Orin Kerr And Members Of The EFF Representing AT&T Hacker 'Weev' Pro Bono During His Appeal

from the and-hopefully,-head-off-further-damaging-CFAA-precedent dept

Wed, Mar 27th 2013 2:41pm — Tim Cushing

Andrew "Weev" Auernheimer is appealing his 41 month prison sentence (and its accompanying fine of $73,000). Many members of the security community have expressed concern with this ruling, especially in light of other CFAA cases. Auernheimer's exposure of AT&T's security hole doesn't really seem like the sort of thing that should be punished, at least not with multiple years in jail and a hefty fine. Then there's the unsettling feeling that the US prosecutors pushed hard for a prison sentence because they found Weev unlikable.

Fortunately for Weev (and others who have or will run afoul of the CFAA), Orin Kerr has stepped up to offer pro bono representation in Auernheimer's appeal (along with members of the EFF). Kerr, most recently spotted here going head-to-jackass with Rep. Gohmert over the legality of "destroying" a hacker's computer, has a very thorough post discussing his reasons for joining the fray. Basically, it boils down to this: nearly everything about the government's decision is wrong, which is problematic if this ruling is going to be used as precedent in future CFAA cases.

In the government’s view, visiting the URLs was an unauthorized access of AT&T’s website. But I think that’s wrong. At bottom, the conduct here was visiting a public website. As the Sixth Circuit stated in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), everyone is authorized to visit an “unprotected website” that is “open to the public.” The fact that AT&T would not have wanted Spitler to visit those particular URLs doesn’t make visiting the public website and collecting the information a criminal unauthorized access. If you make information available to the public with the hope that only some people would bother to look, it’s not a crime for other people to see what you make available to them.

According to Kerr, undesirable access does not equal unauthorized access. The URLs were publicly available due to AT&T's own carelessness. What this actually looks like is the vindictive pursuit of an individual for publicly embarrassing the company. But it's not all on AT&T. The prosecutors themselves had to do a bit of creative sentencing to arrive at a "suitable" punishment for Weev's "hack."

Unauthorized access is ordinarily a misdemeanor. Why is this crime a felony? Here’s the government’s remarkable theory. All 50 states have state unauthorized access computer crime statutes similar to the federal unauthorized access statute. The government’s theory is that this overlap turns essentially all federal CFAA misdemeanors into federal felonies. They rely on 18 U.S.C. 1030(C)(2)(B)(ii), which states that a misdemeanor unauthorized access becomes a felony when it is “in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” The government argues that the existence of state unauthorized access crimes transform unauthorized access misdemeanor crimes into felonies: The overlap means that every federal unauthorized access crime is a federal crime “in furtherance of” the analogous state crime.

As Kerr states, this is nothing more than disingenuous double-counting being done for no other reason than to make the charges carry some weight. A misdemeanor results in a slap on the wrist, something that would hardly make AT&T happy. This isn't Kerr's (or the government's) first experience with hacking-related double-counting.

Back in 2011, Sarah Palin's email account was hacked and the Justice Department attempted to charge the hacker under two overlapping laws: "hacking into a computer" and "hacking an email account." This was overturned on appeal by the Fourth Circuit court, stating that the Justice Department's attempt to double dip a single action violated US principles on double jeopardy. This situation is more of the same, only with a convenient overlap of federal and state laws allowing prosecutors to ratchet up the charges from a misdemeanor to a full-blown felony.

In addition to these problems, Kerr also finds some jurisdictional issues at play. Even though none of the principals are located in New Jersey, the charges were brought in that state. The rationale? Some of the email addresses belonged to New Jersey residents. This paper-thin justification for filing charges in a pretty much unrelated state gives the appearance of prosecutorial venue shopping.

The most ridiculous aspect of the case is Kerr's final reason for stepping in: the sentence.

The largest part of Auernheimer’s sentence was due to an alleged $73,000 in loss suffered by AT&T. Under the provisions of the Sentencing Guidelines associated with 18 U.S.C. 1030, sentences are based primarily on the amount of loss caused by the crime. More dollar loss to the victim means more time in prison for the defendant.

