This Hacker Is Getting Out of Jail — But Not For the Reason His Supporters Hoped

Prosecutors claim “Weev” stole thousands of email addresses from iPad users

Andrew Auernheimer
National Journal
Brendan Sasso
Add to Briefcase
See more stories about...
Brendan Sasso
April 11, 2014, 1:54 p.m.

A fed­er­al ap­peals court struck a blow on Fri­day against the Justice De­part­ment’s cam­paign to crack down on com­puter hack­ing.

The Third Cir­cuit Court of Ap­peals over­turned the con­vic­tion of An­drew Auernheimer, bet­ter known by his on­line ali­as “Weev,” who was charged with steal­ing thou­sands of email ad­dresses from AT&T’s serv­ers.

His case be­came a ral­ly­ing cry for In­ter­net act­iv­ists, who ar­gue it is an ex­ample of pro­sec­utori­al over­reach and shows why Con­gress needs to re­form a vague anti-hack­ing law. Auernheimer’s sup­port­ers claim that all he did was point out a se­cur­ity vul­ner­ab­il­ity and that he didn’t break any laws.

The court threw out the case on jur­is­dic­tion­al grounds — say­ing pro­sec­utors brought charges in the wrong state. The fight over what’s ac­tu­ally il­leg­al un­der the Com­puter Fraud and Ab­use Act will have to wait for an­oth­er day.

The ba­sic facts of Auernheimer’s case aren’t in dis­pute. In 2010, Daniel Spitler, Auernheimer’s co-de­fend­ant, no­ticed a flaw in AT&T’s ac­count re­gis­tra­tion sys­tem for iPads. A per­son could enter any iPad ID num­ber, and the AT&T sys­tem would auto­mat­ic­ally re­veal the cor­res­pond­ing email ad­dress of the iPad’s own­er.

Spitler wrote a script to auto­mat­ic­ally guess ID num­bers, and he was able to col­lect about 114,000 email ad­dresses, ac­cord­ing to court doc­u­ments. Auernheimer then emailed the in­form­a­tion to a Gawker re­port­er, who pub­lished an art­icle that de­tailed the flaw and in­cluded re­dac­ted email ad­dresses of a vari­ety of celebrit­ies and gov­ern­ment of­fi­cials.

The Justice De­part­ment brought charges against both men un­der the Com­puter Fraud and Ab­use Act, which makes it a felony to ac­cess a com­puter “without au­thor­iz­a­tion.” Spitler pled guilty and re­ceived three years of pro­ba­tion. A fed­er­al jury in New Jer­sey con­victed Auernheimer in 2012, and he was sen­tenced to 41 months in pris­on.

Pro­sec­utors ar­gued that Auernheimer knew what he was do­ing was il­leg­al and that he was only try­ing to pro­mote his own “se­cur­ity re­search” busi­ness.

But Auernheimer’s case at­trac­ted at­ten­tion from di­git­al free­dom act­iv­ists at groups such as the Elec­tron­ic Fron­ti­er Found­a­tion. His sup­port­ers ar­gue that guess­ing ID num­bers on a pub­lic site shouldn’t qual­i­fy as “hack­ing” and that his pro­sec­u­tion could dis­cour­age se­cur­ity re­search­ers from com­ing for­ward when they dis­cov­er vul­ner­ab­il­it­ies.

The Third Cir­cuit Court of Ap­peals threw out the con­vic­tion on Fri­day, say­ing pro­sec­utors should have filed the case in Arkan­sas, where Auernheimer lived, in­stead of New Jer­sey. Just be­cause some of the email ad­dress own­ers lived in New Jer­sey wasn’t enough to make it an ap­pro­pri­ate ven­ue, the court ruled.

“Al­though this ap­peal raises a num­ber of com­plex and nov­el is­sues that are of great pub­lic im­port­ance in our in­creas­ingly in­ter­con­nec­ted age, we find it ne­ces­sary to reach only one that has been fun­da­ment­al since our coun­try’s found­ing: ven­ue,” the court wrote.

Orin Kerr, a law pro­fess­or at George Wash­ing­ton Uni­versity who is rep­res­ent­ing Auernheimer, ar­gued that the is­sue of the right ven­ue for a case is not a tech­nic­al­ity.

“It’s an im­port­ant prin­ciple of lim­it­ing gov­ern­ment power,” he said. “Be­cause if the gov­ern­ment has uni­ver­sal ven­ue, then any of­fice can charge any de­fend­ant any­where in the coun­try.”

Al­though the judges did not base their rul­ing on the scope of the Com­puter Fraud and Ab­use Act, they hin­ted in a foot­note that they are skep­tic­al of the Justice De­part­ment’s claim that Auernheimer com­mit­ted any crime.

