Wasn't it just email addresses that he published? I'm all for protecting personal information, but I find it hard to believe it's a felony for collecting a list of email addresses.
The crime in question was accessing a computer system in an unauthorized fashion to collect e-mail addresses.
Yes, the distinction is relevant. Taking photos of my wife in public and publishing them? Creepy but not illegal. Walking through my door (locked or unlocked, it doesn't matter) to take photos of my wife in my house? You're lucky if you don't get shot.
What good reason do you have to be poking around in my /hiddenstuff directory? If I leave my car door unlocked, do you take it as an invitation to look through my CDs?
Correct analogies help. Stuff on the internet doesn't just "exist", clients receive it by asking servers. So the analogy here would be a guy coming up to your door, asking for a photo of your wife. If you then hand it to him, and continue doing so as he keeps coming back for more photos, how can you claim it was unauthorized? You made the choice, after all!
In your analogy, the only reason it's okay is the presumed consent that arises from my just handing you the pictures, and the fact that you can reasonably infer that I consent because I handed you the pictures.
You can't anthropomorphize the web server like that. You cannot say this guy reasonably inferred that AT&T intended him to have access to these e-mail addresses. It's a dumb piece of equipment--a broken door lock. An unlocked door does not mean you are invited to come in.
There is no lock, not even a broken one. There is a machine (the webserver) that is handing out private data to everyone who asks and then probably even makes a note that he did so. I'm not anthropomorphizing that part, that is how the protocol works. "GET .." ("200 OK" | "403 Forbidden")
Now the server provider is responsible for having not adequately secured the customers' information, and the guy who asked for that information is responsible for what he does with that information. What I won't accept is that you criminalize the mere request for said information and the retrieval of whatever response is returned.
But, in this case - didn't he just spoof a user agent and toss fairly guessable CCID numbers?
Certainly hacking, and given that he doesn't work for, or is associated with AT&T - some type of criminal trespass - but, we're talking community service here, not a felony. Slap the hand, don't cut it off.
I would hope we can all agree that there is a pretty big difference between a pervasive attack where someone spear-phishes a user inside a company, plants a trojan, and uses that to acquire sensitive intellectual property for financial gain, and/or do damage - versus what weev did - trying some pretty obvious numbers on the public website with an iPad user agent.
> Certainly hacking, and given that he doesn't work for, or is associated with AT&T - some type of criminal trespass - but, we're talking community service here, not a felony. Slap the hand, don't cut it off.
I agree, but he's not being charged with felonies for simply poking around. He's being charged with felonies for what he claims he was going to do with the information.
The defense seems to be that he wasn't actually going to do that, but it's the domain of the jury to decide his intentions based on his actions.
When you send packets to an internet-connected device, and that device sends some packets back to you, that is not "trespass". You haven't "gone" anywhere, and you certainly didn't cross any "property lines". Much in the way that the copyright mafia wants to redefine "piracy" from "murder and plunder on the high seas" to "listening to a friend's MP3", numerous other bad people will be thrilled when the public accepts "SYN,SYN-ACK,ACK" as a new meaning of "trespass".