Andrew Auernheimer Appeals Hacking Conviction in This Internet Law Case

By: Ifrah Law

Earlier this week, attorneys for convicted computer hacker Andrew “Weev” Auernheimer filed their opening brief in their appeal to the U.S. Court of Appeals for the Third Circuit to have his conviction overturned.

In 2010, Auernheimer’s co-defendant Daniel Spitler, who agreed to plead guilty in 2011, discovered a flaw in AT&T’s iPad user database, that he used to collect 114,000 email addresses. Auernheimer then disclosed those email addresses to Gawker, who published a redacted form of some of the account information. The disclosure of the email addresses attracted significant media attention and ultimately forced AT&T to change their security protocols.

Last November, Auernheimer was found guilty by a jury after a five day trial of violating the Computer Fraud and Abuse Act (CFAA) and conspiracy to gain unauthorized access to a computer without authorization. He was sentenced in March to 41 months imprisonment to be followed by three years of supervised release.

Auernheimer’s appellate brief focuses on the argument that he did not violate the CFAA because visiting an unprotected public website is not unauthorized access which is required under the statute. Spitler’s program visited the publicly accessible websites and collected the information that was available on those sites. The email addresses that were collected by Spitler’s program were published on publicly accessible websites that did not employ security measures such as passwords. Auernheimer’s lawyers argued that it is irrelevant that AT&T “subjectively wished that outsiders would not stumble across the data.” Spitler’s program did not access any private accounts and according to Aurenheimer’s lawyers, it did not even violate any written prohibitions or Terms of Use on AT&T’s website. His lawyers also stated that no data was taken, deleted or destroyed.

The CFAA prohibits accessing a computer without proper authorization, which is the same statute that Internet activist Aaron Swartz was convicted of violating. The law has faced steep criticism for being overly broad and allowing prosecutors wide discretion by allowing them to charge individuals who have violated a website’s terms of service. Last month “Aaron’s Law” was introduced in Congress, which would amend the CFAA to prevent prosecutors from charging an individual with violation a company’s terms of service and from bringing multiple charges against an individual for the same act.

The government’s brief is due on July 22 and Auernheimer will then have the opportunity to file a reply brief by August 5.

We will know in a matter of months how the Third Circuit will rule on Auernheimer’s appeal and whether his conviction and sentence will be upheld. This case raises some very interesting issues on the scope of computer crime laws and prosecutorial discretion. Is the conduct of Auernheimer the type that we need to devote government resources to send a person with no criminal record to prison for a significant period of time?