Weev is free.
On Friday, the Third US Circuit Court of Appeals reversed and vacated the conviction of internet troll and hacker Andrew “Weev” Auernheimer on grounds that surprised nobody: namely, venue.
Weev was serving a sentence of 41 months after being found guilty in 2013 of violating the Computer Fraud and Abuse Act (CFAA).
On 19 March 2013, Weev, then 27 years old, was sentenced to 41 months in prison for the federal crimes of obtaining the email addresses of some 114,000 iPad users from AT&T’s publicly accessible website and disclosing them to a Gawker reporter.
Auernheimer, who spent most of his sentence in solitary confinement, and co-conspirator Daniel Spitler, had found a security hole in AT&T’s servers in 2010. Gawker subsequently published the email addresses in redacted form.
Auernheimer was convicted of a felony under the CFAA for conspiracy to access AT&T’s servers against the company’s will.
Auernheimer’s lawyers filed multiple appeals of his conviction, the most recent being in March 2014.
Now, his conviction has been overturned without the courts having to deal with the sticky subject of the CFAA.
It’s not that the court doesn’t recognize the importance of the issues raised by Weev’s lawyers during multiple appeals, the circuit judges wrote in their opinion.
It’s just that the question of venue is large enough that they didn’t need to address those issues:
Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.
Assistant US Attorney Glenn Moramarco had maintained that New Jersey was a suitable venue under the law because there are 4,500 New Jersey residents whose emails were identified in the iPad address breach and that “there is jurisdiction throughout the United States because [Auernheimer] chose to have victims in every state.”
However, as the appeals court pointed out in Friday’s decision to overturn his conviction, Weev was charged with violating elements of the CFAA, but none of the crucial actions that fell under the CFAA took place in New Jersey.
The CFAA specifies intentional access of a computer without authorization or exceeding authorized access in order to obtain information from any protected computer.
Spitler and Weev accessed servers in Dallas, Texas and Atlanta, Georgia, and they did so while Spitler lived in San Francisco, California and Weev in Fayetteville, Arkansas. In other words, none of the action happened in New Jersey.
Regardless of the court’s focus on venue, though, the judges were clearly skeptical of the hacking charges, as noted on Twitter by EFF lawyer Kurt Opsahl:
Important footnote in Weev opinion: NJ hacking law requires circumventing code- or password- based barrier to access. pic.twitter.com/tfJJ2nhKdn
— Kurt Opsahl (@kurtopsahl) April 11, 2014
Known as a security researcher to some, to others as a guy who did the e-equivalent of walking down a public street and writing down street addresses, and to almost everybody as an internet troll, Weev had become a poster boy for prosecutorial overreach and a case study for what’s wrong with the vagueness of the law used to convict him.
The CFAA was also used against internet activist and innovator Aaron Swartz, who apparently committed suicide while facing charges.
In July 2013, the Electronic Frontier Foundation (EFF) filed an appeal on the basis that Auernheimer didn’t violate the CFAA, since visiting an unprotected, public webpage isn’t “unauthorized access”.
As it is, the CFAA doesn’t clearly define what, exactly, unauthorized access is, critics have charged.
As the EFF’s Marcia Hofmann has written, prosecutors have taken advantage of that murkiness:
Creative prosecutors have taken advantage of this confusion to craft criminal charges that aren't really about hacking a computer but instead target other behavior the prosecutors don't like.
Beyond that, the EFF said in its brief, AT&T hadn’t even secured the email addresses, so there’s no way to say that the hackers didn’t have the “authorization” to which the CFAA so hazily refers:
AT&T chose not to employ passwords or any other protective measures to control access to the email addresses of its customers. It is irrelevant that AT&T subjectively wished that outsiders would not stumble across the data or that Auernheimer hyperbolically characterized the access as "theft." The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information. Accessing the email addresses through AT&T's public website was authorized under the CFAA and therefore was not a crime.
Though this point wasn’t what ultimately decided the overturning of Weev’s conviction, the court evidently agreed with the EFF’s logic.
Hopefully, this decision will influence future outcomes involving the CFAA, whether it’s a prosecutor picking up the heavy legislative club or a court getting another chance to examine this widely loathed law.