill overhanging the side walk with paper plates and plastic utensils beside it.
2. A man knocking on your door, asking you for your bank account number without impersonating anyone of authority, you offering it up freely, then suing the man because you forgot to ask who he was first.
The problem is the metaphor itself. The metaphor avoids the problem by providing a more trivial or palatable debate, it takes the attention away from the teen in trouble to the definition of the problem and at that point you've stopped caring about the person, you're caring about the problem.
This guy facing prison doesn't give a shit about it feeling like a man stealing a pie from your window. It's nothing close to that because you can steal pies from windows and be held accountable in a much more reasonable way, and trying to reframe the situation only helps to an extent.
On reflection I think the metaphor itself is a red herring; we're always using them because they serve a great purpose. Tell an aspiring developer they can use goroutines to build a decently concurrent app, without much fuss, and they'll be delighted because the language provides a metaphor for it (way beyond a simple abstraction); tell them they have to understand mutexes, locks, processes, forks, and you've lost them.
What I see is a tendency towards the metaphor because that abstraction itself poses a challenge on top of the original one and the original problem itself is less interesting than the linguistic magic layered on top of it. You can talk at length about how bad the dog > animal OOP example is but you won't have much to say about OOP without that.
When somebody uses the "leave the window unlocked" comparison, I try to rephrase it as "imagine you have your satellite TV with thousands of channels. You browse through channels and realize that, on channel #12985 if you press the A button on your remote, the channel will broadcast you videos that were supposed to be private".
This is probably a closer analogy as you are not physically trespassing, you are "committing the crime" from your couch, you are not "stealing private property" (as, the docs are still on the owner's servers) and it's mostly on the broadcaster side to transmit sensitive information on a channel that is for everyone to see.
Since it helps the older generation to think about digital content in metaphors, I'd argue that the kid was entering through an open window of a public building. Although a bit strange, no one would give this hypothetical person a third look.
I think the most precise metaphor is: a kid walked through the front door of a public library, borrowed a couple freely available books, then the government realized those books mistakenly included sensitive information.
In order to address that error, 15 police officers raided the kid's house.
That would be an accurate analogy if these documents were linked to from a publicly-accessible portion of the site. They were not. This is more like someone walking into an unlocked back room and grabbing books that hadn't been shelved.
These analogies are not helping. Here's what actually happened: the accused allegedly sent requests to a web server asking "may I please look at the document with id X?" for various values of X. Each time the web server had the option to say "no, you may not", or even "no, that document doesn't exist." Instead, it responded each time by sending the requested document.
That's all that happened: someone used HTTP in the way it's intended to be used, and inferred quite reasonably that the people who set up that web server knew what they were doing and meant to set it up that way. It turns out those people didn't know what they were doing, and they got embarrassed about it.
The computer is not a person and what it does only matters insofar as you may infer that the owner of the property programmed it to do what the owner intended.
As you admit, the property owners did not intend those documents to be accessible. So the only relevant question is: would a reasonable person infer that documents which could only be accessed by editing a URL (by "tricking the HTTP server," if you insist on anthropomorphizing a dumb machine) was intended or not intended to be accessed?
I think most people would assume that documents that can only be accessed by editing an ID were not meant to be accessed. And that really is the end of the analysis.
I don't think you understand the web. I'm not anthropomorphizing anything. He literally sent a request for each document he wanted to look at and the server sent a response.
You keep referring to this hypothetical "reasonable person" who doesn't understand the very basic facts about technology, but the opinion you attribute to the "reasonable person" is just one you invented that happens to match your own.
> I think most people would assume that documents that can only be accessed by editing an ID were not meant to be accessed.
How would anyone know if the documents could only be accessed by editing the URL? Others in this thread have pointed out that some of those documents were indexed by Google, so actually, editing the URL is not the only way to get to them.
Computers always do what you _tell_ them to do, not what you want them to do.
The onus for keeping computerized material private is on the owner, and the owner screwed up royally by wrongly allowing sensitive material to be placed unprotected on a _public_ web site. Whether or not it was indexed is irrelevant - it was on a publicly accessible site, permissions set to publicly accessible, and the entire site was meant to be publicly accessible. One can close the analysis until the cows come home, it will not change this fact.
Accessing that material is as illegal as finding a diamond ring (or personal files) while dumpster diving. Dumpster diving may be seen as tasteless or low-class, but as far as I know, it’s not illegal.
Do we prosecute reporters for ferreting out publicly available, yet embarrassing, information?
Dumpster diving is legal (in most places but not all) because the owners has, by putting something in the trash, expressed their intent to not own the item in question anymore.
A website isn't a trash can though.
If I accidentally leave a diamond ring (or personal files) in public somewhere and you take them that is absolutely theft.
A web server is a thing people use to make files publicly accessible - it has no other purpose. It has stronger expectations against privacy than a trash can.
