A team of venerable computer crime defense lawyers has filed an appeal in New Jersey asking a court to overturn the conviction and sentence of a 27-year-old "gray-hat" hacker who discovered a vulnerability in AT&T's public website.
Andrew "Weev" Auernheimer was sentenced in March to 41 months in prison following his conviction last year for discovering and exploiting a weakness on the website of AT&T that allowed him and a co-conspirator to obtain data on roughly 120,000 Apple iPad users, including politicians and celebrities, without actually bypassing any security controls. They subsequently shared some of the information with Gawker.
The case has fueled debate over what many believe is the broad and excessive reach of the federal anti-hacking statute known as the Computer Fraud and Abuse Act (CFAA). Soon after his conviction, a highly regarded legal team formed, which included Orin Kerr, a professor of law at George Washington University; New York lawyer Tor Ekeland and current and former staff attorneys at the Electronic Frontier Foundation.
According to a 63-page brief filed Monday in the 3rd U.S. Circuit Court of Appeals, the lawyers' major argument is that Auernheimer didn't violate the CFAA because he only visited an unprotected web page.
Auernheimer has argued that he merely tricked a publicly available site, with the help of a script written by fellow researcher Daniel Spitler (who previously pleaded guilty), into divulging the iPad user information. Auernheimer didn't use any classic hacking techniques, such as brute force or SQL injection. Additionally, he never sought to profit from the information he discovered, only to shame a major corporation like AT&T for poor security practices, he said.
"The fundamental question in this case is whether it is a crime to visit a public website," the lawyers said in their appeal. "AT&T published the email addresses of its customers on a public website...AT&T programmed its website to return the email addresses of users when anyone visited the correct web page at AT&T's website."
Kerr said that prosecuting Auernheimer, who according to reports has been placed in solitary confinement because he tweeted from prison, under the CFAA amounts to making it a crime to surf the web.
The attorneys contend that because AT&T didn't password protect a portion of its site, the information was available to the public, thus visiting the website "to collect email addresses was authorized and legal."
The appeal also argues that if Auernheimer is indeed guilty under the CFAA, his conviction, according to New Jersey statute, should have been for a misdemeanor, not a felony; that he never possessed or transferred any email addresses "in connection with" unlawful activity; that he shouldn't have been tried in New Jersey because no AT&T computers involved in the incident were based there and no data was "transferred, possessed or used in the state"; and that the costs absorbed by AT&T due to the incident were not "reasonable" or "losses."
"The government set out to make an example of Auernheimer," EFF Staff Attorney Hanni Fakhoury said in a statement posted Monday evening by the nonprofit advocacy group. "But the only message this sends to the security research community is that if you discover a vulnerability, you could go to jail for sounding the alarm."
Two members of Congress have since proposed a law that would update the CFAA, amending certain provisions that can be used to criminalize common internet use.
Aside from researchers, civil liberties defenders believe the CFAA is also being used unjustly and aggressively to wage war against those who seek to expose wrongdoing. A number of other so-called "hacktivists," including Barrett Brown and Jeremy Hammond, are facing long prison terms under the law.