Lawyers for hacker Andrew “Weev” Auernheimer, who is serving a 41-month prison sentence, will appear in a US court on Wednesday to try to overturn a conviction they say has serious repercussions for internet freedom.
Auernheimer, a self-confessed internet troll and hacker, was found guilty in November 2012 of identity theft and conspiracy to gain unauthorised access to AT&T public servers, after he obtained thousands of email addresses of iPad owners. He shared his findings with Gawker, which published them in redacted form. He was charged with a felony under the Computer Fraud and Abuse Act (CFAA), a law that came under fire as outdated and too general when it was used to prosecute the late internet activist Aaron Swartz.
Lawyers for Auernheimer say his conviction is flawed and raises important questions for civil liberties online.
On Wednesday, at the 3rd circuit court of appeals in Philadelphia, lawyers will argue that Auernheimer’s actions do not constitute a misdemeanour, let alone a felony. They will say that Auernheimer did not violate the CFAA because he simply accessed a public server, something that does not constitute “unauthorised access”, which is what the law criminalises. Neither, they say, does it constitute a crime under the identity theft statute.
The government argues that his actions were without authorisation under the CFAA because AT&T did not want them to have the addresses, despite them being available on its public website.
“The fundamental question in this case is whether it is a crime to visit a public website,” the lawyers wrote in their legal brief. “By posting information on the public web without a password requirement, AT&T made the information available to everyone.”
Auernheimer’s legal team includes Orin Kerr, a former prosecutor and law professor at George Washington University Law School and lawyer for the Electronic Frontier Foundation (EFF), a digital rights organisation.
Hanni Fakhoury, staff attorney at the EFF, said Auernheimer’s case was an example of a prosecution aimed at a person, not a crime: “One of the big problems of this case has always been that Auernheimer can be unsympathetic. The thing is, when you couple a very bad law [the CFAA] with the prosecutor having brought the decision being able to go after who they like, or who they don’t like, that’s a problem,” he said.
Because the CFAA makes it a crime to obtain information from a computer “without authorisation”, a term that has not been defined in the law, the conviction sets a dangerous precedent, Fakhoury said.
He cited the case of Isaac Wolf, a journalist at Scripps Howard News Service, who was threatened with legal action under the CFAA last year. Wolf was researching a story on TerraCom, a company that provides federally subsidised phone services to those on low incomes, and came across social security numbers and other sensitive records while doing a basic Google search. But when he revealed that TerraCom and an affiliate, YourTel America, had left thousands of customers at risk of identity theft, the companies claimed the reporters were hacking and threatened to sue.
Auernheimer’s appeal will be closely watched by security researchers and privacy experts who say that the conviction, if not overturned, will have a detrimental effect on security. They say the information Auernheimer helped to access was made available by AT&T to the entire internet and access occurred through standard protocols used by every web user.
Computer scientists, security researchers and internet freedom advocates have filed an amicus brief, asking the appeals court to overturn his conviction. They include the Mozilla Foundation, which makes the web browser Firefox. In their brief, they argue there are “striking similarities” between research tools used by experts to benefit privacy and security and those employed by Auernheimer, and that they have a vital interest in arguing why individuals must be deemed authorised under the CFAA when they access unsecured data on websites.
Auernheimer’s conviction raises other legal issues, in addition to questions of whether it was a crime, his lawyers say. In papers submitted to the court, they argue that the case was improperly brought in New Jersey, because no computer was accessed nor information obtained in New Jersey, and that the largest part of his sentence, due to an alleged $73,000 loss to AT&T, was wrong because the losses had nothing to do with computer costs, but were the result of mail sent out to the company’s customers.
Auernheimer, who is serving his sentence at Allenwood Federal Correctional Complex in White Deer, Pennsylvania, has not been given permission to attend the hearing.