As such, your analogies to situations (locked houses, unattended jewelry) with the opposite expectation just disprove your point. Assuming a file is private even though it's publicly accessible on a web server is as nonsensical as assuming an object is free for the taking even though it's an unattended diamond ring.
I mean, it's in the name, web server. It serves things to people when people asks:
- Hey, can I GET this drink?
- 200 OK, here it is pal.
- 204 Uh, the bottle appears to be empty
- 206 I have only half the ingredients for the mix
- 300 Stirred or shaken?
- 301 That drink is now called this, but here it is!
- 400 I can't understand what you say buddy, are you drunk?
- 403 I'm sorry, but I must refuse to serve you that drink
- 404 Oops, I can't seem to find the bottle
- 411 How much do you want?
- 413 That's too much drink!
- 418 I'm actually a teapot
- 503 Too busy right now!
You can't, because github hasn't made a mistake and accidentally made all private repos public.
If github screwed up one day and all private repos were temporarily made public it would be illegal for you to run a script that tried to scrape them all down to your personal hard drive.
But...you would have left the diamond ring by accident.
Files don't "accidentally" become publicly accessible via HTTP. i.e. you don't return to your computer one day to find everything is public.
Someone specifically took the steps to make this data public. The fact they didn't realize what they were doing isn't the fault of people that then view the data.
But as the person knows they are configuring a web server, I would say this is more carelessness / incompetence rather than an "accident" in the same way as losing a Diamond Ring would be.
These analogies involving valuable physical items are way off base. If I'm walking along the street and see a diamond ring lying there, I can only assume that it belongs to someone else and they've misplaced it (because it's very valuable and, crucially, there is no way for the owner to make use of its value if they've lost possession of it). I may not have any way to locate the owner, but I still recognize that it belongs to someone else and that for me to take it and keep it would deprive them of their property (probably, I should take it to the police).
If you insist on analogies involving lost rings, this situation is more like taking a picture of a ring someone lost in the street than it is like taking the ring.
No, that's a terrible analogy, because a picture of a diamond ring is worth much less than the ring. A copy of valuable information is generally worth just as much as the original. And while no-one would care if someone else had a picture of their diamond ring, they would care if someone else had a copy of their private information.
> Sure, but your carelessness doesn't absolve me of my crime.
If his carelessness meant communicating that you could take the ring without stealing it (say placing it in the donation basket instead of his wallet), that would absolve you of your crime.
> The onus for keeping computerized material private is on the owner
I don’t think that’s a sensible rule and at the end of the day, it’s not the one that’s going to prevail. The Internet will be sanitized and made safe for all the people who forget their passwords and write them in their monitors. The Internet is for ordinary people now, not curious teenager hackers. And ordinary people will make the rules to suit themselves.
> The Internet will be sanitized and made safe for all the people who forget their passwords and write them in their monitors.
And how, exactly, is this "sanitization" going to occur? Are you saying that having 15 police officers raid a home and confiscate multiple computers (all but one of which had nothing to do with the incident in question), arresting a completely uninvolved person on his way to school, and taking no action at all against the stupid contractor who set up the website, is an acceptable form of "sanitization"?
> The Internet is for ordinary people now, not curious teenager hackers.
That's not what the police action described in the article is saying. It's saying the Internet is for government and corporations, and God help the ordinary people who get in their way. (Btw, I include "curious teenager hackers" in "ordinary people". Perhaps the fact that you don't is part of the problem.)
This can't work, for the simple reason that the Internet has global reach. Unlike other kinds of personal property, a Web server is accessible to the entire world. There are lots of people out there who have no reason to respect US or Canadian law, and there always will be. Prosecuting this young man, or Weev, may make some "ordinary" people feel better, but doesn't begin to deter any actual criminals.
The only solution is site owners taking responsibility for securing their sites, in accordance with the sensitivity of the information on them. The sooner "ordinary" people realize that, the better.
Ordinary young people today are probably even less computer literate than ordinary people my age (mid 30s). They grew up being spoon fed the Internet through the FB and Snapchat apps on iPhones.
Your entire argument is based on this idiosyncratic theory of widespread ignorance. This theory is simply wrong, as a matter of fact. Even if it were true, no historical case ever turned on the unprovable notion that most people are too dumb to understand the truth.
Since you didn't respond when I raised it elsewhere in-thread, I would highlight again the fundamental imbalance between the rules you would impose on Facebook etc. and those you would impose on users. Firms that spend billions of dollars developing their systems only have to be as smart as the most ignorant person we can imagine. Their users, in contrast, must be geniuses to keep up with their many changes to TOS, interfaces, and functionality, while simultaneously those genius users aren't allowed to notice that numbers follow each other in sequence. This is nonsense on its face, but then again authoritarian maneuvers are their own justification, aren't they?
