by rayiner 4893 days ago
In your analogy, the only reason it's okay is the presumed consent that arises from my just handing you the pictures, and the fact that you can reasonably infer that I consent because I handed you the pictures.

You can't anthropomorphize the web server like that. You cannot say this guy reasonably inferred that AT&T intended him to have access to these e-mail addresses. It's a dumb piece of equipment--a broken door lock. An unlocked door does not mean you are invited to come in.

1 comments

There is no lock, not even a broken one. There is a machine (the webserver) that is handing out private data to everyone who asks and then probably even makes a note that he did so. I'm not anthropomorphizing that part, that is how the protocol works. "GET .." ("200 OK" | "403 Forbidden")

Now the server provider is responsible for having not adequately secured the customers' information, and the guy who asked for that information is responsible for what he does with that information. What I won't accept is that you criminalize the mere request for said information and the retrieval of whatever response is returned.