I didn't find the user-agent and responsible disclosure points particularly compelling
I think you may be right from a legal perspective but I find it troubling that the law is so structured. I think it's important that when dealing with a system that's designed to serve some information to the public, but not other information, it's critical that there be no ambiguity about what a given person is allowed to access.
I do not mean to say that all security mechanisms must be effective, else the issue of unauthorized access would be moot, but that no reasonable, technically adept person would think the security mechanism is not a security mechanism. In the case of a website or web service, a number of well-known industry-standard mechanisms exist, and it's reasonable to expect people to use them.
I think you may be right from a legal perspective but I find it troubling that the law is so structured. I think it's important that when dealing with a system that's designed to serve some information to the public, but not other information, it's critical that there be no ambiguity about what a given person is allowed to access.
I do not mean to say that all security mechanisms must be effective, else the issue of unauthorized access would be moot, but that no reasonable, technically adept person would think the security mechanism is not a security mechanism. In the case of a website or web service, a number of well-known industry-standard mechanisms exist, and it's reasonable to expect people to use them.