Re: "The use of Metadata in URIs" and UK law

Hash: SHA1

Ed Davies writes:

> Section 2.2 of The use of Metadata in URIs
> incites the manipulation of URLs to obtain access to resources
> which has not been specifically authorized.  In the UK such
> access would be a contravention of the Computer Misuse Act
> 1990.  I know it's idiotic, but there's case law to support
> it.  Google for Daniel Cuthbert for a relevant case.

This is misleading.  It seems likely Cuthbert was the victim of a
miscarriage of justice [I at least am still waiting to see the
transcript of the actual judgement, rather than 3rd-hand summaries by
journalists], as a result of bad law, but his actions appear to have
gone somewhat beyond anything suggested or encouraged by the draft
finding, in that it's alleged that he constructed a URI with more '..'
stages than there were steps in the published URI he started from.

> Questions:
> 1. Should this TAG finding note this point?

Perhaps, but only if we have hard facts beyond press reports about the
actual judgement.

> 2. Can a TAG finding define or change the meaning of a URL,
>     an HTTP access or other protocol element in such a way
>     as to change the interpretation of the law in a country?

Certainly not (but IANAL).
>> Still, the ability to explore the Web informally and experimentally
>> is very valuable, and Web users act on such guesses about URIs all
>> the time.
> but also that it is an implicit part of running a web server
> to accept that such experimentation is legitimate then they'd
> be doing all of us a favour.

If I'm wrong and that's all Cuthbert did, then we should indeed say
more, but see above about establishing the facts before jumping in.

- -- 
 Henry S. Thompson, HCRC Language Technology Group, University of Edinburgh
                     Half-time member of W3C Team
    2 Buccleuch Place, Edinburgh EH8 9LW, SCOTLAND -- (44) 131 650-4440
            Fax: (44) 131 650-4587, e-mail:
[mail really from me _always_ has this .sig -- mail without it is forged spam]
Version: GnuPG v1.2.6 (GNU/Linux)


Received on Thursday, 9 November 2006 11:30:41 UTC