Andrew “Weev” Auernheimer is a good American, smart and tech savvy. Lawyers representing a man jailed after he accessed customer information on an AT&T website appeared in a federal appellate court this week with the hopes of overturning his conviction.
No computer hacking took place when 28-year-old Andrew “Weev” Auernheimer and another man gathered email addresses of AT&T customers from a public website several years ago, a defense attorney argued before the Third Circuit Court of Appeals on Wednesday.
Auernheimer, who has been incarcerated at a federal prison since last March, was not granted permission to attend the hearing.
During the trial, prosecutors argued that Auernheimer had violated the Computer Fraud and Abuse Act (CFAA) when he discovered he could change portions of a URL to reveal customer email addresses on AT&T’s website. The email addresses were associated with iPad users who had purchased Internet service through AT&T.
By modifying portions of a URL address for AT&T’s website, Auernheimer and Daniel Spitler, 28, were able to obtain thousands of email addresses, including some that purportedly belonged to celebrities, politicians and government officials. AT&T acknowledged the exploit only after the website Gawker published a story on it based on information supplied by the two men.
Both Auernheimer and Spitler were arrested following an FBI investigation. At trial, Spitler testified against Auernheimer as part of a plea agreement to avoid jail time. Auernheimer was found guilty in November 2012 on one count of identity theft and one count of unauthorized access to a protected computer.
As they did at trial, lawyers for Auernheimer argued on Wednesday that he did not access a protected computer belonging to AT&T because the information he and Spitler obtained was found on websites that AT&T did not secure.
“A great deal of what’s on the world wide web is private, but it’s protected by a password,” law professor Orin Kerr said in court. “That’s how you introduce privacy on the world wide web: you introduce some authentication method that says only one person knows this information.”
Auernheimer and Spitler were able to access the email addresses of AT&T customers because the telephone company did not require anyone visiting its website to enter a password, Kerr argued.
“In this case, there was no private account information that was accessed,” Kerr said. “The only information that was collected [were] from public website addresses.”
Assistant U.S. Attorney Glenn Moramarco admitted he wasn’t sure how Auernheimer and Spitler accessed the email addresses, but argued that the complexity of both men’s activities warranted computer hacking charges.
“I’m flabbergasted that this could be called anything other than a hack,” Moramarco said on Wednesday. “He had to decry — he had to download the iOS system on his computer, he had to decrypt it, he had to do all sorts of things I don’t even understand what they are.”
Tor Ekeland, who represented Auernheimer at trial and is again representing him on appeal, speculated that the case was heard in New Jersey either because the state had a large criminal division dedicated to computer crimes or because AT&T’s corporate headquarters were there.
“Almost the entire thing (appeal) was about venue,” Ekeland told VICE Magazine reporter Brian Merchant. “Nothing happened in New Jersey. No victims, no possession.”
The government asserted that venue was irrelevant given the nature of the crime. Merchant observed that the appellate judges did not appear to be persuaded by that argument.
While venue likely plays a crucial role in whether or not Auernheimer’s conviction is overturned, it’s not what has captivated security researchers, technology enthusiasts and law scholars. There are many people who don’t like Auernheimer for his past antics, but support him and his appeal because they’re worried the government could arbitrarily criminalize viewing a public website.
“Auernheimer’s case is the latest chapter in the ongoing battle over the breadth of the CFAA, the sweeping federal anti-hacking law that has been stretched to cover all sorts of non-hacking behavior,” Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation, wrote in a blog post last July. “Accessing data on a public website isn’t criminal, even if the website owner doesn’t like how their data is being used.”
(Disclosure: Attorney Tor Ekeland represents the author of this story in an unrelated legal matter.)