This Hacker Is Getting Out of Jail — But Not For the Reason His Supporters Hoped

Prosecutors claim “Weev” stole thousands of email addresses from iPad users

Andrew Auernheimer
National Journal
Brendan Sasso
Add to Briefcase
Brendan Sasso
April 11, 2014, 1:54 p.m.

A fed­er­al ap­peals court struck a blow on Fri­day against the Justice De­part­ment’s cam­paign to crack down on com­puter hack­ing.

The Third Cir­cuit Court of Ap­peals over­turned the con­vic­tion of An­drew Auernheimer, bet­ter known by his on­line ali­as “Weev,” who was charged with steal­ing thou­sands of email ad­dresses from AT&T’s serv­ers.

His case be­came a ral­ly­ing cry for In­ter­net act­iv­ists, who ar­gue it is an ex­ample of pro­sec­utori­al over­reach and shows why Con­gress needs to re­form a vague anti-hack­ing law. Auernheimer’s sup­port­ers claim that all he did was point out a se­cur­ity vul­ner­ab­il­ity and that he didn’t break any laws.

The court threw out the case on jur­is­dic­tion­al grounds — say­ing pro­sec­utors brought charges in the wrong state. The fight over what’s ac­tu­ally il­leg­al un­der the Com­puter Fraud and Ab­use Act will have to wait for an­oth­er day.

The ba­sic facts of Auernheimer’s case aren’t in dis­pute. In 2010, Daniel Spitler, Auernheimer’s co-de­fend­ant, no­ticed a flaw in AT&T’s ac­count re­gis­tra­tion sys­tem for iPads. A per­son could enter any iPad ID num­ber, and the AT&T sys­tem would auto­mat­ic­ally re­veal the cor­res­pond­ing email ad­dress of the iPad’s own­er.

Spitler wrote a script to auto­mat­ic­ally guess ID num­bers, and he was able to col­lect about 114,000 email ad­dresses, ac­cord­ing to court doc­u­ments. Auernheimer then emailed the in­form­a­tion to a Gawker re­port­er, who pub­lished an art­icle that de­tailed the flaw and in­cluded re­dac­ted email ad­dresses of a vari­ety of celebrit­ies and gov­ern­ment of­fi­cials.

The Justice De­part­ment brought charges against both men un­der the Com­puter Fraud and Ab­use Act, which makes it a felony to ac­cess a com­puter “without au­thor­iz­a­tion.” Spitler pled guilty and re­ceived three years of pro­ba­tion. A fed­er­al jury in New Jer­sey con­victed Auernheimer in 2012, and he was sen­tenced to 41 months in pris­on.

Pro­sec­utors ar­gued that Auernheimer knew what he was do­ing was il­leg­al and that he was only try­ing to pro­mote his own “se­cur­ity re­search” busi­ness.

But Auernheimer’s case at­trac­ted at­ten­tion from di­git­al free­dom act­iv­ists at groups such as the Elec­tron­ic Fron­ti­er Found­a­tion. His sup­port­ers ar­gue that guess­ing ID num­bers on a pub­lic site shouldn’t qual­i­fy as “hack­ing” and that his pro­sec­u­tion could dis­cour­age se­cur­ity re­search­ers from com­ing for­ward when they dis­cov­er vul­ner­ab­il­it­ies.

The Third Cir­cuit Court of Ap­peals threw out the con­vic­tion on Fri­day, say­ing pro­sec­utors should have filed the case in Arkan­sas, where Auernheimer lived, in­stead of New Jer­sey. Just be­cause some of the email ad­dress own­ers lived in New Jer­sey wasn’t enough to make it an ap­pro­pri­ate ven­ue, the court ruled.

“Al­though this ap­peal raises a num­ber of com­plex and nov­el is­sues that are of great pub­lic im­port­ance in our in­creas­ingly in­ter­con­nec­ted age, we find it ne­ces­sary to reach only one that has been fun­da­ment­al since our coun­try’s found­ing: ven­ue,” the court wrote.

Orin Kerr, a law pro­fess­or at George Wash­ing­ton Uni­versity who is rep­res­ent­ing Auernheimer, ar­gued that the is­sue of the right ven­ue for a case is not a tech­nic­al­ity.

“It’s an im­port­ant prin­ciple of lim­it­ing gov­ern­ment power,” he said. “Be­cause if the gov­ern­ment has uni­ver­sal ven­ue, then any of­fice can charge any de­fend­ant any­where in the coun­try.”

Al­though the judges did not base their rul­ing on the scope of the Com­puter Fraud and Ab­use Act, they hin­ted in a foot­note that they are skep­tic­al of the Justice De­part­ment’s claim that Auernheimer com­mit­ted any crime.

To have vi­ol­ated the law, Auernheimer would have to had cir­cum­vent a “code- or pass­word-based bar­ri­er to ac­cess,” the judges wrote.

