Andrew “Weev” Auernheimer.
Image: pinguino/Flickr
A hacker sentenced to three and a half years in prison for obtaining
the personal data of more than 100,000 iPad owners from AT&T’s
unsecured website is about to go free, after a ruling today that
prosecutors were wrong to charge him in a state where none of his
alleged crimes occurred.
Andrew “Weev” Auernheimer was in Arkansas during the time of the
hack, his alleged co-conspirator was in California, and the servers that
they accessed were physically located in Dallas, Texas and Atlanta,
Georgia. Prosecutors therefore had no justification for bringing the
case against Auernheimer in New Jersey, a federal appeals panel ruled
this morning.
The appeal was closely watched in cyber law and civil liberties
circles, and Auernheimer had a powerhouse legal team that handled his
case pro bono.
“Venue in criminal cases is more than a technicality; it involves
‘matters that touch closely the fair administration of criminal justice
and public confidence in it,’”
the judges wrote in their opinion
(.pdf). “This is especially true of computer crimes in the era of mass
interconnectivity. Because we conclude that venue did not lie in New
Jersey, we will reverse the District Court’s venue determination and
vacate Auernheimer’s conviction.”
Because the conviction was vacated on venue grounds alone, the larger
issue raised by Auernheimer's appeal attorneys, that the Computer Fraud
and Abuse Act under which he was convicted was wrongly applied, may
never be addressed.
It’s unclear if federal prosecutors in another state will attempt to try him again in a different venue.
Auernheimer, of Fayetteville, Arkansas, was found guilty in New
Jersey in 2012 of one count of identity fraud and one count of
conspiracy to access a computer without authorization.
He and Daniel Spitler, 26, of San Francisco, California, were charged
after the two discovered a hole in AT&T’s website in 2010 that
allowed anyone to obtain the email address and ICC-ID of iPad users. The
ICC-ID is a unique identifier that’s used to authenticate the SIM card
in a customer’s iPad to AT&T’s network.
AT&T provided internet access for some iPad owners through its 3G
wireless network, but customers had to provide AT&T with personal
data when opening their accounts, including their email address.
AT&T linked the user’s email address to the ICC-ID, and each time
the user accessed the AT&T website, the site recognized the ICC-ID
and displayed the user’s email address.
Auernheimer and Spitler discovered that the site would leak email
addresses to anyone who provided it with an ICC-ID. So the two wrote a
script, which they dubbed the “iPad 3G Account Slurper,” to mimic the
behavior of numerous iPads contacting the website in order to harvest
the email addresses of iPad users.
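As an added defender's example (not code from the article, AT&T, or Goatse Security), the Python below flags a client that looks up many distinct or sequential ICC-IDs in constructed web-server access logs, the traffic pattern a harvesting script like the one described would produce and a single iPad would not; the /iccid/login path and ICCID parameter name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Apache-style access-log lines (not from the article or
# from AT&T); the /iccid/login path and ICCID parameter name are assumptions.
# A real iPad presents one ICC-ID; a harvesting script walks through many.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2010:12:00:01 +0000] "GET /iccid/login?ICCID=89014104211111111111 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2010:12:00:02 +0000] "GET /iccid/login?ICCID=89014104211111111112 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2010:12:00:02 +0000] "GET /iccid/login?ICCID=89014104211111111113 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2010:12:00:03 +0000] "GET /iccid/login?ICCID=89014104211111111114 HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2010:12:00:03 +0000] "GET /iccid/login?ICCID=89014104215555555555 HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2010:12:05:10 +0000] "GET /iccid/login?ICCID=89014104215555555555 HTTP/1.1" 200 512
"""

# Client IP, then the ICCID query parameter (ICC-IDs are 19 or 20 digits).
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"GET \S*[?&]ICCID=(?P<iccid>\d{19,20})[ &]')

def iccids_by_client(log_text):
    """Map each client IP to the ordered list of distinct ICC-IDs it looked up."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated request or malformed line
        ip, iccid = m.group("ip"), m.group("iccid")
        if iccid not in seen[ip]:
            seen[ip].append(iccid)
    return seen

def sequential_pairs(iccids):
    """Count consecutive lookups whose ICC-IDs differ by exactly one (range walking)."""
    nums = [int(x) for x in iccids]
    return sum(1 for a, b in zip(nums, nums[1:]) if abs(b - a) == 1)

def find_enumerators(log_text, max_distinct=2, max_sequential=1):
    """Return {ip: (distinct_count, sequential_count)} for clients over either
    threshold; a genuine iPad stays at one ICC-ID and zero sequential pairs."""
    flagged = {}
    for ip, iccids in iccids_by_client(log_text).items():
        seq = sequential_pairs(iccids)
        if len(iccids) > max_distinct or seq > max_sequential:
            flagged[ip] = (len(iccids), seq)
    return flagged

if __name__ == "__main__":
    for ip, (distinct, seq) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {distinct} distinct ICC-IDs, {seq} sequential steps")
```

The thresholds are deliberately low for the six-line sample; on production logs they would be tuned per time window, and the same per-client counting applies to any endpoint that returns account data keyed on a client-supplied identifier.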
According to authorities, they obtained the ICC-ID and email address
for about 120,000 iPad users, including dozens of elite iPad early
adopters such as New York Mayor Michael Bloomberg, then-White House
Chief of Staff Rahm Emanuel, anchorwoman Diane Sawyer of ABC News, as
well as dozens of people at NASA, the Justice Department, the Defense
Department, the Department of Homeland Security and other government
offices.
The two contacted the Gawker website to report the hole, a practice
often followed by security researchers to call public attention to
security vulnerabilities that affect the public, and provided the
website with harvested data as proof of the vulnerability. Gawker
reported at the time that the vulnerability was discovered by a group
calling itself Goatse Security.
AT&T maintained that the two did not contact it directly about
the vulnerability and that the company learned about the problem only
from a “business customer.”
Auernheimer later sent an email to the U.S. attorney’s office in New Jersey, blaming AT&T for exposing customer data.
“AT&T needs to be held accountable for their insecure
infrastructure as a public utility and we must defend the rights of
consumers, over the rights of shareholders,” he wrote, according to
prosecutors. “I advise you to discuss this matter with your family, your
friends, victims of crimes you have prosecuted, and your teachers for
they are the people who would have been harmed had AT&T been allowed
to silently bury their negligent endangerment of United States
infrastructure.”
Following his conviction in November 2012, Auernheimer tweeted to
supporters that he had expected the guilty verdict but planned to
appeal.
Auernheimer’s appeal was argued by Orin Kerr, a law professor at
Georgetown University. Kerr had argued the appeal primarily on grounds
that the CFAA was incorrectly applied in this case — since the
information Auernheimer and Spitler obtained was made publicly available
on the site by AT&T — and that even if Auernheimer was guilty of
exceeding authorized access on the AT&T web site, he should have
been convicted of a misdemeanor, not a felony.
“In the government’s view, visiting the URLs was an unauthorized
access of AT&T’s website. But I think that’s wrong. At bottom, the
conduct here was visiting a public website,” Kerr noted in the appeal.
“The fact that AT&T would not have wanted Spitler to visit those
particular URLs doesn’t make visiting the public website and collecting
the information a criminal unauthorized access. If you make information
available to the public with the hope that only some people would bother
to look, it’s not a crime for other people to see what you make
available to them.”
But Kerr had little chance to argue the finer points of his case
during the appeal, when judges interrupted him to focus on the venue
issue.
Ultimately, it was that simpler issue that got Auernheimer’s case vacated.
The judges noted in their ruling that Auernheimer had tried to get
the initial charges dismissed when he was first indicted — on grounds
that the CFAA was inappropriately applied and on grounds that the venue
was incorrect — but his motion was denied by a U.S. District Court.
The district judge had held that venue was proper because
Auernheimer’s disclosure of the email addresses of about 4,500 New
Jersey residents affected these victims in New Jersey and violated New
Jersey law.
Auernheimer’s defense attorney had broached the venue issue again
near the end of his trial when he asked the judge to instruct the jury
on the venue issue, but the judge declined, saying that prosecutors had
adequately argued that New Jersey was the correct venue.
In their ruling to vacate, the appeals court judges acknowledged that
there were other pressing issues in the case, but emphasized the
importance of proper venue.
“The founders were so concerned with the location of a criminal trial
that they placed the venue requirement … in the Constitution in two
places,” the judges wrote. “They did so for good reason. A defendant who
has been convicted ‘in a distant, remote, or unfriendly forum solely at
the prosecutor’s whim,’… has had his substantial rights compromised.
“Auernheimer was hauled over a thousand miles from Fayetteville,
Arkansas to New Jersey,” they continued. “Certainly if he had directed
his criminal activity toward New Jersey to the extent that either he or
his co-conspirator committed an act in furtherance of their conspiracy
there, or performed one of the essential conduct elements of the charged
offenses there, he would have no grounds to complain about his
uprooting. But that was not what was alleged or what happened. While we
are not prepared today to hold that an error of venue never could be
harmless, we do not need to because the improper venue here — far from
where he performed any of his allegedly criminal acts — denied
Auernheimer’s substantial right to be tried in the place where his
alleged crime was committed