It seems to me that the real villain is AT&T, for making this private data entrusted to its care freely available to the public. What criminal and civil liabilities will it face?
That's disingenuous. "Freely available" implies that AT&T desired to give this data away or advertised it knowingly. Clearly they didn't.
What Auernheimer did, with intent, was to bypass AT&T's intended use of the system.
What AT&T did was incompetent or perhaps even negligent by a reasonable notion of corporate coding standards. You'd need to dig a bit more to learn how systemic the incompetence/negligence was before attempting to assign appropriate blame, though. Maybe some contractor got into the system and made the change that made that exploit possible the day before and deployed it without following AT&T release guidelines. I dunno. Knowing that kind of info matters, though.
Let's not twist the facts of what happened in order to justify different outcomes.
Disagreed. The facts are indeed that AT&T made this freely available... my definition of making something available is that it is readily available for the taking, whether I desired to give it away or not. If I leave my front door open due to negligence, I probably don't desire to be burglarized, but it is true to say that I have made my house contents freely available. If my house contents include a laptop full of people's private data, then I think it's reasonable I should face some penalties.
As to your other point, AT&T is responsible for the actions of its contractors as well as for its full-time employees.
For anyone with a little knowledge about locks and basic tools, no conventional door lock prevents entry. So by your logic, nearly all house contents are freely available.
Regarding AT&T, it's not a question of responsibility - it's a question of a level of fault that is negligent. At some level, it's your responsibility because you gave AT&T your data, right? At some level, it's your responsibility because you have an email address, right?
Without a detailed assessment of many factors, just throwing out there that AT&T is negligent seems to be fairly irresponsible.
Nah. If I give any website my email address, I have a reasonable expectation it won't be published on that website in a public manner ripe for harvesting. Unless of course the Ts&Cs I'm signing explicitly say it will (somewhere prominent, preferably in bold red with flashing letters).