Appeals Court Reverses Weev Conviction For Incorrect Venue, Avoids Bigger CFAA Questions
from the it's-a-start dept
We’ve been covering the prosection of Andrew “weev” Auernheimer for over a year, and things were not looking good for him, with the court seemingly stacking the deck in favor of a clueless DOJ. But instead, today the appeals court reversed his conviction and 3.5-year jail sentence (which, let’s not forget, was handed to him for exposing a security flaw, under the DOJ’s twisted interpretation of the Computer Fraud & Abuse Act).
The hope, of course, was that the court might address the ridiculousness of the charge and the huge problems of the CFAA, which currently permits the government to go after pretty much anyone who uses a computer in a way they don’t like. Instead, the conviction was tossed for being in the wrong venue:
Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue.
But, while the ruling punts on the CFAA, it raises some issues in its venue analysis that could themselves have a wider impact. Weev was prosecuted in New Jersey based on the flimsy rationale that New Jersey residents were affected by the security flaw exposure (but really because New Jersey has its own anti-hacking laws, and the DOJ was able to pursue a harsher punishment if the CFAA intersected with state laws). But the appeals court found that, since none of the allegedly illegal activities undertaken by weev happened in New Jersey, this was inappropriate:
The statute’s plain language reveals two essential conduct elements: accessing without authorization and obtaining information.
New Jersey was not the site of either essential conduct element. The evidence at trial demonstrated that the accessed AT&T servers were located in Dallas, Texas, and Atlanta, Georgia. In addition, during the time that the conspiracy began, continued, and ended, Spitler was obtaining information in San Francisco, California, and Auernheimer was assisting him from Fayetteville, Arkansas. No protected computer was accessed and no data was obtained in New Jersey.
Since the question of venue is still very muddy when it comes to the internet, this likely isn’t the last we’ll be hearing about this ruling, and its impact on other cases could prove interesting. It’s also likely not an end to weev’s story, and certainly not an end to government abuse of the CFAA. But, for now and at the very least, it says that if the DOJ is going to try to throw you in jail for the crime of Vaguely Misusing A Computer While Being Kind Of A Jerk, it at least has to do it in the correct venue instead of going fishing for the most favorable one.
Update: As noted in the First Word comment below, the ruling did make mention of the fact that no crime had been clearly established, which suggests that if the court had addressed the bigger questions about the charge, it may not have gone well for the DOJ. For now, we’ll have to be satisfied with a non-binding footnote.
Filed Under: andrew auernheimer, cfaa, doj, hacking, venue, weev
Comments on “Appeals Court Reverses Weev Conviction For Incorrect Venue, Avoids Bigger CFAA Questions”
Moral of the Story
If the government is going to broadly apply a bad law, it will do so with full due process and all its Is dotted and Ts crossed dammit!!! We are a nation of laws!!
Although not binding, it is important to note that the court did address (in a footnote) that there wasn’t a clear crime committed:
Re: Re:
good point — making this First Word and adding an update to the post. Thanks!
Venue is important
Limiting venue is important. One should not have to face trial in a jurisdiction just because of some tangential contact with someone who happens to reside in that jurisdiction.
As an extreme example, imagine how it would be if a person in country A doing something to a server in country B could be tried in country C because in the past someone in country C had used that server in country B.
Or an even more extreme example, someone in one country doing something that is legal in his own country but which would be illegal if done in another country, being detained and tried in that other country.
Re: Venue is important
It would be nice if the US limited itself to crimes committed by people living on its territory. Ask Garry MaKinnon and of course Kim Dotcom about the US trying to enforce its laws on foreigners.
Re: Re: Venue is important
Yeah, the USA is pretty bad about it. Don’t forget Dmitri Sklyarov, who working in Russia did something fully legal in Russia, and was detained in the USA for it.
The USA is big on extraterritorial jurisdiction, but when other countries want to apply extraterritorial jurisdiction to it the reaction is negative; see for instance the Hague Invasion Act.
Re: Venue is important
Now if only we could keep patent cases out of East Texas.
Re: Venue is important
Limiting venue is important. One should not have to face trial in a jurisdiction just because of some tangential contact with someone who happens to reside in that jurisdiction.
Look up the Amateur Action BBS case. A man and his wife ran a subscription porn BBS in California, where it was investigated and deemed to be legal. A postal inspector from Tennessee started an investigation and they were eventually convicted of violating Tennessee’s community standards.
Not to mix metaphors ...
The Court punted on the CFAA issue, but it’s still a good result. It doesn’t matter how you get on base, just that you got on base.
Also, the footnoted dicta hopefully will function nicely to convey its true meaning to prosecution: “We get what happened here; and we don’t want to see you back here on the same allegations.” To wit:
The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.
Re: Not to mix metaphors ...
I’d say it does matter, at least in part.
Throwing it out due to improper venue is good, but it also allows them to re-file the thing elsewhere if they want, whereas if the court had flat out ruled that no laws had been broken, then re-filing the case might have been a titch difficult.
Re: Re: Not to mix metaphors ...
Only weev be protected due to double jeopardy. They had their chance and they convicted him in the wrong venue. So they done goofed. I think weev is also in the position to sue them now civilly. I believe the appropriate Latin phrase here is “Repensum Est Canicula”.
Re: Not to mix metaphors ...
Exactly. His attorneys did a very good job and the Appeals court most likely would of, if the venue question had not been raised, upheld the appeal as well. Though with the venue being an absolute problem they had a better ability to crush the conviction and add in as obiter what they really felt like as well.
This will most likely have wider implications and might (one can hope) make the DoJ be more accountable and apply due diligence before they do this again to some poor soul.
This might be the best result under the circumstances.
Bouncing the case on venue instantly kills the conviction. Almost any other reversal requires re-doing part of the trail, which is expensive, time consuming, and risks another bogus outcome.
The footnote is a strong hint to the prosecutors that they were wrong, and should not re-file charges in a different venue. They can save face by claiming “a technicality”.
(But I’ll go with ‘Technically correct, the best kind of correct.’)
Re: Re:
Also, other judges and US Courts will read this opinion and take note that venue shopping will be frowned upon. The footnote strongly hints that they did not find the evidence of a crime persuasive but mostly based on the AUSA engaging in shystering.
hacking?
I always wonder how this simple stuff gets past the trial judge. Not the venue thing, because they make up those rules with regards to the internet as they go along. But the part where the guy doesn’t compromise a password or anything to find the info.
venue and double jeopardy
Not so fast, being tried in the wrong venue means jeopardy did not attach and therefore no double jeopardy.
Re-filing in 10… 9… 8…