Orin Kerr And Members Of The EFF Representing AT&T Hacker 'Weev' Pro Bono During His Appeal
from the and-hopefully,-head-off-further-damaging-CFAA-precedent dept
Andrew "Weev" Auernheimer is appealing his 41 month prison sentence (and its accompanying fine of $73,000). Many members of the security community have expressed concern with this ruling, especially in light of other CFAA cases. Auernheimer's exposure of AT&T's security hole doesn't really seem like the sort of thing that should be punished, at least not with multiple years in jail and a hefty fine. Then there's the unsettling feeling that the US prosecutors pushed hard for a prison sentence because they found Weev unlikable.
Fortunately for Weev (and others who have or will run afoul of the CFAA), Orin Kerr has stepped up to offer pro bono representation in Auernheimer's appeal (along with members of the EFF). Kerr, most recently spotted here going head-to-jackass with Rep. Gohmert over the legality of "destroying" a hacker's computer, has a very thorough post discussing his reasons for joining the fray. Basically, it boils down to this: nearly everything about the government's decision is wrong, which is problematic if this ruling is going to be used as precedent in future CFAA cases.
In the government’s view, visiting the URLs was an unauthorized access of AT&T’s website. But I think that’s wrong. At bottom, the conduct here was visiting a public website. As the Sixth Circuit stated in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), everyone is authorized to visit an “unprotected website” that is “open to the public.” The fact that AT&T would not have wanted Spitler to visit those particular URLs doesn’t make visiting the public website and collecting the information a criminal unauthorized access. If you make information available to the public with the hope that only some people would bother to look, it’s not a crime for other people to see what you make available to them.

According to Kerr, undesirable access does not equal unauthorized access. The URLs were publicly available due to AT&T's own carelessness. What this actually looks like is the vindictive pursuit of an individual for publicly embarrassing the company. But it's not all on AT&T. The prosecutors themselves had to do a bit of creative sentencing to arrive at a "suitable" punishment for Weev's "hack."
Unauthorized access is ordinarily a misdemeanor. Why is this crime a felony? Here’s the government’s remarkable theory. All 50 states have state unauthorized access computer crime statutes similar to the federal unauthorized access statute. The government’s theory is that this overlap turns essentially all federal CFAA misdemeanors into federal felonies. They rely on 18 U.S.C. 1030(C)(2)(B)(ii), which states that a misdemeanor unauthorized access becomes a felony when it is “in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” The government argues that the existence of state unauthorized access crimes transform unauthorized access misdemeanor crimes into felonies: The overlap means that every federal unauthorized access crime is a federal crime “in furtherance of” the analogous state crime.

As Kerr states, this is nothing more than disingenuous double-counting being done for no other reason than to make the charges carry some weight. A misdemeanor results in a slap on the wrist, something that would hardly make AT&T happy. This isn't Kerr's (or the government's) first experience with hacking-related double-counting.
Back in 2011, Sarah Palin's email account was hacked and the Justice Department attempted to charge the hacker under two overlapping laws: "hacking into a computer" and "hacking an email account." The Fourth Circuit court overturned this on appeal, stating that the Justice Department's attempt to double dip a single action violated US principles on double jeopardy. This situation is more of the same, only with a convenient overlap of federal and state laws allowing prosecutors to ratchet up the charges from a misdemeanor to a full-blown felony.
In addition to these problems, Kerr also finds some jurisdictional issues at play. Even though none of the principals are located in New Jersey, the charges were brought in that state. The rationale? Some of the email addresses belonged to New Jersey residents. This paper-thin justification for filing charges in a pretty much unrelated state gives the appearance of prosecutorial venue shopping.
The most ridiculous aspect of the case is Kerr's final reason for stepping in: the sentence.
The largest part of Auernheimer’s sentence was due to an alleged $73,000 in loss suffered by AT&T. Under the provisions of the Sentencing Guidelines associated with 18 U.S.C. 1030, sentences are based primarily on the amount of loss caused by the crime. More dollar loss to the victim means more time in prison for the defendant.

AT&T claims it incurred costs of $73,000 due to Auernheimer's actions. But it claimed no loss to its computers, it suffered no downtime and lost no data. The only assertion of loss comes via AT&T's efforts to notify customers of the data breach.
First, AT&T notified its customers by e-mail. That was free, leading to a “cost” so far of zero. But then AT&T decided to follow up the e-mail notification with paper letter notification, and the postage and paper costs amounted to about $73,000.

That's right. Auernheimer has to repay AT&T for envelopes and stamps with $73,000 of his own money -- and 3-1/2 years of his life. As Kerr points out, AT&T cannot reasonably pin this notification expense on Auernheimer, as these costs are not "directly attributable" to the defendant's access of its supposedly off-limits URLs. Furthermore, Kerr says these costs are not "reasonable," considering AT&T's electronic notice to its customers was largely successful. In essence, Weev is doing time because he raided AT&T's petty cash box by proxy. Hopefully, this appeal will overturn this misguided sentence and prevent the CFAA from becoming an even worse law, thanks to the precedent set by this decision.
Filed Under: andrew auernheimer, cfaa, eff, orin kerr, weev
Reader Comments
Yeah, I totally believe them.
/sarc
"See this link in the address bar that ends in a '1'? I change it to a '2' and voila, we're shown a web page not normally accessible. Change it to a '3' and we get another, and so on. Show of hands, who thinks this qualifies as 'hacking'? What if I'm entering it manually and I make a typo, does that qualify as hacking?"
Having such law based on TOS or worse EULA is a nightmare of commercially derived felonies that make any telling of corporatism weak. Have mentioned my hope that judges and juries figuratively choke on such (wildly and ridiculously) loosely written law but... it's a blind hope.
For any respectable senator to suggest destroying private property sounds thuggish and frankly quite embarrassing to hear of. It's already bad enough to have to scrape off the graffiti from the back garage.
As for 'probing' URLs, that's done by almost everyone from every country just by even looking for valid email accounts for spam, not including the spy agencies and worse. The faster ATT finds out about weaknesses the better, regardless of slightly questionable circumstances.
Ridiculing a company is par for the course when talking about a former monopoly like ATT. Let's face it, they did grow large enough and annoyed so many that they were broken up, and even if today's corporation is not the exact same as then (some foreign ownership?) they did retain the name and all the baggage that goes with it. It would be distasteful if they demonstrated a grudge in any way.
If they perceive image problems then a different approach. Hire Weev; you don't have to like an employee or subcontractor to do successful business. (although it helps)
From outward appearances it seems that a knee jerk is the typical response to 'Weev' but so what? Putting legal muscle behind such guttural reaction is childish at best. What happened to impartiality and restraint?
Hmm, almost convinced BUT I stick at "unauthorized".
"The specific information exposed in the breach included subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber.
....
Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad "Settings" application."
http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed
So CLEARLY it was "unauthorized" access, and this group knew that. It's another case where going to a deal of trouble to obtain non-public information that one doesn't have a right to, for NO other reason than to make trouble, almost overwhelmingly has to be called criminal, BUT I would go with misdemeanor level assuming the argument above is accurate. And to hell with AT&T's costs to notify people.
Now, there IS a HUGE hole in my knowledge of the case (I don't see the answer in my skimming): was this Auernheimer the one who wrote and used the script? Or did he, as Mike alleges, just change numbers on a couple URLs and somehow get smacked with all the charges? -- 'Cause if the former then guilty, and if latter, HOW?
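The quoted passage above describes an endpoint that, given a guessable ICC-ID in an HTTP request, returned another subscriber's e-mail address, and a script that walked a range of such IDs. From the defender's side, that pattern is visible in ordinary access logs as one client querying many distinct, sequential identifiers. The following is an added example (not code from the post, the commenters, or AT&T) that flags such clients; the `/lookup` path, the `iccid` parameter name and the log lines are constructed assumptions, since the real URL is not on the page.

```python
import re
from collections import defaultdict

# Hypothetical endpoint and parameter name (the real AT&T URL is not on the page).
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /lookup\?iccid=(\d{19,20}) HTTP/1\.[01]" (\d{3})'
)

# Constructed sample log lines (not real AT&T data). Client 10.0.0.5 walks
# eight consecutive ICC-ID values; client 10.0.0.9 looks up a single ID twice.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [09/Jun/2010:10:00:{i:02d} +0000] '
     f'"GET /lookup?iccid={8901410425000000000 + i} HTTP/1.1" 200 41'
     for i in range(1, 9)]
    + ['10.0.0.9 - - [09/Jun/2010:10:01:00 +0000] '
       '"GET /lookup?iccid=8901410425000001234 HTTP/1.1" 200 41'] * 2
)


def client_id_sets(log_text):
    """Map each client address to the set of distinct ICC-ID values it queried."""
    ids = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ids[m.group(1)].add(int(m.group(2)))
    return ids


def sequential_fraction(values):
    """Fraction of adjacent values (after sorting) that differ by exactly 1.
    A client looking up its own ID scores 0; a client walking a range scores near 1."""
    s = sorted(values)
    if len(s) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(s, s[1:]) if b - a == 1)
    return steps / (len(s) - 1)


def flag_enumerators(log_text, min_distinct=5, min_seq_fraction=0.8):
    """Return {client: (distinct_ids, seq_fraction)} for clients whose queries
    look like identifier enumeration rather than a lookup of their own ID."""
    flagged = {}
    for client, values in client_id_sets(log_text).items():
        frac = sequential_fraction(values)
        if len(values) >= min_distinct and frac >= min_seq_fraction:
            flagged[client] = (len(values), frac)
    return flagged


if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))
```

The thresholds are illustrative; the structural fix is the one the passage implies, namely never deriving a subscriber's data from a client-supplied identifier without checking that the authenticated session owns it.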
From Arstechnica:
Auernheimer spent some of his last hours before sentencing participating in a reddit Ask Me Anything thread. The reaction of redditors was overwhelmingly hostile. "Everybody who thinks weev is some kind of hero is getting played by a sadistic sociopath who has spent most of his adult life anonymously inflicting misery on people as entertainment," wrote a representative commenter.
The hacker showed no sign of remorse. "My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker," he wrote. "I won't nearly be as nice next time."
His comments were cited by prosecutors as a reason to give him a longer prison sentence.
Auernheimer has vowed to appeal his conviction. He will be represented by Orin Kerr, a well-known law professor and blogger, and the Electronic Frontier Foundation.
Re: Hmm, almost convinced BUT I stick at "unauthorized".
Yes, Auernheimer wrote and used the script. That (and Kerr's discussion surrounding that aspect) appears in Kerr's post at Volokh. (Also linked in post above.)
As for Mike claiming Weev only changed numbers on a couple of URLs? I can't find him stating that anywhere. This is a quote from his post on the subject:
Here's Kerr's perspective on Weev's script:
Re:
His comments were cited by prosecutors as a reason to give him a longer prison sentence.
Put him in prison longer because people seem to dislike him? How does that make any sense in context of the judicial system? "The court finds the defendant guilty as charged. In light of the general opinion that the defendant is a prick, we have added 12 months to his sentence."
Really? Is that how you want "justice" meted out?
Re:
Disclaimer: The previous comment counts as legal advice, for which I charge whatever you are charging for reading your comment.
Re: Re: Re:
If I am falsely accused of breaking a law, I will continue to not feel remorse for not breaking that law. Remorse is something that people who did bad/illegal things feel.
If you didn't do bad/illegal things, why should you feel remorseful?
So does this mean...?
That's quite a precedent right there.
Re: Re: Re:
My girlfriend always searches Google in the Firefox search box to get Google up. I repeatedly facepalm when she does this; apparently it's the way she likes to do things.
Re: Re: Re: Re:
THIS is what is wrong with the whole debate.
Re:
Yes, actually. He didn't release them to the public -- but to a journalist to report on it. If the goal was to be malicious, wouldn't they have released all the emails publicly?
Re: Re:
This time.
Weev:
"My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker," he wrote. "I won't nearly be as nice next time."
Are Gawker journalists; or do they just "do journalism" sometimes?
why aren't the lard-ass judges pushing back
Just wondering...