Auernheimer, whose pugnacious online persona is Weev, is up on two counts, each with the potential to land him with five years in jail. One alleges that by being in possession of the e-mails from AT&T’s leaky system he handled “identification information” in breach of a law intended to protect against identity theft, USC 1028. It’s worth noting that so far there appears to be no indication that Weev had plans to use the e-mails collected for anything more than proof that AT&T was leaking its customers’ data.
The more concerning charge to online activists watching Weev’s case is based on the Computer Fraud and Abuse Act, which forbids “unauthorized access” to a computer. Weev and a fellow hacker who originally uncovered AT&T’s mistake and collected the e-mails didn’t ask the company for permission to access the Web addresses that shared iPad users’ private information. But those Web addresses weren’t hidden behind password prompts or any kind of protection – they were publicly accessible. Getting AT&T’s system to spit out a customer’s e-mail address simply required visiting an AT&T web address with a particular – and easy to guess – code tagged onto the end.
Slashdot from 2010 fills it out a bit more:
Daily Tech reports that in what is one of the biggest leaks of email addresses in recent history, a group called Goatse Security has published the personal email addresses of 114,067 iPad 3G purchasers in what appears to be a legal fashion by querying a public interface that AT&T accidentally left exposed. Apparently AT&T left a script on its public website, which when handed an ICC-ID would respond back with the email address of the subscriber. This apparently was intended for an AJAX-style response inside AT&T’s web apps.