I feel like there's two parts to the no fly list leak that are getting overlooked right now

1) the person in question has the handle "maia arson crimew" meaning media outlets have to cite "crimew" as the person they're quoting, which is amazing.

2) From everything I've read, crimew didn't actually commit a crime (in this case at least). According to crimew, the no-fly list was discovered on a publicly accessible server, totally unsecured. crimew was using Shodan which is a totally legal tool regularly used by a lot of the security community for research. Schools use and provide access to Shodan, it's a normal tool. Nothing crimew was doing was out of the ordinary. Her access and use of the file was most likely legal (or at least next to impossible to prosecute), given that it was publicly accessible.

crimew even notified CommuteAir of the data vulnerability. Which prevented more sensitive data from leaking, and was absolutely a sign of acting in good faith. Her obligation to even do that is a pretty gray area, but she did it anyways.

Now, crimew has gotten charged by the US in the past for other things, however, Swiss citizens cannot be extradited against their will. So the proceedings were suspended. She could only be charged under Swiss law, and given that the data is/was publicly accessible and the exposure was for public good, that's very unlikely to happen.

The people actually getting investigated by congress/the FBI/the TSA are the idiots at CommuteAir that were hosting the no fly list on an unsecured publicly accessible server. They're the ones who actually get in trouble for failing to have followed basic security protocols. They're the ones who had a legal obligation to safe guard that data, and they're the ones who fucked up.