If we're at the topic of wishful thinking, I wished ordinary people would understand basic things about the internet. The purpose of humanity as a whole shouldn't be to dumb things down for "ordinary people". It should be to better teach and educate new generations, so we won't be able to assume ordinary people are dumb.
Web scraping is a normal occurence on the internet not just limited to curious teenage hackers. When I grew up we didn't lock our doors because we knew and trusted our neighborhood. It's like you're asking 4chan to use polite vocabulary.
> I think most people would assume that documents that can only be accessed by editing an ID were not meant to be accessed. And that really is the end of the analysis.
You do realize HN provides an API that allows you to request any item by using an ID? [1]
Stories, comments, jobs, Ask HNs and even polls are just items.
They're identified by their ids, which are unique integers, and
live under /v0/item/<id>.
If you really know better than everyone else who has replied to you on this story, why don't you point out the exact law that states accessing resources over HTTP is forbidden if not initiated from another resource originating from the target server? Otherwise, I'll assume your "analysis" is simply a subjective view on how you would like the web to work. A pretty limited and unrealistic view that wouldn't work in the real world.
1. I don't think you can access that story by starting from the front page, because scrolling for more stories only gets you to page 25. Does that mean the intention is the story is private?
2. You can now access it by using the DOM element generated for my comment. Does that mean it's public?
Not to mention there's more to things than HTTP. could be plenty of other sources. Maybe I like using netcat just for kicks. Maybe I like hand-typing HTTP.
While odd, `printf "GET / HTTP/1.0\r\n\r\n" | nc 104.20.44.44 80` gets you the HN home page as good as anything.
Unfortunately, the main counter argument in this thread, from what I gathered, is "ordinary people wouldn't do that". Including someone claiming that if your mom wouldn't do it (in this case), it's not legal: https://news.ycombinator.com/item?id=16854087
Sure, and the fact that HN has a note to that effect on its website is evidence that all of these items are intended to be publicly accessible. It's also obvious in any case that stories, comments, jobs, ask HNs and polls are intended to be public. In the case we're talking about here, it was far less obvious that the relevant documents were intended to be publicly available.
Of course they do. They consider whether or not to give me access. If they respond with 200, they are effectively telling me that the information is public and the request is approved. There's no law moral or legal that stops me from asking for information.
I could ask a law agent for classified information, but he's not going to prosecute me for asking questions. He could be suspicious and ask "how do you know a document with that number exists?". And I can reply "oh, I'm just asking for random numbers".
You can describe what a webserver does in anthropomorphic terms if you like, but it's not the webserver's "intentions" that are relevant. It's the intentions of the people who control the website and the intentions of the person who accesses it.
>There's no law moral or legal that stops me from asking for information.
I wouldn't be so confident of that if you haven't read up on the relevant laws. Many countries have prohibitions against unauthorized access that apply in circumstances where the access is not "unauthorized" in a technical sense relating to the details of the HTTP protocol. The law doesn't necessarily say what you would want it to say or what you would expect it to say. See e.g. the following example from the US. (I'm aware that the incident we're discussing occurred in Canada.)
> You can describe what a webserver does in anthropomorphic terms if you like, but it's not the webserver's "intentions" that are relevant. It's the intentions of the people who control the website and the intentions of the person who accesses it.
And how do you prove intent? This is a technical problem with technical protocols involved. Intent should be provided via the protocol. If the protocol says resources are public, unless otherwise stated, you can't rely on a human to answer, post factum, what resource is private.
I believe that’s something they teach you in law school. Lawyers have been working on that problem for a while! IANAL, but I don't think you are going to be able to find a concise answer to that question that goes beyond the immediately obvious.
>Intent should be provided via the protocol.
Sure, if you say so. That’s not how the law works, though.
Editing a url is not "tricking the web server", the web server is designed to respond to urls with the information they point to. Tricking the server would be doing something like sending malformed packets designed to cause the server to leak memory and display the contents of "hidden data" in an exposed field, ie causing it to behave in a way for which it was not intended.
You're being hugely disingenuous. The owner of these files set up their website, which includes deciding which files are and are not publicly accessible, and it is reasonable to expect that the files they made publicly accessible are the files they intended to be publicly accessible.
One can certainly make the counterargument that a lack of public links suggests the owner wanted them to be private, but you are pretending that there's no evidence whatsoever that the files were meant to be public, and that's plainly not true.
> I think most people would assume that documents that can only be accessed by editing an ID were not meant to be accessed.
I think most people don't have an intuitive understanding of this at all, which means you can get them to give any answer you want by crafting your description of the problem appropriately. That doesn't make such a procedure reasonable.
> would a reasonable person infer that documents which could only be accessed by editing a URL
Except there's no way to know whether that's the only way to access those documents. That's what access control is for. They could be linked from elsewhere for all you know, and it's perfectly reasonable to assume that if you can access the document by punching in a URL, then it is so accessible.
