Good find. I left a comment. I'm not sure if they'll publish it, as it is too lengthy.
It seems rather disingenuous to compare Weev-and-Gawker with any sort of legitimate, responsible behavior. There were so very many failures:
1. Weev could have tried to contact AT&T. I understand the reasons for not doing so. One of them is the legitimate fear of being accused of wrong-doing oneself! I know that can happen. Or one may be ignored entirely. I have seen that too, on many professional and not-so-professional information security researchers' websites. One should try though. Otherwise, what was the point in pen testing, beyond self-serving or malicious intent?
2. Weev did not need to provide Gawker with the entire list of 114,000 user IDs. For all practical purposes, 100 or 10 or 1 would have been sufficient, for Gawker's purposes.
3. Gawker behaved in a grossly irresponsible manner, in accepting the list.
I am sympathetic, and find plausible, the argument that Gawker was equally culpable as Weev. If Weev is prosecuted, deemed guilty and sentenced, the same should apply to Gawker, or whoever made the decision to proceed. It isn't an issue of "Freedom of the Press". Gawker is no Wikileaks. Gawker was crucial in disseminating personal, private information, thus victimizing 114,000 people who had committed no wrong.
I guess that it is easier to argue in favor of Weev, instead of against Gawker. I remain unconvinced that this action, taken by the illustrious group of computer scientists and researchers via the Amicus brief, is the correct way to proceed. Who will file an Amicus brief in defense of any individual who, for example, hacks Google servers, and discloses 114,000 account names and passwords to... I was going to say Al Jazeera or The Jerusalem Post or FARS. But I don't believe that we'd have anything to fear or be concerned about, as Al Jazeera, Jerusalem Post, FARS, any and every decent major or minor media outlet with any professional (or amateur!) code of ethics would not facilitate such a betrayal of trust.
Part of e-discovery, as practiced in the legal profession, includes the tenet that one should only accept and keep the bare minimum necessary of data required to do one's work. Accepting and keeping information creates an obligation and responsibility to do the right thing with it, to safeguard it. In this case, it is the data disclosure that caused damage. The only way to require companies to report breaches is through regulatory law. Is that what the end goal is, in this Amicus? I don't know.