Orin Kerr And Members Of The EFF Representing AT&T Hacker 'Weev' Pro Bono During His Appeal

from the and-hopefully,-head-off-further-damaging-CFAA-precedent dept

Andrew “Weev” Auernheimer is appealing his 41 month prison sentence (and its accompanying fine of $73,000). Many members of the security community have expressed concern with this ruling, especially in light of other CFAA cases. Auernheimer’s exposure of AT&T’s security hole doesn’t really seem like the sort of thing that should be punished, at least not with multiple years in jail and a hefty fine. Then there’s the unsettling feeling that the US prosecutors pushed hard for a prison sentence because they found Weev unlikable.

Fortunately for Weev (and others who have or will run afoul of the CFAA), Orin Kerr has stepped up to offer pro bono representation in Auernheimer’s appeal (along with members of the EFF). Kerr, most recently spotted here going head-to-jackass with Rep. Gohmert over the legality of “destroying” a hacker’s computer, has a very thorough post discussing his reasons for joining the fray. Basically, it boils down to this: nearly everything about the government’s decision is wrong, which is problematic if this ruling is going to be used as precedent in future CFAA cases.

In the government’s view, visiting the URLs was an unauthorized access of AT&T’s website. But I think that’s wrong. At bottom, the conduct here was visiting a public website. As the Sixth Circuit stated in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), everyone is authorized to visit an “unprotected website” that is “open to the public.” The fact that AT&T would not have wanted Spitler to visit those particular URLs doesn’t make visiting the public website and collecting the information a criminal unauthorized access. If you make information available to the public with the hope that only some people would bother to look, it’s not a crime for other people to see what you make available to them.

According to Kerr, undesirable access does not equal unauthorized access. The URLs were publicly available due to AT&T’s own carelessness. What this actually looks like is the vindictive pursuit of an individual for publicly embarrassing the company. But it’s not all on AT&T. The prosecutors themselves had to do a bit of creative sentencing to arrive at a “suitable” punishment for Weev’s “hack.”

Unauthorized access is ordinarily a misdemeanor. Why is this crime a felony? Here’s the government’s remarkable theory. All 50 states have state unauthorized access computer crime statutes similar to the federal unauthorized access statute. The government’s theory is that this overlap turns essentially all federal CFAA misdemeanors into federal felonies. They rely on 18 U.S.C. 1030(C)(2)(B)(ii), which states that a misdemeanor unauthorized access becomes a felony when it is “in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” The government argues that the existence of state unauthorized access crimes transform unauthorized access misdemeanor crimes into felonies: The overlap means that every federal unauthorized access crime is a federal crime “in furtherance of” the analogous state crime.

As Kerr states, this is nothing more than disingenuous double-counting being done for no other reason than to make the charges carry some weight. A misdemeanor results in a slap on the wrist, something that would hardly make AT&T happy. This isn’t Kerr’s (or the government’s) first experience with hacking-related double-counting.

Back in 2011, Sarah Palin’s email account was hacked and the Justice Department attempted to charge the hacker under two overlapping laws: “hacking into a computer” and “hacking an email account.” This was overturned on appeal by the Fourth Circuit court, stating that the Justice Department’s attempt to double dip a single action violated US principles on double jeopardy. This situation is more of the same, only with a convenient overlap of federal and state laws allowing prosecutors to ratchet up the charges from a misdemeanor to a full-blown felony.

In addition to these problems, Kerr also finds some jurisdictional issues at play. Even though none of the principals are located in New Jersey, the charges were brought in that state. The rationale? Some of the email addresses belonged to New Jersey residents. This paper-thin justification for filing charges in a pretty much unrelated state gives the appearance of prosecutorial venue shopping.

The most ridiculous aspect of the case is Kerr’s final reason for stepping in: the sentence.

The largest part of Auernheimer’s sentence was due to an alleged $73,000 in loss suffered by AT&T. Under the provisions of the Sentencing Guidelines associated with 18 U.S.C. 1030, sentences are based primarily on the amount of loss caused by the crime. More dollar loss to the victim means more time in prison for the defendant.

AT&T claims it incurred costs of $73,000 due to Auernheimer’s actions. But it claimed no loss to its computers, it suffered no downtime and lost no data. The only assertion of loss comes via AT&T’s efforts to notify customers of the data breach.

First, AT&T notified its customers by e-mail. That was free, leading to a “cost” so far of zero. But then AT&T decided to follow-up the e-mail notification with paper letter notification, and the postage and paper costs amounted to about $73,000.

