It's entirely up to the owner of an S3 bucket as to who they serve their static assets to. If the policies are so lenient that anyone can request the resources, then that is a configuration error—not unauthorized access.
Or, to extend the metaphor I made earlier, just because I left the door unlocked, it doesn't mean I meant to invite anyone in. And if they tricked my housekeeper into inviting them in by falsely claiming I authorized them to come to pick up my broken laptop, they'd have no invitation defense, either. (Maybe they wouldn't be guilty of burglary, but certainly larceny.)
Unauthorized access can occur whether the bucket is public or not. The law does not require that sufficient measures (or any measures, really) be taken to protect the assets in question. We can disagree as to whether it should, but that's not how it's written today.
Before making comparative arguments here, it's a good idea to think about whether a judge would laugh at you or not. :-)
> Unauthorized access can occur whether the bucket is public or not. The law does not require that sufficient measures (or any measures, really) be taken to protect the assets in question. We can disagree as to whether it should, but that's not how it's written today.
Citation needed. Probably more than one. Web scraping is most certainly legal. Everything involved in the ridiculous "breaking and entering an unlocked residential door" is done a billion times a day by web scrapers as a matter of course. The act of doing GET / wraps up finding a home, evaluating its entrances, knocking, opening the door, and taking photos of the entryway. In 50ms.
I do agree with your last line. Definitely think about whether a judge would laugh at you or not...
It's a useful metaphor that gets people convicted. You might not like it or agree with it, but that's the way it is.
> Web scraping is most certainly legal. Everything involved in the ridiculous "breaking and entering an unlocked residential door" is done a billion times a day by web scrapers as a matter of course
Unfortunately you, like others, are ignoring the crucial element of consent. Web scraping is done lawfully only with the consent of the website scraped. When scraping is done non-consensually -- even if the website is public -- it can be considered trespass to chattels and might even constitute a CFAA violation. I know this because my company scraped eBay without their consent in the late 1990s/early 2000s and was shut down by a lawsuit. See, e.g., eBay v. Bidder's Edge, 100 F. Supp. 2d 1058 (N.D. Cal. 2000) (not my specific employer at the time, but in the same business).
Ignore robots.txt at your peril, and treat the absence of one as a lack of consent. That's what Google and other search engines do.
So there's no intentional act by the owner either way. In the physical world, no crime would be committed. It seems this is further reinforced by the fact that AWS documentation repeatedly states that buckets can be accessed publicly or secured depending on the settings. Kind of like the government (in most states) saying people can walk through your property unless you take steps to prevent it.
Yes, judges will laugh at a defendant bringing this up, but will eat up whatever comparisons a prosecutor makes.