Appeals Court Reverses Weev Conviction For Incorrect Venue, Avoids Bigger CFAA Questions

from the it's-a-start dept

We've been covering the prosection of Andrew "weev" Auernheimer for over a year, and things were not looking good for him, with the court seemingly stacking the deck in favor of a clueless DOJ. But instead, today the appeals court reversed his conviction and 3.5-year jail sentence (which, let's not forget, was handed to him for exposing a security flaw, under the DOJ's twisted interpretation of the Computer Fraud & Abuse Act).

The hope, of course, was that the court might address the ridiculousness of the charge and the huge problems of the CFAA, which currently permits the government to go after pretty much anyone who uses a computer in a way they don't like. Instead, the conviction was tossed for being in the wrong venue:

Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue.

But, while the ruling punts on the CFAA, it raises some issues in its venue analysis that could themselves have a wider impact. Weev was prosecuted in New Jersey based on the flimsy rationale that New Jersey residents were affected by the security flaw exposure (but really because New Jersey has its own anti-hacking laws, and the DOJ was able to pursue a harsher punishment if the CFAA intersected with state laws). But the appeals court found that, since none of the allegedly illegal activities undertaken by weev happened in New Jersey, this was inappropriate:

The statute’s plain language reveals two essential conduct elements: accessing without authorization and obtaining information.

New Jersey was not the site of either essential conduct element. The evidence at trial demonstrated that the accessed AT&T servers were located in Dallas, Texas, and Atlanta, Georgia. In addition, during the time that the conspiracy began, continued, and ended, Spitler was obtaining information in San Francisco, California, and Auernheimer was assisting him from Fayetteville, Arkansas. No protected computer was accessed and no data was obtained in New Jersey.

Since the question of venue is still very muddy when it comes to the internet, this likely isn't the last we'll be hearing about this ruling, and its impact on other cases could prove interesting. It's also likely not an end to weev's story, and certainly not an end to government abuse of the CFAA. But, for now and at the very least, it says that if the DOJ is going to try to throw you in jail for the crime of Vaguely Misusing A Computer While Being Kind Of A Jerk, it at least has to do it in the correct venue instead of going fishing for the most favorable one.

Update: As noted in the First Word comment below, the ruling did make mention of the fact that no crime had been clearly established, which suggests that if the court had addressed the bigger questions about the charge, it may not have gone well for the DOJ. For now, we'll have to be satisfied with a non-binding footnote.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: andrew auernheimer, cfaa, doj, hacking, venue, weev


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 11 Apr 2014 @ 9:49am

    Moral of the Story

    If the government is going to broadly apply a bad law, it will do so with full due process and all its Is dotted and Ts crossed dammit!!! We are a nation of laws!!

    link to this | view in chronology ]

  • identicon
    SEHumphrey, 11 Apr 2014 @ 9:57am

    Although not binding, it is important to note that the court did address (in a footnote) that there wasn't a clear crime committed:

    We also note that in order to be guilty of accessing without authorization, or in excess of authorization” under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code - or password - based barrier to access. See State v. Riley, 988 A.2d 1252,1267 (N.J. Super. Ct. Law Div. 2009). Although we need not resolve whether Auernheimer’s conduct involved such a breach, no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier. The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 11 Apr 2014 @ 10:08am

    Venue is important

    Limiting venue is important. One should not have to face trial in a jurisdiction just because of some tangential contact with someone who happens to reside in that jurisdiction.

    As an extreme example, imagine how it would be if a person in country A doing something to a server in country B could be tried in country C because in the past someone in country C had used that server in country B.

    Or an even more extreme example, someone in one country doing something that is legal in his own country but which would be illegal if done in another country, being detained and tried in that other country.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 11 Apr 2014 @ 10:22am

      Re: Venue is important

      It would be nice if the US limited itself to crimes committed by people living on its territory. Ask Garry MaKinnon and of course Kim Dotcom about the US trying to enforce its laws on foreigners.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 11 Apr 2014 @ 11:06am

        Re: Re: Venue is important

        Yeah, the USA is pretty bad about it. Don't forget Dmitri Sklyarov, who working in Russia did something fully legal in Russia, and was detained in the USA for it.

