by literallyaduck 1631 days ago
It was more than "View Source". It was decoding viewstate.

Reading someone's postcard in the mailbox is like looking at the source.

He opened the letter that was in the encoded viewstate.

The envelope doesn't offer any real security but it is illegal to open someone else's mail, and decoding a site's viewstate might technically be illegal as well, but unless you tell someone you did it no one will know.

The reporter should have notified them directly, anonymously, or kept their mouth shut.

If you send information to the client, it is your responsibility to make sure it doesn't contain private information.

The reporter should probably not be prosecuted, pardoned if convicted, and we should repeal the laws that make using anything sent to the client illegal.

If you are sent something you didn't order in the mail the FTC says you don't have to pay:

https://www.consumer.ftc.gov/articles/what-do-if-youre-bille...

"By law, companies can’t send unordered merchandise to you, then demand payment. That means you never have to pay for things you get but didn’t order. You also don’t have to return unordered merchandise. You’re legally entitled to keep it as a free gift."

This reporter was gifted some viewstate because it came to his computer.

Edit:

To the person claiming it is "another language", I don't know anyone that does Base64 decoding in their head, and this is clearly not meant for human consumption.

Here is what viewstate is:

http://www.nullskull.com/articles/20060208.asp

There are many tools for consuming it through decoding and deserializing but that doesn't make it legal. There are tools for decoding DVDs which meet this same category.

3 comments

What is this “encoded viewstate” of which you speak?

It’s my impression that the reporter didn’t have to go so far as thumbing over to the network tab or otherwise open any envelopes, the social security numbers were instead embedded in HTML, just not visible in the painted layout. Kudos for attempting a framing for the prosecution, but I don’t think there are laws against opening mail addressed to me.

Edit: just saw the comment about .net using base64 encoded state, so I understand your argument better now. In that case, if a ROT13 encrypted message was sent to me without the key, being trivial to crack doesn’t imply I have the right to share state secrets… agreed the case is a little more complicated than journalists have made it appear, go figure.

People publish stuff they find in improperly redacted documents fairly frequently. Sometimes what happens is that the black bars covering the text in a PDF are just cosmetic, and the text is still there. Even if there's a state secret under there, it's not something people get prosecuted for (in the US). You generally have the right to publish state secrets that fall into your lap, even if they were obscured and might have required some technical spelunking inside a document.

This is an incorrect assessment. The analogy is a postcard written in a language you don't understand.

The outside of the letter is a kind of lock, like encryption.

You don't violate the laws for translating the French on the back of the postcard to English if you happen to see it, right?

Opening the letter is illegal, and breaking that lock is where the act becomes a crime. He didn't do that. He only translated what was delivered to him.

The main difference is that the postcard is addressed to someone else and the law is very clear that you can’t open mail addressed to someone else. Also, I don’t really buy that “decoding” counts as an additional step, since all the contents of every web page are already decoded by the browser.