>if you started wilfully sharing that data or details about how to access it with persons other than the owners of the system then you could start to get into the problematic zone
Here I disagree, assuming we are still talking about the USA. There are strong freedom of speech implications when you make sharing the fact that some company left their S3 bucket world-readable a criminal offense. Would the New York Times be open to criminal prosecution for publishing such information on their front page?
Very tightly-defined, personally-identifiable data I can see being protected. Things like financial and medical records, sensitive search queries etc. but general disclosure of security issues should not be something that is criminal.
So look at the general gist of what I wrote and think about the principle a bit. I did say 'start to get into the problematic zone' so I am not saying here is an abrubt transition between not-crime and crime-with-terrible-punishment.
So you find a company leaves their S3 bucket world-readable by accident and it contains personal information that the persons concerned would reasonably consider private (from medical records all the way to my real identity on a forum). The correct course of action is not to exercise your free speech by going first to the New York Times so they can publish a story about it allowing all and sundry to access that information, but to go to the company and tell them that this is open and that information they are responsible for is leaking. This is your responsibility to your fellow citizens whose data is leaking! However, if the company do not fix it in a reasonable time then you can report them to the relevant authorities who can decide what action to take and now the criminal aspect of this data leakage will now be attached to the owners of the company which has not fixed the problem and you are free to exercise your free speech rights.
If I sell (for money, fame, fake internet points or smug satisfaction) access to your personal data without your consent how can I claim that is my free speech? I think the USA has the concept of limits to freedom, ably illustrated by the phrase "Your Freedom To Swing Your Fist Ends Where My Nose Begins"
Here I disagree, assuming we are still talking about the USA. There are strong freedom of speech implications when you make sharing the fact that some company left their S3 bucket world-readable a criminal offense. Would the New York Times be open to criminal prosecution for publishing such information on their front page?
Very tightly-defined, personally-identifiable data I can see being protected. Things like financial and medical records, sensitive search queries etc. but general disclosure of security issues should not be something that is criminal.