[dragontamer]

They were marked "deleted".

Which means the privacy question is a bit ambiguous. They were public at one point, but at the time they were leaked out, they had a deleted flag and clearly were meant to be private.

IANAL, but I'd expect it to be illegal to grab data marked "deleted". If you were a few hours earlier and archived them before they were deleted, that probably would be legal.

[gknoy]

If I walk up to someone's house and say, "Hey can I have a copy of the seventh book in the third drawer of your nightstand" (e.g. `/api/books/03/07`), and you say "Sure here you go", it seems like it should be hard to argue that you have any expectation of privacy (for things that you are giving out freely) -- even if that book was something like your diary. HTTP codes for denying access exist specifically for this reason.

Of course, the iteration of accounts that Weev was convicted of was nearly exactly this, so we know that this doesn't always hold true, but it really is baffling why.