An appellate court struck a big blow to the Department of Justice on Friday in the case of an Arkansas man who was convicted two years ago for his role in collecting over the Internet thousands of email addresses belonging to AT&T customers.
The Third Circuit Court of Appeals ruled on Friday that Andrew “Weev” Auernheimer, 28, was improperly convicted of computer hacking offenses in the state of New Jersey, even though Auernheimer and his co-conspirator had no ties to the Garden State and no residents there were considered victims of their activity.
Auernheimer was convicted by a federal jury of violating the Computer Fraud and Abuse Act (CFAA) in November 2012. Auernheimer and a colleague, 28-year-old Daniel Spitler of California, were said to have discovered a flaw on AT&T’s website that granted access email addresses of iPad users by modifying certain parts of AT&T’s web address.
AT&T acknowledged the exploit only after Auernheimer and Spitler gave a log of thousands of email addresses to a reporter at Gawker, the news organization that first made the security flaw known.
Spitler agreed to plead guilty and testify against Auernheimer at trial in exchange for three years probation. Auernheimer decided to fight the charges on the basis that the men did not gain “unauthorized access to a protected computer” under the CFAA because AT&T did not secure the information they obtained with a password.
Auernheimer’s lawyers also argued at trial that prosecuting the case in New Jersey was improper because neither Auernheimer or Spitler were from New Jersey, no victims were located there and no AT&T servers were accessed in the state.
Prosecutors argued that Auernheimer was better served in New Jersey because, among other things, the hacker was able to secure pro bono representation from New York-based attorney Tor Ekeland.
But the appellate court sided with Auernheimer on Friday, saying prosecutors should have tried the case in an appropriate venue, and that committing a crime over the Internet does not give legal license for the Justice Department to prosecute a case wherever it deems appropriate.
“Venue in criminal cases is more than a technicality; it involves matters that touch closely the fair administration of criminal justice and public confidence in it,” Circuit Judge Michael Chagares wrote in the court’s opinion. “Cybercrimes do not happen in some metaphysical location that justifies disregarding constitutional limits on venue.”
The court’s decision to vacate Auernheimer’s conviction does not grant the man full appeal — the decision leaves open the opportunity for prosecutors to potentially retry the case in another venue.
A Justice Department spokesperson in New Jersey told reporters that prosecutors were reading the court’s decision and “reviewing our options.”
The decision on Friday also did not address concerns about the criminal charges that were applied against Auernheimer. Legal scholars and tech enthusiasts that had rallied around the hacker expressed concern that computer experts may not disclose security flaws if they faced being prosecuted under the CFAA as Auernheimer was.
But even if the court decision wasn’t the one his supporters wanted, it was the one Auernheimer needed.
On Friday, a judge ordered him freed from federal prison under the conditions of his pre-trial release. He arrived in New York City early Saturday morning.
(Disclosure: Attorney Tor Ekeland represents the author of this story in an unrelated legal matter.)