AT&T claims it incurred costs of $73,000 due to Auernheimer's actions. But it claimed no loss to its computers, it suffered no downtime and lost no data. The only assertion of loss comes via AT&T's efforts to notify customers of the data breach.

First, AT&T notified its customers by e-mail. That was free, leading to a “cost” so far of zero. But then AT&T decided to follow-up the e-mail notification with paper letter notification, and the postage and paper costs amounted to about $73,000.

That's right. Auernheimer has to repay AT&T for envelopes and stamps with $73,000 of his own money -- and 3-1/2 years of his life. As Kerr points out, AT&T cannot reasonably pin this notification expense on Auernheimer as these costs are not "directly attributable" to the defendant's access of its supposedly off-limits URLs. Furthermore, Kerr says these costs are not "reasonable," considering AT&T's electronic notice to its customers was largely successful. In essence, Weev is doing time because he raided AT&T's petty cash box by proxy. Hopefully, this appeal will overturn this misguided sentence and prevent the CFAA from becoming an even worse law, thanks to the precedent set by this decision.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: andrew auernheimer, cfaa, eff, orin kerr, weev

33 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Alana (profile), 27 Mar 2013 @ 2:20pm

By reading this sentence you break my TOS and are elegible for being fined $1,000,000,000,000,000.
[ link to this | view in chronology ]
- Anonymous Coward, 27 Mar 2013 @ 3:25pm
  
  Re:
  Glad to see Dr. Evil understands inflation...
  [ link to this | view in chronology ]
- Beech, 27 Mar 2013 @ 5:21pm
  
  Re:
  No no no, all wrong. First anyone allegedly reading said comment would be fined for the amount of damages it caused you, so you'd have to snail-mail yourself a quadrillion letters about how someone violated your TOS/copyright/business model. Second, make sure everyone knows that violating your TOS/copyright/business model is in violation of some law which makes it a violation of several other laws which can all be dogpiled on you at once, so really, it should be a quadrillion dollars in fines PER broken law.
  
  Disclamer: The previous comment counts as legal advice, for which I charge whatever you are charging for reading your comment
  [ link to this | view in chronology ]
Anonymous Coward, 27 Mar 2013 @ 3:19pm

the even bigger tragedy in this case is that the judge totally went along with the bull shit spouted by both the prosecutor and AT&T. how can anyone that is supposed to represent and uphold the law behave like this? it makes an ass out of the law, simply to satisfy the prosecutors desire for jail time being dished out. i fully understand AT&T's attitude. they are embarrassed by what happened and have to appear squeaky clean. the problem there is that they are the ones at fault. they are the ones to blame. weev is just the scapegoat. what i am waiting to see is when someone discovers a serious flaw somewhere in something that could have dire consequences and says nothing because of fear of getting the blame, rather than being praised. what a tragedy that could be and all because certain companies, certain law enforcement representatives cant stand being proved to be wrong and get embarrassed!
[ link to this | view in chronology ]
Anonymous Coward, 27 Mar 2013 @ 3:22pm

Well it has taught me something. It is better to exploit the security hole then to inform about the problem. It is only illegal if you inform someone. If no one knows then your OK.
[ link to this | view in chronology ]
Glen, 27 Mar 2013 @ 3:24pm

And yet we look back at the Aaron Swartz case where the prosecutor claimed that he would have NEVER served the full amount of time that they where threatening.

Yeah, I totally believe them.

/sarc
[ link to this | view in chronology ]
Rekrul, 27 Mar 2013 @ 3:26pm

They should have set up a custom web site with numbered directories not accessible from the front page, so they could demonstrate to the jury exactly what he did.

