Why does it have to be either/or? Why can't both people be responsible? Why can't AT&T be civilly liable for leaving a gaping hole on their application, and whoever abused that information be criminally liable?
Incidentally, every time you blame AT&T for what happened, you tacitly acknowledge that wrongdoing actually occurred, which harms your argument that the data was "published".
(In the interest of combating the fundamental attribution error: I'm not happy with Aurnheimer receiving a custodial sentence for what was pretty obviously just another dumb prank. We probably agree that the sentencing component of CFAA is absurdly constructed.)
There were neither "people's credit card numbers" nor "publishing" in this instance. It seems like you're being intentionally confusing.
We're talking about a list of email addresses (which I don't think should be protected data in any way, they're just email addresses) and a journalist running a blacked-out screenshot of a dozen of them.
I think you know I'm not being intentionally confusing; that's not who I am. I'm responding to part of your comment. I'm not writing a brief against Auernheimer. The way you know that is, my comments have repeatedly agreed with yours that his sentence is unjust.
I'm responding to the zero-sum nature of your comment above, about how the company harboring the vulnerability should be the one penalized for security incidents. And all I'm saying is, there's no reason why we can't penalize both: companies, when they're negligent, and people who exploit that negligence.
Also: we both know there's more to the story with Auernheimer than simply sending material to journalists.
Once again, we probably agree that Auernheumer doesn't belong in prison over this particular incident. He was overcharged and oversentenced. But I find the exact philosophy that drives you to that conclusion challenging, which is why I called it out.
> Also: we both know there's more to the story with Auernheimer than simply sending material to journalists.
Uhh, excuse me? They discussed what could have been done maliciously with the data, and then DIDN'T DO ANY OF THOSE THINGS. I honestly don't know what else you're alluding to.
To answer your main point:
I figured it out yesterday. I believe that sending packets over the internet, of any kind, with any content, is protected speech.
We're allowed to say what we want. It's the responsibility of a listener to determine how they respond.
This is how the world works, and it should be how the internet works, too.
Incidentally, every time you blame AT&T for what happened, you tacitly acknowledge that wrongdoing actually occurred, which harms your argument that the data was "published".
(In the interest of combating the fundamental attribution error: I'm not happy with Aurnheimer receiving a custodial sentence for what was pretty obviously just another dumb prank. We probably agree that the sentencing component of CFAA is absurdly constructed.)