>It should always be perfectly legal to access a remote computer system via a publicly accessible interface. It's up to that remote system to respond appropriately. In this case, it was working exactly as ATT intended.
The law can never be this black and white, it is all about context. Just because you may somehow access something on the web, doesn't mean it is automatically ok to do so.
You're right, the law can't. That's why we should let the final verdict for authorized/unauthorized lie IN THE CODE DEPLOYED BY THE OWNER, not the law (or the owner's retroactive statements).
It's pretty simple, really. This would be a non-issue if you programmed your cyborg to go pick up milk from the store and it started handing out $20s to strangers in the dairy aisle. Obviously that's no fault but your own.
Why is it different for a webserver?
It is massively unfair to expect someone to make assumptions about the intent of a remote system, programmed, configured, and deployed by people they have never met or communicated with, in order to avoid criminal liability.
I'm not sure what the problem is here. It seems like simple common sense to me.
So if a bank accidentally deposits $1bn in your account, that becomes yours? You're looking for a simple answer to a nuanced issue where one just doesn't exist.
That example is not at all the same as what's being discussed. The issue at hand is whether access to a public URL is authorized and who is responsible for determining that authorization.
Actually the analogy is OK, the interpretation is wrong. If you disagree with sneak you're saying the account holder should be prosecuted!
Claiming ownership of the money would be like weev selling the email list to spammers, which he didn't. What he did was reveal the defect - like the account-holder reporting the mis-deposit.
> That's why we should let the final verdict for authorized/unauthorized lie IN THE CODE DEPLOYED BY THE OWNER, not the law
I'm surprised to see this much victim blaming from such a passionate defender of personal liberties.
There is a stark difference between "AT&T deliberately decided to allow public access through this URL" and "AT&T improperly coded the authentication scheme for this URL".
From the outside the end result would be indistinguishable, which is why your binary logic can't be used in general. If we had it your way the only choice a potential victim would be legally allowed to ever make is "as strong a technical control as available (and don't screw it up, otherwise it's your fault)".
The only victims here are the people whose data ATT negligently mishandled, and even those are just civil claims.
ATT's reputational damage was earned, and was the consequence of facts that were disclosed about their terrible customer data handling practices.
There's nothing criminal at all at any point here. Even what ATT did was shitty, and they should probably get sued for being so careless and negligent, but no crimes were committed by anyone at any point along this chain.