“Al­though we need not re­solve wheth­er Auernheimer’s con­duct in­volved such a breach, no evid­ence was ad­vanced at tri­al that the ac­count slurp­er ever breached any pass­word gate or oth­er code-based bar­ri­er,” they wrote in the foot­note. “The ac­count slurp­er simply ac­cessed the pub­licly fa­cing por­tion of the lo­gin screen and scraped in­form­a­tion that AT&T un­in­ten­tion­ally pub­lished.”

It’s un­clear wheth­er the gov­ern­ment will re-file charges against Auernheimer in a dif­fer­ent court. Matt Re­illy, a spokes­man for the U.S. At­tor­ney’s Of­fice in New Jer­sey, said the gov­ern­ment is re­view­ing its op­tions in the case.

Kerr ar­gued that fa­cing an­oth­er tri­al would vi­ol­ate Auernheimer’s con­sti­tu­tion­al right to be pro­tec­ted from “double jeop­ardy.”

Kerr claimed that even if pro­sec­utors do bring the case again, the ap­peals court already “tipped its hand” that Auernheimer didn’t com­mit a crime. Lower courts gen­er­ally de­fer to the leg­al opin­ions of high­er ones.

Some law­makers want to nar­row the lan­guage of the Com­puter Fraud and Ab­use Act to pro­tect against pro­sec­utori­al over­reach. Rep. Zoe Lof­gren, a Cali­for­nia Demo­crat, in­tro­duced a re­form bill last year after Aaron Swartz, an In­ter­net act­iv­ist, com­mit­ted sui­cide while fa­cing hack­ing charges. But the le­gis­la­tion has gone nowhere in the House Ju­di­ciary Com­mit­tee.

Auernheimer might not be the best face for a polit­ic­al move­ment. He was fam­ous for mak­ing of­fens­ive com­ments on on­line for­ums and be­fore his sen­ten­cing, he wrote on dis­cus­sion site Red­dit that his only re­gret was no­ti­fy­ing AT&T of the is­sue. “I won’t nearly be as nice next time,” he warned.

What We're Following See More »
TRUMP CONTINUES TO LAWYER UP
Kasowitz Out, John Dowd In
2 days ago
THE LATEST

As the Russia investigation heats up, "the role of Marc E. Kasowitz, the president’s longtime New York lawyer, will be significantly reduced. Mr. Trump liked Mr. Kasowitz’s blunt, aggressive style, but he was not a natural fit in the delicate, politically charged criminal investigation. The veteran Washington defense lawyer John Dowd will take the lead in representing Mr. Trump for the Russia inquiry."

Source:
ALSO INQUIRES ABOUT PARDON POWER
Trump Looking to Discredit Mueller
2 days ago
THE LATEST

President Trump's attorneys are "actively compiling a list of Mueller’s alleged potential conflicts of interest, which they say could serve as a way to stymie his work." They plan to argued that Mueller is going outside the scope of his investigation, in inquiring into Trump's finances. They're also playing small ball, highlighting "donations to Democrats by some of" Mueller's team, and "an allegation that Mueller and Trump National Golf Club in Northern Virginia had a dispute over membership fees when Mueller resigned as a member in 2011." Trump is said to be incensed that Mueller may see his tax returns, and has been asking about his power to pardon his family members.

Source:
INCLUDES NY PROBE INTO MANAFORT
Why Yes, Mueller Is Looking into Trump Businesses
2 days ago
THE LATEST

In addition to ties between Russia and the Trump campaign, Robert Mueller's team is also "examining a broad range of transactions involving Trump’s businesses as well as those of his associates, according to a person familiar with the probe. FBI investigators and others are looking at Russian purchases of apartments in Trump buildings, Trump’s involvement in a controversial SoHo development in New York with Russian associates, the 2013 Miss Universe pageant in Moscow, and Trump’s sale of a Florida mansion to a Russian oligarch in 2008, the person said. The investigation also has absorbed a money-laundering probe begun by federal prosecutors in New York into Trump’s former campaign chairman Paul Manafort."

Source:
Mueller Expands Probe to Trump Business Transactions
2 days ago
THE DETAILS

Special Counsel Robert Mueller's team is "is examining a broad range of transactions involving Trump’s businesses as well as those of his associates", including "Russian purchases of apartments in Trump buildings, Trump’s involvement in a controversial SoHo development with Russian associates, the 2013 Miss Universe pageant in Moscow and Trump’s sale of a Florida mansion to a Russian oligarch in 2008."

Source:
ANALYSIS FROM CBO
32 Million More Uninsured by 2026 if Obamacare Repealed
2 days ago
THE LATEST

"A Senate bill to gut Obamacare would increase the number of uninsured people by 32 million and double premiums on Obamacare's exchanges by 2026, according to an analysis from the nonpartisan Congressional Budget Office. The analysis is of a bill that passed Congress in 2015 that would repeal Obamacare's taxes and some of the mandates. Republicans intend to leave Obamacare in place for two years while a replacement is crafted and implemented."

Source:
×
×

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.

Login