Appeals Court Overturns Conviction of AT&T Hacker ‘Weev’

Andrew “Weev” Auernheimer. Image: pinguino/Flickr

A hacker sentenced to three and a half years in prison for obtaining the personal data of more than 100,000 iPad owners from AT&T’s unsecured website is about to go free, after a ruling today that prosecutors were wrong to charge him in a state where none of his alleged crimes occurred.

Andrew “Weev” Auernheimer was in Arkansas during the time of the hack, his alleged co-conspirator was in California, and the servers that they accessed were physically located in Dallas, Texas and Atlanta, Georgia. Prosecutors therefore had no justification for bringing the case against Auernheimer in New Jersey, a federal appeals panel ruled this morning.

The appeal was closely watched in cyber law and civil liberties circles, and Auernheimer had a powerhouse legal team that handled his case pro-bono.

“Venue in criminal cases is more than a technicality; it involves ‘matters that touch closely the fair administration of criminal justice and public confidence in it,’” the judges wrote in their opinion (.pdf). “This is especially true of computer crimes in the era of mass interconnectivity. Because we conclude that venue did not lie in New Jersey, we will reverse the District Court’s venue determination and vacate Auernheimer’s conviction.”

The vacation means that the larger issue raised by the conviction of Auernheimer and raised by his appeal attorneys — that the Computer Fraud and Abuse Act under which Auernheimer was convicted was wrongfully applied — may never be addressed.

It’s unclear if federal prosecutors in another state will attempt to try him again in a different venue.

Auernheimer, of Fayetteville, Arkansas, was found guilty in New Jersey in 2012 of one count of identity fraud and one count of conspiracy to access a computer without authorization.

He and Daniel Spitler, 26, of San Francisco, California, were charged after the two discovered a hole in AT&T’s website in 2010 that allowed anyone to obtain the email address and ICC-ID of iPad users. The ICC-ID is a unique identifier that’s used to authenticate the SIM card in a customer’s iPad to AT&T’s network.

AT&T provided internet access for some iPad owners through its 3G wireless network, but customers had to provide AT&T with personal data when opening their accounts, including their email address. AT&T linked the user’s email address to the ICC-ID, and each time the user accessed the AT&T website, the site recognized the ICC-ID and displayed the user’s email address.

Auernheimer and Spitler discovered that the site would leak email addresses to anyone who provided it with a ICC-ID. So the two wrote a script – which they dubbed the “iPad 3G Account Slurper” — to mimic the behavior of numerous iPads contacting the web site in order to harvest the email addresses of iPad users.

According to authorities, they obtained the ICC-ID and email address for about 120,000 iPad users, including dozens of elite iPad early adopters such as New York Mayor Michael Bloomberg, then-White House Chief of Staff Rahm Emanuel, anchorwoman Diane Sawyer of ABC News, as well as dozens of people at NASA, the Justice Department, the Defense Department, the Department of Homeland Security and other government offices.

The two contacted the Gawker website to report the hole, a practice often followed by security researchers to call public attention to security vulnerabilities that affect the public, and provided the website with harvested data as proof of the vulnerability. Gawker reported at the time that the vulnerability was discovered by a group calling itself Goatse Security.

AT&T maintained that the two did not contact it directly about the vulnerability and that the company learned about the problem only from a “business customer.”

Auernheimer later sent an email to the U.S. attorney’s office in New Jersey, blaming AT&T for exposing customer data.

“AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders,” he wrote, according to prosecutors. ”I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted, and your teachers for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure.”

Following his conviction in November 2012, Auernheimer tweeted to supporters that he had expected the guilty verdict but planned to appeal.

Auernheimer’s appeal was argued by Orin Kerr, a law professor at Georgetown University. Kerr had argued the appeal primarily on grounds that the CFAA was incorrectly applied in this case — since the information Auernheimer and Spitler obtained was made publicly available on the site by AT&T — and that even if Auernheimer was guilty of exceeding authorized access on the AT&T web site, he should have been convicted of a misdemeanor, not a felony.

“In the government’s view, visiting the URLs was an unauthorized access of AT&T’s website. But I think that’s wrong. At bottom, the conduct here was visiting a public website,” Kerr noted in the appeal. “The fact that AT&T would not have wanted Spitler to visit those particular URLs doesn’t make visiting the public website and collecting the information a criminal unauthorized access. If you make information available to the public with the hope that only some people would bother to look, it’s not a crime for other people to see what you make available to them.”

But Kerr had little chance to argue the finer points of his case during the appeal, when judges interrupted him to focus on the venue issue.

Ultimately, it was that simpler issue that got Auernheimer’s case vacated.

The judges noted in their ruling that Auernheimer had tried to get the initial charges dismissed when he was first indicted — on grounds that the CFFA was inappropriately applied and on grounds that the venue was incorrect — but his motion was denied by a U.S. District Court.

The district judge had held that venue was proper because Auernheimer’s disclosure of the email addresses of about 4,500 New Jersey residents affected these victims in New Jersey and violated New Jersey law.

Auernheimer’s defense attorney had broached the venue issue again near the end of his trial when he asked the judge to instruct the jury on the venue issue, but the judge declined, saying that prosecutors had adequately argued that New Jersey was the correct venue.

In their ruling to vacate, the appeals court judges acknowledged that there were other pressing issues in the case, but emphasized the importance of proper venue.

“The founders were so concerned with the location of a criminal trial that they placed the venue requirement … in the Constitution in two places,” the judges wrote. “They did so for good reason. A defendant who has been convicted ‘in a distant, remote, or unfriendly forum solely at the prosecutor’s whim,’… has had his substantial rights compromised.

“Auernheimer was hauled over a thousand miles from Fayetteville, Arkansas to New Jersey,” they continued. “Certainly if he had directed his criminal activity toward New Jersey to the extent that either he or his co-conspirator committed an act in furtherance of their conspiracy there, or performed one of the essential conduct elements of the charged offenses there, he would have no grounds to complain about his uprooting. But that was not what was alleged or what happened. While we are not prepared today to hold that an error of venue never could be harmless, we do not need to because the improper venue here — far from where he performed any of his allegedly criminal acts — denied Auernheimer’s substantial right to be tried in the place where his alleged crime was committed.”

Provided from: wired.