Appeals Court Reverses Weev Conviction For Incorrect Venue, Avoids Bigger CFAA Questions

from the it's-a-start dept

We've been covering the prosection of Andrew "weev" Auernheimer for over a year, and things were not looking good for him, with the court seemingly stacking the deck in favor of a clueless DOJ. But instead, today the appeals court reversed his conviction and 3.5-year jail sentence (which, let's not forget, was handed to him for exposing a security flaw, under the DOJ's twisted interpretation of the Computer Fraud & Abuse Act).

The hope, of course, was that the court might address the ridiculousness of the charge and the huge problems of the CFAA, which currently permits the government to go after pretty much anyone who uses a computer in a way they don't like. Instead, the conviction was tossed for being in the wrong venue:

Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue.

But, while the ruling punts on the CFAA, it raises some issues in its venue analysis that could themselves have a wider impact. Weev was prosecuted in New Jersey based on the flimsy rationale that New Jersey residents were affected by the security flaw exposure (but really because New Jersey has its own anti-hacking laws, and the DOJ was able to pursue a harsher punishment if the CFAA intersected with state laws). But the appeals court found that, since none of the allegedly illegal activities undertaken by weev happened in New Jersey, this was inappropriate:

The statute’s plain language reveals two essential conduct elements: accessing without authorization and obtaining information.

New Jersey was not the site of either essential conduct element. The evidence at trial demonstrated that the accessed AT&T servers were located in Dallas, Texas, and Atlanta, Georgia. In addition, during the time that the conspiracy began, continued, and ended, Spitler was obtaining information in San Francisco, California, and Auernheimer was assisting him from Fayetteville, Arkansas. No protected computer was accessed and no data was obtained in New Jersey.

Since the question of venue is still very muddy when it comes to the internet, this likely isn't the last we'll be hearing about this ruling, and its impact on other cases could prove interesting. It's also likely not an end to weev's story, and certainly not an end to government abuse of the CFAA. But, for now and at the very least, it says that if the DOJ is going to try to throw you in jail for the crime of Vaguely Misusing A Computer While Being Kind Of A Jerk, it at least has to do it in the correct venue instead of going fishing for the most favorable one.

Update: As noted in the First Word comment below, the ruling did make mention of the fact that no crime had been clearly established, which suggests that if the court had addressed the bigger questions about the charge, it may not have gone well for the DOJ. For now, we'll have to be satisfied with a non-binding footnote.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, Apr 11th, 2014 @ 9:49am

    Moral of the Story

    If the government is going to broadly apply a bad law, it will do so with full due process and all its Is dotted and Ts crossed dammit!!! We are a nation of laws!!

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    SEHumphrey, Apr 11th, 2014 @ 9:57am

    Although not binding, it is important to note that the court did address (in a footnote) that there wasn't a clear crime committed:

    We also note that in order to be guilty of accessing without authorization, or in excess of authorization” under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code - or password - based barrier to access. See State v. Riley, 988 A.2d 1252,1267 (N.J. Super. Ct. Law Div. 2009). Although we need not resolve whether Auernheimer’s conduct involved such a breach, no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier. The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.

     

    reply to this | link to this | view in thread ]

  3.  
    icon
    Leigh Beadon (profile), Apr 11th, 2014 @ 10:00am

    Re:

    good point -- making this First Word and adding an update to the post. Thanks!

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Apr 11th, 2014 @ 10:08am

    Venue is important

    Limiting venue is important. One should not have to face trial in a jurisdiction just because of some tangential contact with someone who happens to reside in that jurisdiction.

    As an extreme example, imagine how it would be if a person in country A doing something to a server in country B could be tried in country C because in the past someone in country C had used that server in country B.

    Or an even more extreme example, someone in one country doing something that is legal in his own country but which would be illegal if done in another country, being detained and tried in that other country.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Anonymous Coward, Apr 11th, 2014 @ 10:22am

    Re: Venue is important

    It would be nice if the US limited itself to crimes committed by people living on its territory. Ask Garry MaKinnon and of course Kim Dotcom about the US trying to enforce its laws on foreigners.

     

    reply to this | link to this | view in thread ]

  6.  
    icon
    GMacGuffin (profile), Apr 11th, 2014 @ 10:23am

    Not to mix metaphors ...

