Commentary

'Hacker' Who Exposed AT&T's Shoddy Security Sentenced To 41 Months

In 2010, hacker Andrew Auernheimer, better known as "Weev," exposed an AT&T security flaw that left iPad users' email addresses vulnerable.

AT&T had posted iPad users' data on the Web, where the information could be accessed by anyone who figured out the correct URLs. Auernheimer and another hacker did so, and sent some of the email addresses to Gawker, in hopes of persuading AT&T to patch the hole. Gawker reported on the security glitch and published some of the information.
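The flaw the article describes is an access-control failure: an endpoint that hands back an account email for any identifier supplied in the URL, with no check that the caller is logged in or owns that identifier, so walking a range of identifiers harvests the whole user list. The following is an added illustration of that pattern and its fix, not code from the article or from AT&T; the function names, the session model, the numeric device identifiers and the sample accounts are all constructed for this example.

```python
"""Added example (not from the article): a lookup endpoint with no
authentication or ownership check, next to a hardened version, and the
enumeration walk that turns the first into a mass disclosure.
Everything here is constructed: the identifier format, the session
model, the account records and the function names are assumptions."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: device identifier -> account email. Sequential
# integers stand in for any predictable, guessable identifier.
ACCOUNTS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}


@dataclass(frozen=True)
class Session:
    """Assumed session model: an authenticated user and the devices they own."""
    user: str
    device_ids: frozenset


def vulnerable_lookup(device_id: int) -> Optional[str]:
    """The flawed pattern: no authentication and no ownership check.
    Anyone who guesses a valid device_id receives the owner's email."""
    return ACCOUNTS.get(device_id)


def hardened_lookup(session: Optional[Session], device_id: int) -> Optional[str]:
    """The fix: the caller must be authenticated and must own the device.
    Unauthenticated, unowned and unknown identifiers all return the same
    result, so the response does not reveal which identifiers exist."""
    if session is None:
        return None
    if device_id not in session.device_ids:
        return None
    return ACCOUNTS.get(device_id)


def enumerate_emails(lookup: Callable[[int], Optional[str]],
                     start: int, stop: int) -> list:
    """Model of the harvesting step: walk a range of identifiers and keep
    every email the endpoint returns."""
    found = []
    for device_id in range(start, stop):
        email = lookup(device_id)
        if email is not None:
            found.append(email)
    return found


if __name__ == "__main__":
    # Unauthenticated walk against the flawed endpoint: every address leaks.
    print(enumerate_emails(vulnerable_lookup, 1000, 1010))
    # Same walk against the hardened endpoint with no session: nothing.
    print(enumerate_emails(lambda i: hardened_lookup(None, i), 1000, 1010))
    # An authenticated user sees only the device bound to their own session.
    alice = Session(user="alice", device_ids=frozenset({1001}))
    print(enumerate_emails(lambda i: hardened_lookup(alice, i), 1000, 1010))
```

The ownership check is the essential part: authentication alone would still let any logged-in user walk other users' identifiers. Using unpredictable identifiers helps, but it is a second line of defence, not a substitute for the check.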

For these acts, Auernheimer was convicted of computer fraud and identity theft. Today, he was sentenced to 41 months in federal prison.

Auernheimer anticipated that a judge would send him to jail. Immediately before today's sentencing hearing he said as much at a press conference, where he reportedly told reporters, "I'm going to jail for doing arithmetic."

Auernheimer admittedly isn't the most sympathetic defendant. In addition to a long history as an online troll, he's made some pretty stupid comments about his case. Consider the statement he posted on Reddit last night: "My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker. I won't nearly be as nice next time."

But regardless of how anyone feels about Auernheimer personally, prosecuting him for blowing the whistle on AT&T's poor security practices doesn't serve to protect consumers from fraud. If anything, it will have the opposite effect, given that many independent security researchers arguably violate the computer fraud law in the course of investigating flaws.

"I have little respect for Weev, but we should all be terrified that guessing a URL can get you 3.5 years of jailtime," tech entrepreneur Anil Dash tweeted this morning.

Wired adds that numerous researchers have used Auernheimer's methods to expose vulnerabilities.

And countless computer-savvy people have uncovered security flaws by "hacking" into sites without calling their findings to public attention. Twitter founder Jack Dorsey, for instance, acknowledged last night on the TV show "60 Minutes" that he landed a job after finding a security hole in a company's site and then notifying the company of it.

"Is that the same thing as hacking?" Lara Logan asked Dorsey.

Dorsey acknowledged that it was, but denied that he committed a crime.

"Hacking for a job application is not a crime?" Logan asked.

"No, no, no, no, no. No, not a crime at all," he said.

Meanwhile, digital rights advocates say that Auernheimer's prosecution offers yet more proof that the computer fraud laws need to be updated.

"Weev is facing more than three years in prison because he pointed out that a company failed to protect its users' data, even though his actions didn't harm anyone," EFF senior staff attorney Marcia Hofmann said today in a blog post. "The punishments for computer crimes are seriously off-kilter, and Congress needs to fix them."

EFF attorney Hanni Fakhoury added: "Congress should amend the CFAA to make sure we don't have more Aaron Swartzes and Andrew Auernheimers in the future."

Earlier this year, Aaron Swartz's suicide spurred a movement to revisit those laws. Swartz was facing trial for hacking into servers run by the Massachusetts Institute of Technology in order to download academic articles. He hanged himself after plea negotiations broke down.

Auernheimer is appealing his conviction to the 3rd Circuit Court of Appeals. The EFF will help represent him on appeal.

3 comments about "'Hacker' Who Exposed AT&T's Shoddy Security Sentenced To 41 Months".
  1. ken jones from 9starman9, March 18, 2013 at 10:16 p.m.

    We all need to help fight this! Did his lawyer know what he was doing? I don't think so. This new law needs to be changed. Before you know it, getting any info from the net they don't want you to have will put you in jail. Even the FBI has persons committing crimes. Who but us can point that out? Now it's a crime to help out and do what's right? How do you know where the line is? Call them and ask.

  2. Pete Austin from Fresh Relevance, March 20, 2013 at 2:13 p.m.

    @ken jones: The Computer Fraud and Abuse Act is not a new law. Rather appropriately, it dates from 1984.
    http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

  3. Zachary Cochran from CPXi, April 10, 2013 at 4:36 p.m.

    I wish there was a more prevalent conversation online about when it's OK to hack, when it's not, when you should tell someone about a vulnerability, and when you shouldn't.
