
What if someone makes a typo entering their SSN in the form that leads to this page, are they also a hacker? By your definition, they would be.

If your data is on the internet and not secured, it is being scraped by robots constantly for a start, some of which might iterate counters, so some responsibility lies with those who maintain the website. There isn't a clear line like the threshold of a dwelling we can point to, because it's not always clear which urls are authorised for a user and which are not. Ultimately you're not going to stop the curious, and bots, from scraping the web, so if there are no access controls on your payroll you can expect data to leak, even if you come down hard on every single person you find accessing it without authorisation.

I think the emphasis here should be on intent, as shown by the data taken, and what was done with it, not on trying public urls. If someone shows intent to steal information by changing urls, then downloads the info, then uses it for identity theft or sells it on, that's clearly a crime, and unless they have mitigating circumstances, perhaps it deserves a fine or a very short jail sentence for serious cases. I do think the sentences today are excessive for this sort of activity.

If they simply access a URL as you propose above, I don't think you can show intent. Even if they access several urls, was their intent to explore, or to steal information, or did they just follow a bad set of links or make a mistake with their web crawler?



You've missed the point. Making a typo and accessing the page once with the wrong SSN using the submit buttons on the web page provided has absolutely no intent.

Using an automated script bypassing the webform to cycle through as many as possible clearly shows intent to access something you're not supposed to.

People don't just access urls at random, they will never type a url with query strings into the browser.

They click links or submit forms.

Someone pen testing a website will be deliberately circumventing those methods.

It's like running wireshark on a public unsecured network, there's likely no good reason for you to be doing it and you know what you're doing if you're running that tool.

That's intent.

Note: I'm personally very pleased that they're fighting this. Just wanted to clarify what they mean by intent.


"It's like running wireshark on a public unsecured network, there's likely no good reason for you to be doing it and you know what you're doing if you're running that tool."

I for one don't really see what the issue with that is.

If you plug into an internet gloryhole whose infrastructure you don't control or trust, well, that's on you.


Running wireshark only shows packets that are delivered to your network interfaces. If people didn't want you to have that data, why did they route it directly into your computer's network port?


Using tcpdump after setting your wireless card into promiscuous mode will store all packets going over the air nearby. So, wireshark can easily be used to view the contents of traffic that was not routed to your machine.


People set up radios and broadcast data completely indiscriminately? I would argue that is like yelling a conversation and then being shocked that people might overhear you. (Also it only gets certain packets depending on what network you're joined to, what channel you're listening on, etc.)


I agree about the yelling part. But, to clarify, you don't have to join a network, and you can always scan channels. Although chances are that most people around (e.g., at a coffee shop or airport) are broadcasting on a specific channel.


I agree intent is important.

I disagree visiting a link, or links, is enough to give you intent, it's just not enough information, is too similar to normal web activity and would mean the potential criminalisation of all sorts of innocent activity.


The prosecution is required to prove intent, beyond a reasonable doubt, to a jury. It's not something you get mechanically.


What kind of intent do they have to prove? That he intended to use this method to see if he could access the information, or that he intended to gather the information for other purposes?


They have to prove the criminal intent behind the CFAA. They have to prove that you knew you shouldn't have access to the data; that you in effect deliberately lied to the computer. They have to make their case on both mens rea and actus reus.

Not every criminal statute works that way (there are "strict liability crimes", like statutory rape), but most do.



