Argument 1, p29, argues that there was nothing wrong with collecting the email addresses because they were on a public website, not protected by a password; and merely using a public resource "in a way that the owners find dissatisfying" is not actionable.
I think the usual counter-argument to this is that your legal protection from theft is not predicated on locking your front door - even if someone finds your door is unlocked, they aren't legally authorized to take all your stuff on that basis.
(Sidebar: another argument might be that it isn't "theft" because the other party wasn't deprived of anything. Adapting the above analogy, if someone finds your door unlocked, enters your house, copies your bank account number/SSN/driver's license/etc, and passes those on to someone else who uses them for identity theft purposes, that's still not ok, right?)
But I don't think those are even all that relevant, since this seems to hinge on the question of what a password is. Sure, there's no interstitial screen with two separate text boxes, one for username and one for password (the latter only displaying stars when you type in it), before yielding the email address. But just hitting the bare URL gives you nothing. You have to supply an ICCID to learn an email address, and I can imagine an argument being made that the ICCID is, effectively, a password, since it's a secret only shared between the user of the iPad (by proxy) and AT&T.
"But wait", I hear you cry, "they issued them sequentially! Nobody generates password like that!"
Oh, grasshopper. If only that were the case. But even it were, again, it doesn't seem that the law should require that you issue good passwords to have legal protection. It should still apply even if the scheme is one an idiot would use for their luggage (but leave whoever came up with the scheme open to charges of neglect or incompetence or something).
There's a number of scraper-related cases cited as precedent, but they all appear to be following links from public information to (de facto) public information. I don't know, but I'm going to guess that the list of ICCIDs is not publicly available, and being able to generate one from another doesn't seem like the thing that would add you to the class of people authorized to access that information.
Again, analogies: if you happen to catch sight of a key, you could make a copy of it. But, for the purposes of legal access, it doesn't seem that that should put you into the same category as those who have received a physical key from an authorized person, no matter how easy the process might be.
The brief acknowledges that "[g]uessing someone else's password to gain access to another person's private account without permission constitutes a criminal act", so I guess their argument is that because the URL parameter that they were guessing was named "ICCID" rather than "password" makes it ok. I don't know if I find that enormously convincing.
Argument 2, p43, rings pretty true to me. There's one defense in there based on no password being guessed, which, per above, seems like splitting semantic hairs, but the rest of it seems reasonable, with one exception.
The second claim of part B of argument 2 states that New Jersey had no jurisdiction because the defendants, computers and information disclosure were outside the state. Somewhere earlier, I think, they alluded to NJ residents' email addresses being revealed as the jurisdictional basis.
On its own, that seems reasonable - if the defendants, computers and disclosure were entirely outside the country, would that mean no action could be taken by the US? Evidence suggests otherwise. So, if there were harm or the risk of harm down the road to NJ residents, it doesn't seem crazy that they'd have an interest in and argument for prosecuting there. It's probably not the best jurisdiction for it, but does that make it an invalid one? Dunno. Law is hard.
Argument 3, p49, seems solid (modulo, again, the password thing). It seems pretty obvious that there was no intent to commit identity theft, so it's hard to see why identity theft statues would apply.
Argument 4, p55, is a slam dunk. It's an extension of the jurisdictional points in argument 2, but cites law to support that if a jurisdiction isn't the best one (paraphrasing), it is indeed an invalid one.
Argument 5, p62, cites some pretty convincing precedent in support of its argument that the costs to AT&T should not have been considered. The costs were almost entirely due to a snail-mailed notice to customers that their information had been stolen, and there's a citation from "at least one district court" saying "determining and complying with customer security breach notification obligations" "do not qualify as loss under the CFAA."
It was a pretty interesting read. I'd been largely assuming that this was an Al Capone situation, where weev's proudly self-declared assholery came home to roost under flimsy legal pretenses, but now I'm not at all sure. The whole password analogy seems indefensible, and I'd expect him to get nailed for it, except that the jurisdictional challenge also seems equally indefensible. O'course, my technically-biased viewpoint on this means pretty much nothing to the system; I'm off to try to find what the legal minds filed or decided in response to this.