October 22, 2017

Intentia vs. Reuters: A (Slightly) Contrarian View

The recent dispute between Intentia and Reuters has gotten lots of online attention, most of it scornful of Intentia’s position. I think Intentia is wrong, but it’s a closer call than most online commentators seem to think.

Here’s the factual background, as far as I can tell: Intentia, a Swedish company, prepared their earnings report, and put that report on its web site, at a “hidden” URL to which there were no links anywhere. A Reuters reporter guessed the URL, accessed the earnings report, and published a story about it, all before Intentia intended for the information to be released. Now Intentia is suing Reuters in Swedish court, charging that Reuters accessed Intentia’s computers illegally and without authorization.

As a non-Swede and non-lawyer, I won’t opine on what Swedish law says about this. Anyway, the more interesting question is what what the law should say about this case. Or to put it another way, how should we draw the line between proper and improper access to a computer system?

Most people seem to feel that what Reuters did was legitimate. That’s my gut feeling too. But it’s not as easy as you might expect to explain why.

One common argument is that because Intentia put the file in a place where it was easily accessed, Intentia should have known that people would access it there, so Reuters cannot be faulted for doing so. This has intuitive appeal, but I don’t think it’s right to argue entirely from technical capabilities. That is, the mere fact that Reuters knew how to access the file cannot be enough to show that the access was proper.

Consider a hypothetical in which Intentia puts the file on its site, protected by a password. Is it proper for Reuters to guess the password and access the file? I don’t think so. I’m not comfortable with a rule that would legalize arbitrary file access via password-guessing.

Now from a technical standpoint, there is little difference between using a secret URL and using a secret password. Both rely on the user typing a secret text string; both send that string across an unencrypted HTTP connection; and both provide the requested file only if the string has been entered correctly. Both provide the same level of security. So if password guessing is improper, then why isn’t URL guessing improper?

The answer, I think, is that using a password sends different signals about Intentia’s intentions than using a URL. If a system challenges you to enter a password, it’s clear that the system’s owner is not authorizing you to continue. But if you just type a URL into a browser and the system supplies you with a file, the owner’s intentions are not clear. If, in fact, the URL was something obvious like “3rd_quarter_earnings.pdf,” then a reasonable person might have concluded that Intentia meant it to be accessed by the public.

Ultimately, this depends on the law recognizing social norms about the Net: that accessible files are by default meant to be accessed; that people use a password if they want to restrict access; and that the lack of a password mechanism is taken to imply that public access is allowed.