After spending over a year in federal prison, infamous hacker and internet troll Andrew “Weev” Auernheimer had his conviction vacated on Friday by the Third Circuit Court of Appeals.  Last March, Auernheimer received a 41-month sentence for conspiracy to violate the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, and identity fraud under 18 U.S.C. § 1028(a)(7).  Weev was prosecuted for revealing a security flaw in AT&T’s website, thereby obtaining the email addresses of 114,000 iPad 3G users, and then providing that information to gossip site Gawker.  Gawker’s article, which included some of the data partially redacted, prompted an FBI investigation.  Weev’s case has been particularly important to some cyber security researchers, as Weev’s prosecution has made them afraid to report the security and privacy flaws they find.

Unfortunately for all those interested in the substantive merits of the charges against Weev, the appeals court vacated his conviction on procedural grounds, finding that venue for his prosecution in the District of New Jersey was improper.  The court came to this conclusion because neither AT&T’s server nor Auernheimer were physically located in New Jersey when Auernheimer exposed the security flaw.

As for the CFAA itself, Weev conviction was based specifically on 18 USC § 1030(a)(2)(C), which states: “whoever intentionally access a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer…shall be punished as provided in subsection (c) of this section.”  Weev’s prosecution was particularly interesting because he did not crack any codes, steal any passwords, or in any way “break into” AT&T’s customer database – something company representatives confirmed during testimony.  The team that handled Weev’s appeal wrote in their brief, “The fundamental question in this case is whether it is a crime to visit a public website.”  However, since the appeals court vacated the conviction on procedural grounds and punted on the nature of the charges, the question of whether Weev’s actions actually constituted a violation of the CFAA was left unanswered.

–Michael Joshi

Image Source


Comments are closed.