It's not incrementing the integer that was the problem. It was knowingly accessing records that you know you shouldn't have access to. If judyrecords had a method of crawling pages that involves incrementing integers, that isn't a problem on its own. If they were using that method with a good faith belief that they were accessing data they had the right to access, that fact is what makes it an entirely different scenario than what happened with weev.
Agreed, however if a government official says “These records are confidential, please don’t look at them” and then they leave them on a park bench in front of you, then it is a felony for you to look at them.
In this case, it would be like going through the UI and trying to access the record and getting denied because of a client side access block, so you make a direct call to the backend instead to retrieve the record. You’re making a perfectly legitimate HTTP request but for something you know you shouldn’t be able to access: illegal.
Obviously. But I was responding to a particular argument. Why is "knowingly accessing records that you know you shouldn't have access to" so different in this case? There's no trespassing or equivalent; the computer itself was set up for public access.
And "protected computer" is basically all computers. Imagine if the records were on a kindle; that shouldn't change the legality and if the CFAA does so that's a bad thing.
A phone is a personal device and I'd like that to be treated differently in many ways.
A public web server doesn't have such direct privacy issues.
When it comes to records on a bench vs. a non-personal kindle on a bench, I think they should have equal and low protection. Abusing the data should face penalties, but not poking around.
Why should you have any right to “poke around” a kindle you find on a park bench? Beyond any general rights you might have permitting you to take ownership of lost property, that is.
I don’t see any obvious reason as to why this should be allowed, but it’s trivial to come up with a whole plethora of reasons for why you shouldn’t be allowed to poke around such devices.
Most states use the MPC's classification for various mentes reae. The MPC organizes and defines culpable states of mind into four hierarchical categories:
1. acting purposely - the defendant had an underlying conscious object to act
2. acting knowingly - the defendant is practically certain that the conduct will cause a particular result
3. acting recklessly - the defendant consciously disregarded a substantial and unjustified risk
4. acting negligently - the defendant was not aware of the risk, but should have been aware of the risk
Thus, a crime committed purposefully would carry a more severe punishment than if the offender acted knowingly, recklessly, or negligently. The MPC greatly impacted the criminal codes of a number of states and continues to be influential in furthering discourse on mens rea.
Some have expanded the MPC classification to include a fifth state of mind: "strict liability." Strict liability crimes do not require a guilty state of mind.
What does "shouldn't have access to" mean? The web server has a permissions system that determines what access level to grant in response to any request. If you are granted access to a valid request then what other interpretation can there be apart from the server decided you "should have" access?
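The two comments above describe the same mechanism from opposite sides: a site whose UI hides other users' records while the backend hands out any record it is asked for by id, and the question of what the server's permission system actually "decided". The following is an added example, not code from this thread or from the sites discussed in it; the record store, user names and ids are constructed sample data. It shows the backend that enforces nothing beyond what the UI hides, beside one that decides authorization per request on the server, answers "missing" and "forbidden" identically so the id space cannot be mapped from responses, and records denials so that a run of consecutive denied ids can be flagged for review.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample data: records keyed by sequential integer ids,
# each owned by one user. Nothing here comes from a real system.
RECORDS = {
    1001: {"owner": "alice", "body": "alice's invoice"},
    1002: {"owner": "bob", "body": "bob's invoice"},
    1003: {"owner": "carol", "body": "carol's invoice"},
}


@dataclass
class Session:
    """Authenticated caller plus a per-session log of denied record ids."""
    user: str
    denied: list = field(default_factory=list)


def fetch_record_ui_only(session: Session, record_id: int) -> Tuple[int, Optional[str]]:
    """Insecure backend (hypothetical): the web UI only links to the caller's own
    records, but the endpoint itself returns whatever id it is given. The only
    'access block' lives client-side, so any direct request bypasses it."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return 404, None
    return 200, rec["body"]


def fetch_record(session: Session, record_id: int) -> Tuple[int, Optional[str]]:
    """Hardened backend: authorization is evaluated on the server for every
    request by comparing the caller's identity with the record's owner.
    Missing and forbidden records get the same 404 so responses do not reveal
    which ids exist; every denial is logged against the session."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session.user:
        session.denied.append(record_id)
        return 404, None
    return 200, rec["body"]


def looks_like_enumeration(session: Session, window: int = 3) -> bool:
    """Detection heuristic for the denial log: the last `window` denied ids being
    consecutive integers is the signature of someone walking the id space."""
    ids = session.denied[-window:]
    if len(ids) < window:
        return False
    return all(b - a == 1 for a, b in zip(ids, ids[1:]))


if __name__ == "__main__":
    bob = Session("bob")
    print(fetch_record_ui_only(bob, 1001))   # alice's record leaks to bob
    print(fetch_record(bob, 1001))           # (404, None): denied server-side
    print(fetch_record(bob, 1002))           # (200, "bob's invoice")
```

The point the hardened version makes is the one at issue in the thread: "the server granted the request" is only meaningful if the server was asked the authorization question at all. Returning the same 404 for missing and forbidden ids is a deliberate choice; a distinct 403 would let a caller learn which ids exist even when denied.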
I remember an old HN comment about this, but can’t find it right now. It went something like this (but obviously worded far more eloquently):
Hackers love to think that they’re Captain Kirk outsmarting the computer, but real life isn’t Star Trek and judges are very much humans and don’t look kindly on such stunts.
A reasonable person would know that you aren’t authorized to dump AT&T's customer database by incrementing an integer on their site.
A reasonable person wouldn't build a house with no walls to store their secrets in, and then put the house in a public place and give access to the public.
Or I guess I can just start up a website at "youre-unauthorized.com", so every reasonable person is duly noticed that they aren't authorized to see it, put my secrets there, set the web server to allow access to all requests everywhere, and then file a criminal complaint on everyone who accesses my secrets that I put out in public.
A reasonable person knows intuitively that the only crime committed was that of embarrassing the rich and/or well connected.
> A reasonable person wouldn't build a house with no walls to store their secrets in, and then put the house in a public place and give access to the public.
That's obviously true under some formulations, but it doesn't matter, because they won't be on trial. The person who performed the unauthorized access will be.
> A reasonable person knows intuitively that the only crime committed was that of embarrassing the rich and/or well connected.
I consider myself a reasonable person and I'm perfectly happy to have unauthorized access punishable under the law. I value the fact that society takes an onion-like approach to information security. There are incentives for private organizations to secure data, but when they fail to, the risk of criminal sanctions probably prevents some breaches that would otherwise occur. I also do not value the ability to look at computer systems on an unauthorized basis -- i.e. I do not think it brings any value to society -- so by my lights, I lose nothing by it being illegal.
> I also do not value the ability to look at computer systems on an unauthorized basis -- i.e. I do not think it brings any value to society -- so by my lights, I lose nothing by it being illegal.
Not only that, but despite what views borderline-ASD hackers might hold, courts do make decisions about vague things like “intent” on a daily basis.
> A reasonable person wouldn't build a house with no walls to store their secrets in, and then put the house in a public place and give access to the public.
A reasonable person might fail to properly lock their door. Try that defense in front of a judge, odds are you’ll end up in prison.
Does a reasonable person still have an expectation of privacy if not only does he leave the door open, he sits by while a supposed intruder walks in and out not once, not twice, but one hundred thousand times (in addition to unknown numbers of other intruders multiplied by unknown numbers of more times)? Not only was the organization so derelict in their affairs that they failed to protect sensitive customer data, they didn't even notice the "crime" had taken place (a hundred thousand times), and in fact, would never have noticed, and would prefer not to have noticed, had they not been forced by the threat of public disclosure.
Nobody is sitting by these servers, looking at packets as they pass by.
> Not only was the organization so derelict in their affairs that they failed to protect sensitive customer data, they didn't even notice the "crime" had taken place
None of this would reduce the intruder's liability. Perhaps the company should be tried separately for their failure to protect customer data, but that’s a different issue.
It means the intent of the person who created or operates the system. If I forget to lock my front door that doesn’t mean you should have access to my house. Appropriately, it does at least mean you can’t be accused of breaking into it, so the analogy holds up fairly well.
It means that the stakeholders of the system, normally its owners, do not mean for you to have access. Here's one way you can estimate whether the owners intend that you should have access:
Imagine an in-person conversation with the owner or controller of the data, or their most knowledgeable representative. If you asked them verbally whether you may access the data, and they said "no," then you "shouldn't" have access to the data.
> If you are granted access to a valid request then what other interpretation can there be . . .
See above. This is also the interpretation that will be relevant in court if you are sued or arrested, so mark it carefully.
This is like reading an article without looking at the table of contents. If something shouldn't be part of the article, you don't hide it by removing it from the table of contents, and you can't blame me for paging through the article page-by-page and therefore getting pages not in the table of contents.