
But that's the thing, there's no clear definition of 'exploiting' in the law right now, just a fuzzy mess that judges are supposed to sort out on some ad hoc basis. If you want to go back to physical property law, it'd be more like 'trespass to chattels' anyhow, which is not a good basis to decide these things.

The fact that users are supposed to just guess about what access sites have or have not authorized, with felony charges for anyone who gets it wrong, does not make sense to me when they have the means to express their rules for authorization in code.

That's why I say you should have to intentionally deceive those rules (or their people) to get in.




I don't understand the logic here at all. I can't make sense of it. I can be civilly, or even criminally, liable for negligently protecting property that other people rely on. But the person who abuses my negligence is also fully liable. Liability simply isn't zero sum.


We interact with computers in a very different way from how we interact with real world property. There are no clear property lines and no clear boundaries. Even when liability isn't zero sum, I think we've both seen companies blame the hackers fully and use that as a fig leaf for their own negligence. I really haven't seen companies punished beyond a few cost of doing business fines.

The idea that we should be deliberately vague about where the boundaries are and let people stumble into felonies doesn't make any sense to me. The idea that we should let someone write that into a thousand page ToS also doesn't sit well with me. I'd rather it be a question of fact.

Take the case about modifying the URL. It's normal to be able to type any URL I like. Why should it be a felony if I try other IDs? I'm simply making a request, it's up to them to decide what access I should or should not have, or even googlebot may end up being a felon. The fact is that much of the web is and always has been open by default. Anonymous FTP is normal... if you want authentication, you should configure that. The idea that someone could be a felon because they were somehow supposed to know that your misconfigured FTP server wasn't supposed to let them in is simply unreasonable and it only works out because prosecutions are rare.

That's why I want a proper boundary. If you're not deliberately hacking someone or social engineering someone, and if the only thing you do is to report the bug you found to responsible parties (the site owner/operator or government), I'm not willing to charge someone with a felony for modifying a URL or logging into anonymous FTP or whatever else like that.


You're saying the same thing you said earlier. This doesn't clarify anything for me.

If you want to advocate for liability for software security negligence, I won't argue --- at least, not on a moral basis (I think "be careful what you ask for" but whatever).

But I do not see what any of this has to do with liability for intruders.


It's more a social than a legal problem on that front. If they can say "X was prosecuted for hacking us" it doesn't make them look as incompetent to the public at large as if they have to admit that a random person on the internet could see obvious flaws in their setup. You can see it as another way of encouraging responsible reporting, not unlike one of the goals of bug bounties.

I think people would start seeing more social costs for running businesses negligently if they couldn't point to iffy hacking prosecutions to justify themselves.


There's no liability because they aren't intruders, they're requesters.

If all it takes to get something is to request it, without any interaction and thus without any fraud, then it's public.

What's the difference between me calling a phone number and asking for a company's financials before they're publicly released, and checking the probable URL before they're publicly released?

The first isn't a crime, why is the second?


I think you replied to the wrong comment. Maybe you meant to reply to one upthread?


No.

I mean that you keep presuming that we're discussing intruders which implies guilt, but when viewed in a more realistic context, as requesters, your comments about liability aren't relevant.

Nobody is at fault for simply asking for a document in the real world and nobody should be online.


It's a little discourteous to jump into the middle of someone else's discussion and attempt to alter the premise. Reply somewhere else if you'd like to have a different discussion. Thanks!


Hah, HN police. It's my thread, look up. But I magnanimously grant you the right to post in it. You're welcome!

You're the one trying to move the goalposts and alter premises. You reframe everything in a violent physical metaphor even though you've been around long enough to know that it's the least useful thing to compare information to. I can't copy a house by looking at it so it's a crappy analogy for a website.

There's a world of difference between asking for a document and opening a door and taking it.


This comment confirms my suspicion that discussing this issue with you is likely to be unproductive for both of us.



