He accessed data belonging to other people that he should not have, and knew he should not have. (And then went on to make very unwise statements about his intentions of how to handle that data.)

That's all that really matters to the judge and jury. The technical aspects don't matter much to them.

Also: If ease of access to information means anyone can take it, do you mean to say the NSA should take whatever they want because people don't encrypt their data?

If that information is so valuable, then shouldn't some burden be placed on AT&T for negligence? If this had been health care records, AT&T would have been required to notify users and possibly pay a fine. Perhaps it makes sense to have similar laws in place to protect all data, as Europe does (see ECHR).

The point here is, if we want to nail weev to a cross, AT&T should be nailed up right next to him.

Some blame should surely be placed at AT&T's feet too, but IMO not as much. Going back to the door analogy, whoever leaves it carelessly unlocked will definitely get less sympathy (e.g. insurance may decline to cover the loss), but that does not mean they're anywhere as guilty as the thief who actually committed the burglary.

I don't think the door analogy entirely works here. Here's why:

For a typical burglary, person A leaves their door unlocked, and person B walks in. The items clearly belong to person A, and when person B takes them and walks out, theft has clearly occurred.

In this case, person A walks near person B's house, and sees that person B has laid the possessions of person C all over the sidewalk. Person A brings out their duplicator machine, creates mirror images of all person C's items, takes those mirror images, and walks away.

While there is a question of whether person A should have duplicated those items, person C is sitting across town clueless as to what's going on. There's also the question of whether person B should have left things all over the sidewalk, or should have placed the things behind the door.

If we begin comparing accessing a website to opening a door, that creates a lot of legal confusion. IANAL, but IIRC, the current legal understanding is that a computer on a network falls under the jurisdiction of the network. If that's the case, and we consider the Internet to be a public place, then a web server placed on the internet becomes public, unless there's a password on it. If, instead, we consider web servers to be like doors, where you need permission to access them, then anyone who spiders a website might be considered guilty of attempted breaking and entering. For another example, does it make more sense to allow allow smartphone apps to have full access to your phone by default, or should permission be granted for special capabilities? AFAIK, consent in this area is not very well defined.

In the traditional sense of theft, there is an object that I once had in my possession and it has now been taken from me. That doesn't really work so well with digital media where the supply issue goes away.

There's a lot more to this discussion, but I'm curious what the next response will be :)

I have a pretty good understanding of what he actually did, and when I think about the implication of immunizing every similar action by anyone on the Internet --- any vulnerability triggered by a preauth GET handler --- I have no trouble seeing why what he did was illegal. You can safely monkey around with other people's systems under that reading of the CFAA. But, once you find yourself getting private information about other users, you know something's wrong, and you need to stop right away. He didn't. Coming into that knowledge and then continuing to exploit the system is the crux of the prosecution's case here, not the nature of URLs.

But, again: I think this case didn't deserve to be prosecuted, and I think CFAA's sentencing should be revised to ensure that in the future prosecutors have no incentive to push pointless cases like it.

We aren't arguing about what he did. We are arguing about why he did it. Did you seriously just not read the entire conversation above the comment? The technical aspects of exactly what he did aren't important.