DOJ Asks Court To Uphold Hacker's Conviction For Exposing Security Glitch
He is appealing his conviction, arguing that he didn't commit computer fraud by visiting publicly available Web sites and retrieving the information that AT&T had unwittingly made accessible. The computer fraud law makes it a crime to exceed “authorized access” to a Web site.
Auernheimer argues to the 3rd Circuit Court of Appeals that he couldn't have exceeded authorized access by visiting sites that anyone with a Web connection could also have visited -- without needing passwords. The URLs for those sites all began with the same block of characters but went on to include particular iPads' serial numbers.
Outsiders, including a coalition of security experts, browser company Mozilla, Harvard's Berkman Center and the National Association of Criminal Defense Attorneys, are backing his appeal.
Not surprisingly, the government disagrees that the conviction should be reversed. The government's main argument: The email addresses were not publicly available because accessing the site was technologically complicated. Auernheimer was only able to get the information because an alleged conspirator figured out where AT&T stored iPad data. The government says that most Web users would never have puzzled that out for themselves.
“If an ordinary, but reasonably sophisticated computer user, like a typical judicial law clerk, had been assigned the task of compiling a list of e-mail addresses of iPad users available on AT&T’s servers, he almost certainly would not have been able to,” the government argues in one of the key passages of its 100-plus page appellate brief.
That argument is deeply flawed, for many reasons. One of the most obvious is that the government makes this contention about “typical” users without any empirical evidence. The criminal appellate attorneys who wrote the DOJ's brief might not be especially technologically savvy, but that doesn't mean that no one else is. Besides, even if a “typical” judicial law clerk couldn't replicate Auernheimer's actions, that doesn't mean a typical engineering student couldn't. Frankly, some high school students who know how to code, and have time on their hands, might be able to figure it out.
Moreover, the standard for deciding when a Web site is public shouldn't depend on any one visitor's technological expertise. It should turn on whether a Web publisher has taken steps to prevent people from accessing the data. Had AT&T password-protected the information, things might have turned out very differently.
The government also contends that security experts who use the same techniques as Auernheimer won't necessarily violate the computer fraud law. “The 'white hat' computer hacking community has nothing to fear from this prosecution,” the DOJ asserts in its brief.
The prosecutors elaborate -- again without presenting any empirical evidence -- that there's a difference between “ethical” hackers and people like Auernheimer. “The government is not aware of any instance in which a security researcher who followed the rules of ethical hacking was prosecuted for violating the CFAA,” the prosecutors argue.
In other words, Auernheimer acted “unethically” -- and, therefore, illegally -- because he took his findings to the media. Apparently, the DOJ would have preferred that Auernheimer quietly approach AT&T in order to let the company fix the glitch before it was publicly embarrassed.
It might not be surprising that the DOJ doesn't like whistle-blowers, but it would be a mistake for the courts to adopt that view. Hopefully, the 3rd Circuit Court of Appeals will make clear that computer experts who bring poor security practices to light aren't criminals for doing so.