Do you really buy this line of argument? How many banking applications configure themselves so that they rely on the intended meanings of HTTP verbs and authorization headers as their primary overt security mechanism? And of those, how many do so correctly?
I get why Bratus would testify. The defendant here needs all the help he can get and is morally entitled to the best case he can possibly present. I respect and admire everyone who is trying to help him out. But presuming he's not guilty of a real conspiracy to defraud anyone, I have a hard time believing it's because AT&T's web application vulnerability entitled the public to their database.
I think it's reasonable for them to argue that AT&T's server's willingness to give them the e-mail addresses means that obtaining the addresses was not illegal, and that despite mulling over the darker possibilities available to them, by choosing not to put the e-mail addresses to illegal use they committed no crime. They could argue that they should not be convicted of conspiracy because they ultimately decided not to abuse the list of addresses.
I would like it to be harder than it seems to be to prove conspiracy to commit fraud.
I don't think I'd like it to be harder than it seems to be to prove unauthorized access.
I know that's the opposite of what most nerds like me want, but I think we're well served by a very broad definition of unauthorized access, and we're poorly served by vague conspiracy laws in more places than just online.
Note that under the US Code, you need both elements. Just plain unauthorized access isn't a federal crime; you need an intent to defraud.
I do agree with you regarding conspiracy, but you are right that I would in principle prefer to have every Internet-facing system as robustly secured as if it had been independently reviewed by you, cpercival, and the people who wrote the space shuttle's software. A small part of the reason I want this is so that absolutely anybody can confidently write and deploy scraping software that collects and analyzes information in new ways (e.g. IBM Watson, better search engines, or some other as yet undiscovered idea).
The CFAA does not in practice prevent search engines from scraping pages. In order to be charged under the CFAA, you must willfully access specific information on a website in furtherance of a fraudulent scheme, which in turn means you must be making specific representations as to your identity or actions that a website could reasonably rely on in order to trick that website into doing something it wouldn't have done otherwise. In CFAA cases, the prosecution must prove not only unauthorized access (which is easy) but also fraud (which is not as easy).
I do. If there is any crime here (I don't think there is even one, FYI) it's AT&T not taking adequate measures to safeguard their customers' PII.
I don't think trafficking in any information should be a crime, though (unless it's the government - an asymmetry is necessary there), so I don't think a criminal trial is in any way justified.