This week, a coalition of security experts weighed in on Auernheimer's behalf, arguing that not only is he innocent, but that he performed a public service by bringing AT&T's privacy glitch to light. “Auernheimer’s 'crime' was to discover that a public corporation was giving anyone access to private consumer information,” the security experts argue in their papers, filed with the Third Circuit Court of Appeals. “The court should not condone the metaphorical shooting of a messenger who acted for the safety and security of all.”
Auernheimer came to AT&T's attention when he disclosed that the company had posted the email addresses of iPad users online, on sites that lacked password-protection. Auernheimer and another hacker, Daniel Spitler, figured out pages with iPad users' email addresses could be called up by anyone who had the correct URLs. Those URLs all began with the same block of characters but went on to include particular iPads' serial numbers.
Auernheimer went about gathering 114,000 e-mail addresses, including those of figures like New York Mayor Michael Bloomberg and former White House chief of staff Rahm Emanuel, and sent his findings to Gawker. The Web site then publicly reported on the security glitch.
The federal government subsequently prosecuted Auernheimer for violating the Computer Fraud and Abuse Act by allegedly accessing AT&T's computer without authorization. Auernheimer also was prosecuted for identity theft, for sharing the email addresses with Gawker.
Auernheimer was convicted of both counts and sentenced to 41 months in prison. He was also ordered to pay AT&T $71,167 -- the amount of money AT&T spent to notify iPad users, via snail mail, that their email addresses had been discovered.
The security researchers argue in their brief that Auernheimer didn't do anything wrong by visiting the Web sites where AT&T had left the information. “It is crucial to realize that AT&T gave the webserver its instructions: they explicitly told it to respond with consumers’ private information to anyone who gave the server a valid number,” the security researchers argue. “With this action, AT&T deliberately made the information public to anyone who asked, set no limits whatsoever on who could ask or how often, and required no verification before handing out ostensibly private information to all comers.”
The friend-of-the-court brief also points out that sharing the email addresses with Gawker was a legitimate way to expose AT&T's poor practices. “AT&T was improperly safeguarding the personal information of hundreds of thousands of consumers. When Mr. Auernheimer discovered this fact, he publicized it, in precisely the same way that Consumers Union, publisher of Consumer Reports, does with each consumer-safety violation that it uncovers: he made it available to the press.”
The federal authorities are expected to file a response later this month.