He is a red-headed hacker who hails from Arkansas, goes by the name “weev,” and seems to delight in being annoying. For years, he broke into computer systems, disrupted blog sites and riled people with personal attacks.
Now his case has become a flashpoint in the debate over where to draw the line between online freedom and cybercrime in the U.S., and whether the law is too broad or too narrow in both criminal and civil cases.
Born Andrew Auernheimer, he is appealing his prison term of three years and five months for violating the Computer Fraud and Abuse Act, the main U.S. anti-hacking law. Auernheimer, 27, rants from prison that jurors wrongly convicted him of conspiring to take 114,000 e-mail addresses from AT&T Inc. (T)’s website. At trial, the Justice Department said he broke the law on unauthorized access of protected computer systems. His lawyers want an appeals court to interpret the law more narrowly, arguing that AT&T’s site was virtually wide open and left unsecured by the company’s design.
“This is really about freedom to use the Web,” said Orin Kerr, a George Washington University law professor who is helping on Auernheimer’s appeal. “The future impact is enormous because, effectively, if this is a crime, then visiting a website is a crime when the website owner doesn’t want you to visit in that way.”
Auernheimer’s conviction and 41-month sentence have emboldened those who say the CFAA can be interpreted much too broadly by prosecutors and judges. Some Internet law experts and civil liberties groups seek legislation to narrow its scope, contending that without reform it could be used to turn innocent Internet users into criminals.
From prison, where he has been held at times in solitary confinement, Auernheimer continues to argue that he is the victim of a Draconian law that threatens research and ordinary Internet usage. He sent a Twitter message that the law “doesn’t hinder Romanians, Estonians, Chinese” hackers…“It only hurts researchers and activists.”
His case highlights one of the knottiest issues in the digital economy: How can the law help ensure freedom of movement and information in cyberspace, while protecting billions of records and devices, as well as intellectual property, from theft and intrusion? Those conflicts are playing out in criminal cases like Auernheimer’s, as well as in civil lawsuits, including one filed by Craigslist, which is suing startup companies that used data on its public website to build applications.
Adding to the urgency of the debate is a backdrop of unrelenting assaults against business and government computer systems around the world, accusations by U.S. officials that Chinese hackers have pilfered vast amounts of intellectual property and classified materials, and turmoil over disclosures about the U.S. government’s digital spying on its own citizens.
Bradford Newman, an attorney who represents corporations in preventing data theft, defended the law, saying prosecutors are using it appropriately.
“The CFAA serves an important role in our society now more than ever, when computers are a daily part of everything we do,” said Newman, a lawyer with Paul Hastings LLP.
The Justice Department has been criticized at times for the cases it has chosen to prosecute under the CFAA, passed in 1984. The department came under fire, for example, after the January suicide of Aaron Swartz, an Internet activist facing prosecution for breaking into the computer system at the Massachusetts Institute of Technology.
Representative Zoe Lofgren, Democrat of California, proposed language to make it clear that simple breach-of-contract or terms-of-service violations do not violate the law, while limiting it to circumventions of technology barriers. A competing proposal, supported by the Justice Department, would create stiffer penalties and make violators subject to the Racketeer Influenced and Corrupt Organizations Act, which is typically used in organized-crime cases.
Appeals courts have issued contradictory interpretations of unauthorized access under the law.
In Auernheimer’s case, his appeals team, including Kerr and the online civil liberties group Electronic Frontier Foundation (EFF), will ask the U.S. Third Circuit Court of Appeals to limit the concept of unauthorized access.
Unauthorized access should be defined by the circumvention of technical security barriers, like a firewall or encryption, because otherwise it’s impossible to set a clear standard, said Marcia Hofmann, a former foundation lawyer working on the appeal.
Paul Fishman, the U.S. attorney in New Jersey who oversaw Auernheimer’s prosecution, said his office doesn’t pursue minor infractions of the law, and the privacy violations were obvious.
“If you hack and you get 114,000 e-mail addresses, and you look at them and say, ‘I don’t want to tell anybody about this,’ it’s different than sending them out and publicizing what you do and basically thumbing your nose,” said Fishman. “If we don’t respond under circumstances when people do something that is so notorious, that sends a bad message, too.”
Auernheimer was convicted last November by federal jurors in Newark, New Jersey, of conspiracy to access AT&T’s servers without authorization and of identity theft. Prosecutors said his associate Daniel Spitler breached AT&T servers and stole e-mail addresses of more than 114,000 users of Apple Inc. (AAPL)’s iPads. Auernheimer disclosed that data to the Gawker website. AT&T plugged the hole and apologized to customers.
Auernheimer e-mailed iPad users at news organizations to say he had “stolen” identification numbers for their address, and he “would be happy to discuss the method of theft.” At trial, Auernheimer said he used the words like “theft” as “rhetoric and hyperbole” to “sensationalize” the story.
Spitler pleaded guilty and testified against Auernheimer. He described how he carried out his attack by writing computer code to generate iPad identification numbers. Auernheimer told jurors that the information was public and that he never considered what he did as theft.
