Three years ago, hacker Andrew Auernheimer embarrassed AT&T by exposing its questionable security practices. Specifically, Auernheimer publicly called out AT&T for posting the email addresses of iPad users online, without protecting the information via passwords. Auernheimer, better known as “Weev,” and another hacker, Daniel Spitler, figured out that AT&T had placed iPad users' email addresses on pages that could be called up by anyone who had the correct URLs. (The URLs all began with the same block of characters but went on to include particular iPads' serial numbers.)
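The design flaw the article describes, a page that returns account data for whatever device identifier appears in the URL with no login in front of it, is the pattern practitioners now call an insecure direct object reference. The following Python is an added example, not AT&T's code and not anything from the case; the function names, the device identifiers, the emails and the session table are all constructed for illustration. It shows the unauthenticated lookup beside a hardened version that requires an authenticated session and checks that the identifier belongs to the caller before returning anything.

```python
# Added example (not from the article or from AT&T): models the access-control
# flaw described above and a hardened replacement. All names and data are constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: device identifier -> account email address.
ACCOUNTS = {
    "DEV-0001": "alice@example.com",
    "DEV-0002": "bob@example.com",
}

# Constructed session table: session token -> (account email, device ids it owns).
SESSIONS = {
    "tok-alice": ("alice@example.com", {"DEV-0001"}),
}


@dataclass
class Response:
    status: int
    body: Optional[str] = None


def lookup_vulnerable(device_id: str) -> Response:
    """The flawed design: any caller who can form the URL gets the email.

    Nothing ties the identifier in the path to who is asking, so the whole
    table is exposed to anyone who can produce valid identifiers.
    """
    email = ACCOUNTS.get(device_id)
    if email is None:
        return Response(404)
    return Response(200, email)


def lookup_hardened(session_token: Optional[str], device_id: str) -> Response:
    """Hardened version: authenticate first, then authorize.

    1. Reject requests with no valid session (401).
    2. Only return data for devices bound to that session's account.
    3. Answer 'not yours' and 'does not exist' with the same status so the
       response never confirms which identifiers are valid.
    """
    if session_token is None or session_token not in SESSIONS:
        return Response(401)
    _owner_email, owned_devices = SESSIONS[session_token]
    if device_id not in owned_devices or device_id not in ACCOUNTS:
        return Response(404)  # no oracle distinguishing foreign ids from unknown ones
    return Response(200, ACCOUNTS[device_id])


if __name__ == "__main__":
    # Same identifier, two designs: the first answers anyone, the second
    # answers only the authenticated owner.
    print("vulnerable, no session:", lookup_vulnerable("DEV-0002"))
    print("hardened, no session:  ", lookup_hardened(None, "DEV-0002"))
    print("hardened, wrong owner: ", lookup_hardened("tok-alice", "DEV-0002"))
    print("hardened, owner:       ", lookup_hardened("tok-alice", "DEV-0001"))
```

The defensive point is the second function's ordering: authentication, then an ownership check keyed to the session rather than to anything the client supplies in the URL, and identical failure responses so the endpoint cannot be used to confirm which identifiers exist.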
After discovering that AT&T had left the data unsecured, Auernheimer and Spitler obtained around 114,000 e-mail addresses of iPad users, including New York Mayor Michael Bloomberg and former White House chief of staff Rahm Emanuel. Auernheimer sent the findings to Gawker, which reported on the security glitch.
AT&T was not amused. Neither were the federal authorities, who prosecuted Auernheimer for violating the Computer Fraud and Abuse Act by allegedly accessing AT&T's computer without authorization. Auernheimer also was prosecuted for identity theft, for sharing the email addresses with Gawker.
Auernheimer was convicted of both counts and sentenced to 41 months in prison. He was also ordered to pay AT&T $71,167 -- the amount of money the telecom spent notifying iPad users, via snail mail, that their email addresses had been discovered.
This week, Auernheimer's legal team filed an appeal with the Third Circuit Court of Appeals. Auernheimer's lawyers rightly argue that he didn't exceed his “authorized access” when the information he obtained was available to anyone with an Internet connection.

“The fundamental question in this case is whether it is a crime to visit a public website,” they write. “AT&T published the e-mail addresses of its customers on a public website ... Because AT&T chose to make the information available to the public, visiting the AT&T website to collect the e-mail addresses was authorized and legal.”
They also ask the appellate court to reject the idea that Auernheimer's guilt hinges on whether AT&T wanted the emails kept secret. “At trial, the government argued that using the program was unauthorized because AT&T did not approve of what Spitler and Auernheimer did... This argument misstates the law,” they argue. “Although AT&T did not wish that outsiders would collect the information, the law does not criminalize visiting a website in ways that owners find dissatisfying.”
Auernheimer himself is hardly a sympathetic defendant. He has a long history as an online troll, and has made some dumb comments about his case. The night before his sentencing, he posted the following statement on Reddit: “My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker. I won’t nearly be as nice next time.”
But, sympathetic or not, his conviction should be vacated. Allowing the verdict to stand poses a real threat to Web users -- not to mention independent security researchers, who often use methods similar to Auernheimer's in order to discover vulnerabilities.
“I have little respect for Weev, but we should all be terrified that guessing a URL can get you 3.5 years of jailtime,” tech entrepreneur Anil Dash tweeted the day Weev was sentenced.
Electronic Frontier Foundation attorney Hanni Fakhoury, who is among Auernheimer's lawyers, adds in a Wired op-ed that convicting someone of computer fraud for accessing public data “allows companies ... to dictate what is and isn’t criminal behavior, and to do so in arbitrary ways.”

He adds: “How’s a person surfing the internet supposed to know when they can or can’t view information if there’s no technical barrier to access? If Wired decided only people from the U.S. could read its otherwise publicly available Opinion pieces, and someone tries to access the site from the U.K., get ready for a prison jumpsuit.”