This Hacker Is Getting Out of Jail -- But Not For the Reason His Supporters Hoped

Andrew Auernheimer, better known by his online alias "Weev," who was charged with stealing thousands of email addresses from AT&T's servers.

A federal appeals court struck a blow on Friday against the Justice Department's campaign to crack down on computer hacking.

The Third Circuit Court of Appeals overturned the conviction of Andrew Auernheimer, better known by his online alias "Weev," who was charged with stealing thousands of email addresses from AT&T's servers.

His case became a rallying cry for Internet activists, who argue it is an example of prosecutorial overreach and shows why Congress needs to reform a vague anti-hacking law. Auernheimer's supporters claim that all he did was point out a security vulnerability and that he didn't break any laws.

The court threw out the case on jurisdictional grounds—saying prosecutors brought charges in the wrong state. The fight over what's actually illegal under the Computer Fraud and Abuse Act will have to wait for another day.

The basic facts of Auernheimer's case aren't in dispute. In 2010, Daniel Spitler, Auernheimer's co-defendant, noticed a flaw in AT&T's account registration system for iPads. A person could enter any iPad ID number, and the AT&T system would automatically reveal the corresponding email address of the iPad's owner.

Spitler wrote a script to automatically guess ID numbers, and he was able to collect about 114,000 email addresses, according to court documents. Auernheimer then emailed the information to a Gawker reporter, who published an article that detailed the flaw and included redacted email addresses of a variety of celebrities and government officials.

The Justice Department brought charges against both men under the Computer Fraud and Abuse Act, which makes it a felony to access a computer "without authorization." Spitler pled guilty and received three years of probation. A federal jury in New Jersey convicted Auernheimer in 2012, and he was sentenced to 41 months in prison.

Prosecutors argued that Auernheimer knew what he was doing was illegal and that he was only trying to promote his own "security research" business.

But Auernheimer's case attracted attention from digital freedom activists at groups such as the Electronic Frontier Foundation. His supporters argue that guessing ID numbers on a public site shouldn't qualify as "hacking" and that his prosecution could discourage security researchers from coming forward when they discover vulnerabilities.

The Third Circuit Court of Appeals threw out the conviction on Friday, saying prosecutors should have filed the case in Arkansas, where Auernheimer lived, instead of New Jersey. Just because some of the email address owners lived in New Jersey wasn't enough to make it an appropriate venue, the court ruled.

"Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue," the court wrote.

Orin Kerr, a law professor at George Washington University who is representing Auernheimer, argued that the issue of the right venue for a case is not a technicality.

"It's an important principle of limiting government power," he said. "Because if the government has universal venue, then any office can charge any defendant anywhere in the country."

Although the judges did not base their ruling on the scope of the Computer Fraud and Abuse Act, they hinted in a footnote that they are skeptical of the Justice Department's claim that Auernheimer committed any crime.

To have violated the law, Auernheimer would have had to circumvent a "code- or password-based barrier to access," the judges wrote.

"Although we need not resolve whether Auernheimer's conduct involved such a breach, no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier," they wrote in the footnote. "The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published."

It's unclear whether the government will re-file charges against Auernheimer in a different court. Matt Reilly, a spokesman for the U.S. Attorney's Office in New Jersey, said the government is reviewing its options in the case.

Kerr argued that facing another trial would violate Auernheimer's constitutional right to be protected from "double jeopardy."

Kerr claimed that even if prosecutors do bring the case again, the appeals court already "tipped its hand" that Auernheimer didn't commit a crime. Lower courts generally defer to the legal opinions of higher ones.

Some lawmakers want to narrow the language of the Computer Fraud and Abuse Act to protect against prosecutorial overreach. Rep. Zoe Lofgren, a California Democrat, introduced a reform bill last year after Aaron Swartz, an Internet activist, committed suicide while facing hacking charges. But the legislation has gone nowhere in the House Judiciary Committee.

Auernheimer might not be the best face for a political movement. He was famous for making offensive comments on online forums, and before his sentencing he wrote on discussion site Reddit that his only regret was notifying AT&T of the issue. "I won't nearly be as nice next time," he warned.

(Image via Flickr user pinguino k)
