Re: "The use of Metadata in URIs" and UK law

Henry Story wrote:
> To me, unauthorised resources should be protected by Access control
> mechanism, not by the shape of the url.

To me too, but apparently not to the lawyers in this case.

The key question is, in my view, what the meaning of a GET request
is.  Is it "give me a representation of this resource which I assert
I am authorized to access" or is it "please give me a representation
of this resource if you think that the user name, password, referer,
or whatever, of this request entitles me to it"?

I think most people who have much understanding of the web would
choose the second interpretation.  Unfortunately, RFC 2616 section
9.3, GET, does not make this explicit and actually seems to
indicate that the request is only conditional on other aspects.

> I suppose case law can be shown to be wrong too.

I hope so.

Henry S. Thompson wrote:
> This is misleading.  It seems likely Cuthbert was the victim of a
> miscarriage of justice [I at least am still waiting to see the
> transcript of the actual judgement, rather than 3rd-hand summaries by
> journalists], as a result of bad law, but his actions appear to have
> gone somewhat beyond anything suggested or encouraged by the draft
> finding, in that it's alleged that he constructed a URI with more '..'
> stages than there were steps in the published URI he started from.

Indeed, the two examples are not quite the same but I think
the idea is that any use of a computer which has not been
authorized is illegal (I'm talking about in the UK, of course),
which presumably would include accessing Boston's weather when
the advert only described how to get to Chicago's.

I wrote:
>> 1. Should this TAG finding note this point?

Henry S. Thompson replied:
> Perhaps, but only if we have hard facts beyond press reports about the
> actual judgement.

This particular case is only an illustration so we need not get
too involved in the details.

As an aside, however, what's not clear to me is whether or
not Cuthbert actually accessed a directory three levels up from
the given URI, or whether it was the server logs of his failed
attempt which caused the visit from the plod.  I.e., is
accessing an unauthorized resource required, or just the attempt
to do so?  These sorts of details of British law are somewhat
beside the point, though.

I asked:
>> 2. Can a TAG finding define or change the meaning of a URL,
>>     an HTTP access or other protocol element in such a way
>>     as to change the interpretation of the law in a country?

Henry S. Thompson replied:
> Certainly not (but IANAL).

I'm not so sure.  After all, the GET request only has any meaning
beyond being a sequence of voltage levels traveling down the wire
because of various standards published by the IETF, W3C, ITU, etc.
It's only in the light of that meaning that there's any case at
all.

I asked:
>>> 1. Should this TAG finding note this point?

Dan Connolly replied:
> I think we already have...
> 
> "Deep Linking" in the World Wide Web
> TAG Finding 11 Sep 2003
> http://www.w3.org/2001/tag/doc/deeplinking-20030911

Good reference.  Thanks.  However, while that finding says that
attempts to circumvent access control policies pass from the
domain of technology to that of public policy, it does not say
anything about manipulation of URIs in ways which are not meant
to circumvent access control policies.  This is what I am
suggesting could be usefully included in the Metadata finding.

Of course, there's the not too simple question as to what URI
manipulations would fall into which class.

Ed Davies.

Received on Friday, 10 November 2006 19:39:02 UTC
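The position taken at the top of this message, that access to a resource should be decided by an access-control check rather than by the shape of the URL the client typed, as an added illustration. This is an editor's sketch, not code from anyone in the thread or from any server involved in the case: the resource tree, the ACL, the requester names and the weather strings are all constructed, and the dot-segment handling follows RFC 3986 section 5.2.4, under which surplus '..' segments above the root are simply discarded.

```python
"""Added example (not from the original thread): a minimal GET dispatcher
that decides access from the ACL on the *normalised* resource, so the number
of '..' steps in the request path has no bearing on what is returned.

Everything below (resources, ACL, users) is constructed for illustration.
"""
from typing import Dict, Optional, Set, Tuple


def remove_dot_segments(path: str) -> str:
    """Collapse '.' and '..' segments as RFC 3986 section 5.2.4 prescribes.

    A '..' with nothing left to pop is dropped, so the result can never name
    anything above the root of the resource tree.  Trailing slashes are not
    preserved in this simplified version.
    """
    output = []
    for segment in path.split("/"):
        if segment == "..":
            if output:
                output.pop()
        elif segment not in ("", "."):
            output.append(segment)
    return "/" + "/".join(output)


# Constructed resource tree: normalised path -> (representation, privilege needed).
RESOURCES: Dict[str, Tuple[str, str]] = {
    "/weather/chicago": ("Chicago: 3C, overcast", "public"),
    "/weather/boston": ("Boston: 7C, rain", "public"),
    "/admin/logs": ("server log excerpt", "staff"),
}

# Constructed access-control list: requester (None = anonymous) -> privileges held.
ACL: Dict[Optional[str], Set[str]] = {
    None: {"public"},
    "alice": {"public", "staff"},
}


def handle_get(raw_path: str, user: Optional[str]) -> Tuple[int, str]:
    """Return an (HTTP status, body) pair for a GET on raw_path by user.

    The only inputs to the decision are the normalised path and the ACL;
    the server, not the client's choice of URL, asserts who may see what.
    """
    path = remove_dot_segments(raw_path)
    if path not in RESOURCES:
        return 404, "Not Found"
    body, needed = RESOURCES[path]
    if needed not in ACL.get(user, set()):
        # 403 rather than 404: the resource exists, this requester may not see it.
        return 403, "Forbidden"
    return 200, body


if __name__ == "__main__":
    for raw, who in [
        ("/weather/chicago", None),               # the advertised URL
        ("/weather/chicago/../boston", None),     # a sibling reached by editing the URL
        ("/weather/../../../admin/logs", None),   # more '..' than there are levels
        ("/weather/../../../admin/logs", "alice"),
    ]:
        print(f"{who or 'anonymous':>9} GET {raw:32} -> {handle_get(raw, who)}")
```

Boston is served to the anonymous requester because the ACL marks it public, not because the edited URL happened to resolve; the log excerpt is refused to the same requester for the opposite reason, and the extra '..' steps change nothing either way once the path is normalised.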