To have vi­ol­ated the law, Auernheimer would have to had cir­cum­vent a “code- or pass­word-based bar­ri­er to ac­cess,” the judges wrote.

“Al­though we need not re­solve wheth­er Auernheimer’s con­duct in­volved such a breach, no evid­ence was ad­vanced at tri­al that the ac­count slurp­er ever breached any pass­word gate or oth­er code-based bar­ri­er,” they wrote in the foot­note. “The ac­count slurp­er simply ac­cessed the pub­licly fa­cing por­tion of the lo­gin screen and scraped in­form­a­tion that AT&T un­in­ten­tion­ally pub­lished.”

It’s un­clear wheth­er the gov­ern­ment will re-file charges against Auernheimer in a dif­fer­ent court. Matt Re­illy, a spokes­man for the U.S. At­tor­ney’s Of­fice in New Jer­sey, said the gov­ern­ment is re­view­ing its op­tions in the case.

Kerr ar­gued that fa­cing an­oth­er tri­al would vi­ol­ate Auernheimer’s con­sti­tu­tion­al right to be pro­tec­ted from “double jeop­ardy.”

Kerr claimed that even if pro­sec­utors do bring the case again, the ap­peals court already “tipped its hand” that Auernheimer didn’t com­mit a crime. Lower courts gen­er­ally de­fer to the leg­al opin­ions of high­er ones.

Some law­makers want to nar­row the lan­guage of the Com­puter Fraud and Ab­use Act to pro­tect against pro­sec­utori­al over­reach. Rep. Zoe Lof­gren, a Cali­for­nia Demo­crat, in­tro­duced a re­form bill last year after Aaron Swartz, an In­ter­net act­iv­ist, com­mit­ted sui­cide while fa­cing hack­ing charges. But the le­gis­la­tion has gone nowhere in the House Ju­di­ciary Com­mit­tee.

Auernheimer might not be the best face for a polit­ic­al move­ment. He was fam­ous for mak­ing of­fens­ive com­ments on on­line for­ums and be­fore his sen­ten­cing, he wrote on dis­cus­sion site Red­dit that his only re­gret was no­ti­fy­ing AT&T of the is­sue. “I won’t nearly be as nice next time,” he warned.

What We're Following See More »
North Dakota Pipeline Protests Turn Violent
19 minutes ago

The protest over the construction of the Dakota Access Pipeline turned violent overnight as the police and National Guard sought to remove the protesters, surrounding them with assault vehicles and officers in riot gear. The law enforcement officers used pepper spray and fired bean bags for more than six hours. In response, the protesters "lit debris on fire and threw Molotov cocktails in retreat." One woman pulled out a gun and fired at officers, narrowly missing before being arrested. The protesters claim the pipeline would be constructed on land belonging to the Standing Rock Sioux Tribe.

House Leadership Elections Slated for Nov. 15
25 minutes ago

The House has scheduled leadership votes for Nov. 15, the day after members return from their election recess. "Since mid-September, members of the House Freedom Caucus have weighed whether they should ask leadership to push back the elections so they can see how House Speaker Paul Ryan performs at the end of the year," but leaders don't seem inclined to grant their request.

Feds Announce Rapid GDP Growth in Q3
28 minutes ago

Gross domestic product "expanded at a 2.9% annual clip from July through September. That’s a marked improvement from the first half of the year when the U.S. grew just barely over 1%." The robust numbers make it more likely that the Federal Reserve hikes interest rates at its next meeting.

Oregon Militiamen Found Not Guilty
30 minutes ago

"A federal jury on Thursday found Ammon Bundy, his brother Ryan Bundy and five co-defendants not guilty of conspiring to prevent federal employees from doing their jobs through intimidation, threat or force during the 41-day occupation of the Malheur National Wildlife Refuge. The Bundy brothers and occupiers Jeff Banta and David Fry also were found not guilty of having guns in a federal facility." In a strange "coda" to the decision, Bundy's attorney Marcus Mumford was tackled and tasered by marshals in the courtroom as he argued that Bundy should be free to go.

Clinton Eyes Biden for Secretary of State
31 minutes ago

Hillary Clinton is eyeing Vice President Joe Biden to be her secretary of state, and her campaign is trying to figure out the best way to broach the idea with Biden. Biden has a lifetime of foreign policy experience, serving as chairman of the Senate Foreign Relations Committee; he can also put eight years as vice president on his foreign policy resume. Biden has previously stated that he would not work in a Clinton administration, so it might be a tough sell for the Clinton camp.


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.