That first sentence doesn't make sense. If a merchant screws up and manages to post a flat ASCII text file of credit card accounts with CVV numbers on a URL in a directory with an Apache index enabled, your argument says "well, sucks for the merchant and all their customers".
There are clearly cases where the mere fact that someone has left something somehow exposed to a web browser does not connote authorization to access it. Those are the cases where a reasonable person, seeing what the data is after stumbling across it, would understand the exposure to have been a mistake, and not an authorization.
I think the parent comment's first sentence makes sense -- simply accessing that information shouldn't be a crime. But if you then make a copy and either use or distribute that information illegally, that's something different.
To be clear, that's exactly what Weev did -- accessing AND keeping a copy for himself. But I think the parent comment's argument is talking specifically about access.
Creating a precedent where a "reasonable person" is expected to "understand" that the exposure was a mistake would create a huge legal gray area. Anything that's available on the public internet should be perfectly legal to access. What people do with that content is a different matter.
The law is full of judgements based on the actions of a "reasonable person". And, I agree with your first paragraph, but then, so does the CFAA; CFAA doesn't define a strict-liability crime.
If a merchant screws up and manages to post a flat ASCII text file of credit card accounts with CVV numbers on a URL in a directory with an Apache index enabled, your argument says "well, sucks for the merchant and all their customers".
Since that would be a clear and basic PCI violation, yeah, it sucks for the merchant and their customers. Why have PCI compliance at all if the merchant can just throw up their hands and blame it on "hackers?"
No, because then the collateral damage is everyone misidentified as a "hacker" because prosecutors don't know the difference between criminal actions and not because the internet is confusing to everyone who hasn't spent the last two decades staring at the underbelly. Also, prosecutors default to "criminal" because their job is to deal with criminals all day (cf. aaronsw).
It's unreasonable for us to expect the legislature to get this right. Nothing here is criminal.
The criminal justice system deals with fraud in more complicated settings than computer hacking. For instance, it convicted ADM executives for price-fixing lysine. I don't recall anyone being up in arms at the time about how the prosecutors didn't fully understand the lysine industry.
True when you say that there can be data left out in public by mistake without public access authorization. However, it is not the responsibility of the accessing entity to keep this data private.
An analogy is if your bank left your money easily accessible on a table in front of the bank without security. We are used to the idea of ownership, but this issue is a matter of blame. Here AT&T is the one to blame for the lack of security, not someone who saw that AT&T lacks security.
Back to the bank analogy, it is not the public's duty to guard your money for the bank. Nor should someone else be jailed for money literally left outside on the table.
This is, literally, an argument that if you stumble across a text file full of credit card numbers, expiration dates, and CVV codes, it should be lawful for you to put it up on Pastebin.
What law would cover that, some implied duty to help protect something that could be intended to be kept secret? I'm pretty sure that duty doesn't exist.
"This is, literally, an argument that if you stumble across a text file full of credit card numbers, expiration dates, and CVV codes, it should be lawful for you to put it up on Pastebin."
Which, when carders are caught on forums doing the above, they are charged with wire fraud.
I agree with you completely that I don't think Weev's acts were wire fraud.
My impression is that the Pastebin'ed CC# example does not provide the charge, but evidence that helps prosecute the fraud through which they were acquired.
I'll walk back calling it a "textbook example" (because I suppose ultimately it's probably up to the quality of the lawyers involved), but the part of 18 USC 1343 that I think would be argued by the prosecution in the "pastebin cc numbers example" is:
"...or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice..."
I think the government would have a relatively easy time arguing that posting people's credit card information (specifically all the data necessary to make use of that person's funds) is a scheme for "obtaining money or property by means of false or fraudulent pretenses".
The defendant's attorney might argue that just posting the information isn't itself a scheme (in the same way that, say, listing the home addresses of members of rival ethnic groups over the radio in Rwanda isn't an incitement to violence), but if I were that defendant, I wouldn't be sleeping easy.
We already have laws to prosecute people who misuse credit card numbers for gain. Either attack the edge (people who use the cc nums for fraud) or the root (the people who posted them on the public web).
Yeah, but I was trying to show that the true problem was AT&T's negligence and not Weev pointing it out to the people. Probably not the most perfect analogy, but analogies have limits of expression.
There are clearly cases where the mere fact that someone has left something somehow exposed to a web browser does not connote authorization to access it. Those are the cases where a reasonable person, seeing what the data is after stumbling across it, would understand the exposure to have been a mistake, and not an authorization.