http://webbrowsingisnotacrime.org/unsecured_directory_of_images/
June 14, 2011 5:24 PM

What are the legalities (in the United States) of browsing the contents of an "open folder" on a public website?

Would it be considered computer "intrusion" if one–out of sheer curiosity–had a URL of an image or html page on someone's website, and deleted the last part of it in order to try and see the contents of the folder it is stored in?

For example, you right-click on an image in your browser, copy its source URL into the browser's location bar, then change "http://example.com/images/sexysex.jpg" to "http://example.com/images", and then press "Return"?

If the web server was configured so that it displays a listing of all the files in that directory, and you happen to satisfy your curiosity by clicking on these files--or even downloading them to your computer--is this considered a crime in the US? Are there any other legalities or issues associated with doing something like this?

I'm having a debate amongst several colleagues of mine, some of whom feel that this is an act of "hacking" or illegal computer intrusion, and that by downloading or clicking on any such links, you are effectively "stealing" that content from the website owner.

My feeling is that the technical nature of how the web works precludes the mere act of visiting a publicly viewable URL from being a crime in any way.

Who's right here?
posted by DocSharpie to Computers & Internet (24 answers total) 2 users marked this as a favorite
 
If the web server was configured so that it displays a listing of all the files in that directory, and you happen to satisfy your curiosity by clicking on these files--or even downloading them to your computer--is this considered a crime in the US?

No.
posted by jayder at 5:38 PM on June 14, 2011


If it's browsable from the web, it's fair game. Their web server is making it visible. It's no more "hacking" than picking up a dollar someone dropped on the sidewalk.
posted by sonic meat machine at 5:41 PM on June 14, 2011


Best answer: I have no ethical concerns about viewing publicly available content. I have content in a folder on a site that I don't care if someone sees it, but I don't put it on a page. I change the page as needed; if you view old info, meh.

My host prohibits directory traversals. A good host will generally do this.

It's not ethically okay to do more than view or save. If you stand on the sidewalk, and look at something, that's okay. The Web is a huge sidewalk.

So many people configure servers badly, or weirdly, that you'll find interesting stuff sometimes. Google, Bing and the other searchers go far and wide. Good search skills are useful.
posted by theora55 at 5:45 PM on June 14, 2011 [2 favorites]


On the flip side, using the images that you find in this fashion would clearly violate copyright.
posted by clone boulevard at 5:46 PM on June 14, 2011


If there is a terms of use policy posted on the web site, things can get murkier. The ToS might prevent you from doing that.
posted by about_time at 5:57 PM on June 14, 2011


Response by poster: theora55: If you stand on the sidewalk, and look at something, that's okay. The Web is a huge sidewalk.

This is a good analogy.

However, do you think it also applies when a site's content management system is allowing an otherwise indirectly linked folder to be browsed in the same fashion? Such as the case when the actual path to the page's assets is used as a clearly visible HTTP GET parameter, such as:


http://example.com/siteimages?imgpath=/images/notverywellhiddenfolder&imagename=sexysex.jpg&size=1024x768

posted by DocSharpie at 6:06 PM on June 14, 2011


This is so far from hacking it's laughable. Hacking requires, e.g., exploiting an error in code in order to gain access to something which one is normally prohibited from accessing. Your example does not involve exploiting an error in code. It involves browsing a filesystem in the way filesystems were meant to be browsed: access restrictions aside, most filesystems default to allow read access to any user for most files/directories.

Knowing this does not make one a hacker; it makes you knowledgeable about a very basic feature of computing technology.
posted by matlock expressway at 6:08 PM on June 14, 2011 [2 favorites]


Best answer: Your new example makes things muddier: in accessing something like that (which you might reasonably presume was intended to obscure access to the rest of a directory), you seem to be exploiting someone's ignorance. I still doubt I'd call that hacking, though, since it's an exploit of a different sort.
posted by matlock expressway at 6:12 PM on June 14, 2011


Is it still trespassing if you come in my unlocked front door without permission?

The sad reality is that cops and courts will often side with the company doing the accusing, regardless of how easy the hack was. Unauthorized access is unauthorized access as far as they see it, and their ignorance could be 'your' loss.
posted by nomisxid at 6:17 PM on June 14, 2011


Ethically: no problem. Maybe. Would you want someone to exploit a loophole like this to view content that you thought was private?

Legally: that could technically fall under this law, depending on the site. And there may be state laws that are more broad, that may encompass ALL computer systems.

Hacking: There is no fundamental difference between an easy hack and a difficult hack. If you are attempting to access something that hasn't been explicitly published, you are hacking.
posted by gjc at 6:19 PM on June 14, 2011 [1 favorite]


Thanks, Doc. If the CMS is properly designed, you should not be able to browse the folder holding the images. Search engines are all over the web, indexing content. You may find my dumb picture because you googled for an image, not because you tweaked your search. It's not quite the same as entering an unlocked house.

If it's your web site, don't put content out there that you don't want someone to see. I'm kind of paranoid about my personal content. This is why.
posted by theora55 at 6:37 PM on June 14, 2011


Depending on what you find and what you do with it, this could possibly be a violation of the federal computer fraud and abuse act.
posted by J. Wilson at 7:18 PM on June 14, 2011


Response by poster: Depending on what you find and what you do with it, this could possibly be a violation of the federal computer fraud and abuse act.

I realize that, but my question was more related to the mere act of browsing or traversing unsecured directories (either by accident, or intentionally, out of curiosity), and not what you do with any of the content you find within it, as that would be a fairly clear cut thing legally speaking, if you distribute said content without the website owner's permission.
posted by DocSharpie at 8:19 PM on June 14, 2011


Best answer: If you are attempting to access something that hasn't been explicitly published, you are hacking.

Files in an openly accessible folder have been explicitly published: the webserver hosting them has been explicitly instructed to make those files available when you hit that folder's url. If it's sitting in a directory with the Indexes option set, it's published, as far as the webserver is concerned; viewing it isn't in any way a hack or an exploit, it's just using the webserver to do what it's designed to do.

To stretch the sidewalk analogy, looking at a file discovered via the not-actually-obfuscated GET path from your second example is still equivalent to picking up something from a sidewalk, just a slightly more out-of-the-way sidewalk instead of a main thoroughfare.
posted by ook at 8:57 PM on June 14, 2011 [3 favorites]


In support of ook's answer, most people are really misunderstanding how the internet works here. This is a very cut and dry issue. Every single file on a server has access permissions that are explicitly set, as ook noted.

People are assuming that a link sets access permissions when in fact the file itself has access permissions attached. It is an explicit act of allowing accessibility to publish a file to the web with permissions set to allow anyone to access it. (See chmod, for more info). The link is only a pointer, an indicator of where that publicly accessible file is.

Therefore, an accessible file, regardless of what it takes to access that file, is not like an "unlocked door" -- it's more like a location on a public roadway (ahh information superhighway analogies - how I miss the 90s). Providing a link to that file is analogous to providing directions to that location. Just because you don't have directions doesn't mean it's impossible to get there.

If I build a house on a public lot and accidentally forget to make walls, doors, or a roof, I can't very well get mad that people are walking through my house, even though I haven't provided them with directions.
posted by lesli212 at 10:00 PM on June 14, 2011 [2 favorites]
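
The two server-side facts raised in the answers above (ook's Indexes option and lesli212's per-file permissions), turned into a check a site owner can run over their own document root. This is an added example and not part of the thread; `audit_webroot`, `build_sample_tree`, the index file names and the sample tree are all assumptions made for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumption: the server's DirectoryIndex names; match them to the real config.
INDEX_NAMES = ("index.html", "index.htm", "index.php")


def audit_webroot(root, index_names=INDEX_NAMES):
    """Return (listable_dirs, world_readable_files), paths relative to root.

    Assumes the web server reads files through the "other" permission bits and
    has directory indexing enabled, so a directory without an index file gets
    an auto-generated listing.
    """
    root = Path(root)
    listable, readable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        mode = here.stat().st_mode
        if not mode & stat.S_IXOTH:
            dirnames[:] = []  # "other" cannot enter: skip this whole subtree
            continue
        has_index = any(name in filenames for name in index_names)
        if mode & stat.S_IROTH and not has_index:
            listable.append(here.relative_to(root).as_posix())
        for name in filenames:
            st = (here / name).lstat()
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                readable.append((here / name).relative_to(root).as_posix())
    return sorted(listable), sorted(readable)


def build_sample_tree(base):
    """Constructed sample document root: (relative path, mode, is_dir)."""
    layout = [
        ("htdocs", 0o755, True),
        ("htdocs/index.html", 0o644, False),
        ("htdocs/images", 0o755, True),             # no index file: would be listed
        ("htdocs/images/a.jpg", 0o644, False),      # linked from the home page
        ("htdocs/images/draft.jpg", 0o600, False),  # owner-only: not served
        ("htdocs/private", 0o700, True),            # "other" cannot enter
        ("htdocs/private/notes.txt", 0o644, False),
    ]
    for rel, mode, is_dir in layout:
        path = Path(base) / rel
        if is_dir:
            path.mkdir()
        else:
            path.write_bytes(b"sample")
        os.chmod(path, mode)
    return Path(base) / "htdocs"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dirs, files = audit_webroot(build_sample_tree(tmp))
        print("auto-listed directories:", dirs)
        print("readable without a link:", files)
```

Anything the audit reports that the owner did not mean to publish is fixed on the server side, by tightening the file mode or turning directory indexing off for that tree.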


This type of hacking -- URL hacking, basically -- got some people rejected by a few colleges when it happened at a third-party vendor's site in 2005.

My feeling is that the technical nature of how the web works precludes the mere act of visiting a publicly viewable URL from being a crime in any way.

Well, I don't think AskMe gets to decide what is and isn't a crime. I think most geeks would laugh at the idea, but try to explain that you accessed a hidden area of a website to a jury.
posted by dhartung at 11:03 PM on June 14, 2011


Accessing information that's online rather than on someone's hard drive may still qualify as accessing a protected computer under the CFAA. The fact that you had to URL hack to get there means that you likely did so without or in excess of authorization. You've already said you're doing this with intent. And if by doing so you obtain any information or anything of value... that's probably illegal.

I really think it's more likely than not a CFAA violation, if the things set forth above happen.

This doesn't speak to the question of whether "ethically" this is "hacking." But you can't figure out whether behavior is lawful based on the instincts of computer-savvy people on MeFi. And when, as here, there's a statute on point, arguments by analogy to things like theft and trespassing aren't helpful.

People who write laws aren't always familiar with the technical nature of how the web works, by the way. So even if a law doesn't make sense in that regard, well, tough.
posted by J. Wilson at 4:53 AM on June 15, 2011


In support of ook's answer, most people are really misunderstanding how the internet works here. This is a very cut and dry issue. Every single file on a server has access permissions that are explicitly set, as ook noted.

People are assuming that a link sets access permissions when in fact the file itself has access permissions attached. It is an explicit act of allowing accessibility to publish a file to the web with permissions set to allow anyone to access it. (See chmod, for more info). The link is only a pointer, an indicator of where that publicly accessible file is.

Therefore, an accessible file, regardless of what it takes to access that file, is not like an "unlocked door" -- it's more like a location on a public roadway (ahh information superhighway analogies - how I miss the 90s). Providing a link to that file is analogous to providing directions to that location. Just because you don't have directions doesn't mean it's impossible to get there.

If I build a house on a public lot and accidentally forget to make walls, doors, or a roof, I can't very well get mad that people are walking through my house, even though I haven't provided them with directions.

Well, you can't build a house on a public lot because it isn't yours. Assuming it is your lot, those people are still trespassing.

Your analogy still bases itself on the "is an unlocked door an invitation to trespass" concept, with the addition of the false assumption that if the owner has installed a lock on the door and then hasn't locked it, that it MUST have been on purpose, and the further false assumption that the purpose is to let ME in. Ethical arguments cannot be based on presuming the other person hasn't made a mistake. "Why, that wallet on the ground MUST be there for me, because nobody would leave it there otherwise."

All of these rationalizations are just that- rationalizations and the ability to convince oneself that relative ease = permission, and the "well, that's what they get for not preventing me from acting" mindset. Which might be a good guiding principle for the owner of the website, but it isn't true from the perspective of the person doing the act.

Storing a file on a computer is not giving permission to access it. The only explicit permission a user of a website has is entering a published URL or clicking on a link published somewhere on the site. The only ethical assumption is: if they wanted me to look at this, they would have published a link to it. THAT is how the web works.
posted by gjc at 6:56 AM on June 15, 2011 [1 favorite]


I think dhartung's answer is right on. To some extent, the law is what the courts say it is. On the one hand, you are simply traversing the webserver's directory tree in exactly the manner it was designed to be used, as matlock expressway points out. But if anybody ever made an issue of this and it somehow wound up in court, you'd need to convince the jury of that.

Analogies with streets and doors are problematic because it's not always clear what the best analogy is, and analogies can obscure real differences. If I leave my front door wide open and you poke your head inside, have you committed a crime? I feel that's an appropriate analogy to browsing unsecured directories, but even that's not quite right. I have intentionally set up an unsecured directory on my site where I toss up random files. There's nothing in there that I don't want anyone to see. This doesn't fit neatly with any street-and-door analogy—unless perhaps it makes me an exhibitionist?

So some people leave directories open by accident (relying on security through not-very-obscurity), and get upset when people make reasonable guesses about their directory structure. Other people leave directories open on purpose. When you browse a website, how are you supposed to know which kind of person the site operator is? I think this might be a basis for a defense if it ever went to court, but IANAL.
posted by adamrice at 7:58 AM on June 15, 2011


if they wanted me to look at this, they would have published a link to it.

Well, if it comes to that, an indexed open folder is a collection of published links to its contents; it's an HTML page containing links to files. The HTML is generated by the webserver rather than by a CMS or static page, but that's the only difference.

For that matter the act of associating a file with an open URL, which requires no authorization to access, could itself arguably be considered permission to access that file. You keep referring to "published URLs" as a standard, as though there were some big registry somewhere for them to be published in; if you mean that it should be a crime to visit any page unless there's a link to it elsewhere on the site, then accessing (for example) a site's robots.txt, favicon, many RSS feeds, .htaccess, etc., are de facto criminal acts. Heck, just visiting a site for the first time is a potentially criminal act, since you can't be certain there are links to the page you're looking at unless you've already looked at the site to see if there are links!

Storing a file on a computer is not giving permission to access it. The only explicit permission a user of a website has is entering a published URL or clicking on a link published somewhere on the site.

"Storing a file on a computer" is not the same thing as "placing a file in publicly accessible web space, associating it with a URL, and making it available for download without requiring authentication or authorization of any kind."


All that said, I tend to agree that the laws are poorly written enough* and the public understanding of this stuff vague enough that in any real case it'd likely come down to whoever has the most expensive lawyers. What else is new, right?

* The CFAA's definition of unauthorized access is near tautological:
the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
...so does "with authorization" mean with some sort of authentication, e.g. a password or other token? Or are we supposed to guess at the site owner's intent as to whether we're 'authorized' to download a particular file?

posted by ook at 8:07 AM on June 15, 2011 [1 favorite]


Permissions, when it comes to computer files, are rather explicit. If there are public view permissions set, then yes you have permission to view them and there is nothing wrong about viewing them. This isn't an unlocked door on a private residence. This is going to the front desk of a library and asking for a book, the librarian checks to see if you have permission to look at the book, if so they give it to you. If you fail to tell the librarian who to give the book to and who not to, that is not the librarian or the user's fault. You chose to put it in the library and did not restrict access to it.

Now, if you misrepresent your identity to make the librarian think you are someone who does have access when you don't have access then you are doing something wrong.
posted by MrBobaFett at 8:08 AM on June 15, 2011


or even downloading them to your computer--is this considered a crime in the US?

Are we talking about child porn or bomb-making instructions?

Because if so, then yes, I believe this is enough to get you in trouble, and the server log of you viewing/downloading those images (the log looks the same either way) may very well be enough probable cause to justify any number of future invasions of your own privacy, searches of your home and computer, and lord knows what else in these days of slippery danger.
posted by rokusan at 11:10 AM on June 15, 2011


With the last paragraph of my original answer, I was trying to help people who are stuck in the "doors and windows" mindset out, but those who pointed out that it's not a good analogy are correct. I probably should have just left it out entirely. The internet isn't a house or a superhighway (or tubes), the internet is itself.

That said, many here are still very, very incorrect:

For instance, I never said that "relative ease = permission". What I in fact said was PERMISSION = PERMISSION. The file ITSELF has permissions. A link is NOT PERMISSION; a link is an indicator, or a direction.

It's also correct that storing a file on a computer is not giving permission. But that's not how the internet works, either. Any file stored on a SERVER (which is a computer that is set to serve files to visitors), has a set of permissions attached to it. If those permissions are such that anyone can view the file, then the file is public. It is, literally speaking, a fact that the person who set up the server is giving permission for anyone to view the file. Whether they have provided directions to the file in the form of a link is completely irrelevant.
posted by lesli212 at 5:32 AM on June 17, 2011


lesli212 is exactly correct. The act of placing a file in a directory being served on the web is permission to view it.
posted by sonic meat machine at 8:02 PM on July 2, 2011

