[betterunix]

I would prefer if the system punished people for what they did with their access to data, not simply for having that access; organizations that hold private or sensitive information should be punished if unauthorized people can access it by any means. Having email addresses or credit card numbers should not be the crime, regardless of how you obtained that information. Committing credit card fraud or selling credit card information to other unauthorized people should be crimes (or failing to secure your computer where you store said information).

So Weev should not be punished for downloading the email addresses. AT&T should be punished for making the list available to him (and likewise, if Weev made the list available to others, he should be punished for that).

[twoodfin]

Apologies for crossing threads, but aren't you pretty upset that the NSA simply has Verizon phone records, despite a lack of evidence they're planning on doing anything nefarious with them?

Anyway, as I understand it, weev did speculate about selling the information. And would you be so sanguine if this were health records or private photographs? I'm not seeing a plausible guiding principle here.

[betterunix]

We hold the government to a different standard. I am free to forbid atheists from entering my home, and nobody can complain about it beyond calling me an asshole. The government cannot ban atheists from its buildings. Many people have pointed out that the NSA was collecting information that privacy industry already had -- yet we are still angry about the NSA having it.

I also draw a line between what makes me upset and what should be a crime. I do not think that everything that makes me upset should be illegal. Frankly, while I would be angry at Weev if he downloaded hospital records, I would be much more angry at the hospital that failed to secure those records. I believe that the law should draw the line at how the information is secured and how it is used, not how it is obtained.

[xyandnoz]

@betterunix-- seriously? It's OK with you if they get your private data, no matter how they acquire it? Spoken like someone who has never had exposure of private data used as a THREAT... something weev is known for. If someone uses illegal means to obtain your private data, they can exploit/weaponize that acquisition without having to then use the private data to commit a different crime. (different from the crime -- usually fraud -- in how they obtained it).

Weev has taught many of us that acquiring your private data is enough to make you wonder when, exactly, he will decide to use it. Or in my case, to publish it and encourage the whole WORLD to use it. And don't get me started on medical records... If you honestly believe that acquiring private data shouldn't be illegal until it is used in a crime, you have obviously never been threatened with exposure from someone who did just that. (but again, I don't think this applies to the AT&T case) -- Kathy Sierra

[betterunix]

Blackmail and harassment are both crimes, you know. If someone is threatening to expose your private data, it makes no difference how they acquired it -- it is a crime regardless of whether or not they were authorized to have it.

The problem with charging hackers for having information they are not supposed to have is that it takes the responsibility to keep data secure away from those who are entrusted with it. Take medical records as an example. Yes, we want them to be kept private, but that should be the responsibility of hospitals, doctors, etc. If some hacker downloads those files, the hospital should be punished for their failure to keep the files secure. If we want to believe that hackers are magicians and that any Internet-connected system can be compromised, don't connect systems with medical records to the Internet.

What is wrong with making it the responsibility of anyone who has private information to keep that information private? If a hacker downloads a hospital's records, I think it is fair to expect that hacker to keep those records private, and to prosecute the hacker if they are revealed to anyone for any reason (even if the hacker is himself a victim of another hacker).

People should not have to be afraid to run a web crawler out of their own house. Yes, a web crawler is going to find private information that was not properly secured. That should not make the person running the crawler a criminal.