"See this link in the address bar that ends in a '1'? I change it to a '2' and voila, we're shown a web page not normally accessible. Change it to a '3' and we get another, and so on. Show of hands, who thinks this qualifies as 'hacking'? What if I'm entering it manually and I make a typo, does that qualify as hacking?"
[ link to this | view in chronology ]
- DCX2, 27 Mar 2013 @ 3:28pm
  
  Re:
  Jurors would have been dumb founded that you can type URLs in by hand.
  [ link to this | view in chronology ]
  - Anonymous Coward, 27 Mar 2013 @ 3:36pm
    
    Re: Re:
    URLs... is that like google?
    [ link to this | view in chronology ]
    - Anonymous Coward, 27 Mar 2013 @ 11:25pm
      
      Re: Re: Re:
      Yurp,
      
      My girlfriend always searches google in the firefox search box to get google up. I repeatedly facepalm when she does this, apparently it's the way she likes to do things.
      [ link to this | view in chronology ]
special-interesting (profile), 27 Mar 2013 @ 3:36pm

Have been criticizing the CFAA as the open barn door policy to writing law lately. Making felonies out of everything should just stop. The public cannot afford the legal liability niether the lost economic base (having a job and spending money) or justice department incarceration costs. (its a double expense)

Having such law based on TOS or worse EULA is a nightmare of commercially derived felonies that make any telling of corporatism weak. Have mentioned my hope that judges and juries figuratively choke on such (wildly and ridiculously) loosely written law but... its a blind hope.

For any respectable senator to suggest destroying private property sounds thuggish and frankly quite embarrassing to hear of. Its already bad enough to have to scrape off the graffiti from the back garage.

As for 'probing' URL's thats done by almost every one from every country just by even looking for valid email accounts for spam not including the spy agencies and worse. The faster ATT finds out about weaknesses the better regardless of slightly questionable circumstances.

Ridiculing a company is par for the course when talking about a former Monopoly like ATT. Lets face it they did grow large enough and annoyed so many that they were broken up and even if todays corporation is not the exact same as then (some foreign ownership?) they did retain the name and all the baggage that goes with it. It would be distasteful if they demonstrated a grudge in any way.

If they perceive image problems then a different approach. Hire Weev; you don't have to like an employee or subcontractor to do successful business. (although it helps)

From outward appearances its seems that a knee jerk is the typical response to 'Weev' but so what? Putting legal muscle behind such guttural reaction is childish at best. What happened to impartiality and restraint?
[ link to this | view in chronology ]
Anonymous Coward, 27 Mar 2013 @ 3:54pm

Yeah, taking 114,000 e-mail addresses and giving them to Gawker- no problem there. Just a citizen, trying to helpful.
[ link to this | view in chronology ]
- Mike Masnick (profile), 28 Mar 2013 @ 3:13am
  
  Re:
  Yeah, taking 114,000 e-mail addresses and giving them to Gawker- no problem there. Just a citizen, trying to helpful.
  
  Yes, actually. He didn't release them to the public -- but to a journalist to report on it. If the goal was to be malicious, wouldn't they have released all the emails publicly?
  [ link to this | view in chronology ]
  - Anonymous Coward, 28 Mar 2013 @ 7:03am
    
    Re: Re:
    He didn't release them to the public -- but to a journalist to report on it.
    
    This time.
    
    Weev:
    
    "My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker," he wrote. "I won't nearly be as nice next time."
    
    Is Gawker journalists; or do they just "do journalism" sometimes?
    [ link to this | view in chronology ]
out_of_the_blue, 27 Mar 2013 @ 4:22pm

Hmm, almost convinced BUT I stick at "unauthorized".
From the original Gawker (many clicks):

"The specific information exposed in the breach included subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber.
....
Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad "Settings" application."

http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed

So CLEARLY it was "unauthorized" access, and this group knew that. It's another case where going to a deal of trouble to obtain non-public information that one doesn't have a right to, for NO other reason than to make trouble almost overwhelmingly has to be called criminal, BUT I would go with misdemeanor level assuming the argument above is accurate. And to hell with AT&T's costs to notify people.

Now, there IS a HUGE hole in my knowledge of the case (I don't see the answer in my skimming): was this Auernheimer the one who wrote and used the script? Or did he, as Mike alleges, just change numbers on a couple URLs and somehow got smacked with all the charges? -- Cause if the former then guilty, and if latter, HOW?
[ link to this | view in chronology ]
- Capitalist Lion Tamer (profile), 27 Mar 2013 @ 4:54pm
  
  Re: Hmm, almost convinced BUT I stick at "unauthorized".
  Now, there IS a HUGE hole in my knowledge of the case (I don't see the answer in my skimming): was this Auernheimer the one who wrote and used the script? Or did he, as Mike alleges, just change numbers on a couple URLs and somehow got smacked with all the charges? -- Cause if the former then guilty, and if latter, HOW?
  
