San Francisco - A federal appeals court overturned the conviction of Andrew "weev" Auernheimer, the computer researcher who was charged with violating the Computer Fraud and Abuse Act (CFAA) after he exposed a massive security flaw in AT&T's website.
Auernheimer was represented on appeal by the Electronic Frontier Foundation (EFF), Professor Orin Kerr of George Washington University, and attorneys Marcia Hofmann and Tor Ekeland. In an opinion issued this morning by the U.S. Court of Appeals for the Third Circuit, Judge Michael Chagares wrote that the government should not have charged Auernheimer in New Jersey, which had no direct connection to AT&T or Auernheimer.
"We're thrilled that the Third Circuit reversed Mr. Auernheimer's conviction," EFF Staff Attorney Hanni Fakhoury said. "This prosecution presented real threats to security research. Hopefully this decision will reassure that community."
In 2010, Auernheimer's co-defendant, Daniel Spitler, discovered that AT&T had configured its servers to make the email addresses of iPad owners publicly available on the Internet. Spitler wrote a script and collected roughly 114,000 email addresses as a result of the security flaw. Auernheimer then distributed the list of email addresses to media organizations as proof of the vulnerability, ultimately forcing AT&T to acknowledge and fix the security problem.
Federal prosecutors charged Auernheimer and Spitler with identity theft and conspiracy to violate the CFAA in New Jersey federal court. Spitler accepted a plea deal, while Auernheimer unsuccessfully fought the charges in a jury trial. Auernheimer began serving a 41-month prison sentence in March 2013.
On appeal, Auernheimer's defense team argued that accessing a publicly available website does not constitute unauthorized access to a computer under the CFAA. They also argued that Auernheimer should not have been charged in New Jersey. At the time they were obtaining email addresses, Auernheimer was in Arkansas, Spitler was in California and AT&T's servers were in Georgia and Texas.
The court agreed with Auernheimer that charging the case in New Jersey was improper, reversed his conviction, and ordered him released from prison. Although it did not directly address whether accessing information on a publicly available website violates the CFAA, the court suggested that there may have been no CFAA violation, since no code-based restrictions to access had been circumvented.
"Today's decision is important beyond weev's specific case," added Fakhoury. "The court made clear that the location of a criminal defendant remains an important constitutional limitation, even in today's Internet age."
For the opinion: https://www.eff.org/document/appellate-court-opinion
Electronic Frontier Foundation