As Andrew "Weev" Auernheimer finishes his third month in a federal penitentiary, on Monday we filed our appeal of the computer researcher's conviction and 41-month prison sentence for violating the Computer Fraud and Abuse Act (CFAA) and the federal identity theft statute.
Auernheimer's case is the latest chapter in the ongoing battle over the breadth of the CFAA, the sweeping federal anti-hacking law that has been stretched to cover all sorts of non-hacking behavior. Intended to go after malicious, criminal hacking, the CFAA has been aggressively used to prosecute behavior like creating a fake MySpace page, misusing employer data and, in the case of Aaron Swartz, downloading scholarly articles he was actually entitled to access.
Weev's conviction is a prime example of how the CFAA threatens security researchers with prison sentences for discovering security vulnerabilities.
Here's the back story. In 2010, Weev's co-defendant Daniel Spitler discovered that AT&T had configured its website to automatically publish an iPad user's e-mail address when the server was queried with a URL containing the ID number of that iPad's SIM card. In other words, if anyone typed in the correct URL with a valid ID number, the e-mail address associated with that account automatically appeared in the login prompt, with no password required. Spitler wrote a script that guessed IDs by feeding candidate numbers into the URL and, as a result, ultimately collected approximately 114,000 e-mail addresses. Auernheimer sent a list of the e-mail addresses to several journalists to prove the security problem existed, and Gawker published a story about the vulnerability.
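The pattern described above, a lookup that turns a guessable identifier into personal data with no authentication in front of it, is easiest to see side by side with the fix. The following is an added illustration written for this page, not AT&T's code and not Spitler's script: it models a leaky "prefill the e-mail for this SIM ID" endpoint, a hardened version that only answers for the account the caller has already logged in as, and a loop that tries sequential IDs against each. All account data, IDs, passwords and function names are constructed for the example.

```python
"""Leaky vs. hardened e-mail prefill keyed by SIM card ID (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional


def _iccid(n: int) -> str:
    """Build a 19-digit ID under a fixed, made-up issuer prefix.

    Real SIM IDs are structured and largely sequential, which is what makes
    them guessable; the prefix here is arbitrary."""
    return f"890141{n:013d}"


# Constructed sample accounts: fake IDs mapped to fake addresses.
ACCOUNTS: Dict[str, str] = {
    _iccid(1): "alice@example.com",
    _iccid(2): "bob@example.com",
    _iccid(7): "carol@example.com",
}

_SALT = secrets.token_bytes(16)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credentials (a real system would store these per-user in a DB).
CREDENTIALS: Dict[str, bytes] = {
    _iccid(1): _hash_password("alice-pass", _SALT),
    _iccid(2): _hash_password("bob-pass", _SALT),
    _iccid(7): _hash_password("carol-pass", _SALT),
}


def vulnerable_prefill(iccid: str) -> Optional[str]:
    """Leaky pattern: the address is returned to anyone who supplies a matching ID.

    The ID is the only input, so whoever can enumerate IDs can enumerate addresses."""
    return ACCOUNTS.get(iccid)


SESSIONS: Dict[str, str] = {}  # session token -> the ID it was issued for


def login(iccid: str, password: str) -> Optional[str]:
    """Issue a session token only after a password check; the token is bound to the ID."""
    stored = CREDENTIALS.get(iccid)
    if stored is None:
        return None
    if not hmac.compare_digest(stored, _hash_password(password, _SALT)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = iccid
    return token


def hardened_prefill(iccid: str, session_token: Optional[str]) -> Optional[str]:
    """Fixed pattern: same lookup, but only for the account the caller authenticated as.

    Knowing somebody else's ID, or guessing IDs in bulk, returns nothing."""
    if session_token is None:
        return None
    bound = SESSIONS.get(session_token)
    if bound is None or not hmac.compare_digest(bound, iccid):
        return None
    return ACCOUNTS.get(iccid)


def candidate_ids(start: int, count: int) -> List[str]:
    """Sequential candidate IDs, the way a guessing loop would generate them."""
    return [_iccid(n) for n in range(start, start + count)]


def harvest(candidates: Iterable[str], lookup: Callable[[str], Optional[str]]) -> List[str]:
    """Try each candidate against an unauthenticated lookup and keep whatever comes back."""
    return [email for email in (lookup(c) for c in candidates) if email]


if __name__ == "__main__":
    ids = candidate_ids(0, 10)
    print("leaky endpoint, no login:   ", harvest(ids, vulnerable_prefill))
    print("hardened endpoint, no login:", harvest(ids, lambda i: hardened_prefill(i, None)))
    tok = login(_iccid(1), "alice-pass")
    print("hardened, own account:      ", hardened_prefill(_iccid(1), tok))
    print("hardened, someone else's ID:", hardened_prefill(_iccid(2), tok))
```

Against ten sequential IDs the leaky endpoint hands back every address that exists in that range; the hardened endpoint hands back nothing to an unauthenticated caller and, even with a valid session, only the address of the account that session belongs to. That is the "technical roadblock" distinction the rest of this post turns on: the fix is to bind the lookup to an authenticated identity, not to hope nobody guesses the ID.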
Although Auernheimer's actions helped motivate AT&T to fix the hole, he was rewarded with a federal indictment instead of a bounty. Federal prosecutors in New Jersey claimed that Weev and Spitler accessed data—the e-mail addresses—without authorization under the CFAA despite the fact AT&T made the information publicly available over the Internet. After Auernheimer was convicted and sentenced, we joined his appeal team and in our brief to the 3rd U.S. Circuit Court of Appeals, we give five reasons why Auernheimer's conviction and sentence must be reversed.
No Crime Occurred in New Jersey
The place where a criminal case is brought—a concept known as "venue"—is typically where the crime occurred. At the time Spitler discovered the hole in AT&T's website, he was in California. Auernheimer was in Arkansas. AT&T's servers were in Georgia and Texas. Yet the government indicted Auernheimer in New Jersey. Its rationale? Of the 114,000 e-mail addresses, 4,500 of them, all of 4 percent, belonged to New Jersey residents.
Since neither Auernheimer nor Spitler was in New Jersey, no computers were accessed in New Jersey, and there was no evidence that any of the script's Internet traffic travelled through New Jersey, there was nothing connecting this alleged crime to the Garden State. The government's theory about there being "victims" in New Jersey meant Weev could have been prosecuted in any state where a resident had an e-mail address taken.
This is a problem unique to the CFAA and other computer crime statutes. Given the Internet's ability to connect people and computers, this expansive theory of venue under the CFAA means criminal defendants could be dragged into any court in any state. It allows prosecutors to "forum shop," or bring the case before the court most likely to support the government's case.
That seems to be what happened here, as part of the government's motivation in charging Weev in New Jersey was to use the state's computer crime law to elevate his conduct from a misdemeanor into a felony.
No Double-Counting
Accessing data without authorization under the CFAA is generally a misdemeanor but becomes a felony if done in furtherance of another crime. Here, the government charged Weev with a felony CFAA violation because they claimed he violated the federal computer access crime in furtherance of violating the state of New Jersey's computer access crime.
But Congress never intended to allow prosecutors to essentially double-count one course of conduct. In 2011, we successfully argued to the 4th Circuit in United States v. Cioni that the government can't take one set of actions and stretch it into two different federal statutes to transform a CFAA misdemeanor into a felony. We've asked the 3rd Circuit to reach a similar decision when the feds use a state statute to increase punishment for a similar federal statute based on the same underlying conduct. Given the tough CFAA penalty scheme, it's important to reserve the toughest punishment for the most serious crimes.
Accessing Data on a Public Website Isn't a Crime
The problems in Weev's case aren't just matters of procedure; there is a significant problem with the government's entire theory of liability under the CFAA. It makes visiting a public website a crime.
In essence, the government claims that Auernheimer and Spitler obtained the e-mail addresses "without authorization" under the CFAA because AT&T didn't want them to have the addresses, despite putting absolutely no technical roadblock—such as requiring a login with a username and password—in their way. As we've warned before, accessing data on a public website isn't criminal, even if the website owner doesn't like how their data is being used. The way to prevent people from accessing data is to restrict access to that data, not to claim some people who visit a website are "authorized" and others aren't without any clear mechanism for distinguishing between the two.
An Identity Theft Charge Missing Unlawful Activity and Theft
The identity theft statute criminalizes anyone who unlawfully possesses, transfers or uses a means of identification in connection with another crime. But the government's theory is missing the unlawful activity needed in the statute. First, Auernheimer didn't unlawfully possess the e-mail addresses under the CFAA, meaning there was no underlying crime to hinge the identity theft statute on in the first place. Second, Auernheimer didn't possess or transfer the e-mail addresses in connection with a crime involving conduct separate from the act of obtaining the e-mail addresses. When he accessed the e-mail addresses under the CFAA, he necessarily possessed them under the identity theft statute too. And just like the government can't rely on one set of conduct to create a felony crime under the CFAA, it can't do the same under the identity theft statute either.
Unreasonable Mailing Costs Aren't CFAA "Loss"
Finally, the 41-month sentence was based on an improper determination of what AT&T's "loss" was as a result of the e-mail addresses being disclosed. After it learned its website was leaking e-mail addresses, AT&T closed the hole and sent an e-mail to its customers, notifying them about what happened. That e-mail notice was very effective; it reached 98% of all affected customers. But AT&T decided to also send the same notice through the postal mail. That cost AT&T $73,000; it also cost Auernheimer a significant sentencing increase.
That $73,000 loss amount was used to more than double Auernheimer's recommended sentence. Yet "loss" under the CFAA must be tied to a computer and these mailing costs weren't. And even if the mailing costs did count as "loss" under the CFAA, the effectiveness of the e-mail notice meant duplicating that notice with a physical mailing made AT&T's costs unreasonable.
It's Not Just About Weev
We expect oral argument in the case to be sometime in the fall. We hope the appeals court will see the many problems in Auernheimer's case and realize these issues go beyond his specific case. Allowing AT&T to pass the blame for its poor security onto Auernheimer only discourages security researchers from sharing their discoveries and arms prosecutors with aggressive legal theories to prosecute computer crimes anywhere they want based on information freely available to the public.
Meanwhile in DC, there's growing scrutiny of the CFAA. A recently introduced bipartisan fix of the CFAA called "Aaron's Law" is a step in the right direction towards meaningful CFAA reform. The legislation makes clear that CFAA liability is only triggered by actual improper access and eliminates the government's ability to count one set of actions multiple times to increase punishment. You can let your voice be heard by sending an e-mail to your elected representative asking them to support common-sense changes to the CFAA.