Let's ignore the site in question for a moment, and ask the more general question: is this approach legally defensible?
While it seems reasonable to presume that non-password protected files can be freely accessed until one learns otherwise, it's doesn't seem reasonable to continue presuming this after reading an explicit prohibition. Is there a legal requirement that says one must attempt to physically restrict access if one wants to assert usage restrictions?
I presume if I had an unattended roadside vegetable stand with a cash-box, that I'd be able to prosecute someone who took vegetables without paying, certainly if they also made off with the cash-box. Why is this different on the web? And if a written prohibition has no legal standing, why do so many companies pay lawyers to write click-through "terms of service" agreements?
Let's go through what happens when I visit a web site. I type a URL in my bar, and hit enter. My web browser makes a request via http to a server, and the server inspects the request, determines if I should see the content or not, and returns either a 200 if I am allowed, and a 403 if I'm not. So, by viewing their pages, I'm literally asking permission, and being allowed.
It sounds to me like a misconfiguration of their server; it's not doing what they want it to.
Maybe. It all depends on how you're phrasing it. The server response is just a machine giving you permission; it's not the actual person. How is this different than saying "I asked for permission to the vegetable stand cash box by pressing the open button. The cash box gave me permission when it responded to my button press by opening." (Assume, if you want, that this was a button that could only be used to access paid cash, not for making payments.)
I would agree with your line of reasoning, except that it's not really convention: a cash register doesn't have a customer-facing interface. A web server is an explicit interface to those outside an organization.
I have easy access to the tip jar in restaurants. How do I know that this money which I have easy access to is not free to take? Convention. How do I know that I can take from the penny dish? Convention.
That a web server is an explicit, external interface is a technical reason. How we expect to use that interface is a social reason.
Exactly, so the answer to the question "why is this different on the web?" this has nothing to do with the act of giving permission, as such. It just has to do with convention.
I presume if I had an unattended roadside vegetable stand with a cash-box, that I'd be able to prosecute someone who took vegetables without paying, certainly if they also made off with the cash-box. Why is this different on the web?
I think it's mostly based on society's expectations. It is generally understood that the merchandise at a roadside stand belongs to somebody and another person should not take possession of it, while it is generally understood that something posted online where everyone can see it was posted with the intent of letting everyone see it. Given that, it would make sense that posting something everyone can see implies a grant of permission for everyone to see it.
And if a written prohibition has no legal standing, why do so many companies pay lawyers to write click-through "terms of service" agreements?
IANAL, but I would expect the "click-through" part makes a difference. A visitor to the site may not see a simple written prohibition, whereas accepting the click-though agreement at least indicates acknowledgment that those rules are there (even if they turn out not to be enforceable).
it is generally understood that something posted online where everyone can see it was posted with the intent of letting everyone see it
Yes, but it seems fair to add "in the absence of evidence to the contrary". I think a clearly written prohibition would constitute such evidence.
whereas accepting the click-though agreement at least indicates acknowledgment that those rules are there
I think this is probably right, but I'd love a better legal opinion. This also leaves open the question of whether a simple Javascript popup would satisfy the same requirement: "Clicking OK signifies that you agree to read only one page without payment." My guess is that it wouldn't, but I'm not sure how a submit button gains a different legal status.
A physical equivalent is a parking lot with two entrances on different roads, such that going in one entrance and out the other forms a substantial shortcut. In my neck of the woods (MI), you will find the owners have a way of blocking off one entrance temporarily, and that blockage is done periodically (once a year?), so that the parking lot does not become a road by fiat.
In this physical case, in order to assert usage restrictions (i.e. this is not a road), one must physically restrict access even if temporarily and infrequently.
that blockage is done periodically (once a year?), so that the parking lot does not become a road by fiat.
This from a common law doctrine that makes private roads public rights of way. It must be blocked off one day per year to prevent it becoming a public right of way. Once it's a public right of way it's really hard to make it private again, it must be unused for 7 years or something.
While it seems reasonable to presume that non-password protected files can be freely accessed until one learns otherwise, it's doesn't seem reasonable to continue presuming this after reading an explicit prohibition. Is there a legal requirement that says one must attempt to physically restrict access if one wants to assert usage restrictions?
I presume if I had an unattended roadside vegetable stand with a cash-box, that I'd be able to prosecute someone who took vegetables without paying, certainly if they also made off with the cash-box. Why is this different on the web? And if a written prohibition has no legal standing, why do so many companies pay lawyers to write click-through "terms of service" agreements?