But this is assuming that the server has more agency than it does. Servers don't have minds and they don't make authorization decisions. This is more like someone giving you a key to a filing cabinet in order to retrieve some documents and while you're there you snoop on the ones next to yours.
Is this system more trusting of people than it should be? Probably. Does that mean you're allowed to snoop on other people's documents -- nope.
The humans who administer the server have agency. They went and purchased an apparatus for publishing information to the world. They connected it to the world. They pointed it at that information. They turned it on.
A printing press also isn’t sentient and can’t guess whether its operators really mean to share every sentence on the plate. But browsers and readers of printed materials (that are left in public places) have no obligations to the publisher’s state of mind. Why should browsers of digital materials?
> This is more like someone giving you a key to a filing cabinet in order to retrieve some documents
No. It's like someone asking you what you need, you telling them "I want all my documents and the ones from my neighbours because I feel like it", and them proceeding to hand you everything you asked for neatly collected in a folder.
You’re still ascribing agency and authority to a fancy vending machine. The server has absolutely zero authority to grant you authorization to the documents. It can only grant you access. The servers are not representatives of the government or the site-owners, they are just machines. And just because the vending machine is broken and works without you paying doesn’t make it not stealing.
The fact that the server cannot make decisions that were not predetermined is exactly why the responsibility for its behaviour lies with the people running it. They make the rules, they are the ones whose job it is to read the manual. And when someone makes a technically valid request (instead of, say, SQL injection attacks) it's not the user's fault for an incorrect response. They might not even be aware that they're not allowed to do a specific request: it's reasonable to assume IDs in the URL are not sensitive information, as URLs are public and unprotected by default.
Of course it's on the user if they know they're not supposed to have access to some info and they use it to their advantage regardless. If they're a nice person they'll even report the issue (though less likely after news like this).
> just because the vending machine is broken and works without you paying doesn’t make it not stealing
So if it's broken and doesn't work despite me paying, does that make my payment a donation? No.
Though it probably is theft if I knowingly abuse the error for profit.
I feel like I'm taking crazy pills here. We're specifically talking about someone who knew that they weren't supposed to access other businesses' data and did so purposefully for their own gain. How is that not abusing the error for profit?
Like you can say "URLs aren't sensitive by default" up until the guy admits that he knows it's an error and he's accessing the private data he's not supposed to see. That changes the situation completely.
Right. The server is not liable. The people who set up the server to serve application data for every client to any client are.
Just like the IRS admin assistant in the example was, the agent to cause the transfer. The filing cabinet/server is not the agent, simply the repository responding to the system and practices in place.
> But this is assuming that the server has more agency than it does.
No, it merely assumes the server is acting on authority of the organization identified by the domain name. It doesn't assume agency, only representation.
Which also seems nuts. Like they’re servers. How anyone assumes that some Ruby code can be acting as an authoritative representative of the government is silly.
Yes, how could anyone assume that the ATM down the street can be acting as an authoritative representative of your bank when you insert your card? That's just silly.
But that’s exactly right! It’s not. If the machine has a bug and reports the wrong balance or gives you too much or not enough money on withdrawals it’s explicitly not authoritative and you can get it corrected by an actual representative of the bank.
If you give me the key to the files and don’t explicitly forbid me then it certainly does mean I’m “allowed” to look at the documents. You literally and explicitly just allowed me to do so by granting me access.