This Hacker Is Getting Out of Jail — But Not For the Reason His Supporters Hoped

Prosecutors claim “Weev” stole thousands of email addresses from iPad users

Andrew Auernheimer
National Journal
Brendan Sasso
April 11, 2014, 1:54 p.m.

A fed­er­al ap­peals court struck a blow on Fri­day against the Justice De­part­ment’s cam­paign to crack down on com­puter hack­ing.

The Third Cir­cuit Court of Ap­peals over­turned the con­vic­tion of An­drew Auernheimer, bet­ter known by his on­line ali­as “Weev,” who was charged with steal­ing thou­sands of email ad­dresses from AT&T’s serv­ers.

His case be­came a ral­ly­ing cry for In­ter­net act­iv­ists, who ar­gue it is an ex­ample of pro­sec­utori­al over­reach and shows why Con­gress needs to re­form a vague anti-hack­ing law. Auernheimer’s sup­port­ers claim that all he did was point out a se­cur­ity vul­ner­ab­il­ity and that he didn’t break any laws.

The court threw out the case on jur­is­dic­tion­al grounds — say­ing pro­sec­utors brought charges in the wrong state. The fight over what’s ac­tu­ally il­leg­al un­der the Com­puter Fraud and Ab­use Act will have to wait for an­oth­er day.

The ba­sic facts of Auernheimer’s case aren’t in dis­pute. In 2010, Daniel Spitler, Auernheimer’s co-de­fend­ant, no­ticed a flaw in AT&T’s ac­count re­gis­tra­tion sys­tem for iPads. A per­son could enter any iPad ID num­ber, and the AT&T sys­tem would auto­mat­ic­ally re­veal the cor­res­pond­ing email ad­dress of the iPad’s own­er.

Spitler wrote a script to auto­mat­ic­ally guess ID num­bers, and he was able to col­lect about 114,000 email ad­dresses, ac­cord­ing to court doc­u­ments. Auernheimer then emailed the in­form­a­tion to a Gawker re­port­er, who pub­lished an art­icle that de­tailed the flaw and in­cluded re­dac­ted email ad­dresses of a vari­ety of celebrit­ies and gov­ern­ment of­fi­cials.

The Justice De­part­ment brought charges against both men un­der the Com­puter Fraud and Ab­use Act, which makes it a felony to ac­cess a com­puter “without au­thor­iz­a­tion.” Spitler pled guilty and re­ceived three years of pro­ba­tion. A fed­er­al jury in New Jer­sey con­victed Auernheimer in 2012, and he was sen­tenced to 41 months in pris­on.

Pro­sec­utors ar­gued that Auernheimer knew what he was do­ing was il­leg­al and that he was only try­ing to pro­mote his own “se­cur­ity re­search” busi­ness.

But Auernheimer’s case at­trac­ted at­ten­tion from di­git­al free­dom act­iv­ists at groups such as the Elec­tron­ic Fron­ti­er Found­a­tion. His sup­port­ers ar­gue that guess­ing ID num­bers on a pub­lic site shouldn’t qual­i­fy as “hack­ing” and that his pro­sec­u­tion could dis­cour­age se­cur­ity re­search­ers from com­ing for­ward when they dis­cov­er vul­ner­ab­il­it­ies.

The Third Cir­cuit Court of Ap­peals threw out the con­vic­tion on Fri­day, say­ing pro­sec­utors should have filed the case in Arkan­sas, where Auernheimer lived, in­stead of New Jer­sey. Just be­cause some of the email ad­dress own­ers lived in New Jer­sey wasn’t enough to make it an ap­pro­pri­ate ven­ue, the court ruled.

“Al­though this ap­peal raises a num­ber of com­plex and nov­el is­sues that are of great pub­lic im­port­ance in our in­creas­ingly in­ter­con­nec­ted age, we find it ne­ces­sary to reach only one that has been fun­da­ment­al since our coun­try’s found­ing: ven­ue,” the court wrote.

Orin Kerr, a law pro­fess­or at George Wash­ing­ton Uni­versity who is rep­res­ent­ing Auernheimer, ar­gued that the is­sue of the right ven­ue for a case is not a tech­nic­al­ity.

“It’s an im­port­ant prin­ciple of lim­it­ing gov­ern­ment power,” he said. “Be­cause if the gov­ern­ment has uni­ver­sal ven­ue, then any of­fice can charge any de­fend­ant any­where in the coun­try.”

