The gist of some various laws around the world is that simply obtaining credentials does not authorize you to access the system, and accessing it without authorization is the illegal part.
This principle is clear if you apply a real world analogy. Just because you happen to have keys to a building doesn't mean you can enter without authorization from the owner. (E.g. you may have kept copies after a lease expires or a sale, or maybe you found them, etc.)
Considering it’s an API available without any authorization, the better comparison would be walking around on unfenced private land. There’s nothing to indicate they don’t want people on it, but it’s also obvious it’s private land.
It doesn't matter. It's still just as illegal to get into an unlocked car or one with wide open doors without permission. The same premise applies to computers in a lot of places; access controls don't matter. If you access something on a computer not intended to be accessible, it's considered a crime.
Is it illegal, in fact? If a cop saw you, you'd be arrested and prosecuted for attempted auto theft, and your "I just wanted to see how comfy the driver's seat was" defense would ring hollow in court. But sitting in an unoccupied car without authorization isn't trespassing unless it's parked on the owner's land, and I'm not sure what other laws would apply to that specific act.
Walking around isn't usually a big deal until told to leave (verbally or by way of conspicuously posted signs), since that is a prerequisite to trespassing. Otherwise, delivery people would operate in a gray area which would be very problematic for them, since not all deliveries are requested by the recipient/owner.
However, although you are free to walk around in search of the front door, you can't start eating the fruit off the trees. Perhaps that's the better analogy: the trees are happy to serve up a delicious treat for anyone requesting something of them, but that doesn't mean the tree sets the rules. Just because fences preventing this are popular doesn't make them compulsory.
Defeating access control by using credentials that aren't yours is fraud.
Like, if you found a company badge lying around, went to that office, flashed the badge to the security guard and went in, you'd have committed fraud by tricking the guard into thinking you're authorized to enter when you weren't.
TFA mentioned sending requests with a table number that the sender was not at. That is hardly any different from the idea of showing a badge that wasn't issued to you. The ease of spoofing doesn't matter at all, in the eyes of such laws.
The same could be said about typing any URL that wasn't knowingly supplied to you by the owner, but a "reasonableness test" in court would sort those out from nefarious activity.
Interestingly enough, the very lawsuit-happy nature of a major German party has "backfired" quite a bit recently. A security researcher was found not guilty of circumventing security measures or accessing authorized computer systems or resources without authorization, because there were no security measures or authorization on the API to circumvent.
Though note that this would not help one if one started to use or abuse the API to get free food or cause financial damage to a restaurant through fake orders. For example, ordering the corn soup through the API could really backfire if someone wants to present it as good old fraud or theft, or if the recipient of the unexpected soup got into trouble and started to look for someone to hand the damages to.
People have been convicted of hacking for merely editing URL strings, under the theory that they were knowingly accessing systems in ways that they were not supposed to. This would be similar.
Whether or not that seems reasonable to us is a different matter, but basically it boils down to the fact that "they left the door unlocked" doesn't make it legal to walk in.
If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network
- (a) accesses or secures access to such computer, computer system or computer network or computer resource;
- (b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
[...]
- (e) disrupts or causes disruption of any computer, computer system or computer network;
[...]
- (g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
If any person, dishonestly or fraudulently, does any act referred, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.
====
Though I much prefer the poster of the blog post to the company...
He wasn't prosecuted for logging in and looking around. He overtly did copyleft-type things like finding ways to take copyrighted journal articles and release them into the public domain. Overzealous prosecution for sure, regardless.
> On July 11, 2011, he was indicted by a federal grand jury on charges of wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer.
> On November 17, 2011, Swartz was indicted by a Middlesex County Superior Court grand jury on state charges of breaking and entering with intent, grand larceny, and unauthorized access to a computer network.
> On September 12, 2012, federal prosecutors filed a superseding indictment adding nine more felony counts, increasing Swartz's maximum criminal exposure to 50 years of imprisonment and $1 million in fines.
The only civil copyright proceedings were JSTOR settling with him out of court.
He accessed their computers to access purchase information of other people (e.g. his friend) and business data. I guess making it public, thereby damaging the company's reputation and potentially getting sued by their lawyers, is one way to find out whether he was "unauthorized" to do so.
Pissing off the company whose systems you accessed without authorization is one way of getting to experience the full force of the justice system.