I have a pretty good understanding of what he actually did, and when I think about the implication of immunizing every similar action by anyone on the Internet --- any vulnerability triggered by a preauth GET handler --- I have no trouble seeing why what he did was illegal. You can safely monkey around with other people's systems under that reading of the CFAA. But, once you find yourself getting private information about other users, you know something's wrong, and you need to stop right away. He didn't. Coming into that knowledge and then continuing to exploit the system is the crux of the prosecution's case here, not the nature of URLs.
But, again: I think this case didn't deserve to be prosecuted, and I think CFAA's sentencing should be revised to ensure that in the future prosecutors have no incentive to push pointless cases like it.
But, again: I think this case didn't deserve to be prosecuted, and I think CFAA's sentencing should be revised to ensure that in the future prosecutors have no incentive to push pointless cases like it.