Andrew Auernheimer, the infamous hacker and Internet troll imprisoned for revealing a security flaw in AT&T's website, will soon be walking free after more than a year behind bars. Today, the 3rd Circuit Court of Appeals in New Jersey vacated Auernheimer's conviction under the Computer Fraud and Abuse Act, a decades-old anti-hacking law which has been increasingly used to prosecute things that don't really seem like “hacking” at all.
In 2011, Auernheimer (aka “weev”) and his partner Daniel Spitler discovered that by simply incrementing an iPad serial number and entering the results into AT&T's website, they were able to obtain the personal data of 114,000 AT&T iPad customers, including celebrities and government officials. Last year, he was sentenced to 41 months in federal prison on counts of identity theft and “unauthorized access to protected computer,” despite the fact that the sensitive data in question was readily available from AT&T's website. As weev has put it on multiple occasions after his conviction, “I'm going to jail for doing arithmetic.”
But the reasoning behind the court's reversal today didn't have anything to do with the nature of the charges, or computer crime law in general. Neither did it touch on Auernheimer's off-putting attitude and controversial trolling, which was an intense focus for the prosecution prior to his conviction. The case was vacated on the basis that the New Jersey venue was improper, because neither AT&T's server nor Auernheimer was physically located there.
Interestingly, a footnote in the court opinion points out that New Jersey law would have specifically required prosecutors to prove that Auernheimer “circumvented a code- or password-based barrier to access”—a task that given the facts would have been challenging, to say the least. This would have been made more difficult, given that the government doesn't seem to understand what Auernheimer actually did. During a recent appellate hearing in Philadelphia, assistant U.S. attorney Glenn Moramarco argued that what Auernheimer and Spitler did was “hacking” because they “had to download the entire iOS system on his computer, he had to decrypt it, he had to do all of these things I don't even understand.” Later, he compared weev's actions to blowing up a nuclear power plant.
Auernheimer's legal team, led by the firm Tor Ekeland, P.C. and attorneys from the Electronic Frontier Foundation, has announced that they are seeking his immediate release, which could come as early as Friday night. But what happens next depends on whether the Department of Justice decides to retry the case in a different legal venue. That scenario would be bad for weev, who has spent much of his sentence in solitary confinement. But if the case ends here, it would also be a lost opportunity for courts to finally clarify the vague laws governing what constitutes “hacking.”
On the other hand, it's not like there aren't other questionable CFAA cases to choose from. Former Reuters employee Matthew Keys faces up to 25 years in prison under the statute, for giving a password to the Los Angeles Times website to a member of Anonymous, which led to a headline being defaced for 30 minutes. (The court has bizarrely charged the act as “transmission of malicious code.”)
Auernheimer may be free, but the more important legal question of what separates petty mischief and security research from “hacking” remains unanswered—at least for now.