• Grendel84?@tiny.tilde.website
    4 upvotes · 5 hours ago

    @SpaceCowboy @JackbyDev

    In a legal context there’s also the concept of a “reasonable expectation of privacy”. The computer abuse and fraud act defines hacking as accessing data or systems you are not authorized to access.

    A better analogy is putting your journal in a public library and getting mad when someone reads it.

    I’m not saying what these assholes did was right, I’m saying that the company weakened their legal position by not protecting the data.

    • SpaceCowboy@lemmy.ca
      3 upvotes · 3 hours ago

      Terrible analogy. You have permission to read books in a library.

      Forgetting to lock your door isn’t granting permission to people to enter your house, and it doesn’t grant people permission to take your valuables. It may be neglectful to leave your door unlocked, but it doesn’t imply granting permission to enter your house.

      Same goes with computer security. Leaving your computer insecure may be neglectful, but it does not imply someone has permission to take your data.

      • Grendel84?@tiny.tilde.website
        0 upvotes · 1 hour ago

        @SpaceCowboy

        Then how do I know what I am not allowed to access?

        In this specific case there was no (formal) indication that the data was out of bounds.

        I can’t put 10 pdf files in a web dir and claim 5 are public and 5 are private, then charge you with a crime for viewing them.

        You can’t have “unauthorized access” when there’s no authorization at all

        • SpaceCowboy@lemmy.ca
          1 upvote · 47 minutes ago

          If I’m clicking around on a website and find a gallery of images, that’s something I’m supposed to have access to. If I start typing in URLs that aren’t linked anywhere on the site, then I’m accessing stuff the site hasn’t explicitly indicated I have access to. If I’m doing this with the intent of getting data and distributing to others, then yeah that would be illegal.

          The law allows for someone to exercise judgement. The people who do this are not so coincidentally called Judges. If the 4chan guys had been white hat and reported the issue to the site owners, then they’d be fine. But it’s obvious to anyone their intent was to get private information, they poked around to find some private information, and then distributed that private information to others causing a privacy violation. Yes, it was easier to do than it should have been, but it’s obvious they had malicious intent and it’s obvious they were accessing information they weren’t supposed to access.

          A crime being really easy to commit doesn’t make it no longer a crime. Many times I’ve seen things that I could easily steal, but I don’t steal things when I have an opportunity to do so because a) stealing is wrong and b) saying “they just left this thing out there in a place anyone could steal it” would not be any kind of legal defense. Simply because you’re presented an opportunity to do a crime doesn’t mean it’s acceptable to do a crime, both legally and morally speaking.

    • iii@mander.xyz
      2 upvotes, 1 downvote · 5 hours ago

      A better analogy is putting your journal in a public library and getting mad when someone reads it.

      Good analogy indeed. I’d go one step further and add: it’s like promising others you’ll keep their diary safe, then putting it in a public library, to then get mad when someone reads it.

      • Grendel84?@tiny.tilde.website
        3 upvotes · 4 hours ago

        @iii

        Yeah the internet by design is a public space, and we must be responsible and treat it as such when handling sensitive data.

        Again, it was very wrong for people to take that data and especially to post like that.

        The company also has to do their part and produce at least some kind of barrier to the data.

        Even using UUIDs and making sure the data wasn’t query-able would have been something.
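
The barrier suggested in the comment above (random UUIDs, data that cannot be listed or queried), extended with an explicit owner check, as an added example that is not part of the thread and not the affected company's code. `DocumentStore` and `exposed_to_anonymous` are hypothetical names and all data is constructed.

```python
import uuid

class DocumentStore:
    """Constructed in-memory stand-in for a file/object store (hypothetical)."""

    def __init__(self, random_ids, allow_listing, check_owner):
        self.random_ids = random_ids
        self.allow_listing = allow_listing
        self.check_owner = check_owner
        self._docs = {}   # doc_id -> (owner, content)
        self._next = 1

    def put(self, owner, content):
        if self.random_ids:
            doc_id = str(uuid.uuid4())   # 122 random bits, cannot be found by counting
        else:
            doc_id = str(self._next)     # 1, 2, 3, ... trivially predictable
            self._next += 1
        self._docs[doc_id] = (owner, content)
        return doc_id

    def list_ids(self):
        # A listable bucket or directory index hands out every key,
        # which makes random IDs pointless.
        if not self.allow_listing:
            raise PermissionError("listing disabled")
        return sorted(self._docs)

    def get(self, doc_id, requester=None):
        record = self._docs.get(doc_id)
        if self.check_owner:
            # Same error for "missing" and "not yours", so responses do not
            # confirm which IDs exist.
            if record is None or record[0] != requester:
                raise PermissionError("not authorized")
        elif record is None:
            raise KeyError(doc_id)
        return record[1]

def exposed_to_anonymous(store, known_ids):
    """Audit helper: which of our own document IDs can an unauthenticated caller read?"""
    readable = []
    for doc_id in known_ids:
        try:
            store.get(doc_id, requester=None)
            readable.append(doc_id)
        except (PermissionError, KeyError):
            pass
    return readable
```

With `random_ids=True` but `check_owner=False`, a document is still readable by anyone who obtains its ID; only the owner check makes access an authorization decision.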

        • silasmariner@programming.dev
          1 upvote · 2 hours ago

          The web is a public space by design. The internet? I don’t think you can make that case well. HTTPS and all that. Private infra abounds.