Orin Kerr, Hanni Fakhoury at the Electronic Frontier Foundation, and Marcia Hoffman, filed Andrew Auernheimer’s (weev) appeal with the Third Circuit Court of Appeals. The appeal raises serious questions about the scope and interpretation of the notorious Computer Fraud and Abuse Act (CFAA). In November 2012, Auernheimer was convicted by a federal jury sitting in Newark, New Jersey, of one count of conspiracy to commit unauthorized access to a protected computer, in violation of 18 U.S.C. §§ 371 & 1030(a)(2)(c), and one count of federal identity theft, in violation of 18 U.S.C. § 1028(a)(7). He is currently serving a 41 month sentence at Allenwood Low Federal Correctional Facility in Pennsylvania. Tor Ekeland, P.C. served as Auernheimer’s trial counsel. Upon his conviction the Firm immediately began working with Orin Kerr, the Electronic Frontier Foundation and Marcia Hoffman on Auernheimer’s appeal. In essence, Auernheimer was convicted for obtaining public information from a public website. In May of 2010, his co-conspirator Daniel Spitler, discovered that AT&T’s publicly accessible servers would publish the email address of a given AT&T iPad data subscriber when queried by a URL that matched the serial number on the SIM card in that subscriber’s iPad. Realizing this, Spitler wrote a script that counted off serial numbers to AT&T’s servers and copied the email addresses the server published in response to the queries. No password was required to view the email addresses. They were available to anyone who entered a correct URL string into their web browser. In June, 2010, Spitler informed Auernheimer of his discovery. Auernheimer went to the press the next day with the news, and Gawker ran an article featuring a redacted list of email addresses. The FBI raided Auernheimer’s residence a little over a week later and his prosecution followed. The case is significant because of the government’s overbroad interpretation of what constitutes “unauthorized access” to a computer under the CFAA. The CFAA is notorious for failing to define what constitutes unauthorized access to a protected computer. The interpretation that prevailed at trial risks criminalizing normal computer behavior that millions of Americans engage in every day. The implications of the government’s interpretation of unauthorized access to a computer are startling and scary because it risks criminalizing surfing the Internet. AT&T placed its customers email addresses on a server available to anyone with an Internet connection. It did not password protect the information nor put it behind any firewall. And it provided no notice that copying the information was unauthorized, and its systems did not block multiple requests from the same IP address asking for multiple subscribers ‘ email addresses. In short, AT&T’s servers published the email addresses to anyone who entered the correct URL string into his or her web browser. Millions of Americans enter URL strings into web browsers everyday. If the government’s interpretation of unauthorized access under the CFAA prevails, all of those Americans who visit a website are potential felons if the owner decides the visit is unauthorized. No notice is required, no password need be bypassed. All that is required is a glance at the website. Now, is the government going to prosecute millions of web browsing Americans? No. But it now has a powerful tool that allows it to pick and choose who to prosecute out of a large volume of unsuspecting computer users. The potential for prosecutorial abuse of this tool is great, one need only look at Aaron Swartz’s prosecution for an example. The Appellate Brief’s main arguments are simple and straight forward. Here is a summary of the Brief’s main arguments, the full Brief is attached below:
Summary of Argument
Auernheimer’s convictions must be overturned on multiple and independent grounds. First, Auernheimer’s conviction on Count 1 must be overturned because visiting a publicly available website is not unauthorized access under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C). AT&T chose not to employ passwords or any other protective measures to control access to the e-mail addresses of its customers. It is irrelevant that AT&T subjectively wished that outsiders would not stumble across the data or that Auernheimer hyperbolically characterized the access as a “theft.” The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information. Accessing the e-mail addresses through AT&T’s public website was authorized under the CFAA and therefore was not a crime. See Pulte Homes, Inc. v. Laborers’ Intern. Union of North America, 648 F.3d 295, 304 (6th Cir. 2011). Second, should the Court find that Auernheimer is guilty of conspiracy to violate the CFAA under Count 1, the Court must vacate the felony conviction because the offense was at most a misdemeanor. The government charged Auernheimer with a felony on the novel ground that accessing a computer without authorization under the federal computer crime law is a felony because it is in furtherance of an analogous state computer crime law, N.J.S.A. 2C:20-31(a). The felony enhancement was improper for two reasons. First, it constitutes double-counting: the government cannot charge a defendant with committing a crime in furtherance of the crime itself. See United States v. Cioni, 649 F.3d 276, 283 (4th Cir. 2011), cert. denied, 132 S. Ct. 437 (2011). Second, Auernheimer did not violate the New Jersey computer crime law. Third, the conviction on Count 2 must be overturned because Auernheimer did not violate the identity theft statute, 18 U.S.C. § 1028(a)(7). Auernheimer’s actions were lawful for two reasons. First, the collection of e-mail addresses from a publicly accessible website does not run afoul of § 1030(a)(2)(C), so there was no predicate offense on which to anchor a § 1028(a)(7) violation. Second, even assuming that Auernheimer violated § 1030(a)(2)(C) to obtain the e-mail addresses, he did not “possess” or “transfer” them “in connection with” another distinct and separate crime, as both the plain text and legislative history of § 1028 require. Fourth, the convictions must be vacated because venue was improper in the District of New Jersey. Venue requires a close study of the laws under which a defendant is charged to determine the essential elements of the conduct Congress prohibited. Venue is improper under Count 1 because no computer was accessed nor information obtained in New Jersey. Venue is improper under Count 2 because no data was transferred, possessed, or used in New Jersey. This case has nothing to do with New Jersey and could not have been charged in New Jersey. Finally, if the Court upholds the convictions on Count 1 and Count 2, the sentence must be vacated and the case remanded for resentencing because the district court improperly applied an eight-level upward adjustment under U.S.S.G. § 2B1.1. The district court applied this enhancement to account for AT&T’s alleged $73,000 mailing cost to notify its affected customers. This upward adjustment was wrongly imposed for three reasons. First, the government failed to carry its burden of proof that AT&T suffered this loss. Second, mailing costs are not the type of “loss” envisioned by the CFAA. And third, the $73,000 amount was unreasonable given the absence of a legal obligation to notify its customers of the breach and the otherwise adequate email notice sent to almost all of AT&T’s affected customers. United States v. Auernheimer, 13-1816 (3d Cir. 2013) (TE) Auernheimer App. Brief ]]]]> ]]>
