Lawyers for AT&T iPad "hacker" Andrew "Weev" Auernheimer, who is in federal prison, on Monday (July 1) filed an appeal seeking to vacate Auernheimer's convictions by challenging the government's interpretation of the 1984 Computer Fraud and Abuse Act (CFAA).
"Auernheimer's convictions must be overturned on multiple and independent grounds," said the appeal, which was filed with the Third Circuit Court of Appeals in Philadelphia. "Visiting a publicly available website is not unauthorized access ... [AT&T] configured its servers to make the information available to everyone and thereby authorized the general public to view the information."
In June 2010, Auernheimer's friend Daniel "JacksonBrown" Spitler created and used a simple computer tool called "Account Slurper" that, taking advantage of a feature on an AT&T website, harvested the email addresses of 114,000 owners of first-generation cellular-data-enabled iPads.
Spitler had discovered that the AT&T website, when fed a URL that included a unique iPad ID, returned the otherwise private email address associated with that iPad. His tool simply ran through thousands of possible iPad IDs.
"To make it easier for iPad owners to access their AT&T accounts, AT&T programmed its website to automatically pre-populate the login prompt with the email address associated with that particular iPad computer," Auernheimer's appeal explained. "AT&T configured its website so that it would share an e-mail address with anyone — not just the account holder — who entered the correct website address."
Spitler "spoofed" his desktop computer to appear to be an iPad and "slurped" more than 114,000 email addresses, which he then shared with Auernheimer.
Auernheimer in turn handed over the list of email addresses, which appeared to include those of several prominent political and media figures, to the gossip blog Gawker.
After Gawker ran a story entitled "Apple's Worst Security Breach: 114,000 iPad Owners Exposed," AT&T removed the pre-populated email-address feature from the website (which is still accessible).
Although no email addresses were ever made public and AT&T chose not to press charges, federal prosecutors got involved and indicted both Spitler and Auernheimer on charges of identity theft and conspiracy to access a protected computer without authorization.
In his defense, Auernheimer said he was helping AT&T's security team by pointing out a flaw that left customers' personal information exposed to anyone. AT&T has said it was never contacted by Auernheimer or his company Goatse Security.
"Auernheimer was stupid for not responsibly informing AT&T of the flaw," British security expert Graham Cluley said in a blog posting yesterday (July 2). "But AT&T were even more dumb for creating a system that could serve up customers' email addresses to anyone — without requiring a username or password."
Spitler agreed to testify against Auernheimer, who was convicted of both charges in November 2012 in a federal court in Newark, N.J. During a raucous hearing in March, Auernheimer was sentenced to 41 months in prison, a term he chose to begin serving immediately.
He and Spitler were also ordered to reimburse AT&T for the $73,000 the company allegedly spent notifying affected iPad users of the data breach. (Spitler has pleaded guilty to the same charges but has not yet been sentenced.)
Auernheimer's appeal argued that the trial venue was improper, since neither he, Spitler nor the AT&T servers they accessed were located in New Jersey at the time of the incident; that the felony charge of conspiracy was improper since the underlying infraction was a misdemeanor under New Jersey law; and that the government failed to prove that the incident cost AT&T $73,000, a damages figure that multiplied the length of Auernheimer's sentence.
"The collection of email addresses from a publicly accessible website does not run afoul of [the CFAA]," the appeal further argued. Auernheimer "did not 'possess' or 'transfer' them 'in connection with' another distinct and separate crime."
"Spitler would have gotten the same email addresses if he had manually inputted the URLs on an iPad rather than a spoofed desktop browser," wrote Hanni Fakhoury, a lawyer at the Electronic Frontier Foundation (EFF) in San Francisco and part of Auernheimer's legal team, in an opinion piece posted yesterday on the Wired website. "In short, one can't violate the CFAA by accessing information on a freely available, public website."
Many security experts see the CFAA as an antiquated law ill-suited to the Internet age, arguing that the CFAA's wording essentially allows prosecution of routine behavior by anyone on a computer connected to the World Wide Web.
Overzealous prosecution based on vague language in the CFAA has been blamed for the January suicide of Internet activist Aaron Swartz, who faced a possible half-century in prison for rapidly downloading millions of academic-journal articles from an online repository.
Auernheimer's case has garnered an unusual amount of attention among Internet pundits and journalists, and has become a cause célèbre on Twitter under the hashtag #freeweev.
His defense team, originally one lawyer in Brooklyn, has been joined by prominent members of the technology-law community, including Fakhoury, George Washington University law professor Orin Kerr and former EFF staff lawyer Marcia Hofmann.
In its own show of support, the Center for Internet and Society at Stanford Law School put out a call Monday for security researchers to assist in writing an amicus brief to the Third Circuit Court of Appeals on Auernheimer's behalf.
"Auernheimer may not have followed best practices in the security research community," wrote Stanford's Jennifer Granick, herself a prominent technology-law expert, in the center's posting. "But as far as the statute is concerned, if his conduct is prohibited, then much of the applied-security research field is unlawful."
In his opinion piece, Fakhoury said the success or failure of Auernheimer's appeal will affect everyday Internet users.
"How's a person surfing the Internet supposed to know when they can or can't view information, if there's no technical barrier to access?" Fakhoury asked. "Placing publicly available data within the purview of the CFAA allows companies ... to dictate what is and isn't criminal behavior, and to do so in arbitrary ways. And here, it allows AT&T to avoid blame for exposing its customer's data by pointing the finger at Weev."
Cluley, no fan of Auernheimer's methods, also questioned the punishment.
"This case has exposed how vague language used in the Computer Fraud and Abuse Act could be abused by prosecutors," Cluley said. "The challenge now is for security researchers to act more responsibly in future, for companies to better protect sensitive customer data and for the legislators to tighten up the wording of their computer crime laws."