  Yes, Auernheimer wrote and used the script. That (and Kerr's discussion surrounding that aspect) appears in Kerr's post at Volokh. (Also linked in post above.)
  
  As for Mike claiming Weev only changed numbers on a couple of URLs? I can't find him stating that anywhere. This is a quote from his post on the subject:
  
  In this case, what he did was expose a pretty blatant security hole in AT&T's servers, that allowed anyone to go in and find the emails of any AT&T iPad owner, merely by incrementing the user ID. This isn't a malicious "hack." It's barely a "hack" at all. This isn't "breaking in." This is just exploring a totally broken system. To call attention to this, weev collected information on a bunch of famous folks who had iPads and alerted the press.
  
  Here's Kerr's perspective on Weev's script:
  
  Further, the fact that an automated script was used to collect lots of information instead of visiting manually makes no difference to whether the visiting was an unauthorized access. See EF Cultural Travel BV v. Zefer, 318 F.3d 58 (1st Cir. 2003) (the fact that a website owner �would dislike� the use of an automated script �to construct a database� of information available from visiting the website does not render the use of the automated script an unauthorized access under the CFAA).
  [ link to this | view in chronology ]
Anonymous Coward, 27 Mar 2013 @ 4:47pm

I'd say this douchenozzle got what was coming.

From Arstechnica:

Auernheimer spent some of his last hours before sentencing participating in a reddit Ask Me Anything thread. The reaction of redditors was overwhelmingly hostile. "Everybody who thinks weev is some kind of hero is getting played by a sadistic sociopath who has spent most of his adult life anonymously inflicting misery on people as entertainment," wrote a representative commenter.

The hacker showed no sign of remorse. "My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker," he wrote. "I won't nearly be as nice next time."

His comments were cited by prosecutors as a reason to give him a longer prison sentence.

Auernheimer has vowed to appeal his conviction. He will be represented by Orin Kerr, a well-known law professor and blogger, and the Electronic Frontier Foundation.
[ link to this | view in chronology ]
- Capitalist Lion Tamer (profile), 27 Mar 2013 @ 4:56pm
  
  Re:
  Being an asshole: still not a crime.
  [ link to this | view in chronology ]
  - Anonymous Coward, 27 Mar 2013 @ 7:42pm
    
    Re: Re:
    He wasn't convicted of being an asshole.
    [ link to this | view in chronology ]
    - Bergman (profile), 27 Mar 2013 @ 9:09pm
      
      Re: Re: Re:
      Except he was. What he did wasn't a crime either by the letter of the law or by existing case law. But the man is a complete asshole. So he got convicted of not being likable while committing no crime.
      [ link to this | view in chronology ]
    - Anonymous Coward, 27 Mar 2013 @ 10:06pm
      
      Re: Re: Re:
      Then what do you call all the baying for Kim Dotcom's blood, then? "He's a flamboyant guy; even though he's already paid for his past felonies, throw the books at him with no legal recourse!"
      [ link to this | view in chronology ]
    - Anonymous Coward, 28 Mar 2013 @ 8:16am
      
      Re: Re: Re:
      And yet you only cite him being an asshole as evidence for him "[getting] what was coming."
      [ link to this | view in chronology ]
- Capitalist Lion Tamer (profile), 27 Mar 2013 @ 5:01pm
  
  Re:
  And let me add this:
  
  His comments were cited by prosecutors as a reason to give him a longer prison sentence.
  
  Put him in prison longer because people seem to dislike him? How does that make any sense in context of the judicial system? "The court finds the defendant guilty as charged. In light of the general opinion that the defendant is a prick, we have added 12 months to his sentence."
  