Just curious, not trying to trip you up: In your perspective, would it be trespassing to make a new website which has links to the original site with the edited URLs, without actually accessing those edited URLs? If such a website with links containing edited URLs already existed, would it be trespassing to follow those links?
Just curious about which one, or both, of those are trespassing in your perspective.
That's not true at all, for instance a number of the records that are part of the download were indexed by Google.[1]
So it's more like going in to your library, using the card stack, learning about a book, going to the shelf it is on, and then looking at all the books on the same shelf.
Somebody noticed that you were looking at all the books and called the cops on you. The cops break in and arrest you for looking at books. They tell you that the bookshelf is off-limits and has personal information.
Sure, the library creates it's own card stack and google is an external service; however if you design websites for a living you expect google to perform that functionality.
I mean, I designed a service where we wanted to make it easy to share private information, so we didn't use authorization. However I realized that if I wanted the data to be private I should use a suitably long non-consecutive random ID for the resource. If anyone is guilty of criminal misconduct, it's the person who designed this asinine system or the executive who allowed it to be used on the internet.
Hell, I'd go so far as to say that the fact that the exact same system is still being used across the US is a sign that the company who runs the system is criminally negligent.
I think that's a bit harsh. The documents at that URL were understood to be freely available to the public.
As I physical analogy, I'd think about it more as one of those restaurant straw dispensers. He got tired of pressing the button each time for a new straw, and instead opened the lid and grabbed a bunch out.
> It did, however, damage the privacy of various Canadian citizens.
Did it? I understand that the stupid contractor who put this data on the website did (potentially--but note that nobody is saying that anyone has actually suffered harm because of that data being accessible). But did the teenager who got this bomb dropped on him damage anyone's privacy? As I understand it, he downloaded the data, put it on his hard drive, and left it there; it never went anywhere else.
Can you please send me a copy of your last 3 tax returns? My email address is in my HN profile.
I don't know you have don't particularly care about your financial situation, so I'm not gonna read them or share them with anyone else. I'll just keep them on my hard drive.
> Can you please send me a copy of your last 3 tax returns?
Options:
A) Sure, here you go. Oh wait! I didn't mean to send you those. You tricked me and stole my information. I'm going to send 15 police officers round to arrest you and then you're going to prison for years.
A) is not comparable to the current situation because you are the one initiating the action. I can't stop you from sending me an email so it can't be a crime on my part if you do so.
No, you are initiating the action by requesting the file from me. You did request the file didn't you? Even though you should have known it wasn't public information?
That's not a correct counter argument, the information he got was understood to be public and there was no reason to expect or think there was any private information on there.
If the site had said "This site provides tax returns" then there would be reason to expect the files would contain private information.
The site in question gave no indication there would be private information in those files.
Also, technical nitpick, there are some countries where tax information is public so probably not the best thing to go with.
That may be so, but did he intend to damage their privacy? Probably not.
He can't be faulted for accidentally downloading some private information that was improperly mixed in with a bunch of public information that he was trying to download. He had no indication that the information he was retrieving was not supposed to be public.
It's more like the restricted section of the public library, and they left the door open. He just walked in, and started reading the books on the shelves, and photocopied all of the books.
If there were books in this section that shouldn't have been in there, that's not his fault. That's the librarian's fault.
No, it's much more like calling the government on the phone and asking a series of questions. Or like sending them a series of letters. Or entering a government office during business hours and conducting business there. We don't need a metaphor, there are already laws in place governing how we speak to our public servants and how they respond.
If my car runs you over, and you sue me, what does the court do? It tries to figure out my intent. Did I intentionally run you over? If yes, I'm guilty of vehicular assault (not my car). Or did the brakes fail and I had no intent to hurt you? If yes, I'm not guilty of anything.
Likewise, what the computer does is irrelevant, except insofar is it tells you about the owner's intent. So the question is not "did the computer let you access the file." But "what does how the computer let you access the file tell you about what the computer owner intended?"
The car is still a dumb object that you own that hurt me, and as a result someone is still paying my hospital bills. You might blame your mechanic, if he did a poor job of brake maintenance. When he attempts to defend himself, how is this "intent" mishmash going to fly? "Your honor, please ignore that there are several RFCs defining how one installs calipers, none of which I followed! It was clearly my intent for the brakes to work!"
Also, I'm not sure your analogy works at all. In the first paragraph, you seem to analogize the car to the accused "hacker", while in the second you're talking about the supposedly "hacked" host. To be clear, the point of the car example is that a machine's intelligence has no bearing on how its actions affect the duties of its operators.
The web server sends a response code with each response.
The best, and most accurate, way of determining if the resource you requested is meant to be accessible, is to check to see if you got a 200 OK response or a 403 Forbidden response.
Given the numerous articles about documents inadvertently being exposed through URL ID incrementing, clearly response codes do not accurately convey what people meant.
I didn't say it was perfectly accurate, just that it was the best.
