> Everyone who is in the industry providing IT services is supposed to know that basic security measures are necessary.
And everyone who doesn't have wool for brains knows to not carry large rolls of cash around in a bad part of town, but we can still hold the mugger at fault.
>People being prosecuted over discovery and disclosure of horrible design flaws based on URLs should never be prosecuted. If they use the information to actually cause damage, we can be in agreement that they are responsible for the damage.
That's literally the current state of things.
Are you sure? I seem to remember people getting burned for publicly disclosing security vulnerabilities after stubborn agencies refused to fix them for years. Stuff like, exposing thousands of SSNs through a public gateway... We are literally having this discussion on URLs because of famous cases where people DID face unfair treatment. I don't recall any actual fix for this legal chicanery either. If you do, I would be very interested.
> I seem to remember people getting burned for publicly disclosing security vulnerabilities after stubborn agencies refused to fix them for years. Stuff like, exposing thousands of SSNs through a public gateway..
This has never happened in the US on the federal level. Unless your definition of "getting burned" is a nasty email from a clueless non-LE government worker.
> We are literally having this discussion on URLs because of famous cases where people DID face unfair treatment
I don't think any reasonable person can read through the court filings in those (Auerheimer, Swartz) cases and agree with the claim that there was unfair treatment wrt the application of the CFAA, or that the CFAA was unfair because it covers those cases.
I totally understand how someone who has not spent time familiarizing themselves with the actual details of the cases might be under the opposite impression; they are frequently misrepresented by people with agendas and nerds who mistakenly understand judicial process as a "Captain Kirk vs Computer" scenario.
There's a trend in communities like HN to claim that the CFAA is bad because Swartz deliberately broke the law while he engaged in some pretty cool civil disobedience. That's not reasonable. Two things can be true at once: what Swartz did was in fact cool and laudable, it still shouldn't be legal. Similarly, a reasonable person might consider it cool and laudable to punch a nazi, doesn't mean it should be legal.
In any case, there's also a trend of misrepresenting the potential penalties involved. On HN, you'll see people posting about how Swartz was facing 30 years in prison, which is an outright lie. Swartz had, in fact, behaved as described in the indictment; he had two plea deals on the table. One for 6 months with the opportunity to argue for further leniency from the judge, and another for 4 months outright. Lawyers familiar with the case have stated that it was very likely that he wouldn't have gone to prison at all.
Swartz killed himself, so the CFAA must be bad, but it's probably realistic to assume that Swartz did not kill himself because he was scared of spending a few months in prison. He was likely seriously mentally ill, and a victim of the poor state of the US healthcare system, not of the CFAA or the DOJ.
Nevertheless, URLs are as public as door knobs. If someone is merely observing that a door is unlocked and they have not stolen anything, they have done nothing wrong. People being prosecuted over discovery and disclosure of horrible design flaws based on URLs should never be prosecuted. If they use the information to actually cause damage, we can be in agreement that they are responsible for the damage.