In 2010, Auernheimer's co-defendant Daniel Spitler discovered that AT&T configured its website to automatically publish an iPad user's e-mail address when the server was queried with a URL containing the number that matched an iPad's SIM card ID. Spitler collected approximately 114,000 email addresses, and Auernheimer talked about the discovery to several news outlets and Gawker published a story about it. Auernheimer was convicted of violating the CFAA and identity theft and sentenced to 41 months in prison.
We filed our appeal on July 1, raising a number of claims why the conviction and sentence were improper, but most critically, we argued that Weev didn't violate the CFAA because AT&T deliberately chose to have their users' email addresses published on the web. The government responded with a 133-page brief in September and on Friday, we responded to the government's argument with a reply brief of our own, refuting all of the government's arguments point by point.
Contrary to the government's assertions, AT&T did not employ any technical measure to restrict access to the emails and thus Spitler and any other user was "authorized" to view the email addresses, even if AT&T didn't want them to. The government had argued that the serial numbers were passwords, that Spitler had "lied" to AT&T's servers by changing his computer's user agent to impersonate an iPad and that the "expertise" needed to do these things meant Spitler's actions were criminal. Most puzzling, the government argued that Spitler's actions violated “norms of behavior that are generally recognized by society” and apparent to a “reasonable person,” and as a result he wasn't "authorized" to obtain the email addresses.
Our brief explains to the Court why this is not so.
First, the serial numbers aren't "passwords" because most AT&T customers wouldn't know the number or memorize them, nor would be required to enter the serial number in the login prompt to AT&T's website to access their customer account information. Second, we once again explain that there is nothing deceptive or criminal about changing a user agent and that common web browsers do this all the time. Finally, we explain that criminal liability cannot hinge on a particular user's "expertise" nor on the government's proposed "norms of behavior" standard. Courts have long cautioned that criminal liability cannot be based on vague or ambiguous standards, and hinging CFAA liability on "norms of behavior" leaves most computer users with uncertainty about what they can and cannot do.
Now with the briefing complete, the next step will be an oral argument before a three judge panel of the court sometime in the next few months.