Notorious troll and hacker Weev has conviction overturned

Filed Under: Featured, Law & order

Photo of 'Weev'Weev is free.

On Friday, the Third US Circuit Court of Appeals reversed and vacated the conviction of internet troll and hacker Andrew "Weev" Auernheimer on grounds that surprised nobody: namely, venue.

Weev was serving a sentence of 41 months after being found guilty in 2013 of violating the Computer Fraud and Abuse Act (CFAA).

On 19 March 2013, Weev, then 27 years old, was sentenced to 41 months in prison for the federal crimes of obtaining the email addresses of some 114,000 iPad users from AT&T's publicly accessible website and disclosing them to a Gawker reporter.

Auernheimer, who spent most of his sentence in solitary confinement, and co-conspirator Daniel Spitler, had found a security hole in AT&T's servers in 2010. Gawker subsequently published the email addresses in redacted form.

Auernheimer was convicted of a felony under the CFAA for conspiracy to access AT&T's servers against the company's will.

Auernheimer's lawyers filed multiple appeals of his conviction, the most recent being in March 2014.

Now, his conviction has been overturned without the courts having to deal with the sticky subject of the CFAA.

It's not that the court doesn't recognize the importance of the issues raised by Weev's lawyers during multiple appeals, the circuit judges wrote in their opinion.

It's just that the question of venue is large enough that they didn't need to address those issues:

Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.

Assistant US Attorney Glenn Moramarco had maintained that New Jersey was a suitable venue under the law because there are 4,500 New Jersey residents whose emails were identified in the iPad address breach and that "there is jurisdiction throughout the United States because [Auernheimer] chose to have victims in every state."

However, the appeals court pointed out in Friday's decision to overturn his conviction, Weev was charged with violating elements of the CFAA, but none of the crucial actions that fell under the CFAA took place in New Jersey.

The CFAA specifies intentional access of a computer without authorization or exceeding authorized access in order to obtain information from any protected computer.

Spitler and Weev accessed servers in Dallas, Texas and Atlanta, Georgia, and they did so while Spitler lived in San Francisco, California and Weev in Fayetteville, Arkansas. In other words, none of the action happened in New Jersey.

Regardless of the court's focus on venue, though, the judges were clearly skeptical of the hacking charges, as noted on Twitter by EFF lawyer Kurt Opsahl:

Weev, licensed under Creative CommonsKnown as a security researcher to some, to others as a guy who did the e-equivalent of walk down a public street and write down street addresses, and to almost everybody as an internet troll, Weev had become a poster boy for prosecutorial overreach and a case study for what's wrong with the vagueness of the law used to convict him.

The CFAA was also used against internet activist and innovator Aaron Swartz, who apparently committed suicide while facing charges.

In July 2013, the Electronic Frontier Foundation (EFF) filed an appeal on the basis that Auernheimer didn't violate the CFAA, since visiting an unprotected, public webpage isn't "unauthorized access".

As it is, the CFAA doesn't clearly define what, exactly, unauthorized access is, critics have charged.

As the EFF's Marcia Hoffman has written, prosecutors have taken advantage of that murkiness:

Creative prosecutors have taken advantage of this confusion to craft criminal charges that aren't really about hacking a computer but instead target other behavior the prosecutors don't like.

Beyond that, the EFF said in its brief, AT&T hadn't even secured the email addresses, so there's no way to say that the hackers didn't have the "authorization" to which the CFAA so hazily refers:

AT&T chose not to employ passwords or any other protective measures to control access to the email addresses of its customers. It is irrelevant that AT&T subjectively wished that outsiders would not stumble across the data or that Auernheimer hyperbolically characterized the access as "theft." The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information. Accessing the email addresses through AT&T's public website was authorized under the CFAA and therefore was not a crime.

Though this point wasn't what ultimately decided the overturning of Weev's conviction, the court evidently agreed with the EFF's logic.

Hopefully, this decision will influence future outcomes involving the CFAA, whether it's a prosecutor picking up the heavy legislative club or a court getting another chance to examine this widely loathed law.

, ,

You might like

9 Responses to Notorious troll and hacker Weev has conviction overturned

  1. "Notoroious"

  2. Ben · 537 days ago

    So, if I notice that somebody's door lock didn't quite latch all the way, and will open if I push really hard (and I find this out only after I start pushing), it's totally cool for me to go in and rummage through their stuff to search for their friends' and family's addresses and phone numbers. Good to know.

    • Machin Shin · 537 days ago

      In this case it was more like wandering around a store and finding an open door that goes to a room full of other customers info. Your in a public place and have only gone through open doors, so is it illegal?

    • Concerned Citizen · 536 days ago

      If you leave a clipboard nailed to the side of your mailbox on the sidewalk with names and email addresses of all your friends you better believe someone is going to take a peek. The big question is what does that someone do with that info. The fact that that kid just spent a year in solitary confinement is appalling and cruel and unusual punishment and extreme overreach and way too common place nowadays.

    • jet86 · 536 days ago

      No, but this is a very poor analogy. AT & T's publicly facing website is made publicly facing by them intentionally. A better analogy would be putting out some old household items on your front lawn under a sign saying "free to good home," and then accidentally putting one or more items under that sign that you didn't mean to.

    • Thomas · 536 days ago

      Using your analogy, the unlocked door in question didn't belong to just "somebody", it belonged to a business whose duty it was to protect confidential information. And it wasn't "friends' and family's addresses and phone numbers", it was the email addresses of customers who believed their information was indeed confidential.

      The person who found the unlocked door had no personal interest in all that information, and no intention to sell it or otherwise profit from it. But he did think it was important that the business secure their premises. Knowing the historical reputation of that business, he knew it was more concerned with profits derived from their customers than with protecting their confidentiality. The person believed a two-pronged approach was necessary to correct this situation.

      One was to notify the business of their carelessness. They could ignore it, of course, so the person made a copy of those email addresses in case it was necessary to prove to those customers that their information was at risk. After all, if the business wouldn't take his notification seriously, maybe they would take complaints by their customers seriously.

      So he notified the business of it's careless security, and waited. No action was taken so he redacted personally identifiable information from those email addresses and passed them on to a publication that reported stories of interest to businesses and consumers alike. From there, it was picked up by mainstream media where it was widely distributed to the general public. The business in question was embarrassed, but instead of admitting it's carelessness and taking immediate remedial action, it pressed the government to prosecute under a statute that was unclear, open to various interpretations, and abused in this situation.

      Whether you agree with the Weev's actions to remedy the situation or not, remember that you are looking at it in hindsight. Personally, I'd rather have him find weaknesses in what are supposed to be secure environments than the criminals that are wrecking so much havoc on our economy.

    • Steve · 536 days ago

      Conceptually, you have a valid point. But this isn't a philosophical matter but a legal one, and the laws applicable to this case and to your hypothetical instance differ from one another.

    • That analogy isn't accurate. We are talking about doing a simple query on public facing web servers that don't require authentication to perform the operation. AT&T wanted it to be easy for ipad users to login and by doing so wrote some shitty code to implement this.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.