
  You: Can you provide me with Angela Smith's email address?
  Librarian: Sure, here you go.
Later,

  Librarian's manager: You weren't supposed to give out that information!
  Librarian: Oops. I had the wrong access rules.
  Librarian's manager: Let's call the cops on that guy. 
    It's his fault that you gave him the information he wasn't
    supposed to have.


As is often the case, and is often ignored, the key is intent.

There is a difference between:

    You: Can you give me the email address of user 50?
    Librarian: Sure, here you go

    Librarian: Oh balls, I wasn't supposed to hand that over, that could have been anyone!
And

    You: Can you give me the email address of user 50?
    Librarian: Sure, here you go
    You: Hmm

    You-irc: Hey guise! The librarian is giving out everyone's email addresses, this is totally breaking privacy laws right?
    You-irc: lols, I'm going to get all of them! This could be used for a massive phishing operation
    You-irc: or even make their stock price drop, we could short it

    You: Hey librarian, can you give me the email address of user 51?
    Librarian: Sure, here you go
    You: Hey librarian, can you give me the email address of user 52?
    Librarian: Sure, here you go
    You: Hey librarian, can you give me the email address of user 53?
    Librarian: Sure, here you go
    ...
    You: Hey librarian, can you give me the email address of user 1023821?
    Librarian: Sure, here you go

He didn't grab one or two, then send the information to AT&T to get them to fix it. He deliberately collected a significant amount of data he knew was personal information and gave it to someone else. That alone would be enough. If he just wanted to verify that the attack worked, get the code of someone else who gives you permission, show that they can be easily generated and you're done. You don't need more than a few to prove the point.

The service was clearly not intended to be a directory of email addresses for people to use. It was clearly there to return the email address to the user of the iPad with that ICC-ID code (which, unlike my example, aren't obviously guessable).

I'm not going to say anything about the sentence, but I do think he was guilty.
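The "librarian" pattern above, in code, as an added example that is not part of any comment in this thread and not AT&T's actual service: a lookup that treats a client-supplied identifier as its only access rule, beside the hardened form that binds the identifier to the authenticated device, plus a simple log check that separates one device asking for its own record from a client walking the whole ID space. The names `icc_id`, `session`, `DIRECTORY` and the log line format are assumptions; the directory and log lines are constructed sample data with sequential IDs purely so the enumeration is visible (the comment notes real ICC-IDs are not obviously guessable).

```python
"""Added example (not from the thread or from AT&T): weak vs. hardened
lookup of an email address by device identifier, and a detector for
enumeration in access logs. All names and data below are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed sample directory; sequential IDs only to make enumeration obvious.
DIRECTORY: Dict[str, str] = {
    "50": "user50@example.com",
    "51": "user51@example.com",
    "52": "user52@example.com",
    "53": "user53@example.com",
}


def lookup_email_weak(icc_id: str) -> Optional[str]:
    """Weak form: the only 'access rule' is that the caller supplied an ID.

    Anyone who can guess or enumerate identifiers gets the whole directory."""
    return DIRECTORY.get(icc_id)


def lookup_email_hardened(session: dict, icc_id: str) -> Optional[str]:
    """Hardened form: the ID in the request is never treated as proof of
    ownership. The server already knows which device this authenticated
    session belongs to (session["icc_id"], an assumed field) and only
    answers for that device. A mismatch is denied without revealing whether
    the requested ID exists."""
    if session.get("icc_id") != icc_id:
        return None
    return DIRECTORY.get(icc_id)


def enumerate_weak(start: int, stop: int) -> Dict[str, str]:
    """What the 'user 51, user 52, ...' scraper does against the weak
    endpoint: walk an ID range and keep every hit."""
    found: Dict[str, str] = {}
    for n in range(start, stop + 1):
        email = lookup_email_weak(str(n))
        if email is not None:
            found[str(n)] = email
    return found


def flag_enumerators(log_lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Return clients that asked for more than `threshold` distinct IDs.

    log_lines use a constructed '<client_ip> <icc_id>' format. A single
    device legitimately repeats requests for its own ID; a scraper touches
    many distinct IDs, which is the signal an operator should alert on."""
    seen = defaultdict(set)
    for line in log_lines:
        client_ip, icc_id = line.split()
        seen[client_ip].add(icc_id)
    return sorted(ip for ip, ids in seen.items() if len(ids) > threshold)


# Constructed access log: one device fetching its own record twice, and one
# client walking consecutive identifiers.
SAMPLE_LOG = [
    "198.51.100.7 50",
    "198.51.100.7 50",
    "203.0.113.9 50",
    "203.0.113.9 51",
    "203.0.113.9 52",
    "203.0.113.9 53",
    "203.0.113.9 54",
]

if __name__ == "__main__":
    print("weak endpoint, enumerated:", enumerate_weak(49, 54))
    print("hardened, own record:", lookup_email_hardened({"icc_id": "50"}, "50"))
    print("hardened, someone else's:", lookup_email_hardened({"icc_id": "50"}, "51"))
    print("enumerating clients:", flag_enumerators(SAMPLE_LOG))
```

The point of the hardened function is that the access decision uses something the client cannot choose (the identity the server already attached to the session), so guessing identifiers buys nothing; the detector is the operational complement for the case where such a check was missed.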


This is the issue I have with all of this. Everybody is defending HOW he did what he did with no thought as to WHAT he actually did - as if it shouldn't matter.

He knew what he was doing was illegal and didn't care, he got caught and tried to justify his actions by blaming AT&T for having a faultily configured server.

Not good enough for me and the jury agreed.


How he did it absolutely does matter. He did not know what he was doing was illegal because that is the expected interaction with an HTTP server. He certainly knew it was immoral but we give Wall Street a pass on that.

Suppose I write a scraper with user agent "I am a teapot" and I discover AT&T emits personal data when I access with that user agent. What is the arbitrary cutoff for number of things downloaded before I am a criminal?

There are in fact actual criminal charges that can be brought for identity theft; we don't need the US courts to be more aggressive with the CFAA by considering thoughtcrime in their deliberations.


Later, when I crack your bank password,

    Me: Can you provide me with all of guelo's money?
    Bank: Sure, here you go.
Also, when I approach your house,

    Me: I have these lock picks. Will you let me in?
    Lock: Sure thing, boss!


Well in a private by default world, browsing the internet just became one hell of a lot scarier. Any page you visit could become a felony.


Not so, because as others in this thread have stated, the key is intent.


Judging intent doesn't really work at scale. That's why we invented access controls.


Access controls are in place, but they aren't absolute. That is why intent is key in this case, and why he was found guilty.


Ah wonderful, so now I have to worry about how my intentions might be perceived by the government when visiting a publicly accessible web page.

But the company leaking consumer information to the public without any proper security at all is not punished.


Yes. If you accidentally stumble upon something you shouldn't and don't exploit it or sell it to someone when you know you clearly shouldn't, you will be fine. It is pretty straightforward.

Everyone here keeps purposefully ignoring intent, but in the context of the law this is impossible. So no matter how much you hate it, this isn't something that can be a binary yes/no illegal/legal question based on some computer response to your query.


He didn't exploit it or sell it and he's fucked. We're ignoring intent because a crime has yet to be committed. Intent doesn't matter without a crime. If intent is the only dividing line, you are in favor of thoughtcrime.


Well...his crime actually was that he intentionally accessed data he knew he should not have been accessing. That is a crime. Thus he was found guilty. I'm not sure why this is so hard to reconcile or is being purposefully ignored just because this crime is one of many that involves a computer.


Please show me the section of US legal code regarding intentional access of data one knows one should not be accessing; without mentioning trespass, which he did not do, and without mentioning causing a computer to act in a manner the owner does not desire, which he also did not do.


Sorry no legal code offhand, but you can surely break the law without trespassing and "causing a computer to act in a manner the owner does not desire". This shouldn't be hard to comprehend.

The law involves intent. They proved he intended to act in bad faith while gathering that data and he was rightfully found guilty.


The law requires intent and a crime. If you cannot tell me which specific crime, your argument is invalid.

Why you are having a hard time understanding that "we put him in jail because we don't like what he did" is wrong I have no idea. You must be a troll disagreeing on purpose.


His crime was obtaining information he knew he shouldn't have been accessing. He didn't get put in jail because someone didn't like what he did, he got put in jail because he broke the law.


That's not a crime, which is why I asked you to point out the appropriate legal code. You are now considered a troll. Have a nice day.


Actually it is. He was found guilty.


Oh, I see the problem now; you have no conception of how the law works and no inclination to learn it.


And we peer into the mind of a third party how?


There's a fairly large body of law that hinges on the intent of the individual.

http://en.wikipedia.org/wiki/Intention_(criminal_law)


> Later, when I crack your bank password,
>
>     Me: Can you provide me with all of guelo's money?
>     Bank: Sure, here you go.

For me this is rather a good argument against using home banking (which I indeed don't use for security reasons - and as a computer scientist I'm surely not technologically backward).

UPDATE: if money is lying around on the street you are not allowed to keep it (the same as I should not be allowed to keep the "money lying around in the internet"), but you can claim the legitimate finder's reward.





> UPDATE: if money is lying around on the street you are not allowed to keep it (the same as I should not be allowed to keep the "money lying around in the internet"), but you can claim the legitimate finder's reward.

It's actually a bit more complicated than that. Property (chattels) can be lost, mislaid, or abandoned. The distinction between lost and mislaid is that you mislay something when you intentionally put it somewhere but forget to retrieve it. That doesn't really apply to currency in the street -- it's unlikely that someone would intentionally leave money in the street.

So we are dealing with lost property. At common law the rule was that the finder of a chattel in a public place had a superior title to anyone except the true owner, and that if such a possessor knew or could reasonably ascertain the owner's identity he had a duty to notify the owner. A breach of that duty could result in either tort or criminal liability or both. In the case of fungible currency in the street, I'd say there's a good argument that it is not reasonable to ascertain the true owner.

However this common law rule has been modified in most jurisdictions by statute. Illinois has a typical such statute:

(765 ILCS 1020/27-8)

Sec. 27. If any person or persons find any lost goods, money, bank notes, or other choses in action, of any description whatever, such person or persons shall inform the owner thereof, if known, and shall make restitution of the same, without any compensation whatever, except such compensation as shall be voluntarily given on the part of the owner. If the owner is unknown and if such property found is of the value of $100 or upwards, the finder or finders shall, within 5 days after such finding file in the circuit court of the county, an affidavit of the description thereof, the time and place when and where the same was found, that no alteration has been made in the appearance thereof since the finding of the same, that the owner thereof is unknown to the affiant and that the affiant has not secreted, withheld or disposed of any part thereof. The court shall enter an order stating the value of the property found as near as the court can ascertain. A certified copy of such order and the affidavit of the finder shall, within 10 days after the order was entered, be transmitted to the county clerk to be recorded in his estray book, and filed in the office of the county clerk. ...

Sec. 28. In all cases where such lost goods, money, bank notes or other choses in action shall not exceed the sum of $100 in value and the owner thereof is unknown, the finder shall advertise the same at the court house, and if the owner does not claim such money, goods, bank notes or other choses in action within 6 months from the time of such advertisement, the ownership of such property shall vest in the finder and the court shall enter an order to that effect.

If the value thereof exceeds the sum of $100, the county clerk, within 20 days after receiving the certified copy of the court's order shall cause a notice thereof to be published for 3 weeks successively in some public newspaper printed in this county and if the owner of such goods, money, bank notes, or other choses in action does not claim the same and pay the finder's charges and expenses within one year after the advertisement thereof as aforesaid, the ownership of such property shall vest in the finder and the court shall enter an order to that effect.


My bank won't give you any money with just a password. You also have to claim to be me. That's the illegal bit.

My lock isn't authorised to give permission to anyone. Lock picks are forcing it, not requesting it.