That’s right. Auernheimer has to repay AT&T for envelopes and stamps with $73,000 of his own money — and 3-1/2 years of his life. As Kerr points out, AT&T cannot reasonably pin this notification expense on Auernheimer as these costs are not “directly attributable” to the defendant’s access of its supposedly off-limits URLs. Furthermore, Kerr says these costs are not “reasonable,” considering AT&T’s electronic notice to its customers was largely successful. In essence, Weev is doing time because he raided AT&T’s petty cash box by proxy. Hopefully, this appeal will overturn this misguided sentence and prevent the CFAA from becoming an even worse law, thanks to the precedent set by this decision.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Orin Kerr And Members Of The EFF Representing AT&T Hacker 'Weev' Pro Bono During His Appeal”

Subscribe: RSS Leave a comment
Beech says:

Re: Re:

No no no, all wrong. First anyone allegedly reading said comment would be fined for the amount of damages it caused you, so you’d have to snail-mail yourself a quadrillion letters about how someone violated your TOS/copyright/business model. Second, make sure everyone knows that violating your TOS/copyright/business model is in violation of some law which makes it a violation of several other laws which can all be dogpiled on you at once, so really, it should be a quadrillion dollars in fines PER broken law.

Disclamer: The previous comment counts as legal advice, for which I charge whatever you are charging for reading your comment

Anonymous Coward says:

the even bigger tragedy in this case is that the judge totally went along with the bull shit spouted by both the prosecutor and AT&T. how can anyone that is supposed to represent and uphold the law behave like this? it makes an ass out of the law, simply to satisfy the prosecutors desire for jail time being dished out. i fully understand AT&T’s attitude. they are embarrassed by what happened and have to appear squeaky clean. the problem there is that they are the ones at fault. they are the ones to blame. weev is just the scapegoat. what i am waiting to see is when someone discovers a serious flaw somewhere in something that could have dire consequences and says nothing because of fear of getting the blame, rather than being praised. what a tragedy that could be and all because certain companies, certain law enforcement representatives cant stand being proved to be wrong and get embarrassed!

Rekrul says:

They should have set up a custom web site with numbered directories not accessible from the front page, so they could demonstrate to the jury exactly what he did.

“See this link in the address bar that ends in a ‘1’? I change it to a ‘2’ and voila, we’re shown a web page not normally accessible. Change it to a ‘3’ and we get another, and so on. Show of hands, who thinks this qualifies as ‘hacking’? What if I’m entering it manually and I make a typo, does that qualify as hacking?”

special-interesting (profile) says:

Have been criticizing the CFAA as the open barn door policy to writing law lately. Making felonies out of everything should just stop. The public cannot afford the legal liability niether the lost economic base (having a job and spending money) or justice department incarceration costs. (its a double expense)

Having such law based on TOS or worse EULA is a nightmare of commercially derived felonies that make any telling of corporatism weak. Have mentioned my hope that judges and juries figuratively choke on such (wildly and ridiculously) loosely written law but… its a blind hope.

For any respectable senator to suggest destroying private property sounds thuggish and frankly quite embarrassing to hear of. Its already bad enough to have to scrape off the graffiti from the back garage.

As for ‘probing’ URL’s thats done by almost every one from every country just by even looking for valid email accounts for spam not including the spy agencies and worse. The faster ATT finds out about weaknesses the better regardless of slightly questionable circumstances.

Ridiculing a company is par for the course when talking about a former Monopoly like ATT. Lets face it they did grow large enough and annoyed so many that they were broken up and even if todays corporation is not the exact same as then (some foreign ownership?) they did retain the name and all the baggage that goes with it. It would be distasteful if they demonstrated a grudge in any way.

If they perceive image problems then a different approach. Hire Weev; you don’t have to like an employee or subcontractor to do successful business. (although it helps)

From outward appearances its seems that a knee jerk is the typical response to ‘Weev’ but so what? Putting legal muscle behind such guttural reaction is childish at best. What happened to impartiality and restraint?

Anonymous Coward says:

Re: Re: Re:

He didn’t release them to the public — but to a journalist to report on it.

This time.


“My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker,” he wrote. “I won’t nearly be as nice next time.”

Is Gawker journalists; or do they just “do journalism” sometimes?

out_of_the_blue says:

Hmm, almost convinced BUT I stick at "unauthorized".

From the original Gawker (many clicks):

“The specific information exposed in the breach included subscribers’ email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T’s network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber.
Goatse Security obtained its data through a script on AT&T’s website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application.”


So CLEARLY it was “unauthorized” access, and this group knew that. It’s another case where going to a deal of trouble to obtain non-public information that one doesn’t have a right to, for NO other reason than to make trouble almost overwhelmingly has to be called criminal, BUT I would go with misdemeanor level assuming the argument above is accurate. And to hell with AT&T’s costs to notify people.