So your argument is that a better way to check this is to crawl the entire web looking for links to a resource to determine if it was meant to be publicly accessible?
> Given the numerous articles about documents inadvertently being exposed through URL ID incrementing, clearly response codes do not accurately convey what people meant.
Your intent argument is really shallow. People do bad things with good intentions all the time. Doesn't mean their actions are good or legal.
> If my car runs you over, and you sue me, what does the court do? It tries to figure out my intent. Did I intentionally run you over? If yes, I'm guilty of vehicular assault (not my car). Or did the brakes fail and I had no intent to hurt you? If yes, I'm not guilty of anything.
Or you failed to follow the rules, were careless, and hit him by mistake. Was your intention to kill him? No. Was it your fault? Yes.
The open window metaphor implies that the rest of the building's facade was a wall. I don't think that is an accurate description of a website.
If we have to resort to metaphors, then let's describe this section of the site as a ring binder, and each FOIPOP publication as a single page in the ring binder. What the kid did, then, is to take out the entire stack of pages and feed it to an automatic copier, put back the originals in the binder and left with the copied stack.
There is no indication that the "perpetrator" even looked at any page in that stack. And since the binder was clearly labeled as "free public repository of FOIPOP responses that have been approved for publication", the act of copying the entire stack is no reason to assume foul play.
>I'd argue that the kid was entering through an open window of a public building.
Given that he tried to sequentially download all possible documents by sequentially incrementing document ID in URL it's more like trying to open every window in the public building and see what happens.
It's more like having a 'Please take these unwanted items' bin and sending people to prison when they take something that you mistakenly put in the bin.
A HTTP server may as well equate to a public building with a sign outside saying "Come in and take whatever you want from any room at any time, unless the room's door is locked!" (locked = authentication)
The Nova Scotia govt forgot to lock one of those doors and are now furiously trying to shift blame. I haven't seen them apologize or address their own internal incompetence in any of the news articles I am seeing about this.
The "older generation" does not use metaphors because they are limited in their thinking. They do it to illustrate the principles underlying law. A basic principle of private property is that you don't have to secure it. The burden is on the would-be trespasser to figure out what rights she has with respect to the property and act accordingly. Snooping around private property out of "curiosity" is illegal, whether or not there are locks preventing you from doing so. (This is an idea teenagers have had trouble with long before the Internet, but we manage to beat it out of them every generation).
Those principles apply equally well to the Internet. Ordinary law-abiding people don't go fiddling with URLs, just like law-abiding people don't jiggle door handles or peak into windows to satisfy their curiosity.
This is absurd. This is not private property. Ordinary law-abiding people do walk into government offices and ask questions, and when they get answers, do continue asking questions and getting answers. Ordinary law abiding people to browse all the products on display at a store. Ordinary law abiding people do flip through all the pages of a catalog that is sent to their home.
This Orwellian attitude that looking at anything is criminal if the government retroactively decides they didn't want you to see it, is terrifying.
But as usual when it comes to authoritarian overreach by government, you're not de-facto wrong about the government sees things, but you are eloquently defending a morally horrific attitude.
Government documents and web servers are private property. (The information within might be public, but it's illegal to access private property in an unauthorized way to get public information). Ordinary law-abiding people do the things that property owners expect them to do (or what they reasonably infer the property owners intend them to do). If there are signs (literal or figurative) that the property owner doesn't want you doing something, then you don't do it--and you're charged by the law with heeding those signs.
That's not Orwellian or authoritarian--it's a basic part of "social" behavior in a society with private property.
However, when you make those files available through a web server, you make the "public".
You then have the ability to limit the access to those files through any one of a large number of techniques to make them private again. Now if there were evidence that they tried (and failed) to use one of these techniques or that the teenager in question deliberately circumvented these techniques, then you would have a point.
One (not particularly good) way of limiting access to files without verifying identity would be to create a hash (say using the requesters email address and the request ID) and use this in the url to access the document (similar to how google docs implement sharable document links).
If they had done this, then perhaps you could legitimately claim that there was evidence of intent to restrict access.
An incremented ID is the opposite. It is a sign that you wanted people to be able to easily predict the correct url to download the next file from. Using an incremented ID is in fact evidence that this information was intended to be public.
Except this teenager was explicitly authorized to access all those files.
He literally asked the web server "can I have these files" and it responded with "yes, you are authorized, here you go".
If he wasn't authorized, the server should have responded with a 403 Forbidden!
Web servers are built around authentication and access rights! It is not the teen's fault that the government doesn't know how to configure them properly.
Ummm... You put your furniture on the curb or your trash, then accuse someone for stealing it? If it's private it shouldn't be on the curb. Anything on the curb is considered public. Clicking a picture of anything on your curb is also considered public. If you wanted to keep it a secret, you should have bought a box and kept it in the locker.
Edit: after few days you realize that the trash on your curb shouldn't have been there. Then you raid the trash company because your brother is a cop.
