
It definitely has a good chance at being illegal. So does your grandmother clicking a link in the email if she has any hint of an idea that she's not supposed to click that link (e.g. if the email said "you are not permitted to access this link" it suddenly could be illegal to intentionally visit it).

It's called the "Computer Fraud and Abuse Act"[0].

The exact portion is: "Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer" is guilty of a criminal offence.

This user of Gmail obviously surmised this was debug information he was not meant to see. As soon as he clicked that debug link or the detail link, he was intentionally accessing information without authorized access. He knew he was not supposed to access that information and he did so anyways.

The CFAA has been used before for things not too far off from this. 3Taps[1] was found guilty of CFAA abuse when it scraped Craigslist after its IPs were banned.

Weev[2] was prosecuted under the CFAA for accessing unprotected AT&T customer data that was hidden behind a url with an incrementing integer ID (no password, no username, just a Perl script to increment a url parameter in a GET request).

This is a fairly well documented law that has been used a number of times and it's almost certain that the author is guilty under it, as written. It's one hell of a broad law.

[0]: https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

[1]: https://en.wikipedia.org/wiki/Craigslist_Inc._v._3Taps_Inc.

[2]: https://www.eff.org/deeplinks/2013/07/weevs-case-flawed-begi...



That there is no legal definition of "authorized access" is the problem with the CFAA. One could argue that if the website is sending the data to your computer, you're authorized to access it, and that's the end of it. That'd definitely be the most favorable interpretation for the tech community. Unfortunately, in many cases, extrapolations like those you've invoked are used instead: "He knew he wasn't supposed to have it", "we told him to go away", etc.


Looks like the user was accessing his own browser on his own computer, so he probably had authorization to do that, and it's unlikely that his own computer was 'protected' against him obtaining information from it.

Would you say that everyone who has ever clicked 'view source' is a criminal? (despite the fact that the source was sent to them in plain-text with the knowledge that a 'view-source' function is available to them)


Weev was also accessing AT&T's servers from his own computer using his own software.

This user was accessing Google's debug servers and debug information. Did you read up on the Weev case? It's not that dissimilar. It seems like you're being intentionally obtuse in saying "his computer was not protected from him", well, no, Google's debug servers and information were meant to be.

If someone accesses the source code of a website while knowing that the website author intends them to not access it, then yes, they're potentially exceeding their authorized access and breaking the law under the CFAA.

I don't think the law is good or makes sense, but explaining why it's dumb logically to me doesn't help. You're preaching to the choir. I know it's dumb and doesn't make sense. This law was created by people who do not understand technology or the internet except by analogies to it being "kinda like a supermarket" or such.

I gave suitable evidence that this is quite possibly illegal because of a dumb law. You've told me that it's dumb for this to be illegal (yes it is dumb) as if that means it can't be illegal. That's not a rebuttal to the links and statements I provided and, without a meaningful counter argument that isn't you intentionally being obtuse about what I said, you aren't furthering this discussion.


Perhaps I missed something. I don't see anything about the user accessing Google's protected debug servers that require authorization. I see 'mail.google.com' then 'about:blank' in the url bar, which indicates that he's accessing a public server and then probably accessing data already on his machine. Data that they chose to send to him and present to him within his browser with controls that were displayed to him to allow him to access it because they decided he was authorized to see it.

I don't know much about Weev's case except that it sounds like it was information that AT&T had decided that the public was authorized to access without any authentication or protection. They screwed up. I agree that a lot of legal people are tech-illiterate, and they screw up, too. Which may be why they eventually bailed on a venue technicality rather than address the actual case.

But your point was: "Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer" (which doesn't really sound that dumb on its own)

My point is that you're authorized to access your own computer and it isn't protected from you, so that would not apply (unless the legals involved couldn't figure it out). Is clicking the 'About' button in the help menu of an application and accessing the version number a crime? Seeing the Gmail debug info in chrome is just that with more detail. Try putting "chrome://about" in your Chrome url bar. Ooh, there's data. Lots of debug data. Are you a criminal now? No, it's your system and you're authorized to use it. And the makers of Chrome chose to give you access to that data. Just for fun, try chrome://quit/


In this case there is no action at all on the user's part.

> As soon as he clicked that debug link or the detail link, he was intentionally accessing information without authorized access

No, he was not; he was accessing information because he did not know what it was (not explicit enough) and had been authorized to do it by Gmail. In both cases you are quoting, there is work done on the user's part to access the information; in this case there is not.


That was work. For example, he clicked the skull and crossbones icon after already knowing it was likely to give debug information. After seeing that it did, he looked at more information.

The initial load had no intent, but all exploration afterwards probably did. He stated himself that he thought it was debug information. If he only realized that Google did not intend him to have that information after he finished screenshotting everything, maybe he's in the clear for intent.

Again, this is similar to Weev. Weev found a url which AT&T gave him that had a number in it. He knew AT&T didn't intend him to change the number (just like this author knew Google didn't intend him to see the links), but he changed the number anyways (and this user clicked the links anyways).

I don't see the fundamental difference here.



