Hacker’s appeal may shape the future of the Internet
Auernheimer, a 27-year-old security researcher from Arkansas, was found guilty last year of violating the federal Computer Fraud and Abuse Act after he used a computer script to collect the email addresses of 114,000 registered Apple iPad owners. Although that information was freely available on the Internet and was not password protected, Auernheimer was convicted of accessing a computer “without authorization” under the CFAA and was sentenced earlier this year to spend 41-months in federal prison.
Along with Auernheimer’s case lawyers Tor Ekeland and Mark Jaffe, attorneys at the Electronic Frontier Foundation and law professor Orin Kerr have authored a 74-page statement filed this week with the US Court of Appeals for the Third Circuit asking them to toss out what they call an unjust conviction that could set a dangerous precedent with regards to how computer legislation could be used in the future.
EFF staff attorney Hanni Fakhoury wrote in an editorial published by Wired on Tuesday that the “future of the Internet may well depend” on the outcome of the appeal. The CFAA “has run amok,” Fakhoury wrote, adding, “The outdated law has been abused to cover situations far removed from the type of criminal hacking Congress had in mind when it passed the law in 1986.”
In the appeal, Fakhoury and his colleagues say the conviction and sentencing of Mr. Auernheimer raises legal issues that should pursue the court to overturn the earlier ruling “on multiple and independent grounds.”
At the heart of the attorneys’ argument is that Auernheimer never accessed a computer “without authorization” as outlined in the CFAA. Because Auernheimer collected a trove of email addresses by visiting a publically available website — namely the one owned by telecom giant AT&T — his lawyers say he never broke into a restricted computer and logically can’t be charged with such. Auernheimer himself equated his crime with “incrementing a digit at the end of a URL on a public webserver” during a blog post on the eve of his sentencing hearing and said on more than one occasion, “I’m going to prison for arithmetic.”
“AT&T chose not to employ passwords or any other protective measures to control access to the email addresses of its customers,” the attorneys wrote. “The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information. Accessing the email addresses through AT&T’s public website was authorized under the CFAA and therefore was not a crime.”
The legal counsel also insists that Auernheimer was wrongly convicted of a felony count in lieu of a more appropriate misdemeanor, and that a second charge of committing identity theft was wrongfully lobbed by the prosecution. That conviction, they argue, must be overturned because a violation of the federal identity theft statute requires a suspect to transfer personally-identifiable information “in connection with unlawful activity.”
“Even assuming Auernheimer violated [the CFAA] to obtain the e-mail addresses, he did not then possess or transfer the emails ‘in connection with’ another crime,” they wrote. “The phrase ‘in connection with…any unlawful activity’ means unlawful activity other than the wrongful act of obtaining the means of identity.”
Congress specifically created that law “out of concern that it may be difficult to prove an identity thief’s specific intent to put stole identities to criminal use,” they continued
“The government’s contrary view would render the statute unconstitutionally vague. Under the government’s theory, if it charges a defendant with hacking for illegally acquiring personal information, the government can always add a second count of identity theft for possessing the information just acquired. After all, possession of information will always be ‘in connection with’ the way a person came to possess it,” the appeal reads.
“Imagine a bank robber asks the bank teller for her name in the course of the crime. After his arrest, the robber tells his lawyer that the teller gave her name as ‘Beth.’ Under the broadest reading of [the identity theft statute], both the robber and his lawyer would be guilty of felony identity theft. After all, the robber “transfer[ed]” and his lawyer “possess[ed]” a means of identification (the name Beth), all ‘in connection with” the crime of bank robbery.’”
A jury said last year that Auernheimer violated the CFAA and that identity theft statute because the email addresses — and no other information — were shared with the media. As a result of both convictions, he was sentenced to pay AT&T a restitution of $73,000 and spend the next three-plus years in prison: the upper tier of the sentencing guidelines used by the court. The fee will reportedly compensate the telecom for the mass mailer they sent to customers informing them of the security breach.
The attorneys are also asking for the court to overturn the
conviction because they dispute the venue used to hear the case
and say that, contrary to the presiding judge’s opinion,
AT&T’s decision to spend a five-figure sum to send letters to
their customers did not constitute the subsequent sentence.Those
are just some of the aspects, however, that they say should
prompt an appeal.
“The fundamental question in this case,” they add, “is whether it is a crime to visit a public website.”
“Websites are open and available to the public. By publishing information on the World Wide Web, a website owner inherently authorizes others to view that information,” they attorneys wrote.
“Any other rule would have disturbing implications. Most Americans surf the web every day. How are they supposed to know when visiting a webpage is legal and when visiting a webpage might land them in jail?” they ask.
When Auernheimer was convicted of both counts last year, he told a reporter outside of the courtroom, “Have you ever received permission from Google to go to Google?”
Kerr, the George Washington University law professor who is assisting with the appeal, said in a statement that “This case is about the freedom to surf the Internet.”
"Anyone who cares about the free flow of information on the Internet should be concerned about this case," Ekeland added. "The government is criminalizing computer behavior that millions of Americans engage in every day. The government's reckless and myopic prosecution of Auernheimer for obtaining public information from a public website endangers that vital aspect of the Internet and our national economy, which depends on the free flow of information."
According to friends of Auernheimer, he has only in recent days been removed from a segregate housing unit at a federal detention center in Pennsylvania where he had been confined to a 10x10 cell shared with another roommate. He is scheduled for release in late 2016. Meanwhile, Rep. Zoe Lofgren (D-California) and Sen. Ron Wyden (D-Oregon) introduced a bill last month that if approved in Congress could reform the CFAA.
“The CFAA is a sweeping Internet regulation that criminalizes many forms of common Internet use,” they wrote. “It allows breathtaking levels of prosecutorial discretion that invites serious abuse. As Congress considers policies to preserve an open Internet as a platform for ideas and commerce, reforming the CFAA must be included.”
The proposal, dubbed “Aaron’s Law,” is named in memory of Aaron Swartz, a 26-year-old computer prodigy who committed suicide earlier this year while awaiting trial for a felony CFAA case.
"Like Aaron Swartz, I've no faith in the justice system," Auernheimer told The Guardian in January.