> When it becomes immoral is when you use that data, or make it available for use by others.
That's logically consistent but shockingly permissive. And to be frank, I don't believe for a second this is really a principled opinion on your part, it's an excuse.
You'll get behind the hacker linked on HN out of solidarity or for some other personal reason (maybe you hate schools, or java). You'd never forgive someone for walking in and lifting your photo history due to a security lapse by Facebook, even if they never "used" the data nor "made it available for use by others". And that is why this behavior is criminal.
This is apparently a curious student that discovered a vulnerability and, judging by the way that blog post is written, is unsure how to properly disclose it. If this was your Facebook analogy, they'd have a relatively visible path to disclose that. Here, they have to potentially fear being reprimanded or criminally charged.
Under the premise that yes, granted, all that might technically qualify for some criminal act: The aspect of intent and malice are, imho, important in these discussions and should be for the corresponding laws. They found a vendor negligently handling student data, instead of dumping it somewhere, making a fuzz in the press or using it for something they try to disclose it (at least I'd hope so). It's not like the author abused that data, they tried out a proof of concept to see if access to other users could be gained. Not just out of solidarity that's something we should applaud and shield, instead of branding it as criminal behaviour.
For me this is more akin to past cases of people being reprimanded for trying to change URL parameters that are not sufficiently protected, while I see that it might be a philosophical standpoint rather than a legal one, I think the fine in these cases should go to the negligent company, not some curious individual without malicious intent.
Your post to me is a bit like how people said "you feel violated, don't you" when we had burglars. I didn't feel violated, nor particularly care I'd had unknown people in my house -- what I cared about was the nuisance of making insurance claims.
>You'd never forgive someone for walking in and lifting your photo history //
Someone who looked at one of my photos to prove they could, or downloaded one - never shared it, never re-published it?? I wouldn't ever know, for one thing.
If they downloaded all my photos and never used them? Am I supposed to be angry?
>it's an excuse //
What do you think I'm excusing?
You mention school, so say someone hacks the school network, they don't share any of the info ever with anyone, don't use it in any way -- except perhaps the only result is they anonymously inform the school they have a breach -- what's immoral there? (Yes, practically you move the legality toward the easily measurable act of making access assuming immoral intent, I understand that.)
That's logically consistent but shockingly permissive. And to be frank, I don't believe for a second this is really a principled opinion on your part, it's an excuse.
You'll get behind the hacker linked on HN out of solidarity or for some other personal reason (maybe you hate schools, or java). You'd never forgive someone for walking in and lifting your photo history due to a security lapse by Facebook, even if they never "used" the data nor "made it available for use by others". And that is why this behavior is criminal.
Be real.