The Electronic Frontier Foundation on Monday filed an appeal seeking to free Andrew “Weev” Auernheimer, the hacker and self-described internet troll who exploited a hole in AT&T’s publicly facing website to siphon the personal data of some 114,000 iPad owners.
Ultimately, Auernheimer was the catalyst behind AT&T fixing the gaping security hole he climbed through to get that information.
He’s currently serving a 41-month sentence at the Allenwood Federal Correctional Complex in White Deer, Pennsylvania, in the US.
That same law was used against Aaron Swartz, who committed suicide while facing extraordinarily severe punishments that may have included penalties of up to 35 years in prison and $1 million in fines, after he downloaded academic articles from a digital library at MIT University.
Auernheimer was sentenced in March after a court found him guilty of encouraging his co-defendant, Daniel Spitler, to collect about 114,000 email addresses through a security vulnerability on AT&T’s servers.
Spitler and Auernheimer had discovered that AT&T’s site would return valid email addresses for iPad 3G users if bombarded with ICC-ID codes – codes used internally to associate a SIM card with a particular subscriber.
Auernheimer and Spitler wrote a script, named the “iPad 3G Account Slurper”, to leverage the security hole by bombarding AT&T’s website service with thousands of requests using made-up ICC-ID codes.
Auernheimer handed over email addresses to the gossip site Gawker, which posted some partially redacted addresses, prompting an FBI investigation.
The investigation led to Auernheimer being charged with identity theft and with felony hacking under the CFAA.
Spitler pled guilty to breaking into AT&T’s systems and obtaining the email addresses of iPad users, entered into a plea agreement, and has not been sentenced.
Auernheimer pled innocent, likening his actions to walking down the street and writing down the physical addresses of buildings, only to be charged with identity theft.
In its brief, the EFF argues that Auernheimer didn’t violate the CFAA because visiting an unprotected, public webpage isn’t “unauthorized access”.
As it is, the CFAA doesn’t clearly define what unauthorized access is, critics have charged.
As the EFF’s Marcia Hoffman has written, prosecutors have taken advantage of that murkiness:
"Creative prosecutors have taken advantage of this confusion to craft criminal charges that aren't really about hacking a computer but instead target other behavior the prosecutors don't like."
But even with the CFAA’s hazy language around “authorization,” Auernheimer couldn’t be found guilty, the EFF wrote in its appeal, given that AT&T hadn’t secured the email addresses:
AT&T chose not to employ passwords or any other protective measures to control access to the email addresses of its customers. It is irrelevant that AT&T subjectively wished that outsiders would not stumble across the data or that Auernheimer hyperbolically characterized the access as "theft." The company configured its servers to make the information available to everyone and thereby authorized the genreal public to view the information. Accessing the email addresses through AT&T's public website was authorized under the CFAA and therefore was not a crime.
Beyond that and a handful of other holes in Auernheimer’s conviction, the EFF writes, a $73,000 fine imposed by the court to compensate AT&T for the costs of mailing notifications to affected customers was wrongly imposed, for three reasons.
First, the government failed to prove that AT&T suffered such a loss. Second, the CFAA was never meant to include mailing costs as a loss.
Finally, there wasn’t a legal requirement to notify customers of the breach, and most certainly not by mail, given that email was sufficient.
Tor Ekeland, Auernheimer’s trial lawyer, said in the EFF release that the government was way out of line to use prosecution in this manner:
"Anyone who cares about the free flow of information on the internet should be concerned about this case. The government is criminalizing computer behavior that millions of Americans engage in every day. The government's reckless and myopic prosecution of Auernheimer for obtaining public information from a public website endangers that vital aspect of the internet and our national economy, which depends on the free flow of information."
I think he’s absolutely right.
The CFAA is lousy law, used to punish troll-like behavior by the likes of Weev, revered internet icons pursuing research areas like Swartz, and potentially any security researcher who simply probes a publicly accessible, unprotected site.
Weev is no hero. He doesn’t deserve to be compared to the likes of Swartz or white hat hackers.
What he does have in common with Swartz and any other security explorer is that CFAA can be, and was, used as a bludgeon against him.
The courts would be wise to listen to the EFF, which, as is often the case, is being a clear voice of reason.