Originally Posted by historiclurker
I've been a longtime lurker on FT and I've been following this AP redemption problem for a while. I'm also a PE at FAANG working in applied security, and I've sat through takedown proceedings before. There are some ridiculously funny takes being presented here with unfounded confidence that I'd like to point out.
Have we worked together on a case before? You sound exactly like someone I have.
Originally Posted by RatherBeInYOW
It is exactly technically correct. Open an incognito browser and do a search for award visibility on ac.com and tell me what you see. This information is made available publicly by Air Canada on the open internet. This is black and white.
If you put data on the internet without requiring authentication then people can come and get it. If Air Canada wants to restrict this information then they can put it behind authentication. There is not some magic solution here, nor have I pretended there is one. This website is not "knowingly and fraudulently present identification to misrepresent who you are, such as stealing someone else's credentials and logging in with them" - it is hitting a public endpoint that AC makes available and collecting the resulting data.
It's evident that there's a significant disconnect in our understanding of the nuances around APIs and data access. Allow me to clarify some critical points:
Firstly, let's address the misconception that API data is equivalent to publicly available information. An API, or Application Programming Interface, facilitates structured interactions with an application's database. These transactions occur through designated queries and culminate in data being returned upon a verified request. This is fundamentally different from data freely available on the internet for public consumption.
Secondly, the assertion that anything on the internet is "public" is an oversimplification that overlooks the intricacies of data access and ownership. While an API endpoint may be accessible online, it is in no way an invitation for unbridled public use. Companies establish these interfaces for specific interactions and have the absolute right to regulate access.
Finally, when a company explicitly blocks access to its servers and communicates that certain activities are unauthorized, persisting in those activities crosses clear ethical, moral, and legal boundaries. Actively circumventing these blocks, especially while publicly acknowledging them, leaves no room for ambiguity: it's unauthorized access.
It's concerning that these points have been either mischaracterized or misunderstood in the discussion thus far. Whether this stems from a lack of understanding or other motives, it's crucial to align the conversation with technical and legal realities.
Last edited by Adam Smith; Oct 20, 2023 at 6:35 am
Reason: Merge consecutive posts by same user
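As an added illustration of the distinction the post above draws between a reachable endpoint and an authorized request (example code written for this page, not Air Canada's or any forum member's), the policy below evaluates reachability, authentication and an explicit block as separate questions and writes an audit record for each decision. The paths, tokens, client addresses and rate threshold are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed policy for an airline-style site (hypothetical paths, not a real API).
# "public" endpoints answer any caller; "account" endpoints require a valid session token.
ENDPOINT_KIND: Dict[str, str] = {
    "/award-search": "public",
    "/account/points": "account",
}
RATE_LIMIT = 3  # constructed threshold: requests per client before an explicit block is issued


@dataclass
class Request:
    path: str
    client_id: str            # e.g. source address or API-key prefix (constructed)
    session_token: Optional[str] = None


@dataclass
class AccessPolicy:
    valid_tokens: Dict[str, str]                 # token -> member id (constructed)
    blocked: Set[str] = field(default_factory=set)
    counts: Dict[str, int] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def decide(self, req: Request) -> str:
        """Return 'allow' or 'deny' and record why. Reachability (is the path
        public?) and authorization (is this caller permitted?) are checked
        separately; an explicit block wins even on a public path."""
        kind = ENDPOINT_KIND.get(req.path)
        if kind is None:
            return self._log(req, "deny", "unknown endpoint")
        if req.client_id in self.blocked:
            return self._log(req, "deny", "client explicitly blocked")
        self.counts[req.client_id] = self.counts.get(req.client_id, 0) + 1
        if self.counts[req.client_id] > RATE_LIMIT:
            self.blocked.add(req.client_id)      # the block is now on record for this client
            return self._log(req, "deny", "rate limit exceeded; client blocked")
        if kind == "account":
            member = self.valid_tokens.get(req.session_token or "")
            if member is None:
                return self._log(req, "deny", "missing or invalid session token")
            return self._log(req, "allow", f"authenticated as {member}")
        return self._log(req, "allow", "public endpoint")

    def _log(self, req: Request, decision: str, reason: str) -> str:
        self.audit.append(f"{decision} {req.client_id} {req.path}: {reason}")
        return decision


def run_demo() -> List[str]:
    """Constructed traffic: one member, and one anonymous caller that keeps polling award search."""
    policy = AccessPolicy(valid_tokens={"tok-123": "member-42"})
    traffic = [Request("/account/points", "10.0.0.5"),
               Request("/account/points", "10.0.0.5", "tok-123")]
    traffic += [Request("/award-search", "10.0.0.9") for _ in range(5)]
    return [policy.decide(r) for r in traffic]
```

The audit list on the policy object is the record a site operator would keep of when a caller was told it is blocked, which is the fact the legal argument in the thread turns on.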