Sorry- I edited. What I’m saying is that the server represents its owner, so when the server grants someone access in normal operation it’s not intrusion.
> Making a mistake doesn't revoke someone's property rights.
This is a non-sequitur, nobody is saying anything about anyone's property rights being revoked.
The teen asked for access, and the content owners, via the permissions they had configured, granted it. Sure they can later decide that this was a mistake, but that doesn't make it theft for the teen to have asked for access.
Making a mistake doesn't revoke someone's property rights.
They made a mistake when configuring their web server. It's obvious that this was a mistake because some of the documents contained private information from Canadian citizens.
> They made a mistake when configuring their web server. It's obvious that this was a mistake because some of the documents contained private information from Canadian citizens.
Per the tech article, it was an open archive of public documents that the government published periodically. The reasonable assumption is that the files were all public, and there's no reason to suspect the teenager in this case thought otherwise. The fact that ~3% of the files weren't properly redacted (whatever that means) is hardly "obvious".
> Making a mistake doesn't revoke someone's property rights.
Putting it out on the curb with a "FREE INFORMATION" sign, however, does. And this kid is being thrown under the bus for taking it all because it was on a site labeled FREE INFORMATION.
> If there are signs (literal or figurative) that the property owner doesn't want you doing something
But there weren't in this case. The express purpose of the site was to make that information publicly accessible. If you leave stuff out at your curb with a sign that says "Free to all takers", and someone takes something you didn't mean to put there, how are they supposed to know you didn't want them to take it?
What literal or figurative signs were there that he should not have accessed the private information? By all accounts, most of the information he retrieved was clearly intended to be public so there would have been no way for him to know that he wasn't supposed to access the small portion that wasn't intended to be public.
> This Orwellian attitude that looking at anything is criminal if the government retroactively decides they didn't want you to see it, is terrifying.
This is the big problem here. There's no way the way the Freedom of Information Act in Canada is written the way it is because of the democratic wishes of Canadians. Every day our government moves further away from governing according to the will of Canadians and more toward the will of.....I don't even know. Saying it is the will of politicians doesn't explain some of the strange behavior we've been seeing in this country for quite some time.
If our fate is to ultimately live under a quasi-dictatorship masquerading as a democracy, then so be it, but I wish we could just be honest about it. This objectively false "Canada is a democratic nation" claim is infuriating to me.
> A basic principle of private property is that you don't have to secure it.
That’s not even true. Trespassing requires that you be told not to be on the property, that’s why people post signs. You can’t be charged with trespassing because you went hiking and wandered onto unfenced land with no signs, it doesn’t matter if the dumb owners thought nobody would ever hike over there.
You are saying that ordinary people don't know what a URL actually is. This is ridiculous. It takes a certain level of computer illiteracy to never notice that you can access stuff by typing into the address bar directly, or by modifying what's already there.
It also doesn't take a computer whiz to use DownThemAll to enumerate URLs and download them all. They even have a dedicated function for this!
Yes, one does have to have some computer literacy to be able to do that. No, they don't have to be out of the ordinary.
Well, some people believe being curious and trying things out is not what "normal people" do so it's "antisocial" and you shouldn't do it.
I remember a teacher yelling at me for trying some slightly advanced features in a hardware design language. I was really proud I could implement something I didn't thought possible, but her reaction was along the lines "Do you want attention? Why can't you just stay quiet and do what the rest of the class does without showing off?".
Stifling creativity and curiosity, especially in children, encouraging them to be mediocre "like ordinary people" is disgusting and counter productive.
Reminds me the first time I got to touch a word processor. We were supposed to insert a picture with the "clip art" feature. I made a mistake and inserted a "graph" instead. An empty graph, with grey hashed borders, that I didn't know how to delete or undo at the time. So I asked for help.
> Aaahh, he crashed my computer!
Went the teacher. Which then swiftly closed my unsaved document. 15 minutes of work, gone. As well as any remaining trust I had for her. I had done something unexpected, and she was afraid.
I don't think I was quite able to articulate it at the time, but she would have made a fine witch hunter. I do recall a sense of unpredictability though, and reminded myself not to step on that tiger's tail ever again.
Whether it is common knowledge or not has no bearing on whether it’s criminal, so I wasn’t using ordinary to mean “of normal computer literacy”. If you want to use some specific definitions that turn your claim into something trivially obvious, please define them ahead of time.
But lots of things are legal or not based on what typical people would do or think. "Battery" is contact a normal person would find offensive. So touching someone's shoulder to get their attention is not battery, but poking someone in the rib might be. More relevantly, implied licenses to access property are defined by reference to what a normal person would consider implied. So an invitation to enter a store implies a license to access the parts a normal person would assume they can access, and not parts a normal person would assume they are not supposed to access.
It's not a technical shell game. If you asked your mom, "hey, do you think they meant to have people be able to access those documents, where you can only get to them by editing numbers in the URL," she would say "no." That's what defines what is legal or not in this context.
