GoatSec iPad Hacking Case Underway, Ruling Could Address Ancient Computer Law

Editor’s note: Ansel Halliburton is a lawyer at ComputerLaw Group, a boutique law firm in Palo Alto specializing in intellectual property litigation and entrepreneurship.

In the summer of 2010, a group called Goatse Security (or GoatSec) discovered a security hole in an AT&T website catering to users of the recently launched iPad with 3G connectivity. Depending on who you ask, GoatSec is either composed of trolls in it for the lulz or grey-hat hackers.

GoatSec found that when a user visited the site from an iPad, the user’s email address was pre-populated. AT&T accomplished this by using a unique number associated with the hardware in each 3G iPad, called an ICC-ID. If the website received a valid ICC-ID, it would serve a login page with an iPad owner’s email address pre-filled. This meant that if GoatSec could guess valid ICC-IDs, the website would leak email addresses of 3G iPad owners. GoatSec wrote an “account slurper” script that tried thousands of possible ICC-ID numbers and recorded the email addresses the website leaked — ultimately getting more than 100,000 of them.
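From the website operator's side, this pattern is visible in access logs: a genuine iPad only ever presents its own identifier, so one client submitting many different ones stands out. The sketch below is an example added here, not code from AT&T, GoatSec or the case record; the log format, the `/prefill` path, the `iccid` parameter and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format and endpoint: the article gives no URL or parameter names.
LINE = re.compile(r'^(\S+) (\S+) "GET /prefill\?iccid=(\d+)" \d{3}$')

def find_enumerators(lines, max_distinct=3, window=timedelta(minutes=10)):
    """Return {client: peak count of distinct identifiers within one window}
    for every client that exceeded max_distinct. Lines must be in time order."""
    recent = defaultdict(deque)          # client -> (timestamp, identifier) pairs
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                     # ignore lines for other endpoints
        ts = datetime.fromisoformat(m.group(1))
        client, iccid = m.group(2), m.group(3)
        q = recent[client]
        q.append((ts, iccid))
        while ts - q[0][0] > window:     # drop requests older than the window
            q.popleft()
        distinct = len({ident for _, ident in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

# Constructed sample data: placeholder 20-digit numbers and documentation IP ranges.
BASE = 89000000000000000000
SAMPLE_LOG = (
    # one client walking through consecutive identifiers, one request per second
    [f'2000-01-01T10:00:{s:02d} 198.51.100.7 "GET /prefill?iccid={BASE + s}" 200'
     for s in range(6)]
    # one client reloading the page with the same identifier, as a real device would
    + [f'2000-01-01T10:0{m}:00 203.0.113.20 "GET /prefill?iccid={BASE + 500}" 200'
       for m in range(3)]
)

if __name__ == "__main__":
    for client, peak in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {peak} distinct identifiers in one window")
```

A check like this only detects the guessing; the underlying fix is not to return personal data keyed on a guessable identifier alone, which is what AT&T did when it disabled the pre-fill.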

After talking about what to do with the vulnerability and the list of email addresses, GoatSec eventually decided to take it to the media, as they had done with other vulnerabilities they’d discovered in the past. Gawker published the story on June 9, 2010, along with blacked-out snapshots of the list of email addresses. The next day, GoatSec’s members agreed to delete their copies of the email address list. The full list never leaked to the public. Gawker got a lot of traffic, the press went nuts briefly, AT&T issued a lame apology for its lame vulnerability and disabled the pre-filling “feature,” and the FBI started an investigation.

Auernheimer’s Prosecution

That investigation bore fruit after just a few months. In January 2011, the government filed a case in New Jersey federal court against two GoatSec members, Andrew Auernheimer (aka “weev”) and Daniel Spitler (aka “JacksonBrown”). Spitler was arrested in California and Auernheimer was arrested in Arkansas, at which point the case was unsealed. Auernheimer was charged with two crimes: conspiracy to access a computer without authorization (i.e. conspiracy to violate the Computer Fraud and Abuse Act) and fraud in connection with personal information. It’s worth noting here that the first charge is merely for conspiracy to violate the CFAA — which, perhaps, signals weakness in the government’s case.

In June 2011, Spitler reached a plea deal with the government. Spitler pled guilty and agreed to cooperate in the remaining case against Auernheimer.

Since then, there has been little news about the case. Auernheimer’s new lawyer, Tor Ekeland, filed a motion to dismiss the case this September, which U.S. District Judge Susan Wigenton denied, issuing a 12-page opinion on October 26.

After a delay because of Hurricane Sandy, Auernheimer’s trial began last Tuesday, November 13. The government rested its case on Wednesday, and the defense then began to present its case. Mr. Ekeland said he expects to wrap up Monday or Tuesday, at which point the case will go to the jury. Because of the approaching Thanksgiving holiday, the jury will be motivated to work quickly, so a verdict could well come down next week.

The CFAA And Auernheimer’s Path To The Supreme Court

When it passed the Computer Fraud and Abuse Act of 1986, Congress intended to crack down on computer hacking. In 1986, hacking typically required dialing into a single computer with a modem at 1200 bits per second; Tim Berners-Lee wouldn’t invent HTTP and the web for several more years. Today, you might read this article on a pocket computer that connected to the global Internet at several million bits per second.

But the CFAA’s advanced vintage isn’t its only problem. It also fails to define some key terms, and its scope is, for many, far too broad. Auernheimer, for example, is charged with participating in a conspiracy to violate the CFAA by “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing]…information from [a] protected computer.” But what exactly does that mean?

The language comes from 18 U.S.C. § 1030, which defines “protected computer” broadly as either a government or bank computer, or as any computer “which is used in or affecting interstate or foreign commerce or communication.” Maybe that worked in 1986 when not that many computers were networked in interstate commerce (remember, Congress wrote this law pre-Internet) but in 2012, it covers almost anything with a microprocessor.

Auernheimer’s bigger problem, and perhaps his best shot on appeal, is that the CFAA doesn’t define at all what “access[ing] a computer without authorization” means. Was GoatSec “without authorization” to send guessed ICC-IDs to the login page of AT&T’s server, which it made available openly on the Internet? An important fact in the case is that GoatSec’s slurper script never entered anything into the password field of the login page; it just collected the emails the page offered up to it. Who decides who is “without authorization”? The government? The website operator? How do you know the website operator deems you to be “without authorization”? The CFAA gives no answers.

This isn’t a new argument. Orin Kerr, a law professor at George Washington University, made it in an academic paper in 2003. Auernheimer’s lawyer also made it in his motion to dismiss. Judge Wigenton disagreed, which is why the case went to trial. But if the jury finds Auernheimer guilty, this will almost certainly be the core of his argument at the Third Circuit.

There is also a real possibility the case could go all the way to the Supreme Court. This April, the Ninth Circuit adopted a narrow interpretation of “exceeds authorized access,” which the Fourth Circuit joined in July. The Eleventh, Fifth, and Seventh Circuits have taken a much broader view. Auernheimer will likely force the Third to be the sixth circuit to take a position. This kind of circuit split in interpreting a federal law is one of the main reasons the Supreme Court decides to take cases.

Will Another Shoe Drop?

Taking a page from WikiLeaks, shortly after the arrests in January 2011, GoatSec posted an encrypted 132-megabyte “insurance file” and threatened to release the keys if Auernheimer and Spitler were both convicted. Spitler already pled guilty, so if Auernheimer is convicted, GoatSec’s remaining members might release the keys soon. Whether they will actually do it, and what the file actually contains, are both unknown — although they say it’s unrelated to the iPad hack. On the other hand, after potentially seeing two of their compatriots go to federal prison, they might decide they’d rather not draw any more attention.