
Creative Commons-licensed photo of Andrew Auernheimer available on Wikipedia
Before his sentencing hearing, Andrew Auernheimer, who was convicted on one charge of conspiracy under the Computer Fraud and Abuse Act (CFAA) and one charge of fraud involving personal information, declared in a statement that he was going to jail for “arithmetic.”
The twenty-six-year-old security researcher, known as “Weev,” was sentenced to forty-one months in prison and three years of supervised release, and was ordered to pay $73,000 in restitution to AT&T.
The Verge reported that prosecutors had cited a Reddit chat he did on Sunday night when justifying the length of his sentence. In other words, speech he engaged in where he showed no remorse for his action was used against him.
During proceedings, Auernheimer tried to use a tablet. He was cuffed by agents. He left the courtroom and returned in shackles five minutes later.
The Electronic Frontier Foundation announced the digital rights organization would be supporting an appeal before the Third Circuit Court of Appeals. “Weev is facing more than three years in prison because he pointed out that a company failed to protect its users’ data, even though his actions didn’t harm anyone,” EFF Senior Staff Attorney Marcia Hofmann said in a press release. “The punishments for computer crimes are seriously off-kilter, and Congress needs to fix them.”
The appeal indicated that EFF, along with other attorneys, would be making his case a part of a legal effort to challenge CFAA. EFF Staff Attorney Hanni Fakhoury said Weev’s case shows how “problematic” the CFAA happens to be.
The CFAA has come under scrutiny and faced calls for reform since Aaron Swartz, who was being zealously prosecuted under the law for downloading documents off an academic database, committed suicide in January.
Auernheimer spoke to Mashable. In the interview he recounts how, in June 2010, there was an AT&T public server that he discovered was exposing customers’ personal data.
“There was a URL in this web server with a number at the end,” he explains. “And, if you would add 1 to this number, you would see the next iPad 3G user email address. I figured it was egregiously negligent for AT&T to be publishing a complete target list of their customers.”
According to Auernheimer, AT&T had a chance to address this security flaw in this public application programming interface (API), which is defined as a group of routines, protocols and tools for building software applications. Auernheimer then sampled data from the API, aggregated it and gave the data to a journalist because he felt “if a company puts you at risk you deserve to know about it and they deserve to be embarrassed.”
He only waited a few hours before handing over data, but Auernheimer said he believed there was a limited amount of time before AT&T would have issued an injunction so the company’s customers would not find out about the flaw. Also, it was out on the open Internet. He is a security researcher and believes, “You don’t have the right to say you can’t cite this thing you published,” and, “You don’t have the right to cry later about how people use it to criticize you.”
When Auernheimer was convicted in November of last year, Andy Greenberg of Forbes highlighted the reaction from security researchers:
The information security community is now arguing that Auernheimer’s conviction sets a precedent that could dangerously restrict free speech and behavior online. If merely visiting an unrestricted web page to copy an email address counts as unauthorized access, the legal line between intrusive hacking and testing websites for vulnerabilities–or merely visiting a website at all–could be blurred.
“The chilling effects are huge,” says Rob Graham, an analyst and consultant with security firm Errata Security. “Researchers will be more circumspect about what they’re willing to disclose. They’ll fear that they might be the next Weev.”
Jacob Appelbaum, a Tor software developer who has been targeted by the United States government for his ties to WikiLeaks, called the case a “neo-classic whistleblower crackdown.”
Auernheimer did not discover the flaw on his own. Daniel Spitler found what he detected in his work. The two became the subject of an FBI investigation. Spitler pled guilty to charges in 2011 and then eventually testified against Auernheimer.
In a “statement of responsibility” posted on TechCrunch, Auernheimer shared:
I can’t survive like this. I am happy to be hitting a prison cell soon. They ruined my business. The feds get approval of who I can work for or with: they rejected one company because the CEO had a social network profile with an occupation listed as “hacker.” They prohibit me from touching any computer that isn’t federally monitored. I do my best to slang Perl code on an Android device to comply with my bail conditions. It isn’t pretty.
Ivy league educated and wealthy, Aaron dealt with his indictment so badly because he thought he was part of a special class of people that this didn’t happen to. I am from a rundown shack in Arkansas. I spent many years thinking people from families like his got better treatment than me. Now I realize the truth: The beast is so monstrous it will devour us all. None will be spared.
He pointed out that, as in Swartz’s case, prosecutors were using anything they could against him. For example, his security research group is Goatse Security. Zach Intrater, one of the prosecutors, said that a comment he made about Goatse Security “starting a certification process to declare systems ‘goatse tight’ was evidence of my intent to personally profit.” Auernheimer added, “For those not in on the joke: Goatse is an Internet meme referencing a man holding open his anus very widely. The mind reels.”
It is classic politics of personal destruction. Auernheimer, a bombastic hacker-type, was made an easy target and made to do time in prison.
