A reader writes:
The analogy made by your software developer reader is misleading. The vulnerability is not like forgetting to lock your door, allowing someone to rummage around in your house. It’s like having a household policy that anyone who calls you on the phone, and asks for a specific family member’s email address, can have it. You don’t publicize the number, but millions of people have the number in their phones. So Auernheimer’s friend called the number millions of times, guessing at family names, and gave Auernheimer the resulting emails, which he then publicized. If you use a database to look up the emails when someone calls, is the caller illegally “accessing” (much less “hacking”) your database? Should someone who publicized those emails go to jail for several years?
Your reader misses the point about the nature of the data. This was not AT&T’s data; it was the data of their customers. Companies have an extra responsibility when it comes to data of their customers. They should be held liable for losing that data, just as your insurance company will not pay out when you leave your door unlocked. Experience also shows that companies like AT&T would have done shit if Auernheimer had politely pointed out the security leak. Naming and shaming is the only way that works. He provided a public service – for free – and got jailed for it. Meanwhile, AT&T has not been held accountable for its lack of care of its customers’ data. Is that right?
Your reader’s analogy to “locking your house” is ridiculous, as most analogies between digital and physical spheres are.
AT&T didn’t forget to lock the door; they publicly posted the emails in a way that anyone could access them, and that anyone with computer know-how could copy them all. There were no passwords or other security that would prevent someone unauthorized from accessing the email addresses. Nothing was hacked. Weev accessed ill-designed public websites in a way that AT&T didn’t like. Think the opening scenes from The Social Network, only Zuckerberg is going to jail for several years and we never get Facebook.
The ability of the government to turn anything that a website owner doesn’t like into a felony is a problem with the computer crime laws, not a fun feature. Beyond whether what Weev did in this case was right, the government shouldn’t be able to turn accessing public information or any misuse of a website into a crime, as it just opens up a whole can of worms criminalizing ordinary conduct. Giving a site a fake email address? Jumping on another computer so you don’t have to worry about your “read more” limit? All potential felonies under an expansive view of the CFAA. If this is a crime, it’s an example of why we need to reform the CFAA, and so far the government has moved in the opposite direction.
For more on the case and the technical/legal details look at this post by Orin Kerr, a computer crime expert representing him on appeal pro bono. There are lots of other serious issues with the government’s theories, including a fun way of interpreting the law to make every CFAA violation a felony, despite Congress explicitly including a distinction between misdemeanor and felony violations.