> I already play with urls that have possible id's in them out of habit
Do you jiggle door handles out of habit to see if they're unlocked? It's antisocial behavior. If you were supposed to have access to that document, it would be accessible from a link or search box on the main site.
Poor analogy. What he was doing (incrementing an ID to access a series of files) is more like leafing his way through a filing cabinet. A filing cabinet that was ostensibly filled with public-access files, and he was told he was allowed to be in the filing cabinet.
So while going to the filing cabinet to get the file he'd been directed to, he leafed through other files too. Why not? They're all public information, since they're sitting here in the unlocked filing cabinet with all of the other public information files.
Turns out some of them were mislabeled, and were private information in the public information filing cabinet.
Not so weird, not so antisocial, not his fault, shouldn't be his problem.
If someone told you that you could get a specific file from a filing cabinet, it would be antisocial of you to start flipping through the other files to see what was in there.
Here's another change-up in the analogy: it's like a public library, and you ask the librarian where a certain book is located. They direct you to the book. You notice the other books on that bookshelf also may contain information relevant to your interests, so you check them all out.
Sure, it'd actually be like checking out every book in the library, but this is the age of the internet and it's an insanely useful skill to learn how to grep large amounts of text.
Also, the library was called the "Free Information" library.
IMO this looks like a company that did a poor job trying to cover their mistake by blaming "those hacker folks". I don't think it's inappropriate to confirm the kid was acting without malicious intent, but the subcontractor who set up the security for this site needs to be investigated thoroughly.
A link is not someone giving you permission, it's merely telling you where something else is. I can't think of how you even came to this conclusion. It's like you have this incredibly restricted view of the internet, limited to people clicking on a browser, and think that's enough for protecting files. It's not.
You don't seem to realize how bad of an idea this is. You're talking about making criminals of people. You know, I think I remember once reading about how Chrome would try the address you type while you typed it (i.e. before pressing enter, it'd make a request for every character you typed). Users of Chrome could become criminals because their software would do this.
I mean you are making a request using a uniform resource locator, and the web server is responding to that request.
Best analogy I can think up is an automated free vending machine, with a row covered up by a piece of cardboard. If you don't want someone drinking the cokes on the hidden bottom row, why did you put them in the machine in the first place?
I have a view of the Internet where “protecting files” has nothing to do with whether access to files is authorized or not. I shouldn’t have to lock my door, and I shouldn’t have to lock down my web server. (It may be prudent to do those things, but a trespasser shouldn’t escape penalty just because I didn’t do those things.)
There are understood conventions for when doors can/should be opened.
There are also understood conventions for when it's OK to access a resource served over HTTP.
If the response code is 200, it's OK. The response code (not to mention the transmission of the file) is literally permission from the system to have the resource.
If you don't want someone to come in your door, don't put up a sign that says "come in."
If you don't want someone to see a resource at a URL, don't send them a 200 response code or serve the resource. That's the convention for the web.
And I shouldn't have to pay an attorney to write legal contracts, while we're on the subject of fictional, idealized, romanticized, and imaginary realities.
This conversation has devolved into arguing against the analogy. This is the internet: everything on it is public unless care is taken to make it not so.
You may choose to argue whether or not that should be, but that's the way it is.
Your view of the internet only applies to things that aren't the internet. There exists no real governance or real ownership on the internet. These things do exist in some capacity, for the most part, in the physical world within national boundaries. Even still, if this were the physical world and some house existed, with an open door and outside the generally agreed upon distinction of what private property is, then you'd bet your ass I'd walk in and snoop around. If the owner came by and said "Hey! This is private propertay. I'll have you arrested!" then he'd certainly have the right to do so. I could then argue that there was no reason to think that this was private property because the door was open and it looked like a public facility.
Trespassing is generally not a crime unless there is a clear indication that the person committing it should not go there, such as a fence or a sign or some form of explicit communication from the property owner. The fence or sign doesn't have to make it impossible for the person to access the property, but it does have to be there so that it is clear that they shouldn't enter the property.
The Internet should be treated the same. Anything put on the Internet should be presumed to be public unless there is some indication to the contrary.
In this case, most of the information he accessed was clearly intended to be public, so there was no reasonable way for him to know that there was some private information improperly co-mingled with the public information, so he can't be faulted for not realizing that he shouldn't have accessed some of the information.
Yeah, but if you staple a note to a telephone pole you shouldn't get angry if people copy its contents. To portray a simple web crawler as a "trespasser" is a poor analogy. Do you have any proof that the owner of www.zombo.com has given anyone permission to view its contents? If not, should people be persecuted if they visit the site?
Elsewhere in this thread, people have pointed out that Google has crawled (and cached) at least some of the pages that were supposedly criminally accessed.
Think of it like so: you have a robot that anybody can ask anything and that will answer any and all questions truthfully. Whose fault is it if you deliberately tell the robot non-public information?
Why the content receiver? That would be like a musician suing viewers for listening to their copyrighted music playing in the background of Youtube videos. It's the responsibility of people disseminating content to ensure they have the right to do so. That's why file sharing cases focus on the sharing, not the downloading per se.
I agree that you shouldn't have to lock your door, but a web server is nothing like a house. You should be expected to put a fence around your playground equipment in a grassy field if you don't intend for people to use it as a public park. Even more to the point, you should lock the utilities shed at the public park you run lest someone mistake it for the public loo.
It's not just a single file that you have been invited to access. This 'someone' has told the world that all of their public documents are in this filing cabinet. And here is how to find a few specific files. It's not a stretch to think that every other file in the (unlocked) cabinet is also public.
I completely agree with rayiner, and am a little concerned he’s being downvoted so heavily
But no, it shouldn’t be illegal. Yet what he said still completely applies to stuff like fiddling with ids on a site where you suspect it might lead to content you shouldn’t be able to access
Unless you’re whitehatting and plan to inform them of the security issue (probably anonymously because the world is fucked up and whitehatting can lead to jail time -_-)
Just because what you're doing is legal, doesn't mean you're not an asshole
If they're my door handles, then yes. If they're public doors, then yes. Why, just yesterday, I tried the door of my favorite coffee establishment where the Open light was on but, unbeknownst to me, they had closed early.
The kid got documents on a public facing server. He did nothing wrong.
A bit more complicated than that, but I am sympathetic to this person's plight. What complicates this is if the website had a Terms of Use policy; if not, then outside of existing statutes I can't see how he is guilty. Even if there are terms of use, I think these are useless if I have not agreed before entering the site. All very confusing.
The blame truly lies on the government for allowing such porous security. They should be glad a seemingly benign teenager discovered their flaw and not some more nefarious actor.
This example is not entirely equivalent. My understanding is that the opinion of the court was that authorisation (for the definition of "without permission") cannot be decided based on method of access. I.e. if you have granted a user access to data, you can't later say they accessed it without permission because they used a proxy or bot to access it (in violation of your TOS).
A terms of service cannot define law, but it can make explicit what data a provider is authorising a user to access.
I don't see any terms of use anywhere else, and it looks like the site is down now, but the official links to this site describe it:
"The Access to Information website allows you to submit, pay and receive FOIPOP requests online. The Nova Scotia Government also posts responses to formal FOIPOP requests online on the Disclosure log. This is a free public repository of FOIPOP responses that have been approved for publication and have met a specific set of criteria (PDF file 800 KB)."
I also have a huge problem with the stance that violating the "Terms of Use" policy of a website can result in criminal charges when accessing publicly available information.
It's more like a bunch of books on a shelf at the library with one 'special' book, unmarked, in the middle where they charge you with theft if you grab it.
A "link" is a DOM element in a web page which references a URL, but a URL is not itself a link. To put a finer point on it: the fact that a URL is referenced in a link means that a user is supposed to see and access it.
"Security" is irrelevant--there is no obligation to "secure" private property. Obscurity, on the other hand, implies that the property owner did not intend for people to access certain property. That is what matters.
Sequential numbers are not obscure. They're commonly used for pagination and collections, to the point where popular browsers have extensions to simplify navigating them.
> Obscurity, on the other hand, implies that the property owner did not intend for people to access certain property. That is what matters.
It implies the exact opposite. The owner may have intended it to be private, but making it publicly available, without security checks on a publicly accessible server, implies the property owner intended for people to access that property.
The fact that Nova Scotia might have violated a separate obligation to secure sensitive information doesn't make accessing that information not trespass.
When accessing a document on the web, you ask the server if you can have it. The server then says "yes" or "no" based on a set of rules. In this case, he asked and the server said "yes".
This is like going to a library, asking the librarian if you can check out a book, being told yes, and then later being arrested because they meant to say "no".
Couldn’t the same analogy be used if I left my front door unlocked? The door would happily say: “yes, you may enter” to anyone trying the handle.
I think the real question here is: did the website provide enough information for the user to have been assumed to understand that what they were accessing wasn’t meant to be public (e.g. did the door look like a door to a private property)? And did the user cease to access the data once they understood it (e.g. did they close the door and leave)?
That analogy would be more accurate if you also operated a cafe out of your living room, with a big "open" sign on the front door, and someone accidentally used your personal bathroom because you failed to stick a "private" sign on it. In that case, it would be unreasonable to sue someone for trespass.
This isn't even the case though. The site specifically says that the documents, all of them, are public. They just happened to have noticed they screwed up and published some they shouldn't have, and are now going after someone who downloaded the entire set. This was not prohibited in any way that was documented on the site, and the language that was on the site made it sound like it was allowed. Since the theme is analogies, how about this one: someone puts a box labeled "free stuff" in front of their house. You dig through it and find something of value. You take it and go home. A few days later your house is raided because the owner of the house put in something valuable by mistake and is now claiming they never intended for anyone to take anything that wasn't visible from the street. Since you dug through the box, they are charging you with theft.
You're correct, but I strongly suspect this is a case of the government trying to deflect blame from their horrendous security to "those young hackers" and that this whole situation could probably be resolved peaceably by ensuring the data in question is deleted from the dude's computer.
A link is nothing of the sort, it's a colloquial term that connects one point to another. It is not unique to HTML or programming in the slightest. In those terms a URL is always a link because the only practical reason for inventing the concept of a universal resource locator is to link one thing to another without them coming into conflict. There is no reason for a URL to exist except for it to be a link and it has nothing to do with the DOM.
> In computing, a hyperlink, or simply a link, is a reference to data that the reader can directly follow either by clicking, tapping, or hovering. A hyperlink points to a whole document or to a specific element within a document. Hypertext is text with hyperlinks. The text that is linked from is called anchor text. A software system that is used for viewing and creating hypertext is a hypertext system, and to create a hyperlink is to hyperlink (or simply to link). A user following hyperlinks is said to navigate or browse the hypertext.
The URL in the abstract is not a "link." A link is an element in hypertext.
a "link" is something that connects two entities together in some arbitrary way. a chain link for instance connects the constituent entities of a chain (other links) together. a link in a linked list connects different nodes together. and a hypertext link connects two hypertext resources together. what you're doing is picking one specific definition and applying it liberally to all potential interpretations and contexts of said word. this is why i tend to espouse the virtues of generality over specificity; when you get too specific, you start eliminating the actual utility and flexibility of language. a link in terms of computing is most certainly NOT just a hypertext link, that is only one very specific interpretation of the concept at hand that you're falling back on to try and further your argument. liberally ignoring all the other possible interpretations is quite intellectually dishonest imo. still, you're entitled to perceive things how you want and argue it whatever way you desire. just know that the majority of reasonable and educated individuals will disagree with you. you're up shit creek and you keep denying every paddle that's offered to ya m8
If it helps, the Oxford English dictionary has updated the definition of “literally” to literally include “used for emphasis while not being literally true.”
Whether we like it or not, language evolves. If “literally” can, then literally any other word can too.
Let's say you are reading a free manual online and every page is stored as a different webpage with a common URL and only the last number changing (e.g. page 1 is book/1, page 2 is book/2 and so on).
The only way to go to a certain page is with a "next page" link from the previous one. You read the index at page 1 and see that you can't find the information you need but page 500 is missing, a printing error in the index perhaps.
Instead of clicking 499 times on the page links to see if the information you need is on page 500 you simply change book/1 to book/500.
OH NO, the link on page 499 brings you to page 501 and it's not in the index because page 500 contains the truth about aliens so now you read it and are going to prison.
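Several comments above turn on the rule a server applies when it answers "yes" or "no" to a request for a numbered document. The sketch below is an added example, not part of the thread and not the code of the site under discussion; it sets a rule that serves any ID that exists beside a per-document authorization check, and audits which unpublished records an anonymous request can fetch. The store, field names and handler names are hypothetical and the records are constructed.

```python
# Added illustration; the store, field names and handlers are hypothetical.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    approved_for_publication: bool  # set only after review and redaction
    requester: Optional[str]        # account that filed the request, if any


# Constructed sample data: sequential IDs, one record never cleared for release.
STORE = {
    1: Document(1, True, None),
    2: Document(2, False, "alice"),
    3: Document(3, True, None),
}


def serve_by_existence(doc_id: int) -> int:
    """Weak rule: any ID that exists is answered with 200."""
    return 200 if doc_id in STORE else 404


def serve_with_authorization(doc_id: int, user: Optional[str] = None) -> int:
    """Per-object rule: 200 only if the record is published or belongs to the caller."""
    doc = STORE.get(doc_id)
    if doc is None:
        return 404
    if doc.approved_for_publication:
        return 200
    if user is not None and user == doc.requester:
        return 200
    # Same status as a missing ID, so the response does not reveal that
    # an unpublished record exists at this number.
    return 404


def audit_exposure(handler: Callable[[int], int]) -> List[int]:
    """Defender-side check: unpublished IDs an anonymous request can fetch."""
    return [i for i, d in sorted(STORE.items())
            if not d.approved_for_publication and handler(i) == 200]
```

Running `audit_exposure` against each handler before a release shows whether walking the ID range reaches anything that was not approved for publication.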