The service provided by the Justice Department to AT&T is hard to separate from the reality that AT&T was granted retroactive immunity for committing felonies when it engaged in warrantless wiretapping under the administration of President George W. Bush. Congress voted to give telecommunications companies like AT&T this immunity. President Barack Obama voted to give telecommunications companies this immunity. AT&T was a big sponsor of the Democratic Party’s national conventions in 2008 and 2012.
But, what does that have to do with this case? It is not like the nexus of cooperation between corporations and the state targeted his free speech rights and worked together every step of the way to make sure an example was made out of Auernheimer.



13 Comments

Damn!
Aaron’s dead, Andrew is convicted and Jamie Dimon is our young President’s BFF.
One need look no further to know how fucked up our country has become.
“Jacob Appelbaum, a Tor software developer who has been targeted by the United States government for his ties to WikiLeaks, called the case a “neo-classic whistleblower crackdown.”
Modern fugitive slave laws?
“…that AT&T was granted retroactive immunity for committing felonies when it engaged in warrantless wiretapping under the administration of President George W. Bush. Congress voted to give telecommunications companies like AT&T this immunity. President Barack Obama voted to give telecommunications companies this immunity. AT&T was a big sponsor of the Democratic Party’s national conventions in 2008 and 2012.”
I admired “Quest Com.” Go get a warrant!
These “douche-bags” got big balls for sure and insult America daily with their scum buggery!
http://en.wikipedia.org/wiki/Hepting_v._AT%26T
AT&T is a scurrilous company and politicians who support it are equally scurrilous.
In spite of significant public outrage, the maneuvering of Harry Reid to get Retroactive Immunity for AT&T and the rest of Big Telco was marvelous.
And Obama’s AT&T triple axel double backflip was also wondrous.
It is truly amazing what they can get done and what they can’t get done (Single payer Nationalized Healthcare, for example).
The public be damned.
Whistleblowers and Protestors represent “a form of terrorism” according to the Pentagon.
Obama: our first Black Dictator.
This really is fascism. AT&T cooperated with the Bush administration’s illegal requests for customer data and now the government goes to war against citizens to protect AT&T from embarrassment. Any hick that still talks about America being the land of the free is a fool.
It’s increasingly obvious that one of the highest priorities of our government, whether it’s headed by Republicans or Democrats, is to preserve a monopoly of useful information for the super-rich and the corrupt transnational corporations they control.
I wish I could disagree with anything in your trenchant post, but I can’t.
The Computer Fraud and Abuse Act (CFAA) is an ANTI-security measure that is intended to protect companies from the perceived expense of even minimally securing their networks and securing the third-party data for which they are minimally responsible. CFAA is arguably a major reason why we, allegedly, face a major threat from Chinese Army “cyber soldiers”.
More than a decade ago now, I worked for a major supplier of telco equipment. Some kid breached security on one of our telephone-network products and caused a major local service outage. 911 service went down, among other things. There was considerable alarm in the responsible engineering circles at our company–until it emerged that a senior telco manager had overruled his underlings and forced them to attach a modem to the equipment that we supplied. He wanted to monitor it from home. Attaching a modem was the single biggest security breach you could have and was expressly forbidden in all of our documentation.
When the clueless boy that randomly dialed the modem and played with the computer was hunted down and prosecuted, the engineers that I knew were outraged. All of us felt that the boy should have been commended. The telco manager should have been the one prosecuted. HE was the one that endangered the public by reckless conduct. The kid merely revealed the danger to the public.
Unfortunately, managers and their mercenaries–the lawyers, politicians, and paid “experts”–got to write the laws, not the technical professionals. As a result, CFAA focuses on protecting the corporatists who expose our data and communications to the world by prosecuting those who expose their ineptitude and negligence.
Security costs money, and due diligence requires some corporate inconvenience. But thanks to laws like CFAA, corporations no longer have to waste money on things that do not directly contribute to the executive lifestyle. They have been able to dismiss their expert, security-conscious professionals and replace them with lower-paid, less outspoken staff–staff that, coincidentally enough, is available at low, low prices in China. Corporations have greatly reduced their investments in newer, more secure hardware and software, and accepted any implementation that is cheap, regardless of security or suitability for the task (note the use of RFID and the implementation of ATM and online banking arrangements).
So who pays the costs of laxity? We do, of course, as always. Our taxes pay to prosecute the valiant few who tell us that the Emperor is Not Wearing Pants and thereby shield the guilty from lawsuits. The prices we pay cover the managerial bonuses and the bottomline losses that managerial policies make inevitable. To add insult to injury, we are even ramping up to pay for “cyber warfare” against the off-shored employees of those that created our vulnerability to “cyber warfare.”
I think back to how I was ridiculed for making comparisons with fascist and fascism?
“This really is fascism. AT&T cooperated with the Bush administration’s illegal requests for customer data and now the government goes to war against citizens to protect AT&T from embarrassment. Any hick that still talks about America being the land of the free is a fool.”
Yes it is….
“As a result, CFAA focuses on protecting the corporatists who expose our data and communications to the world by prosecuting those who expose their ineptitude and negligence.”
Another sad example of corporate fascism…
I wonder what the “NDAA” act is really protecting?
Quite disgusting and correct!