Andrew Auernheimer, better known on the Internet as "weev," has had his sentence overturned by a federal appeals court, righting what many advocacy groups regarded as an unfair conviction.
In 2010, Auernheimer and co-defendant Daniel Spitler found a way to access the email addresses of AT&T iPad owners through AT&T's website. By guessing unique hardware numbers associated with AT&T iPads and submitting those numbers to AT&T's website, the pair were able to get AT&T's servers to respond with iPad customers' email addresses. In effect, this was security through obscurity. The data was disclosed to Gawker, which published a redacted subset of the addresses and a few names of affected individuals.
AT&T issued an apology and closed the hole. In 2012, Auernheimer was tried and convicted of identify fraud and conspiracy to gain unauthorized access to computers. In March, 2013, he was sentenced to 41 months in prison.
The case against Auernheimer relied on the Computer Fraud and Abuse Act, the much maligned law used to charge Aaron Schwartz. Among other provisions, the law makes it illegal to deliberately access a computer without authorization. Critics of the law consider it to be overly broad because the statute fails to adequately define "without authorization."
[What steps do you plan to take in response to the Heartbeat bug? Read Flash Poll: Broken Heartbeat.]
Absent that definition, a prosecutor has the option to pursue felony charges against a person using a computer against the owner's wishes or when that use violates a private agreement. The US government has already brought CFAA charges against people for violating a terms of service agreement and for contravening corporate policy.
A further issue with the law is its harsh penalties: First-time offenders can be sentenced to five years in prison for accessing a computer without authorization. Were you to publish a person's home address through Twitter -- a terms of service violation -- a vindictive prosecutor could bring a CFAA charge and seek a five-year prison sentence. Other online actions that could, in theory, bring felony charges for computer abuse include: lying about your age on Facebook, posting impolite comments on The New York Times website, and misrepresenting your physical attractiveness on Craigslist.
The appellate court granting Auernheimer's appeal did not focus on the CFAA. Rather, it found the government's decision to prosecute Auernheimer in New Jersey unacceptable.
Spitler was based in San Francisco, Calif., and Auernheimer was based in Fayetteville, Ark. The servers they accessed were located in Dallas, Texas, and Atlanta, Ga. Yet prosecutors had the trial conducted in New Jersey -- on the basis that some 4,500 New Jersey residents had had their email addresses exposed -- "to enhance the potential punishment from a misdemeanor to a felony," as the appeals court put it.
The ruling does contain a footnote to hearten those seeking to reform the CFAA: "We also note that in order to be guilty of accessing 'without authorization, or 'in excess of authorization' under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code- or password-based barrier to access," it reads.
Noting the absence of evidence indicating that the defendants had breached a password-based barrier, the court found that the script used to access email addresses "simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published."
Cybercriminals wielding APTs have plenty of innovative techniques to evade network and endpoint defenses. It's scary stuff, and ignorance is definitely not bliss. How to fight back? Think security that's distributed, stratified, and adaptive. Read our Advanced Attacks Demand New Defenses report today. (Free registration required.)