by beryllium 4841 days ago
It's a bit absurd. A chilling effect, even; now, instead of responsible disclosure (which weev seemed to think meant scraping 100K examples of the data and giving it to a Gawker reporter), we'll be left with irresponsible disclosure (anonymously reporting it or selling it on the black market).

That said, I don't think AT&T would necessarily have reacted well to an attempt at real responsible disclosure.

For an example of the ideal scenario for how this should be handled, there's the Steam data leak that Ars Technica found: http://www.gibsonindex.org/blog/2013/02/06/steam-leak/ - I rated it as a Level Zero event on my cyber attack ranking blog, because of the proper resolution.

I agree that the blame in this case lies mostly with AT&T. It's their responsibility to protect the data. They built the program so that if anyone asked it for anyone else's info, it went "OK, sounds good, here you go."

Weev was the one who asked. AT&T should be on the hook for answering.

1 comment

But from a pure legal standpoint, any API developer can face a jail term if they suddenly change their terms/conditions.
I'm not a lawyer, but violating terms, conditions, or other contracts in non-malicious ways generally aren't going to be criminal offenses. They are civil offenses for which the main recourse is only for the company to sue.