    The Court punted on the CFAA issue, but it's still a good result. It doesn't matter how you get on base, just that you got on base.

    Also, the footnoted dicta hopefully will function nicely to convey its true meaning to prosecution: "We get what happened here; and we don't want to see you back here on the same allegations." To wit:

    The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, Apr 11th, 2014 @ 11:06am

    Re: Re: Venue is important

    Yeah, the USA is pretty bad about it. Don't forget Dmitri Sklyarov, who working in Russia did something fully legal in Russia, and was detained in the USA for it.

    The USA is big on extraterritorial jurisdiction, but when other countries want to apply extraterritorial jurisdiction to it the reaction is negative; see for instance the Hague Invasion Act.

     

    reply to this | link to this | view in thread ]

  8.  
    icon
    DB (profile), Apr 11th, 2014 @ 11:19am

    This might be the best result under the circumstances.

    Bouncing the case on venue instantly kills the conviction. Almost any other reversal requires re-doing part of the trail, which is expensive, time consuming, and risks another bogus outcome.

    The footnote is a strong hint to the prosecutors that they were wrong, and should not re-file charges in a different venue. They can save face by claiming "a technicality".
    (But I'll go with 'Technically correct, the best kind of correct.')

     

    reply to this | link to this | view in thread ]

  9.  
    icon
    That One Guy (profile), Apr 11th, 2014 @ 11:23am

    Re: Not to mix metaphors ...

    I'd say it does matter, at least in part.

    Throwing it out due to improper venue is good, but it also allows them to re-file the thing elsewhere if they want, whereas if the court had flat out ruled that no laws had been broken, then re-filing the case might have been a titch difficult.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Anonymous Coward, Apr 11th, 2014 @ 12:07pm

    Re: Venue is important

    Now if only we could keep patent cases out of East Texas.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, Apr 11th, 2014 @ 12:20pm

    Re: Re: Not to mix metaphors ...

    Only weev be protected due to double jeopardy. They had their chance and they convicted him in the wrong venue. So they done goofed. I think weev is also in the position to sue them now civilly. I believe the appropriate Latin phrase here is "Repensum Est Canicula".

     

    reply to this | link to this | view in thread ]

  12.  
    icon
    madasahatter (profile), Apr 11th, 2014 @ 1:17pm

    Re:

    Also, other judges and US Courts will read this opinion and take note that venue shopping will be frowned upon. The footnote strongly hints that they did not find the evidence of a crime persuasive but mostly based on the AUSA engaging in shystering.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Michael, Apr 11th, 2014 @ 5:22pm

    hacking?

    I always wonder how this simple stuff gets past the trial judge. Not the venue thing, because they make up those rules with regards to the internet as they go along. But the part where the guy doesn't compromise a password or anything to find the info.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Michael, Apr 11th, 2014 @ 5:27pm

    venue and double jeopardy

    Not so fast, being tried in the wrong venue means jeopardy did not attach and therefore no double jeopardy.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Rekrul, Apr 11th, 2014 @ 6:28pm

    Re-filing in 10... 9... 8...

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Rekrul, Apr 11th, 2014 @ 6:38pm

    Re: Venue is important

    Limiting venue is important. One should not have to face trial in a jurisdiction just because of some tangential contact with someone who happens to reside in that jurisdiction.

    Look up the Amateur Action BBS case. A man and his wife ran a subscription porn BBS in California, where it was investigated and deemed to be legal. A postal inspector from Tennessee started an investigation and they were eventually convicted of violating Tennessee's community standards.

     

    reply to this | link to this | view in thread ]

  17.  
    icon
    G Thompson (profile), Apr 12th, 2014 @ 1:41am

    Re: Not to mix metaphors ...

    Exactly. His attorneys did a very good job and the Appeals court most likely would of, if the venue question had not been raised, upheld the appeal as well. Though with the venue being an absolute problem they had a better ability to crush the conviction and add in as obiter what they really felt like as well.

    This will most likely have wider implications and might (one can hope) make the DoJ be more accountable and apply due diligence before they do this again to some poor soul.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
Advertisement
Essential Reading
Techdirt Deals
Techdirt Insider Chat
Techdirt Reading List
Advertisement
Recent Stories
Advertisement
Support Techdirt - Get Great Stuff!

Close

Email This

This feature is only available to registered users. Register or sign in to use it.