The Government Responds to the DMLP Amicus Brief in United States v. Auernheimer

On Friday, the Department of Justice filed its appellee brief before the U.S. Court of Appeals for the Third Circuit in United States v. Auernheimer. We expect to see a lot of commentary on the case from others – the brief has already been called out for being almost double the limit allowed under the Federal Rules of Appellate Procedure – but I wanted to specifically mention the government's comments concerning the amicus brief that the DMLP filed in this case with help from our good friends at the Cyberlaw Clinic.

To quickly summarize our earlier coverage, the case concerns Andrew "Weev" Auernheimer, a well-known grey hat hacker and activist. Auernheimer was indicted in January 2011 after he and a partner discovered a critical security oversight in AT&T's website for for its iPad customers. The website allowed any person browsing the Internet to see AT&T customer email addresses when they entered a URL that included that user's iPad device ID number. Auernheimer's partner, Daniel Spitler, designed a script that would systematically generate such URLs, thus allowing them to build a database of all of the emails that AT&T disclosed through its data mismanagement.

Under the government's theory in this case, this access of AT&T's website constituted a misdemeanor under the Computer Fraud and Abuse Act ("CFAA"). This alone is quite a troubling interpretation of the statute (as many have said), but what prompted the DMLP to get involved in this case is what the government did next.

When Auernheimer obtained the list of addresses, he contacted the media website Gawker, explaining AT&T's security mismanagement and using the email addresses as substantiation of his discovery. He also used the emails he obtained to contact some media organizations whose emails were exposed directly, offering to share how he did what he did. (Gawker published a story based on this disclosure in June 2010, using the data Auernheimer provided to illustrate how dangerous AT&T's mistakes were.) In punishing Auernheimer for this, the government decided to adopt the unprecedented view that this disclosure transformed the misdemeanor into a felony, because the access was done in furtherance of another crime. The other crime he allegedly furthered? The New Jersey state equivalent of the federal CFAA, which is substantively identical to the CFAA, save the requirement that the intruder must also disclose the data he obtained to another.

In our amicus brief, the DMLP argued that this theory – taking a misdemeanor and turning it into a felony because he disclosed what he found to the press – mandated First Amendment scrutiny, and court precedent indicates that such escalation of punishment would be unconstitutional in this case.

As we explain in our brief, laws that govern access to private spaces and information, generally speaking, do not present a First Amendment problem like this one, as most laws in this space only punish unlawful access and assign punishment based on the intrusion alone. That said, in the rare instances where a party has tried to punish both unlawful access and disclosure of information at the same time, or tried to "count" damages based on the disclosure of unlawfully-obtained information when calculating the harm of the unauthorized access, courts have been careful to separate the two. As the Fourth Circuit and the Supreme Court of California have said before, courts should not punish the disclosure of information – even when obtained unlawfully – unless it is separately found that the speech in question is separately unprotected under First Amendment doctrine. These cases addressed persons who unlawfully obtained information (due to a breach of a duty of loyalty and intrusion upon seclusion), but in each case the courts declined to include the damage that flowed from the disclosure of the information when calculating the harm caused