Someone who snatched a purse out of the hand of someone else isn’t “doing anything special” either. The illegality doesn’t hinge on the difficulty of the action. Why is that so hard to grasp for technical crowds?
If you find a car with the keys in the ignition and the door unlocked, you won’t get away with driving it a block down the road by telling the judge: “Oh, but it was obviously insecure, and I was just testing to see if I could steal it”.
The data that's available isn't the school's, it's student data! The school left the students' "cars unlocked" and no one holds them accountable. They just say that people shouldn't steal cars.
They left the car unlocked in the same sense that your home is unlocked. With the right tools, it’ll take me 5 minutes to gain entry. I could then claim that it’s your own fault I gained entry because you don’t have a metal-reinforced door, steel bars across windows, and a lock that can’t be easily or readily picked...
Yes, someone technically minded with the right tools and access can break in. But that’s less than 5% of the population, very similar to the percentage who could easily pick even a complicated lock, but of course near 90% will be able to take an axe to a door or kick in a window.
Even with that house analogy, I'd argue that you shouldn't store large volumes of other people's sensitive personal data in a house that has the bare minimum security.
The issue is organisations being reckless with our data and then blaming hackers when they lose it. It should be common sense that if you have sensitive information then it needs an appropriate level of security, but somehow companies have convinced everyone it's not their fault.
I think this is where analogies between physical theft/trespass and digital access break down.
Pressing the handle down, maybe even opening a door, but not walking in and not taking anything. No theft, no trespass. AFAIK in my local laws trespass requires entry and theft requires carrying off. Indeed -- apparently -- you're legally allowed to enter abandoned properties if you don't break in.
That to me is equivalent to access, maybe even duplication (proving access with no 'alarms'), of digital data. When it becomes immoral is when you use that data, or make it available for use by others.
Of course the CMA (UK)/CFAA (USA) don't see things this way; they both seem to make the equivalent of 'looking in the direction of a door and noticing it's open' into an illegal act.
> When it becomes immoral is when you use that data, or make it available for use by others.
That's logically consistent but shockingly permissive. And to be frank, I don't believe for a second this is really a principled opinion on your part, it's an excuse.
You'll get behind the hacker linked on HN out of solidarity or for some other personal reason (maybe you hate schools, or java). You'd never forgive someone for walking in and lifting your photo history due to a security lapse by Facebook, even if they never "used" the data nor "made it available for use by others". And that is why this behavior is criminal.
This is apparently a curious student that discovered a vulnerability and, judging by the way that blog post is written, is unsure how to properly disclose it. If this was your Facebook analogy, they'd have a relatively visible path to disclose that. Here, they have to potentially fear being reprimanded or criminally charged.
Under the premise that yes, granted, all that might technically qualify as some criminal act: the aspects of intent and malice are, imho, important in these discussions and should be for the corresponding laws. They found a vendor negligently handling student data; instead of dumping it somewhere, making a fuss in the press or using it for something, they try to disclose it (at least I'd hope so). It's not like the author abused that data; they tried out a proof of concept to see if access to other users could be gained. Not just out of solidarity, that's something we should applaud and shield, instead of branding it as criminal behaviour.
For me this is more akin to past cases of people being reprimanded for trying to change URL parameters that are not sufficiently protected. While I see that it might be a philosophical standpoint rather than a legal one, I think the fine in these cases should go to the negligent company, not some curious individual without malicious intent.
Your post to me is a bit like how people said "you feel violated, don't you" when we had burglars. I didn't feel violated, nor particularly care I'd had unknown people in my house -- what I cared about was the nuisance of making insurance claims.
>You'd never forgive someone for walking in and lifting your photo history //
Someone who looked at one of my photos to prove they could, or downloaded one, never shared it, never re-published it? I wouldn't ever know, for one thing.
If they downloaded all my photos and never used them? Am I supposed to be angry?
>it's an excuse //
What do you think I'm excusing?
You mention school, so say someone hacks the school network, they don't share any of the info ever with anyone, don't use it in any way -- except perhaps the only result is they anonymously inform the school they have a breach -- what's immoral there? (Yes, practically you move the legality toward the easily measurable act of making access assuming immoral intent, I understand that.)
> Why is that so hard to grasp for technical crowds?
Because laws concerning actual theft are objectively defined, and are logically consistent with themselves and other laws.
Laws about 'hacking', where the crime is simply a message, not a physical action, are extremely subjective. It revolves around intent more than the action.
For example: if a user goes to the website of theirbank.com and the root page is a list of all the credit card numbers of all the clients, is he committing a crime? He used computers to get information that he shouldn't be allowed to see. Most people would say: no, he only wanted to visit the website.
If I see that the bank's API has no security, am I committing a crime?
If I use SQL injection to see all the users' data, am I committing a crime?
Most people would say that it depends on intent, but intent is extremely subjective, and IMO a pretty bad way to define laws.