        The USA is big on extraterritorial jurisdiction, but when other countries want to apply extraterritorial jurisdiction to it the reaction is negative; see for instance the Hague Invasion Act.

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 11 Apr 2014 @ 12:07pm

      Re: Venue is important

      Now if only we could keep patent cases out of East Texas.

      link to this | view in chronology ]

    • identicon
      Rekrul, 11 Apr 2014 @ 6:38pm

      Re: Venue is important

      Limiting venue is important. One should not have to face trial in a jurisdiction just because of some tangential contact with someone who happens to reside in that jurisdiction.

      Look up the Amateur Action BBS case. A man and his wife ran a subscription porn BBS in California, where it was investigated and deemed to be legal. A postal inspector from Tennessee started an investigation and they were eventually convicted of violating Tennessee's community standards.

      link to this | view in chronology ]

  • icon
    GMacGuffin (profile), 11 Apr 2014 @ 10:23am

    Not to mix metaphors ...

    The Court punted on the CFAA issue, but it's still a good result. It doesn't matter how you get on base, just that you got on base.

    Also, the footnoted dicta hopefully will function nicely to convey its true meaning to prosecution: "We get what happened here; and we don't want to see you back here on the same allegations." To wit:

    The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.

    link to this | view in chronology ]

    • icon
      That One Guy (profile), 11 Apr 2014 @ 11:23am

      Re: Not to mix metaphors ...

      I'd say it does matter, at least in part.

      Throwing it out due to improper venue is good, but it also allows them to re-file the thing elsewhere if they want, whereas if the court had flat out ruled that no laws had been broken, then re-filing the case might have been a titch difficult.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 11 Apr 2014 @ 12:20pm

        Re: Re: Not to mix metaphors ...

        Only weev be protected due to double jeopardy. They had their chance and they convicted him in the wrong venue. So they done goofed. I think weev is also in the position to sue them now civilly. I believe the appropriate Latin phrase here is "Repensum Est Canicula".

        link to this | view in chronology ]

    • icon
      G Thompson (profile), 12 Apr 2014 @ 1:41am

      Re: Not to mix metaphors ...

      Exactly. His attorneys did a very good job and the Appeals court most likely would of, if the venue question had not been raised, upheld the appeal as well. Though with the venue being an absolute problem they had a better ability to crush the conviction and add in as obiter what they really felt like as well.

      This will most likely have wider implications and might (one can hope) make the DoJ be more accountable and apply due diligence before they do this again to some poor soul.

      link to this | view in chronology ]

  • icon
    DB (profile), 11 Apr 2014 @ 11:19am

    This might be the best result under the circumstances.

    Bouncing the case on venue instantly kills the conviction. Almost any other reversal requires re-doing part of the trail, which is expensive, time consuming, and risks another bogus outcome.

    The footnote is a strong hint to the prosecutors that they were wrong, and should not re-file charges in a different venue. They can save face by claiming "a technicality".
    (But I'll go with 'Technically correct, the best kind of correct.')

    link to this | view in chronology ]

    • icon
      madasahatter (profile), 11 Apr 2014 @ 1:17pm

      Re:

      Also, other judges and US Courts will read this opinion and take note that venue shopping will be frowned upon. The footnote strongly hints that they did not find the evidence of a crime persuasive but mostly based on the AUSA engaging in shystering.

      link to this | view in chronology ]

  • identicon
    Michael, 11 Apr 2014 @ 5:22pm

    hacking?

    I always wonder how this simple stuff gets past the trial judge. Not the venue thing, because they make up those rules with regards to the internet as they go along. But the part where the guy doesn't compromise a password or anything to find the info.

    link to this | view in chronology ]

  • identicon
    Michael, 11 Apr 2014 @ 5:27pm

    venue and double jeopardy

    Not so fast, being tried in the wrong venue means jeopardy did not attach and therefore no double jeopardy.

    link to this | view in chronology ]

  • identicon
    Rekrul, 11 Apr 2014 @ 6:28pm

    Re-filing in 10... 9... 8...

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.