Verizon's Shoddy Security Shows Need To Reverse 'Weev' Conviction
Auernheimer, who goes by “Weev,” was convicted for helping to publicize how an AT&T security glitch left iPad users' email addresses exposed on the Web. He is now serving 42 months in federal prison.
Specifically, he and another hacker figured out where AT&T was storing iPad users' email addresses online. The URLs for the sites with users' email addresses all began with the same block of characters, followed by particular iPads' serial numbers. Auernheimer gathered 114,000 email addresses and then sent the findings to Gawker, which reported on the security lapse.
Auernheimer has appealed his conviction, arguing that he didn't commit a crime by visiting publicly available Web sites and retrieving the information that AT&T placed there. The computer fraud law makes it a crime to exceed “authorized access” to a Web site.
Auernheimer argues to the 3rd Circuit Court of Appeals that he couldn't have exceeded authorized access by visiting sites that anyone with a Web connection could also have visited -- without needing passwords. A coalition of security experts, browser company Mozilla, Harvard's Berkman Center and the National Association of Criminal Defense Attorneys are backing his appeal.
Among other arguments, Auernheimer's supporters rightly point out that security experts use the same techniques that he did in order to investigate glitches.
Consider one high-profile example involving Verizon, which came to light just last week, when it emerged that the company stored data about people's SMS messages online -- on sites with URLs that included users' phone numbers and were not password-protected.
The researcher in that case went to Verizon with his findings, and not to Gawker. But the techniques used were the same, and the government theoretically could have charged the security researcher who investigated Verizon with computer fraud.
That outcome makes no sense for anyone. Hopefully, the Third Circuit will realize that AT&T, not Auernheimer, was the one that exposed users' information.