First, I would like to note that this post diverges from my original goals for this blog, but this is unfortunately an item that is necessary to explore, discuss, and understand. I am not a lawyer, do not have legal training, and am giving my thoughts and opinions regarding US law on these matters. This post entirely stems from https://twitter.com/jspilman/status/278284483990519808 and the linked article.
It is clear that reality and the law do not keep pace. I am going to cover the items listed in the article as part of the indictment against Brown. Please note that I am reading and referencing the linked indictment, but this is a scribd.com link and I have not verified the validity or accuracy of it. In any case my intent is not to make direct comments on this case but to use this as sufficient material to discuss how US law applies.
The first important aspect is one of jurisdiction. The indictment starts by establishing the jurisdiction on the basis of interstate commerce. Discard all common sense when it comes to US law and interstate commerce. There is case law for which the possibility of interstate commerce was sufficient to invoke federal jurisdiction, without the requirement that any intent or interstate commerce was shown. Right or wrong, this barrier to start a case has such a low bar that it is nothing but a formality.
For the first count, it is unclear if his offense is literally copying an url from one IRC channel to another. We could theorize that the defendant downloaded it, torrented it, and so on, but for the law simply passing the url around fits the requirement of making it available. The law makes no remarks here on if the defendant had a copy, sent copies, etc.
The second count addresses "intent to defraud" and intent is almost as laughable as establishing jurisdiction today. In some laws establishing intent is a high and difficult bar to establish, but in cases of unauthorized access devices the possession itself establishes intent to defraud based on current case law. Yes, this means that possession and intent are synonymous in this case.
Counts two through twelve simply allege the defendant "knowingly transferred and possessed without lawful authority..." some specific data. Here the standard of intent is even more of an afterthought. If the prosecution can prove that the defendant possessed the data, then this is essentially game over. The defense would have to prove the defendant did not have the data, or did not know he had it, or did not know it was unlawfully obtained, etc.
My primary intent in this post is to put everyone in a guarded and vigilant position when it comes to data leaks and US law. Most of these laws have no affirmative defense at all and ignorance is certainly not part of them. Jurisdiction and intent are quaint ideas that are codified but irrelevant to successful defense efforts.
Jeremy Spilman's original question/alluded question is whether or not these laws or similar laws can be used to go after people who have password lists. The answer is absolutely yes. Therefore, when it comes to free speech and research in the US, you had better be a full time university student or professor or you should expect zero legal protection. The discussion of the first amendment, free speech, and research is well out of the scope of this post.
What practical advice should you take from this? It is not a question of if password lists are next but when the indictments start, assuming they have not already.