
Comment Re:So other than those ten (Score 2) 33

How many times do they do it a week without all that official authorization stuff?

If they use them in criminal investigations the usage eventually becomes part of the public record when entered into evidence. Using them for search and rescue ought to be non-controversial enough. "National Security" is of course the grey area, though there's a fair amount of overlap between National Security and criminal prosecutions, for offenses like espionage or terrorism, so a lot of that use would eventually make it into the public record as well.

Comment Re:Not even much money (Score 2) 423

If you are a die-hard, you can download [irs.gov] the forms and send them in for the price of a stamp or two (my state forms, seven pages of paper, cost $0.70 to mail.)

You don't even have to do that. There's Free Fillable Forms, which are exactly what the title suggests. Electronic copies of all the relevant paper forms that you fill out online and E-File. It doesn't have the logic of Turbotax but it performs basic math checks and saves you the hassle of printing and mailing the forms.

I can't understand why anyone would pay a third party to do their taxes. The logic flow isn't that complicated, even when you throw capital gains and itemized deductions into the mix. I've filed the long form 1040 by hand in years when I had to deal with capital gains and losses and was able to complete it in under two hours. Who are the people who pay Intuit or H&R Block to do their 1040ez filings?

Comment Re:also (Score 1) 171

The metadata argument wears thin on me. If my phone number is two or three levels removed from a terrorist I really don't see why it's objectionable that the Government take a cursory look at my call logs. They'll quickly find that I'm a rather boring sort, whose connection with the terrorist was likely limited to ordering the same take out, and my privacy isn't significantly impacted by having someone review my call logs after obtaining a court order.

Traditional police investigative techniques would be at least as invasive, if not more so. Ever been interviewed by the police because you're one or two levels removed from a criminal suspect they're attempting to establish a case against?

Comment Re:also (Score 5, Insightful) 171

Since Snowden's revelation about the NSA's clandestine $10 million contract with RSA,

If you're on NSA's radar you've got bigger problems than TrueCrypt's trustworthiness or lack thereof. The NSA doesn't have to have a back door into AES (or the other algorithms) when they have an arsenal of zero day exploits, side channel attacks, social engineering, and TEMPEST techniques at their disposal. The average user should be far more concerned about these attack vectors (from any source, not just NSA) than the security of the underlying encryption algorithm.

The Diceware FAQ sums up the problem rather succinctly: "Of course, if you are worried about an organization that can break a seven word passphrase in order to read your e-mail, there are a number of other issues you should be concerned with -- such as how well you pay the team of armed guards that are protecting your computer 24 hours a day."

Comment Re:To the point... (Score 1) 148

No, he sent a query to the webserver, and the webserver did what it was designed to do and answered it.

You're overlooking the part about purposefully manipulating the query in such a fashion as to trick the webserver into thinking you're someone else.

AT&T was the one making the mistake by assuming that all trivially-correctly-formatted requests were from AT&T customers as opposed to actually checking whether the requester was - in fact - a customer (something they could've easily done!)

AT&T's mistakes do not excuse the actions of the accused.

It's about precedent, and "some queries shouldn't be sent to a webserver, but you don't know what those are until we nail your ass" is a pretty damn bad precedent.

There's no overly broad precedent here, unless you're trying to claim that prosecuting people for impersonation is a scary precedent.

Comment Re:sad day for those who don't like 4chan trolls (Score 1) 148

How is the law being abused here? Go read the evidence in this case. AT&T set up a system that was designed to automatically populate an e-mail field for the convenience of their customers. They did this by matching two different variables, the user-agent of the iPad web browser and the ICC-ID number from the SIM card contained therein. Two people then discovered that they could fake both of those variables to obtain the personally identifiable information (PII) of AT&T customers. They did this in a deliberate manner while discussing ways of using the obtained information for profit, with ideas ranging from spamming (direct marketing of iPad accessories to people who obviously owned iPads) to securities fraud (they floated the idea of shorting AT&T's stock when news of the security breach broke) to the enhancement of their own reputation (look how awesome of a security guy I am, I broke into AT&T, buy my consulting services!)

AT&T's failings are not really relevant here. The process of obtaining the PII was sufficiently complicated as to make it readily apparent that the information obtained was not for public consumption. No reasonable person would conclude that they were entitled to access the PII of AT&T's customers. No reasonable person would discover this security flaw then write a script to automate the collection process while exploring methods of using the obtained information for personal financial gain.

Your whole argument can be distilled to three words: Blame the victim.

Comment Re:To the point... (Score 1) 148

If that's not a 'not guilty' by a court that's not passing actual judgement, I don't know what is.

That's some selective quoting right there, chopping it off at "or any overt act in furtherance of the conspiracy in New Jersey". They didn't conclude that he didn't commit the crime, they concluded that no actions taken in furtherance of the offense were performed in New Jersey.

Again, there was no authorization process in AT&T's system

It was keyed to only populate the e-mail field when both of the following were present: The user-agent of an iPad's web browser and a valid ICC-ID code belonging to an AT&T customer. They used these two items of information to impersonate AT&T customers and steal their personally identifiable information. Of course, your point is irrelevant either way, because the law doesn't care about "authorization process", it only cares that you accessed information you were not authorized to access. No reasonable person would conclude that they were authorized to access PII under these circumstances, wherein they had to trick AT&T's server into thinking they were somewhere else to obtain the information.

If this goes to trial again he will be convicted. If he has half a brain he'll cut a plea deal with the US Attorney, save everybody the hassle of another trial, and likely walk away with time already served. Frankly I doubt he'll do that, because he strikes me as exceedingly arrogant, but perhaps he's humbled after some time behind bars.
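The two comments above (the one beginning "How is the law being abused here?" and the one beginning "It was keyed to only populate the e-mail field") describe the same mechanism: a lookup that returns a subscriber's e-mail when the request carries an iPad user-agent and a valid ICC-ID, both of which the client supplies. The following is an added example, not code from the page and not AT&T's code; it models that pattern in a toy form next to a hardened version in which authorization comes from a server-side session rather than from anything the client types. The route, the subscriber table, the ICC-ID values, the e-mail addresses and the `open_session` step are all constructed for this illustration and are not a reconstruction of the real endpoint.

```python
"""Added example (hypothetical): client-supplied identifiers used as authority,
beside a version that derives authorization from a server-side session.
Nothing here reproduces AT&T's actual endpoint or data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

IPAD_UA_MARKER = "iPad"  # the 'proof' the weak version keys on

# Constructed sample subscriber table (hypothetical ICC-IDs and addresses).
SUBSCRIBERS = {
    "89014104211111111111": "alice@example.com",
    "89014104222222222222": "bob@example.com",
}


@dataclass
class Request:
    user_agent: str
    icc_id: str
    session_token: Optional[str] = None


def weak_lookup(req: Request) -> Optional[str]:
    """The pattern the comments describe: both 'identifiers' arrive from the
    client and are trusted as proof of who is asking. Anyone who can set a
    User-Agent header and supply a valid ICC-ID gets the address back."""
    if IPAD_UA_MARKER not in req.user_agent:
        return None
    return SUBSCRIBERS.get(req.icc_id)


# Hardened design: authorization is bound to a session the server created,
# not to headers or parameters the client controls.
SESSIONS: dict = {}  # sha256(token) -> icc_id


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def open_session(icc_id: str) -> str:
    """Hypothetical server-side step, run only after the device has been
    authenticated by a channel the HTTP client cannot forge (not modelled
    here). Returns a random bearer token; only its hash is stored."""
    if icc_id not in SUBSCRIBERS:
        raise ValueError("unknown subscriber")
    token = secrets.token_urlsafe(32)
    SESSIONS[_hash_token(token)] = icc_id
    return token


def hardened_lookup(req: Request) -> Optional[str]:
    """Returns only the address belonging to the authenticated session.
    The user-agent is ignored entirely; a client-supplied ICC-ID is at most
    a consistency check and never selects whose record is returned."""
    if not req.session_token:
        return None
    icc_id = SESSIONS.get(_hash_token(req.session_token))
    if icc_id is None:
        return None
    if req.icc_id and not hmac.compare_digest(req.icc_id, icc_id):
        return None  # asking for someone else's record: refuse
    return SUBSCRIBERS[icc_id]


def count_leaks(lookup: Callable[[Request], Optional[str]],
                candidates: Iterable[str]) -> int:
    """Models the automated collection the comments describe: a spoofed
    iPad user-agent, a list of candidate ICC-IDs, and no session. Returns
    how many addresses the given lookup hands back."""
    spoofed_ua = "Mozilla/5.0 (iPad) constructed-for-demo"  # constructed
    return sum(1 for c in candidates
               if lookup(Request(spoofed_ua, c)) is not None)


if __name__ == "__main__":
    ids = list(SUBSCRIBERS) + ["89014104233333333333"]  # last one is invalid
    print("weak lookup leaks:", count_leaks(weak_lookup, ids))          # 2
    print("hardened lookup leaks:", count_leaks(hardened_lookup, ids))  # 0
```

The point the example makes is the one the thread keeps returning to: "validity" of an ICC-ID is not the same as proof that the requester owns it, so a check that keys on client-controlled values is an identification step, not an authorization step. The hardened version moves the question of who is asking to a token the server issued, and makes the client-supplied ICC-ID incapable of selecting a different subscriber's record.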

Comment Re:To the point... (Score 2) 148

The meat-space equivalent is something like reporter (who is not Bob's wife) calling a bar and saying, "I'm Bob's wife, is Bob there?"

A better analogy would be calling AT&T and saying "I'm Bob, can you tell me when my bill is due?" You've impersonated Bob and used it to obtain access to personally identifiable information, you'd be guilty of a number of different crimes in such a circumstance.

Comment Re:What happens now? (Score 1) 148

My understanding is it wound up in New Jersey simply because the Federal authorities there have more experience with these types of cases. However it happened, I'd concur that it was improper venue. The Feds should have charged him in his own Federal District at the very least, though I'd go further than that and argue that the body of evidence should have been turned over to the authorities in Arkansas for a state level prosecution. Either way, he was entitled to be tried in the jurisdiction where the law was broken, not trucked halfway across the country for the convenience of Uncle Sam.

Comment Re:To the point... (Score 3, Insightful) 148

Venue was improper. That doesn't mean he isn't guilty, it just means the Federal Government was inept (shocker, I know) and has managed to turn a common criminal into a martyr because they were too stubborn to simply turn this matter over to the authorities in his home state. I suspect the Feds will just prosecute him again in his home Federal District, wherein he will be convicted, though if they were smart they'd let the State authorities handle this matter. AR has a non-controversial computer trespass law that would cover his actions here.

Also, if passing a phone identifier to a query of a web server could access all this information, is that really a 'protected computer'? I'd say no.

And you'd be wrong. You're looking at this from the geek perspective, rather than the legal perspective. Google the reasonable person standard and mens rea, those are two of the most important building blocks of our legal system. Bottom line: He knowingly accessed information that a reasonable person would have known they weren't entitled to access. He did so by tricking AT&T's servers into thinking he was someone other than himself. The icing on the cake were his own words entered into evidence, wherein he admitted that he knew he wasn't entitled to access the information.

Don't take my word for any of this, go read the body of evidence against him. It's all publicly accessible via PACER.

Comment Re:What happens now? (Score 1) 148

He's still guilty of violating CFAA. They just tied it to another State level offense to enhance the underlying charge into a felony. They could have done that with any underlying state law though, so it's kind of moot whether or not he violated the NJ law. He's also guilty of violating Arkansas' computer trespass law, emphasis mine:

A person commits computer trespass if the person intentionally and without authorization accesses, alters, deletes, damages, destroys, or disrupts any computer, computer system, computer network, computer program, or data.

Had he been charged under that statute I highly doubt this would have become a national news story. This really shouldn't have become a Federal case, and if the Feds were hell bent on taking it they should have charged him in his home district. Carting him halfway across the country was a dick move, done purely for the convenience of the Federal Government, and it's made a martyr out of a common criminal that nobody would ever have heard of if this matter had been handled at the State level.

Comment Re:To the point... (Score 3, Interesting) 148

You're seriously going to argue that even though he had to take deliberate steps to impersonate other people he wasn't accessing information "without authorization"? That's what this boils down to at the end of the day, he tricked AT&T's web servers into thinking he was an AT&T customer, and in so doing obtained access to information about that customer. Then he wrote a script to automate the process and repeated it ~140,000 times.

I really don't understand why people defend this kid's actions. The Federal prosecution was bullshit, this should have been charged at the State level, but to claim that he's completely innocent when he went out of his way to obtain access to information he knew he had no right to access? That's absurd.
