max lols —

Internet troll “weev” appeals 41-month sentence for AT&T/iPad hack

The EFF and law professor Orin Kerr join forces to reverse a federal conviction.

Yesterday, the EFF filed a formal appeal with the Third Circuit US Court of Appeals to overturn the conviction of Andrew “weev” Auernheimer, who is currently serving a 41-month sentence at Allenwood Low Federal Correctional Institute in White Deer, Pennsylvania.

Auernheimer, a hacker and self-described Internet troll, was sentenced in March. The court found him guilty of encouraging his co-defendant, Daniel Spitler, to collect about 114,000 e-mail addresses through a security vulnerability on AT&T's servers. The two defendants found that AT&T was running a script that would return an iPad user's e-mail address if the iPad's ICC-ID was entered into a URL that AT&T was using to auto-populate its website with account holders' addresses for easy log-in. Because ICC-IDs come in a predictable range, Spitler was able to gather these e-mail addresses en masse using a program he wrote called the “account slurper.” Auernheimer then disclosed the information that Spitler obtained to Gawker. As a result, he was charged with identity theft and with felony hacking under the Computer Fraud and Abuse Act (CFAA).
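From the defender's side, bulk lookups over a predictable identifier range leave a recognizable pattern in access logs. The sketch below is an added example, not code from the article or from AT&T; the `/lookup` path, the `iccid` parameter, the log format, the thresholds, and every log line are constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical log format: '<client-ip> "GET /lookup?iccid=<digits> HTTP/1.1" <status>'
LINE_RE = re.compile(r'^(\S+) "GET /lookup\?iccid=(\d{19,20}) ')

def find_enumerators(lines, min_distinct=20, max_gap=10, min_ratio=0.8):
    """Flag clients that look up many distinct, closely spaced ICC-IDs.

    A legitimate device asks about its own ICC-ID; a shared proxy may ask
    about many unrelated ones. A client walking a range shows many distinct
    values whose sorted neighbours sit only a few steps apart.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # Drop the trailing check digit so consecutive IDs are adjacent.
            seen[m.group(1)].add(int(m.group(2)[:-1]))
    flagged = {}
    for ip, bodies in seen.items():
        if len(bodies) < min_distinct:
            continue
        ordered = sorted(bodies)
        close = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a <= max_gap)
        ratio = close / max(len(ordered) - 1, 1)
        if ratio >= min_ratio:
            flagged[ip] = (len(ordered), round(ratio, 2))
    return flagged

def build_sample_log():
    """Constructed sample data (documentation IP ranges, made-up ICC-IDs)."""
    fmt = '{} "GET /lookup?iccid={}0 HTTP/1.1" 200'  # '0' = placeholder check digit
    lines = []
    for i in range(50):    # one client stepping through a contiguous range
        lines.append(fmt.format("203.0.113.7", 890000000000001000 + i))
    for _ in range(30):    # one device repeatedly looking up its own ID
        lines.append(fmt.format("198.51.100.20", 890000000004417230))
    for i in range(25):    # shared proxy: many distinct but scattered IDs
        lines.append(fmt.format("198.51.100.99", 890000000000000000 + i * 7919003))
    return lines

if __name__ == "__main__":
    for ip, (count, ratio) in find_enumerators(build_sample_log()).items():
        print(f"{ip}: {count} distinct ICC-IDs, {ratio:.0%} closely spaced")
```

Detection of this kind only limits the damage; the underlying fix is for the endpoint to return account data only to an authenticated session that owns the identifier.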

Spitler entered into a plea agreement and has not been sentenced.

In the appeal, the lawyers representing Auernheimer took issue with sentencing the hacker for gathering data that was unprotected by AT&T. “First, Auernheimer’s conviction on Count 1 must be overturned because visiting a publicly available website is not unauthorized access under the Computer Fraud and Abuse Act... AT&T chose not to employ passwords or any other protective measures to control access to the e-mail addresses of its customers.”

The appeal also makes reference to some of the unflattering chat logs that the prosecution presented to the court in November to discredit Auernheimer's motives. “It is irrelevant that AT&T subjectively wished that outsiders would not stumble across the data or that Auernheimer hyperbolically characterized the access as a 'theft.' The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information.”

The CFAA, which was enacted in 1986, has been at the center of debate since the death of Aaron Swartz, who was charged under the same law. There has been some momentum in Congress to reform the law, and the success or failure of this appeal may prove instructive as to how the CFAA will be applied in the future.
