
This might be a controversial opinion here, but intent does matter. If I see a bunch of stuff sitting on the sidewalk and I take some because I think it's free, that's a reasonable thing to do. But going into someone's house and taking their TV is not. "It's their own fault for not locking the door" isn't a valid legal defense, and I would prefer not to live in a country where victim-blaming becomes a get-out-of-jail-free card.

Based on what little I've read thus far, the teenager does indeed seem to have good intent. If that's the case, I'm cautiously optimistic that the court system will set him free without any consequences. But if the prosecution can prove that he was aware of the data's confidentiality and was acting with malicious intent, then he deserves a conviction. Let's let the legal system run its course, before gathering our pitchforks.



A publicly accessible HTTP web server is not analogous to a locked home.

The kid sent a request to the server for a document and Nova Scotia's web server graciously provided the content with a "200 OK" response code. The Nova Scotia government doesn't know how the internet works.


That analogy assumes a lot about how hard/hidden obvious id numbers in URLs are. I'd counter that this situation is more like "putting your stuff on the curb and being mad when people take it". Rather than scapegoat the kid, the government should be investigating themselves for criminal negligence.


> "That analogy assumes a lot about how hard/hidden obvious id numbers in URLs are"

Well, I did give 2 different analogies, and without knowing more specifics, I'm not taking a stand on which analogy better fits this case. Depending on the specific design the government used, and the steps the teenager took to access the content, either analogy could be applicable.

> "Rather than scapegoat the kid, the government should be investigating themselves for criminal negligence."

That's a false dichotomy. Investigating government officials for negligence shouldn't preclude prosecuting a (hypothetical) malicious hacker.


You can find some documents from https://foipop.novascotia.ca in Google cache, so should Google be sued too?


I get what you're saying and I don't disagree with your premise, I just don't think it is applicable in a situation where the purpose of the website he was visiting was to access information. Not _that_ particular information, but if I accidentally put my wife's jewelry out on the curb with the old NordicTrack it'd be pretty crazy to charge the people who took it off of the curb as jewel thieves.


That's because we know what a "house" is - a bunch of private property with a wall around it (even if the wall is not locked). Usually comes in sets with other bunches of private property with walls around it. And we know the default - you aren't welcome in those walled forts unless you are welcomed in by the owner.

Not at all clear that files on a public webserver look very much like a private house.


I think someone's house is "private by default"... even if the door is unlocked, you know you shouldn't go in there.

The internet is public by default.


I agree with you but I don't think the law does. The CFAA says that if access isn't authorized, it's no good. Now we can say that if the system was programmed to give it up (200) instead of telling you you aren't authorized (403/401) then you are authorized, but I think the law is more about whether a human intended to authorize you. Accidentally programming the authorization is (however stupid it may be) not what it's about.


How is someone supposed to determine that one unauthorized thing is hidden among many authorized, similarly named things?


I guess because the unauthorized thing isn't linked. Giving you the link is like giving you a password... They're both just strings although one is considered to be more secret than the other. Guessing at links is like guessing at passwords: it's overcoming the fact that you weren't provided with the string that gets the server to respond with the stuff.

I don't like this but I think it's how it legally could play out.


The way I see it, these files were sitting on the sidewalk. Public facing websites are public spaces.


He didn't walk in and take something, he sent a request (via HTTP) and they responded with the content he requested.

If I sent them a dead tree letter requesting a document and they replied with a copy of that document, would you consider this the equivalent of going into their house and taking their TV?


There is one difference which makes the analogy irrelevant. You can easily distinguish houses where you are allowed to come from houses where you are not. There are simple rules and we all know them.

URLs have no way to classify them into legal and illegal ones. You can propose a plan to the W3C and to the government to mark URLs with the string 'illegal' in them, if they are illegal to visit without special permissions. It will make them distinguishable from legal URLs, and then it would be normal to charge for visiting illegal URLs. But this rule should be a widely known social norm, not a local rule of some site hidden on some obscure page that is easy to miss.


Yes, the house analogy is not accurate.

It would be logical to assume that as the files have specifically been made public via HTTP then no laws are being broken by viewing them unless a warning message appears saying otherwise.


The 'locking the door' metaphor is just flat-out incorrect. A public-facing webserver is simply not a place to store your shit.

A closer analogy would be two tables out the front of your house covered in fruit, with a sign saying "Free Fruit" on one table and then expecting people not to take fruit from the other table.


I like this analogy a lot. But I think even better would be someone setting up a store in an area advertised like "everything is included with the price of admission" (admission being your ISP fee) and taking from the store without realizing it's not truly all inclusive. The store needs to be a vending machine, not a shelf.