Now, there IS a HUGE hole in my knowledge of the case (I don’t see the answer in my skimming): was this Auernheimer the one who wrote and used the script? Or did he, as Mike alleges, just change numbers on a couple URLs and somehow got smacked with all the charges? — Cause if the former then guilty, and if latter, HOW?

Capitalist Lion Tamer (profile) says:

Re: Hmm, almost convinced BUT I stick at "unauthorized".

Now, there IS a HUGE hole in my knowledge of the case (I don’t see the answer in my skimming): was this Auernheimer the one who wrote and used the script? Or did he, as Mike alleges, just change numbers on a couple URLs and somehow got smacked with all the charges? — Cause if the former then guilty, and if latter, HOW?

Yes, Auernheimer wrote and used the script. That (and Kerr’s discussion surrounding that aspect) appears in Kerr’s post at Volokh. (Also linked in post above.)

As for Mike claiming Weev only changed numbers on a couple of URLs? I can’t find him stating that anywhere. This is a quote from his post on the subject:

In this case, what he did was expose a pretty blatant security hole in AT&T’s servers, that allowed anyone to go in and find the emails of any AT&T iPad owner, merely by incrementing the user ID. This isn’t a malicious “hack.” It’s barely a “hack” at all. This isn’t “breaking in.” This is just exploring a totally broken system. To call attention to this, weev collected information on a bunch of famous folks who had iPads and alerted the press.

Here’s Kerr’s perspective on Weev’s script:

Further, the fact that an automated script was used to collect lots of information instead of visiting manually makes no difference to whether the visiting was an unauthorized access. See EF Cultural Travel BV v. Zefer, 318 F.3d 58 (1st Cir. 2003) (the fact that a website owner ?would dislike? the use of an automated script ?to construct a database? of information available from visiting the website does not render the use of the automated script an unauthorized access under the CFAA).

Anonymous Coward says:

I’d say this douchenozzle got what was coming.

From Arstechnica:

Auernheimer spent some of his last hours before sentencing participating in a reddit Ask Me Anything thread. The reaction of redditors was overwhelmingly hostile. “Everybody who thinks weev is some kind of hero is getting played by a sadistic sociopath who has spent most of his adult life anonymously inflicting misery on people as entertainment,” wrote a representative commenter.

The hacker showed no sign of remorse. “My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker,” he wrote. “I won’t nearly be as nice next time.”

His comments were cited by prosecutors as a reason to give him a longer prison sentence.

Auernheimer has vowed to appeal his conviction. He will be represented by Orin Kerr, a well-known law professor and blogger, and the Electronic Frontier Foundation.

Capitalist Lion Tamer (profile) says:

Re: Re:

And let me add this:

His comments were cited by prosecutors as a reason to give him a longer prison sentence.

Put him in prison longer because people seem to dislike him? How does that make any sense in context of the judicial system? “The court finds the defendant guilty as charged. In light of the general opinion that the defendant is a prick, we have added 12 months to his sentence.”

Really? Is that how you want “justice” meted out?

Beech says:

Re: Re: Re:

I would say he’s not getting a longer sentence because people don’t like him, its probably because saying something like “My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker, I won’t nearly be as nice next time.” doesn’t exactly exude remorse. It makes it sound like that big mean hacker is going to go right back into trying to cyber-break AT&Ts cyber-computers with his cyber-sorcery!!

Bergman (profile) says:

Re: Re: Re: Re:

Remorse…for what exactly? I go out of my way to avoid breaking laws. If I am successful at not breaking a law, I feel no remorse for not breaking a law.

If I am falsely accused of breaking a law, I will continue to not feel remorse for not breaking that law. Remorse is something that people who did bad/illegal things feel.

If you didn’t do bad/illegal things, why should you feel remorseful?

Anonymous Coward says:

Re: Re: Re:

The judge has discretion to sentence within the guidelines. A lot of that is based on the seriousness of the crime and the attitude of the defendant. If the defendant acts like an asshole, says ignorant, inflammatory shit like: “My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker,” he wrote. “I won’t nearly be as nice next time.” Then it follows that the judge may conclude that the guilty party needs a longer sentence as a deterrent or punishment. He didn’t have to shoot off his big mouth. He could have said nothing and chose instead to act like a dick. It probably cost him an extra year. I doubt he will find it worthwhile 3 1/2 years from now. Also with a sentence that long, he’s not a slamdunk for a minimum security facility. He could well end up in medium security, which is a real prison with some really hard guys. A rich boy, convicted of a soft crime like hacking who also acts like an asshole will not fare well among hardened criminals doing serious time. Particularly if he continues to act like an asshole. His stupid defiance has probably already marked him as a potential attitude problem to prison officials which almost assures a higher security level. So instead of 2-2 1/2 years in Club Fed, he gets 41 months with real criminals. His stupidity is staggering.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...