AT&T put this information on a public interface and relied on obscurity of serial integers to protect it, then cried foul when someone crawled their unprotected data and claimed felony unauthorized access to a computer system because they didn't explicitly authorize him to download the contents of those publicly-accessible pages.
If I discovered that someone hadn't locked a filing cabinet, and then I rifled through it, found a whole bunch of names and social security numbers, recorded all of them, and then went to talk to a news organization with this list without ever notifying the people whose filing cabinet I'd gone through, do you think that would be OK?
Because that's pretty much the equivalent of what happened here. You say "AT&T put this information on a public interface and relied on obscurity of serial numbers to protect it"; this phrasing puts the blame on AT&T. Yes, they should not have done that. But that's about equivalent to forgetting to lock a file cabinet; it's a mistake that someone made. Weev then took advantage of that mistake to violate the privacy of thousands of people, providing their personal information to a news organization.
Now, I don't necessarily think that they should have been convicted of everything they were convicted of. Unless there are facts that I haven't seen, they haven't come anywhere close to committing identity theft. But you do have to admit that Weev did not exactly handle this responsibly, and did invade people's privacy.
The metaphor doesn't really hold up; it's rather like you went to the administrative desk of AT&T 1000 times, asked the person behind the desk "Can I please have document 001?" and they simply handed it over without questions each of the 1000 times. That employee should have stopped handing over documents, but it didn't.
In my opinion the crime isn't in requesting or obtaining that information, it's in the way that he handled that information afterwards.
If he would have used it with the pure intention of showing that the system is insecure, he would have been right and nobody would have been able to blame him of improper conduct.
Instead he sold/handed over that information to Gawker, which is where he went wrong in my opinion, because he took another organisation's information and decided to put that information on the market against their will or consent.
Bingo. I think it was a dick move to go running to Gawker with it, rather than practicing responsible disclosure. But even then, I'm having a hard time with the idea of criminal charges for that; he didn't steal this data, AT&T happily handed it to him. He basically ran around saying "Haha, what a moron the guy at the administrative desk is, I just kept asking him for files and he just kept on handing them to me". And while that's distasteful, is it criminal?
Honestly, to me, it feels like he's being run down because someone got embarrassed, and he's being railroaded with archaic laws that can be applied in vague and nebulous ways to make just about anyone a criminal if it's useful.
No, that analogy suggests that there was someone actively paying attention, who should have noticed something awry, but was instead granting permission without thinking. In this case, they just left an unsecured program running; it was a passive mistake. Just like leaving a door unlocked and someone comes in and goes through your papers. The door being unlocked does not mean that someone gave permission for you to go through it.
> In my opinion the crime isn't in requesting or obtaining that information, it's in the way that he handled that information afterwards.
I think that the fact that he requested a hundred thousand records probably didn't work in his favor. If he had requested just a dozen or so, to confirm that the problem existed, it would have been one thing; once he hit thousands, it makes you wonder if he had ulterior motives. Past the first dozen or so, there was nothing left to prove about the security flaw.
> Instead he sold/handed over that information to Gawker, which is where he went wrong in my opinion, because he took another organisation's information and decided to put that information on the market against their will or consent.
Yes, this was the biggest mistake. And I don't remember the source, but I recall that someone mentioned that he had considered selling the information as well, before deciding to just give it to Gawker.
Of course, in some ways I don't blame him for not going to AT&T first; there have been researchers who have discovered flaws, and disclosed them to the company, only to have the company accuse them of criminal acts for having even tested for the flaw in the first place. That kind of behavior creates a catch-22, and a very chilling effect on security research.
You forgot to mention that this filing cabinet was not only unlocked but left unattended, near the road, day and night for months. Yes it had AT&T logo on it and opening and looking inside might be impolite. But a crime? Hardly.
Crime is leaving such a file cabinet in such manner, especially if it contains private data of your clients.
It does not matter on what AT&T relied. As long as it was clear that this information is not intended to be public and he was doing something the system was not intended to do and circumventing access controls, however easy it was - and anybody with half a brain would know it was not intended to be public and he is circumventing access controls - the only right thing to do was to notify the admins, delete all the data and stay away. Bruteforcing the access and keeping the massive amount of data could not lead to any other outcome but him being considered a criminal.
This is old, but some people seem to misunderstand it still. If your neighbor has a weak lock, telling him about it is OK. Picking the lock, coming in and going through his private things, while keeping some copies of his bank statements, credit card numbers, etc. - is not OK and has a high chance of landing you in jail. And no, "he had a sucky lock" is not a good defense. You knew it wasn't your property and it wasn't a public place.
If he had to write a script to take the addresses and bruteforce the IDs, there was a lock. A weak one, but still a lock. If there were just a public page that lists all the emails and IDs, the case would be different. I can see no legitimate reason to download a massive list of names - if you wanted to show a vulnerability, one or two emails would be enough. If he stopped when he found a hundred emails or found an algorithm that can generate an ID and guess an email and published that - this would be very different. Even if he created a demo script that would find emails but would not record them (or record sha1 hashes of them - so it can be proven they were true ones but not possible to actually use it for any malicious purpose) - it would still be different.
URLs are not a lock. They are a mechanism for locating a resource. AT&T made no attempt to obscure the resource location, or to mathematically hide the location of a given resource like the rest of the sane world does. Publishing something on a predictable interface and then saying "oopsie, that's private, you're a felon for looking at it" is insane.
You again ignore the facts. He didn't just "look" at it. He wrote a script - a purposeful action - to generate specific sets of IDs based on his guesses about geographic distribution, etc. and used it to download more than 100K email addresses. You here sound like spammers saying "what you want from me, I just sent an email, now it's a crime?". That stopped working long ago. There's a difference between looking at one page and writing a tools that scans through millions of IDs (most of which would be rejected by the access controls) to bruteforce the protection and download 100K of emails. I don't believe anybody can be genuinely so obtuse as not to understand the difference between the two.
You are ignoring or ignorant of the other facts of the case and his other actions. Looking solely at the technical side ignores realities. Furthermore gaining access to sensitive data does not install you with special rights for that data.
Should this not be a crime?