  Really? Is that how you want "justice" meted out?
  [ link to this | view in chronology ]
  - Beech, 27 Mar 2013 @ 5:36pm
    
    Re: Re:
    I would say he's not getting a longer sentence because people don't like him, its probably because saying something like "My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker, I won't nearly be as nice next time." doesn't exactly exude remorse. It makes it sound like that big mean hacker is going to go right back into trying to cyber-break AT&Ts cyber-computers with his cyber-sorcery!!
    [ link to this | view in chronology ]
    - Bergman (profile), 27 Mar 2013 @ 9:11pm
      
      Re: Re: Re:
      Remorse...for what exactly? I go out of my way to avoid breaking laws. If I am successful at not breaking a law, I feel no remorse for not breaking a law.
      
      If I am falsely accused of breaking a law, I will continue to not feel remorse for not breaking that law. Remorse is something that people who did bad/illegal things feel.
      
      If you didn't do bad/illegal things, why should you feel remorseful?
      [ link to this | view in chronology ]
  - Anonymous Coward, 27 Mar 2013 @ 7:39pm
    
    Re: Re:
    The judge has discretion to sentence within the guidelines. A lot of that is based on the seriousness of the crime and the attitude of the defendant. If the defendant acts like an asshole, says ignorant, inflammatory shit like: "My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker," he wrote. "I won't nearly be as nice next time." Then it follows that the judge may conclude that the guilty party needs a longer sentence as a deterrent or punishment. He didn't have to shoot off his big mouth. He could have said nothing and chose instead to act like a dick. It probably cost him an extra year. I doubt he will find it worthwhile 3 1/2 years from now. Also with a sentence that long, he's not a slamdunk for a minimum security facility. He could well end up in medium security, which is a real prison with some really hard guys. A rich boy, convicted of a soft crime like hacking who also acts like an asshole will not fare well among hardened criminals doing serious time. Particularly if he continues to act like an asshole. His stupid defiance has probably already marked him as a potential attitude problem to prison officials which almost assures a higher security level. So instead of 2-2 1/2 years in Club Fed, he gets 41 months with real criminals. His stupidity is staggering.
    [ link to this | view in chronology ]
    - This comment has been flagged by the community. Click here to show it
      
      Anonymous Coward, 27 Mar 2013 @ 7:46pm
      
      Re: Re: Re:
      Pirate Mike doesn't agree. All cybercriminals are martyrs in his eyes.
      [ link to this | view in chronology ]
      - Anonymous Coward, 28 Mar 2013 @ 1:12am
        
        Re: Re: Re: Re:
        There's no such thing as a "cybercriminal". There's only a criminal.
        
        THIS is what is wrong with the whole debate.
        [ link to this | view in chronology ]
      - DP, 28 Mar 2013 @ 6:21am
        
        Re: Re: Re: Re:
        OOTB incognito again - if he actually knows what that word means with his obviously limited education. That's four syllables, OOTB - too much for you to take in, I guess.
        [ link to this | view in chronology ]
- Anonymous Coward, 27 Mar 2013 @ 5:01pm
  
  Re:
  Well, if being an asshole is a crime, then every politician would be a lifer without parole.
  [ link to this | view in chronology ]
Bergman (profile), 27 Mar 2013 @ 9:14pm

So does this mean...?
That if I am very slightly harmed by someone or some organization, even if the harm exists only in my own delusions, if I run out and immediately incur MASSIVE expenses in the course of dealing with that harm, those expenses constitute damages that I can sue for?

That's quite a precedent right there.
[ link to this | view in chronology ]
- kitsune361, 28 Mar 2013 @ 12:08pm
  
  Re: So does this mean...?
  It is quite a slippy slope: If my security is negligent I can charge the person who discovered it for costs incurred notifying my customers of my negligent security?
  [ link to this | view in chronology ]
Anonymous Coward, 28 Mar 2013 @ 7:18am

why aren't the lard-ass judges pushing back
What happened to the INjustice system that allows such abuses and even turns a blind eye? Are the court judges bought and paid for too? I know congress-critters have been but the judges too... wow.

Just wondering...
[ link to this | view in chronology ]