Google, that hotbed of criminal activity, is displaying links to and even accepting paid advertising for these illegal devices that can access telecommunications systems reachable only by editing numbers!
If you asked your mom, "Am I free to access all the
public-facing information on the Government Freedom of Information server", what would she say? The technical details of how to make the connection are irrelevant. My mother doesn't know how to connect to a BBS, does that mean that anyone accessing a BBS is breaking the law?
> If you asked your mom, "hey, do you think they meant to have people be able to access those documents, where you can only get to them by editing numbers in the URL," she would say "no."
No, she would say "I don't know what you're talking about, can you put that in plain English?" And then you could get her to give any answer you wanted by phrasing the plain English appropriately.
> But lots of things are legal or not based on what typical people would do or think.
Good thing computers use unambiguous protocols to communicate explicit intent.
> If you asked your mom, [...] That's what defines what is legal or not in this context.
I'm really terrified of a world where the law is made by asking laypeople what they think. Just like we don't define borders by asking random strangers on the street where countries are, I don't see how it's a good idea to define laws for technical services and protocols by asking people who barely understand computers what they think.
> Ordinary law-abiding people don't go fiddling with URLs
That's complete nonsense. I've often changed a URL because it didn't work and had a typo. It's right there at the top of the web browser asking everyone to fiddle with it. If you were right, the URL bar would not be editable in web browsers, so you should be complaining to Google, Apple, MS, Mozilla for leaving this criminal-use-only feature so prominently on their products.
A consideration of real property illustrates nothing about URLs. Speech is a much more apt comparison, in that one host says one thing, and then another, if it freely chooses to do so, responds by saying something else. (In Canada, though, the speech comparison might not help much?) This comparison is much more cogent than anything involving a "trespasser". Of course, authoritarians prefer the stupid comparison.
Computers are dumb pieces of property. They are not capable of speech (though people might use them for speech), nor are they capable of "choos[ing]" to do anything. Analogies that anthropomorphize computers are nonsensical.
The only people here are the teenager and the property owner. And the intent that matters is the intent of the property owner. Did the property owner intend those documents to be publicly accessible? Would a reasonable person have assumed that those documents were not intended to be publicly accessible, because they could only be accessed by editing a URL?
Phones, bullhorns, billboards, postcards, bumper stickers, guitars, TV transmitters, etc. are dumb pieces of property that people use to communicate. (Why don't I have to get permission to look at your billboard?) Computing devices are different from most of these in a single respect: they can act autonomously, as their operators intend. In fact it is customary that they do so, just as it is customary that billboards are viewed by the public. Jeff Bezos doesn't have to stay at the console approving everything whizzing in and out of AWS. There's nothing anthropomorphic about recognizing that intent may be coded in such a way that a computer obeys that intent. In future please consider reading more charitably.
You post often enough on this topic that we all know your position, before you post. Consider, if you will, whether your preferred position is one that will lead to improvements. I posit that it will not. Your position, if adopted, would lead more faceless totalizing organizations to amass, against our will, more of our personal data, and to be less careful stewards of the same. We have far more to fear from those organizations than from 19yos.
> There's nothing anthropomorphic about recognizing that intent may be coded in such a way that a computer obeys that intent.
What a computer does may be evidence of intent, just as a lock (or lack thereof) may be evidence of intent. But just like an unlocked door is not evidence of intent to make something accessible, neither is an unlocked computer.
> Consider, if you will, whether your preferred position is one that will lead to improvements.
The Internet belongs to ordinary people, not folks who have read the HTTP spec. (It's their world, we just live in it.) "Improvements" will be had when the rules comport with what ordinary people want and expect. Ordinary people don't think about computer security; they expect that, like in the real world, people won't go into places that don't look like they're meant for the public just because there's no locks to prevent them from doing so. The law should reflect those expectations.
Laws exist to create social norms. HN users are preoccupied with data security, but ordinary people hate security measures and are bad at it. So it seems completely backward to me to codify in the law the idea that accessing data should be presumed to be permissible just because the owner of the data didn’t secure it.
Sending a packet in response to some other packet is something "a computer does". Back when "ordinary people" thought that witch-dunking was an "ordinary" security measure, "ordinary people" were wrong. Improvements came not when the courts surrendered to ignorance, but when they corrected it.
Very few "ordinary people" would describe websites as "places", anyway. They don't say they're "at" Facebook, they say they're "on" it, much like they could be "on the phone" or "on TV". Maybe this hasn't always been the case, but the courts aren't tied to 1990s-era metaphors. No one on a jury remembers those silly "Welcome to the BatCave, Come on in if you Dare" geocities pages.
Incidentally, Facebook and its ilk hold ordinary people to much more complicated standards of behavior than those to which you and they would hold sites, all the time. Oh, you didn't read all 50 pages of TOS and then update the (hidden) configuration, every week? Silly user, that's why we gave all your data to the English!
