Orin Kerr has announced that he is taking on a CFAA case pro-bono. The case seems to have all sorts of procedural and substantive defects on which I am not qualified to comment, but there is one substantive issue about which I know enough to have an opinion: Do Andrew Auernheimer’s actions constitute “unauthorized access”. Orin Kerr says no. But I think that when you understand the way the Web works, you will have reason to doubt Orin’s conclusion. I will try to explain the technological reasons that make me doubt Orin’s conclusion.
For a longer summary of the facts, go read the blog post’s first few paragraphs. I tend to trust what Orin Kerr says, so I will just operate under the assumption that he is right. But let me summarize just the part that interests us.
There were a number of web pages which one could access using addresses that must have looked something like this: http://example.com/<some_id> or like this http://example.com/page?id=<some_id>. These are called URLs (Universal Resource Locator) and if you have found my blog, you’ve probably seen thousands of things like these. Orin’s client wanted to compile a list of the information provided on each of these pages (email addressees here) so he wrote a program which tried lots and lots of values for <some_id> and visited the web pages. Orin’s argument is simple: whatever information you get when you visit such a page is on the “public internet”. Surely, visiting a publicly-accessible web page cannot be “unauthorized access” or “exceeding authorized access”. That sounds reasonable, but let’s pop the hood and find out what happens when you visit such a web page.
The first thing that happens is that your computer analyzes the URL to find something called the domain name. Here, it is “example.com”. It then uses a directory (the Domain Name System or DNS) to find an Internet Protocol Address. (IP Address or just IP for short) The IP address is like a phone number which allows your computer to call somebody else’s computer over the Internet. (Here, it was a web server run by AT&T) Once that call has been placed and a connection between the two computers has been established, the two computers need to speak a common language. Here, they will speak a language called the HyperText Transfer Protocol or HTTP. (Yes, when you see http:// somewhere, that’s what it refers to: the language the two computers will speak to each other.) Now, your computer will send a message which will ask for the web page and in return, the web server will send the web page which your computer will draw on your screen. Let’s look at what the message sent to the web server will look like assuming <some_id> is 1234567890:
GET /1234567890 HTTP/1.1
Now, you might feel that this is not much of an argument and it’s not. But now, let me show you something else. This is the sort of message your computer will send to Facebook or a variety of other similar sites when they want to get the information in your account such as your private emails.
GET /my_secret_account_info HTTP/1.1
Some variant of that is also the way you send your password when you log on. Now, look at the two things above. I just don’t see how the difference between the two messages should make the difference between lawful authorized access and unlawful unauthorized access. I just don’t think Orin Kerr’s “on the public internet” argument can make much sense.