Mother, May I?, 2008-01-23
Story continued from Page 5
So, is doing a zone transfer the same as, for example, issuing a "ping" command or a "whois" lookup? Are you entitled to "look around" at any computer and computer network and see whatever it is you can see?
Let's try more real-world analogies.
Walking around a house, and noting things like your street number, house color, or other "publicly observable" facts is not trespass, provided I don't enter the property. Walking to the front door and ringing the doorbell is probably OK too.
But what if I jiggle the doorknob on the front, back, and side doors, and then check all the first floor windows to see if they are locked? What about looking through a window? If you didn't configure the window to prevent me from peering in, then you must have "authorized" me to look in your house, and therefore whatever I see is "public," no? What about climbing on a ladder and looking in a window? Merely being able to do these things does not mean that I am permitted or "authorized" to do them. And even if I am authorized to do them for some purposes, I may overstep my authorization by trying to do them for other purposes.
Say you go to a lengthy, but publicly accessible link, or uniform resource locator (URL), and are greeted with a 404 error message. You truncate the URL and are taken to a root file directory, which gives you access to files, folders or a directory structure which the owner may not have intended to make available, but by configuration (or lack thereof) made accessible to anyone who typed the correct URL. Is your access "unauthorized?"
In the real world, say you go to a movie theater and notice next to the ticket line that there is an open side door which you can enter and watch the movie for free. You suspect that the movie theater operator is unaware of the open door, but then again, maybe -- just maybe, they left it open for you to see the movie for free. How do we settle any ambiguity in the issue of "authorization?"
Ultimately the question is, what are you authorized to do on someone else's machine without their express permission? Certainly there are "public" and "private" areas of their website or even parts of their domain exposed to the Internet. Merely being "exposed" to the Internet does not make the site "public" or even "publicly accessible." And the mere fact that a configuration (or misconfiguration) "exposed" the information does not make the access "authorized."
One commentator on Slashdot has noted that:
What the judge has done is, effectively, to say that each person who asks a public server for information that it is explicitly designed to provide to all and sundry needs to get specific permission for that content from that publisher. This is completely at odds with how the Internet works. The Internet is designed in such a way that servers provide content to anyone who asks, unless the owner has configured the server not to do so.
Sierra could easily have prevented zone transfers from their name servers if they so chose. If they did not do so, then the presumption is that they intended to allow it. There are many very good reasons why a service provider would want their zone to be transferable, and by configuring their nameservers in that way, they were, in effect, doing the same thing as someone leaving a stack of maps out in public, for all to take at their leisure.
Again, is failing to prevent something the same as authorizing it?
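As an added illustration (not from the article or the Slashdot comment), here is the BIND named.conf setting the commenter has in mind: the first zone leaves transfers open to anyone, the second restricts them to a named secondary authenticated with a TSIG key. The zone name, addresses and key secret are placeholders.

```conf
// Added example: weak versus restricted zone-transfer policy in BIND 9.
// "example.com", 192.0.2.10 and the key secret are placeholder values.

// Weak: no allow-transfer clause at all. BIND's default permits AXFR
// to any client, so the whole zone can be fetched by anyone who asks.
zone "open.example.com" {
    type master;
    file "db.open.example.com";
};

// Restricted: transfers are refused globally, then re-enabled only for
// the secondary's address and only when the request carries a valid TSIG
// signature, so a client on another address, or without the key, gets
// REFUSED rather than a copy of the zone.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME=";
};

options {
    allow-transfer { none; };   // deny by default for every zone
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { key "xfer-key"; };  // only TSIG-signed requests
    also-notify { 192.0.2.10; };         // the authorized secondary
};
```

The default-deny in `options` is the part worth checking on an existing server: a zone with no `allow-transfer` of its own inherits it, whereas without that line each zone silently inherits the permissive default.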
