Hacker Appeals Sentence; Says Went to Jail for Doing Arithmetic
Andrew Auernheimer is best known to people as “weev”, his online handle. The notorious hacker was sentenced to 41-months in prison for conspiring, with Daniel Spitler, to violate the Computer Fraud and Abuse Act (CFAA). He was convicted of federal identity theft and conspiracy to commit unauthorized access to a protected computer in November 2012. Spitler, “weev’s” co-defendant, has not been sentenced, as he entered a plea agreement.
Before sentencing, Auernheimer stated: “I’m going to jail for doing arithmetic.” On July 1, Auernheimer filed an appeal to the Third Circuit Court of Appeals raising questions regarding the scope and interpretation of CFAA. Auernheimer’s attorneys were joined by the Electronic Frontier Foundation (EFF), Marcia Hoffman and Orin Kerr, Internet attorney and law professor.
Did “weev” really commit identity theft?
The facts that led to the conviction are not in dispute; instead, the Third Circuit must determine whether the application of the CFAA to this fact pattern was proper. Here's what happened ...
Spitler found a security vulnerability in AT&T's iPad registration system used to register new iPad users with AT&T's 3G service. Each iPad's micro-SIM card has a unique identifier embedded into it, an ICC-ID. A script on AT&T's servers would accept an ICC-ID and reveal that users email address. Spitler opined that ICC-IDs followed a predictable pattern and developed a program called "account slurper" to gather email addresses in bulk. So where does Auernheimer come in?
Andrew Auernheimer assisted and encouraged Spitler, and here's the biggie -- he disclosed the security vulnerability and email addresses to media organizations. In his appeal, Auernheimer contends that he was convicted for obtaining public information from a public website because AT&T had not password protected the information. He argues that anyone with the correct url could type it in and get the same information.
The big question for the Third Circuit will be defining "unauthorized access" to a computer under the CFAA. This will be especially interesting since Aaron's Law has been recently introduced to Congress.
The law, named after Internet activist Aaron Swartz, was drafted in response to Swartz's suicide when faced with over thirty years of prison for violating JSTOR's terms of service. Aaron's Law seeks to clarify the CFAA and exclude certain actions from the scope of the CFAA. Specifically, Aaron's Law would require a breach of security,- either physical or virtual, (password or encryption cracking) and reduce penalties.
Who knows? If Aaron's Law is passed, the Third Circuit may not have to decide this issue, Congress may decide for them. In the mean time, "weev" will make his thoughts known from prison. One way or another.
- Andrew Auernheimer's Appelate Brief Filed with the U.S. Third Circuit Court of Appeals (Tor Ekeland, P.C., Attorneys Filing Brief)
- Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (FindLaw's Cases and Codes)
- Rep. Zoe Lofgren Introduces 'Aaron's Law' to Amend CFAA (FindLaw's Technologist blog)
You Don’t Have To Solve This on Your Own – Get a Lawyer’s Help
Meeting with a lawyer can help you understand your options and how to best protect your rights. Visit our attorney directory to find a lawyer near you who can help.