In November 2012, notorious hacker, troll, and general nuisance Andrew “Weev” Auernheimer was convicted in federal court on conspiracy and identity theft charges. Auernheimer had been charged for his role in a scheme to exploit a security hole in AT&T’s 3G network and harvest the email addresses of over 114,000 iPad users, ostensibly in order to drum up business for his computer security firm. This afternoon, a federal judge sentenced Auernheimer to 41 months in prison—at the high end of the guidelines prosecutors had sought—followed by three years of supervised release. He was also hit with a $73,000 fine.
The government’s charges against Auernheimer are centered around an ostensible violation of the Computer Fraud and Abuse Act (CFAA), the vague and inadequate computer crime statute that I’ve criticized here before. Specifically, the indictment charged that, by conspiring to deploy a computer script that queried AT&T’s database for iPad users’ email addresses, Auernheimer unlawfully accessed or exceeded authorized access to a protected computer. (Under the CFAA, “protected computer” essentially means any computer with an Internet connection.) Once his culpability under the CFAA had been established, the DOJ could then charge him with the conspiracy and identity theft counts.
This is the third big CFAA-related case I’ve covered lately, the other two being those of Internet activist Aaron Swartz and Reuters deputy social media editor Matthew Keys. While the specifics of the charges in each case differ, all three illustrate the unfortunate plasticity of the CFAA, and how it can be shaped and contorted to cover almost any computing-related actions. (Did you fill out an NCAA bracket from your work computer today? Congratulations! Depending on your office’s computer use policies, you may have violated the CFAA!)
But Auernheimer’s case hasn’t elicited as much outrage or sympathy as the others have. This is likely because Auernheimer is a huge jerk. He has a long history of race-baiting and malicious trolling. “I hack, I ruin, I make piles of money. I make people afraid for their lives,” Auernheimer told Mattathias Schwartz in a 2008 New York Times Magazine piece about online trolling. In that same story, Auernheimer admitted to harassing a blogger named Kathy Sierra—or, as he described her in an email that also included her home address and Social Security number, “a cockholster chugged full of cum that isn't even worth giving the time of day.”
Not surprisingly, people aren’t exactly lining up to sign “Free Weev” petitions. On Sunday night, Auernheimer did an “Ask Me Anything” q-&-a session on Reddit, and was met with general disdain, with many people suggesting that the sentence was karmic payback for Auernheimer’s years of trolling. In an informal pre-sentencing brief to Judge Susan D. Wigenton, the U.S. Attorney’s office essentially echoed these sentiments in arguing that Auernheimer deserved a substantial prison sentence. “His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others’ privacy, to embarrass others, to build his reputation on the backs of those less skilled than he,” wrote U.S. Attorney Paul Fishman, who went on to note the “atypical recalcitrance by the defendant to conform to the laws regarding unauthorized computer access.”
But just because you’re a jerk doesn’t mean that you’re a criminal. And in this case, it’s not clear that Auernheimer committed any actual crime. As Jeff Blagdon at The Verge put it, Auernheimer “cracked no codes, stole no passwords, or in any way ‘broke into’ AT&T’s customer database—something company representatives confirmed during testimony.” The defense argued that AT&T’s database security was flawed, and Auernheimer’s actions were tantamount to walking through an open door.
You could certainly argue that Auernheimer’s actions “exceeded authorized access”—an open door isn’t always an invitation to come inside. But the term “authorized access” is very, very vague, and it gives prosecutors far too much latitude to bring charges and threaten outlandishly long sentences for relatively minor violations. Congress ought to clarify the statute and better define its terms, before more people get caught up in it. If the CFAA is a bad law, then it’s a bad law, regardless of whether it’s being used against a malicious troll like Andrew Auernheimer or a secular saint-in-the-making like Aaron Swartz.