Meanwhile, you don't think Facebook should have to understand how HTTP works, just because one person working at the company might not. Interesting, that the benefits go one direction and the duties go the other.
I think your arguments are well-reasoned, but I also think that you, along with others here making analogies to libraries/filing cabinets/etc. are too eager to equate physical access to internet access.
In the physical world, one can accidentally walk into a room they shouldn't have, perhaps mistaking it for the bathroom, and then leave without having committed any transgression. Entering a room you shouldn't be in doesn't mean you've automatically taken the contents of the room. On the internet, however, visiting a URL means just that. There's no "oh, it looks like I shouldn't be here" opportunity.
URLs are not doors. They aren't rooms. The same reasoning can't be applied to them, as they behave in fundamentally different ways.
There was no sign that the supposedly private documents were intended to be private. I’ve often fiddled with URLs on public sites because I’ve had the intuition that something hasn’t been indexed that perhaps should have been indexed, or because of a dead link.
If those sensitive documents were on a _public_ website intended to be browsed by the _public_, who presumably did not require authentication, and the documents did not cause an “Authorization required” response when accessed, it feels rather totalitarian to treat that as a crime.
Most of the metaphors I’ve seen about this are not fitting. As excessive as the barrage of metaphors may be, allow me to add my own:
As part of a free treasure hunt, a person gives you the address of their house and says, “Whatever is not locked up is fair game for you to look over, take photos, or copy.”
You go there and have a great time. Then the homeowner has a fit because you discovered a hidden cellar full of pornography, which was apparently off limits but the door was inadvertently left unlocked. Now the homeowner is charging you with breaking and entering, saying you should have known better and it was common sense.
Of course a computer doesn't choose to do anything, but its actions do represent the choices of its operator. If I put a sign on my door the onus is on me to check if it says "All members of the public are welcome here" or "No trespassing".
At what point does the owner or their agents find themselves posessing the onus to clearly communicate their will?
The answer, even in the realm of physical property, is clearly not 'never', so where is it, and what leads you to believe its threshold was not crossed here?
> At what point does the owner or their agents find themselves posessing the onus to clearly communicate their will?
The law is that the onus falls on the owner or their agents at the point where a reasonable person would not be able to infer the scope of the implied license from the circumstances.
I posit that a reasonable person (not an HN reader) would infer from a document being only accessible by editing a URL that it was not intended to be publicly accessible.
>I posit that a reasonable person (not an HN reader) would infer from a document being only accessible by editing a URL that it was not intended to be publicly accessible.
Do you view 'a HN reader' as a reasonable representation of someone skilled in the art [of creating and serving websites]?
Unless I'm missing something, the only conclusion that I can see following this line of reasoning is that skill in the art is inversely proportional to a person's 'reasonableness' in this matter.
If a quorum of experts are coherently proposing that certain actions are reasonable, even if you find them distasteful, at what point is 'reasonable' no longer reasonable?
For what it's worth, despite sounding like a rhetorical question, I am truly interested to know your thoughts on that last matter.
Except in certain limited areas (e.g. “the reasonable doctor” standard for medical malpractice), the standard is the “reasonable person,” not the “reasonable person skilled in the art.”
People on HN are not representative, because they know about computer security and HTTP access codes. We don’t live in a world where those people get to make the rules. We live in a world where the rules are set by reference to ordinary people. My mom gets to set the rules for what’s “reasonable” (what are the social norms everyone has to follow). Not you or me.
My point is that a reasonable layman would assume that if a document was not linked or indexed from a public portion of the site, it was not meant to be accessed. That makes sense, because if the document was meant to be accessed, it would be made accessible in a way a reasonable lay person would know how to access it.
> My point is that a reasonable layman would assume that if a document was not linked or indexed from a public portion of the site, it was not meant to be accessed.
And others point out that editing a URL to increment an ID which is obviously sequential is absolutely a reasonable way of browsing the web. That doesn't mean a lay person has to know how to do it, but that they wouldn't think anything criminal was happening if they watched someone else do it.
This is more to the likes of your friend inviting you over but telling you to not open a certain door in their house. It's not illegal to then open that door, but it would be to break or pick the door's lock and then open it.
It's worse than that. It's the friend saying "open any unlocked doors you want", then after you do it, he remembers he left some secret things in his unlocked bedroom and wants you arrested because he didn't know the lock was broken.
It might be hard to prosecute, but just because I invite you over to my house I have absolutely not granted you permission to enter any room you want.
If you, for example, went into my office and started rifling through my file cabinet that would be a huge invasion of my privacy despite the fact that I (like many people) do not have a physical lock on my office or filing cabinet.
the laws are interpreted and applied by powerful people in a way that suits the way they think - that much i think could have been predicted (but not by a teenager)
did the weev ruling surprise anybody other than hackers?