In the first case, I've connected to someone else's server and actively done the damage of deleting their data.
In the second case, I've provided instructions on how to destroy the data, said "don't do this", and then someone has done it anyway. _They_ have destroyed their data, and it's now up to them to justify why that's my fault.
If we want to get into legal territory about it, which I'm sure we're both woefully underqualified to comment on... the CFAA is all worded around "intentionally accesses a protected computer...". How exactly do you show intent to access a protected computer here? The developer never took any sort of positive step to access _any_ specific computer. The best I could see would be negligence where a reasonable person would have to have known someone would run this on a protected computer, but that still feels like something a good lawyer would find a way out of.
In the second case, I've provided instructions on how to destroy the data, said "don't do this", and then someone has done it anyway. _They_ have destroyed their data, and it's now up to them to justify why that's my fault.
If we want to get into legal territory about it, which I'm sure we're both woefully underqualified to comment on... the CFAA is all worded around "intentionally accesses a protected computer...". How exactly do you show intent to access a protected computer here? The developer never took any sort of positive step to access _any_ specific computer. The best I could see would be negligence where a reasonable person would have to have known someone would run this on a protected computer, but that still feels like something a good lawyer would find a way out of.