San Francisco - A team of computer-crime legal experts on Monday filed an appeal of the federal felony conviction and lengthy prison sentence handed down to Andrew "Weev" Auernheimer, a computer researcher who revealed a massive security flaw in AT&T's website and was subsequently prosecuted under the Computer Fraud & Abuse Act (CFAA).
The Electronic Frontier Foundation (EFF) joined law professor Orin Kerr, Internet attorney and EFF fellow Marcia Hofmann, and Weev's trial lawyers Tor Ekeland and Mark Jaffe in filing the brief with the 3rd U.S. Circuit Court of Appeals. The appeal argues the government's flawed prosecution theory under the CFAA resulted in an improper conviction and prison sentence.
"The government set out to make an example of Auernheimer," EFF Staff Attorney Hanni Fakhoury said. "But the only message this sends to the security-research community is that if you discover a vulnerability, you could go to jail for sounding the alarm."
In 2010, Auernheimer's co-defendant Daniel Spitler discovered that AT&T had configured its servers to make the email addresses of iPad owners publicly available on the Internet. Spitler wrote a script and collected roughly 114,000 email addresses as a result of the security flaw. Auernheimer then distributed the list of email addresses to media organizations as proof of the vulnerability, ultimately forcing AT&T to acknowledge and fix the security problem.
"This case is about the freedom to surf the Internet," said Kerr, a professor at the George Washington University Law School. "Congress never intended to criminalize visiting a public website."
Nevertheless, federal prosecutors went after Auernheimer and Spitler, charging each with identity theft and conspiracy to violate the CFAA—the same law used against Internet activist Aaron Swartz, who committed suicide this year amidst a similarly heavy-handed federal prosecution. Spitler accepted a plea deal in June 2011, while Auernheimer unsuccessfully fought the charges in a trial. Auernheimer was convicted and sentenced to 41 months in prison in March.
"Auernheimer was aggressively prosecuted for an act that caused little harm and was intended to be—and ultimately was—in the public interest," Hofmann said. "The CFAA's vague language gives prosecutors great latitude to abuse their discretion and throw the book at people they simply don't like. That's as evident here as it was in the prosecution of Aaron Swartz."
Auernheimer is currently incarcerated in a Special Housing Unit at the Allenwood Federal Correctional Complex in White Deer, Penn.
"Anyone who cares about the free flow of information on the Internet should be concerned about this case," Ekeland said. "The government is criminalizing computer behavior that millions of Americans engage in every day. The government's reckless and myopic prosecution of Auernheimer for obtaining public information from a public website endangers that vital aspect of the Internet and our national economy, which depends on the free flow of information."
On June 20, Reps. Zoe Lofgren and Jim Sensenbrenner, and Sen. Ron Wyden introduced "Aaron's Law" in Congress, a bill that would reform the CFAA. One element of the legislation would reform the laws that were used to convict Auernheimer.
For the full opening brief for the appeal: