Weev's Case Flawed From Beginning to End
Deeplinks 2013-07-03
Summary:
As Andrew "Weev" Auernheimer finishes his third month in a federal penitentiary, on Monday we filed our appeal of the computer researcher's conviction and 41-month prison sentence for violating the Computer Fraud and Abuse Act (CFAA) and the identity theft statute.
Auernheimer's case is the latest chapter in the ongoing battle over the breadth of the CFAA, the sweeping federal anti-hacking law that has been stretched to cover all sorts of non-hacking behavior. Intended to go after malicious, criminal hacking, the CFAA has been aggressively used to prosecute behavior like creating a fake MySpace page, misusing employer data and, in the case of Aaron Swartz, downloading scholarly articles he was actually entitled to access.
Weev's conviction is a prime example of how the CFAA threatens security researchers with prison sentences for discovering security vulnerabilities.
Here's the back story. In 2010, Weev's co-defendant Daniel Spitler discovered AT&T configured its website to automatically publish an iPad user's e-mail address when the server was queried with a URL containing the number that matched an iPad's SIM card ID. In other words, if anyone typed in the correct URL with a correct ID number, the e-mail address associated with that account would automatically appear in the login prompt. Spitler wrote a script that attempted to emulate the IDs by entering random numbers into the URL and, as a result, ultimately collected approximately 114,000 e-mail addresses. Auernheimer sent a list of the e-mail addresses to several journalists to prove the security problem, and Gawker published a story about the vulnerability.
Although Auernheimer's actions helped motivate AT&T to fix the hole, he was rewarded with a federal indictment instead of a bounty. Federal prosecutors in New Jersey claimed that Weev and Spitler accessed data—the e-mail addresses—without authorization under the CFAA despite the fact AT&T made the information publicly available over the Internet. After Auernheimer was convicted and sentenced, we joined his appeal team and in our brief to the 3rd U.S. Circuit Court of Appeals, we give five reasons why Auernheimer's conviction and sentence must be reversed.
No Crime Occurred in New Jersey?
The place where a criminal case is brought—a concept known as "venue"—is typically where the crime occurred. At the time Spitler discovered the hole in AT&T's website, he was in California. Auernheimer was in Arkansas. AT&T's servers were in Georgia and Texas. Yet the government indicted Auernheimer in New Jersey. Its rationale? Of the 114,000 e-mail addresses, 4,500 of them, all of 4 percent, belonged to New Jersey residents.
Since neither Auernheimer nor Spitler was in New Jersey, no computers were accessed in New Jersey and there was no evidence that any of the script's Internet traffic travelled through New Jersey, there was nothing connecting this crime to the Garden State. The government's theory about there being "victims" in New Jersey meant Weev could have been prosecuted in any state where a resident had an e-mail address taken.
This is a problem unique to the CFAA and other computer crime statutes. Given the Internet's ability to connect people and computers, this expansive theory of venue under the CFAA means criminal defendants could be dragged into any court in any state. It allows prosecutors to "forum shop," or bring the case before the court most likely to support the government's case.
That seems to be what happened here, as part of the government's motivation in charging Weev in New Jersey was to use the state's computer crime law to elevate his conduct from a misdemeanor into a felony.
No Double-Counting
Accessing data without authorization under the CFAA is generally a misdemeanor but becomes a felony if done in furtherance of another
Link:
https://www.eff.org/deeplinks/2013/07/weevs-case-flawed-beginning-end