Re: "The use of Metadata in URIs" and UK law (and deepLinking-25)

On Nov 8, 2006, at 12:30 PM, Henry Story wrote:
> On 8 Nov 2006, at 14:20, Ed Davies wrote:
>
>>
>> Section 2.2 of The use of Metadata in URIs
>>
>>    http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061107.html
>>
>> incites the manipulation of URLs to obtain access to resources
>> which has not been specifically authorized.  In the UK such
>> access would be a contravention of the Computer Misuse Act
>> 1990.  I know it's idiotic, but there's case law to support
>> it.  Google for Daniel Cuthbert for a relevant case.
>
> To me, unauthorised resources should be protected by an access control 
> mechanism, not by the shape of the URL.

You're not alone...

> I suppose case law can be shown to be wrong too.
>
>
>> Questions:
>>
>> 1. Should this TAG finding note this point?

I think we already have...

"Deep Linking" in the World Wide Web
TAG Finding 11 Sep 2003
http://www.w3.org/2001/tag/doc/deeplinking-20030911


>> 2. Can a TAG finding define or change the meaning of a URL,
>>     an HTTP access or other protocol element in such a way
>>     as to change the interpretation of the law in a country?

Possibly; it's hard to say how legal institutions will
treat TAG findings, but in developing the 2003 finding
cited above, I think the TAG's discussion may have had
some impact on public policy.

>> 3. Should a TAG finding define...?
>>
>> This is all rather silly but if the TAG can word this document
>> in a way that makes it clear that not only is it true that:
>>
>>> Still, the ability to explore the Web informally and experimentally 
>>> is very valuable, and Web users act on such guesses about URIs all 
>>> the time.
>>
>> but also that it is an implicit part of running a web server
>> to accept that such experimentation is legitimate then they'd
>> be doing all of us a favour.

There's a grey line between experimentation and abuse,
as noted in the deep linking finding...

"Unethical parties could, of course, attempt to circumvent such 
policies, for example by programming software to transmit false values 
in various request fields, or by stealing passwords, or any number of 
other nefarious practices. Such a situation has clearly passed from the 
domain of technology to that of policy. Public policy may need to be 
developed as to the seriousness of such attempts to subvert the system, 
the nature of proof required to establish a transgression, the 
appropriate penalties for transgressors, and so on."


-- 
Dan Connolly, W3C http://www.w3.org/People/Connolly/

Received on Wednesday, 8 November 2006 19:55:06 UTC