Appeals Court Reverses Weev Conviction For Incorrect Venue, Avoids Bigger CFAA Questions

from the it's-a-start dept

We've been covering the prosection of Andrew "weev" Auernheimer for over a year, and things were not looking good for him, with the court seemingly stacking the deck in favor of a clueless DOJ. But instead, today the appeals court reversed his conviction and 3.5-year jail sentence (which, let's not forget, was handed to him for exposing a security flaw, under the DOJ's twisted interpretation of the Computer Fraud & Abuse Act).

The hope, of course, was that the court might address the ridiculousness of the charge and the huge problems of the CFAA, which currently permits the government to go after pretty much anyone who uses a computer in a way they don't like. Instead, the conviction was tossed for being in the wrong venue:

Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue.

But, while the ruling punts on the CFAA, it raises some issues in its venue analysis that could themselves have a wider impact. Weev was prosecuted in New Jersey based on the flimsy rationale that New Jersey residents were affected by the security flaw exposure (but really because New Jersey has its own anti-hacking laws, and the DOJ was able to pursue a harsher punishment if the CFAA intersected with state laws). But the appeals court found that, since none of the allegedly illegal activities undertaken by weev happened in New Jersey, this was inappropriate:

The statute’s plain language reveals two essential conduct elements: accessing without authorization and obtaining information.

New Jersey was not the site of either essential conduct element. The evidence at trial demonstrated that the accessed AT&T servers were located in Dallas, Texas, and Atlanta, Georgia. In addition, during the time that the conspiracy began, continued, and ended, Spitler was obtaining information in San Francisco, California, and Auernheimer was assisting him from Fayetteville, Arkansas. No protected computer was accessed and no data was obtained in New Jersey.

Since the question of venue is still very muddy when it comes to the internet, this likely isn't the last we'll be hearing about this ruling, and its impact on other cases could prove interesting. It's also likely not an end to weev's story, and certainly not an end to government abuse of the CFAA. But, for now and at the very least, it says that if the DOJ is going to try to throw you in jail for the crime of Vaguely Misusing A Computer While Being Kind Of A Jerk, it at least has to do it in the correct venue instead of going fishing for the most favorable one.

Update: As noted in the First Word comment below, the ruling did make mention of the fact that no crime had been clearly established, which suggests that if the court had addressed the bigger questions about the charge, it may not have gone well for the DOJ. For now, we'll have to be satisfied with a non-binding footnote.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: andrew auernheimer, cfaa, doj, hacking, venue, weev


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    SEHumphrey, 11 Apr 2014 @ 9:57am

    Although not binding, it is important to note that the court did address (in a footnote) that there wasn't a clear crime committed:

    We also note that in order to be guilty of accessing without authorization, or in excess of authorization” under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code - or password - based barrier to access. See State v. Riley, 988 A.2d 1252,1267 (N.J. Super. Ct. Law Div. 2009). Although we need not resolve whether Auernheimer’s conduct involved such a breach, no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier. The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.