Al­though the judges did not base their rul­ing on the scope of the Com­puter Fraud and Ab­use Act, they hin­ted in a foot­note that they are skep­tic­al of the Justice De­part­ment’s claim that Auernheimer com­mit­ted any crime.

To have vi­ol­ated the law, Auernheimer would have to had cir­cum­vent a “code- or pass­word-based bar­ri­er to ac­cess,” the judges wrote.

“Al­though we need not re­solve wheth­er Auernheimer’s con­duct in­volved such a breach, no evid­ence was ad­vanced at tri­al that the ac­count slurp­er ever breached any pass­word gate or oth­er code-based bar­ri­er,” they wrote in the foot­note. “The ac­count slurp­er simply ac­cessed the pub­licly fa­cing por­tion of the lo­gin screen and scraped in­form­a­tion that AT&T un­in­ten­tion­ally pub­lished.”

It’s un­clear wheth­er the gov­ern­ment will re-file charges against Auernheimer in a dif­fer­ent court. Matt Re­illy, a spokes­man for the U.S. At­tor­ney’s Of­fice in New Jer­sey, said the gov­ern­ment is re­view­ing its op­tions in the case.

Kerr ar­gued that fa­cing an­oth­er tri­al would vi­ol­ate Auernheimer’s con­sti­tu­tion­al right to be pro­tec­ted from “double jeop­ardy.”

Kerr claimed that even if pro­sec­utors do bring the case again, the ap­peals court already “tipped its hand” that Auernheimer didn’t com­mit a crime. Lower courts gen­er­ally de­fer to the leg­al opin­ions of high­er ones.

Some law­makers want to nar­row the lan­guage of the Com­puter Fraud and Ab­use Act to pro­tect against pro­sec­utori­al over­reach. Rep. Zoe Lof­gren, a Cali­for­nia Demo­crat, in­tro­duced a re­form bill last year after Aaron Swartz, an In­ter­net act­iv­ist, com­mit­ted sui­cide while fa­cing hack­ing charges. But the le­gis­la­tion has gone nowhere in the House Ju­di­ciary Com­mit­tee.

Auernheimer might not be the best face for a polit­ic­al move­ment. He was fam­ous for mak­ing of­fens­ive com­ments on on­line for­ums and be­fore his sen­ten­cing, he wrote on dis­cus­sion site Red­dit that his only re­gret was no­ti­fy­ing AT&T of the is­sue. “I won’t nearly be as nice next time,” he warned.

What We're Following See More »
IF HE’LL JUST LISTEN…
Many GOPers Still Think Trump Can Be Brought to Heel
16 minutes ago
THE DETAILS
INCLUDING CLINTON
Trump Finance Guru Has History of Contributing to Dems
1 hours ago
WHY WE CARE

"Like Donald Trump himself, the Trump campaign’s new national finance chairman has a long history of contributing to Democrats—including Hillary Clinton. Private investor Steven Mnuchin, Trump’s new campaign fundraising guru, has contributed more than $120,000" to candidates since 1995, about half of which has gone to Democrats.

Source:
AT LEAST NOT YET
Paul Ryan Can’t Get Behind Trump
18 hours ago
THE LATEST

Paul Ryan told CNN today he's "not ready" to back Donald Trump at this time. "I'm not there right now," he said. Ryan said Trump needs to unify "all wings of the Republican Party and the conservative movement" and then run a campaign that will allow Americans to "have something that they're proud to support and proud to be a part of. And we've got a ways to go from here to there."

Source:
STAFF PICKS
Trump Roadmapped His Candidacy in 2000
19 hours ago
WHY WE CARE

The Daily Beast has unearthed a piece that Donald Trump wrote for Gear magazine in 2000, which anticipates his 2016 sales pitch quite well. "Perhaps it's time for a dealmaker who can get the leaders of Congress to the table, forge consensus, and strike compromise," he writes. Oddly, he opens by defending his reputation as a womanizer: "The hypocrites argue that a man who loves and appreciates beautiful women (and does so legally and openly) shouldn't become a national leader? Is there something wrong with appreciating beautiful women? Don't we want people in public office who show signs of life?"

Source:
‘NO MORAL OR ETHICAL GROUNDING’
Sen. Murphy: Trump Shouldn’t Get Classified Briefigs
19 hours ago
THE LATEST
×