Auernheimer’s lawyers will argue that his 41-month sentence is excessive because he did not damage AT&T’s computers and the e-mail addresses were never distributed or used in any other way. The law covers unauthorized access to computers when the damage exceeds $5,000. The judge ordered Auernheimer to pay restitution of $73,167 to AT&T.
His sentence shows how disconnected the anti-hacking law is from the harm it was meant to prevent, said James Grimmelmann, a New York Law School professor.
“If I crash a computer, if I delete data, if I access confidential information, those are all things that we might be very concerned about happening on computers,” Grimmelmann said. “Those involve specific harm to the computer owner or to other users.”
Given the limited distribution of the data weev took, one could argue the harm he caused was “much smaller” than prosecutors said and deserved a lesser punishment, he said.
Auernheimer’s appeal to the Philadelphia-based Third Circuit follows a ruling by the San Francisco-based Ninth Circuit in the case of David Nosal. He was prosecuted for inducing two accomplices to access information from a database at the executive-search firm where they worked.
The Ninth Circuit narrowed his criminal case as well as the application of the statute, ruling in 2012 that employees cannot exceed their authorized access unless that access has been revoked. It rejected the government’s interpretation, saying “millions of unsuspecting individuals would find that they are engaging in criminal conduct.”
After the case was narrowed, a jury convicted Nosal on April 24 of conspiring with employees at his former firm to violate the CFAA, unauthorized access to a computer and trade secret theft.
Kerr and EFF say that Auernheimer’s conviction is an example of the overreach warned against by the Ninth Circuit, putting too much power to determine a user’s violations in the hands of the Justice Department and a computer’s owner.
The Department of Justice advanced the interpretation that even simple terms of service breaches could be violations of the anti-hacking law in the case of a Missouri woman, Lori Drew. She was convicted of a misdemeanor CFAA violation for creating a phony account on News Corp.’s MySpace.com to trick a teen-ager, who later committed suicide. A judge tossed the conviction in 2009, saying it “criminalizes what otherwise would be a breach of contract” under a website’s terms of service.
The questions over unauthorized access have also crossed into civil cases, particularly in commercial disputes otherwise resolved under contract law, according to Andrea Matwyshyn, a professor at the University of Pennsylvania’s Wharton School. “By using the CFAA in such a heavy-handed way, we are actually throwing other bodies of law out of kilter,” she said.
A group of Internet companies sent an open letter in March to Congress warning that “the law has lost its way” and may quash innovation if courts continue to interpret breaches of contractual agreements or policies as CFAA breaches. Such interpretations “give incumbent companies a dangerous and unfair weapon to wield against competitors,” the companies wrote.
In one current case, Craigslist, the provider of free online classified ads, is suing 3Taps Inc., which grabs data from public websites for application developers. 3Taps’s harvesting of data is “unauthorized access” under the law, Craigslist claims.
Craigslist is also suing PadMapper Inc., which automates the combing of real estate listings and places them on a map for renters or buyers of apartments. New York Law School’s Grimmelmann said he expects more such lawsuits.
Auernheimer’s sentence of 41 months has rallied the law’s critics, who say he was punished for being obnoxious. At his sentencing hearing on March 18, he told the prosecutors and the judge, “if you people understood what you were doing with the rule of law and the Constitution, you would feel shame.” The judge criticized his “pervasive disrespect,” which he factored into his sentence.
After being imprisoned, Auernheimer continued to send electronic messages about his experience, relying on friends who posted tidbits from e-mails sent through the prison e-mail system.
In early April, he was cut off from prison e-mail without explanation. He used recordings, posted by supporters on the audio-sharing site SoundCloud, to document his prison experience as he was moved from Brooklyn to a facility in Pennsylvania and then to Allenwood Federal Correctional Complex in White Deer, Pennsylvania.
“We live in a country with a childishly authoritarian government that can’t handle anybody saying anything mean about it on the Internet,” Auernheimer said in an April 15 clip.
In late April, all his books and papers were taken away and he was placed in a special housing unit used to separate and punish inmates.
“The conditions in the SHU here are pretty terrible,” Auernheimer wrote in a letter dated May 1 to Bloomberg News. “We are rotated on a weekly basis between solitary confinement and extreme overcrowding. Right now I am subject to the latter, in a bunk where I cannot even sit up.”
Auernheimer compared the unit to Japanese prison camps in World War II. He said he was passing the time by meditating.
Auernheimer was told by prison authorities that he is under investigation for “abusing the telephone,” according to his lawyer, Tor Ekeland. Administrative detention is typically used for inmates under investigation for misconduct, Bureau of Prisons spokesman Chris Burke said, while declining to comment in more detail.
Ekeland contends Auernheimer’s treatment amounts to retaliation for his dogged use of technology to document and publicize his prison experience and hammer against the anti-hacking law.
“I don’t see any other reason for them doing it,” Ekeland said. “Right now our focus is filing the appeal, but we’re probably going to litigate the prison issues.”
The case is U.S. v. Auernheimer, 2:11-cr-00470, U.S. District Court, District of New Jersey (Newark).