is still a violation of the CFAA if someone can convince a court that such access was "unauthorized".
That's crazy.
And the prosecutor would probably proceed to call the above command "software". As in "the defendant wrote software..." Makes for a compelling narrative doesn't it? But the truth is, Daniel Stenberg wrote the software and included this feature for a reason. Was that reason to assist users with criminal intent? C'mon.
I can't help but think of all the many sources of exposed email addresses on the internet, whether they are exposed through ambivalence toward users' privacy or simply incompetence (as with AT&T).
Such sources are constantly mined by email marketers. WHOIS data comes to mind. Correct me if I'm wrong, but the information this defendant accessed was nothing more than email addresses. Is that right?
How many businesses on the web fail to adequately protect their customers' email addresses? Many more than just AT&T. And how many businesses sell their customers' email addresses to email marketers? Doesn't AT&T require customers to opt out lest their email address and other personal info be shared with AT&T "marketing partners". I don't know but I wouldn't be surprised.
I have no opinion on the guilt or innocence of this defendant. Maybe he deserves to be prosecuted.
But anyone with half a brain should be disturbed that a CFAA prosecution can proceed on a set of facts such as these. AT&T had to literally create "damage", by racking up a $7000 postage bill. Did the defendant "cause" money to be spent on postage? No, that expense was caused by AT&T's carelessnes in exposing email addresses and their subsequent decision to notify customers of their mistake by postal mail. Whatever happened to mitigation of damages?
I guess there's probably much I don't understand about this case. But reading the brief, the interpretation of the statute sounds incredibly one-sided. With this sort of loose interpretation, how can anyone defend himself against a CFAA prosecution?
If a party wants to claim some access to their computer was "unauthorized", then maybe they need to set up a proper mechanism for authorization. Usually, that's a password. The URL's this defendant accessed, where he found email addresses, were not password protected. Putting confidential information at URL's that you don't think anyone will guess does not seem to me to be a proper system for authorization. Claiming that anyone who stumbles on these URL's is making "unauthorized" access seems a like a weak argument. Apparently it'll do just fine.
is still a violation of the CFAA if someone can convince a court that such access was "unauthorized".
That's crazy.
And the prosecutor would probably proceed to call the above command "software". As in "the defendant wrote software..." Makes for a compelling narrative doesn't it? But the truth is, Daniel Stenberg wrote the software and included this feature for a reason. Was that reason to assist users with criminal intent? C'mon.
I can't help but think of all the many sources of exposed email addresses on the internet, whether they are exposed through ambivalence toward users' privacy or simply incompetence (as with AT&T).
Such sources are constantly mined by email marketers. WHOIS data comes to mind. Correct me if I'm wrong, but the information this defendant accessed was nothing more than email addresses. Is that right?
How many businesses on the web fail to adequately protect their customers' email addresses? Many more than just AT&T. And how many businesses sell their customers' email addresses to email marketers? Doesn't AT&T require customers to opt out lest their email address and other personal info be shared with AT&T "marketing partners". I don't know but I wouldn't be surprised.
I have no opinion on the guilt or innocence of this defendant. Maybe he deserves to be prosecuted.
But anyone with half a brain should be disturbed that a CFAA prosecution can proceed on a set of facts such as these. AT&T had to literally create "damage", by racking up a $7000 postage bill. Did the defendant "cause" money to be spent on postage? No, that expense was caused by AT&T's carelessnes in exposing email addresses and their subsequent decision to notify customers of their mistake by postal mail. Whatever happened to mitigation of damages?
I guess there's probably much I don't understand about this case. But reading the brief, the interpretation of the statute sounds incredibly one-sided. With this sort of loose interpretation, how can anyone defend himself against a CFAA prosecution?
If a party wants to claim some access to their computer was "unauthorized", then maybe they need to set up a proper mechanism for authorization. Usually, that's a password. The URL's this defendant accessed, where he found email addresses, were not password protected. Putting confidential information at URL's that you don't think anyone will guess does not seem to me to be a proper system for authorization. Claiming that anyone who stumbles on these URL's is making "unauthorized" access seems a like a weak argument. Apparently it'll do just fine.