The findings spurred companies to change their practices, and also sparked public discussion -- and appeared to result in at least one Federal Trade Commission case.
But the researchers could just as easily have found themselves on the wrong side of computer fraud charges. That's according to computer scientist (and law school graduate) Jonathan Mayer and Stanford Law School's Jennifer Granick, who co-authored a friend-of-the-court brief seeking to vacate Andrew “Weev” Auernheimer's conviction for violating the Computer Fraud and Abuse Act. That brief, filed on behalf of the Mozilla Foundation, was the fourth separate friend-of-the-court brief filed with the Third Circuit Court of Appeals this week in the widely followed case.
Briefly, Auernheimer was convicted of violating federal laws after he discovered that AT&T had posted iPad users' email addresses on the Web. The URLs for those sites all began with the same block of characters but went on to include particular iPads' serial numbers. Auernheimer gathered 114,000 addresses and then sent the findings to Gawker, which publicly reported on the security glitch.
The government then prosecuted Auernheimer, arguing that he illegally accessed AT&T's servers without authorization. Auernheimer was also prosecuted for identity theft, for sharing the email addresses with Gawker. He is currently incarcerated, serving a sentence of 41 months in prison.
Auernheimer is appealing his conviction. This week, various groups and advocates filed four separate friend-of-the-court briefs on Auernheimer's behalf. One group of security researchers filed papers explaining why the information Auernheimer accessed was public; Harvard's Berkman Center also filed a brief, as did the National Association of Criminal Defense Attorneys.
Mozilla's papers provide several examples of how research into privacy and marketing techniques could be squelched by an order upholding Auernheimer's conviction.
That's because the government's theory hinges on the idea that Auernheimer exceeded his “authorized access” to AT&T's sites by visiting them in a way the company disapproved of.
But, as Mozilla points out, many researchers expose questionable practices by accessing sites in ways that the operators would not have wanted. The researchers who studied flash cookies are one example.
Another comes from a recent Wall Street Journal investigation into price discrimination at Staples' e-commerce site. “In order to determine whether online retailers engaged in price discrimination, the Wall Street Journal’s investigative team built custom software that enabled its test computer to simulate website visits from different computers,” the brief says.
“The Wall Street Journal used both automated website address manipulation and user agent modification to conduct its investigation. Again, if this Court holds that any of these activities, alone or in combination, meet the statutory definition of 'without authorization' or 'exceeding authorized access' ... the ruling endangers common means of accessing the Internet by researchers and the public alike.”