Before his sentencing hearing, Andrew Auernheimer, who was convicted on one charge of conspiracy under the Computer Fraud and Abuse Act (CFAA) and one charge of fraud involving personal information, declared in a statement that he was going to jail for “arithmetic.”
The twenty-six-year-old security researcher, known as “Weev,” was sentenced to forty-one months in prison and three years of supervised release, and was ordered to pay $73,000 in restitution to AT&T.
The Verge reported that prosecutors had cited a Reddit chat he did on Sunday night when justifying the length of his sentencing. In other words, speech he engaged in where he showed no remorse for his action was used against him.
During proceedings, Auernheimer tried to use a tablet. He was cuffed by agents. He left the courtroom and returned in shackles five minutes later.
The Electronic Frontier Foundation announced the digital rights organization would be supporting an appeal before the Third Circuit Court of Appeals. “Weev is facing more than three years in prison because he pointed out that a company failed to protect its users’ data, even though his actions didn’t harm anyone,” EFF Senior Staff Attorney Marcia Hofmann said in a press release. “The punishments for computer crimes are seriously off-kilter, and Congress needs to fix them.”
The appeal indicated that EFF, along with other attorneys, would be making his case a part of a legal effort to challenge CFAA. EFF Staff Attorney Hanni Fakhoury said Weev’s case shows how “problematic” the CFAA happens to be.
The CFAA has come under scrutiny and faced calls for reform since Aaron Swartz, who was being zealously prosecuted under the law for downloading documents off an academic database, committed suicide in January.
Auernheimer spoke to Mashable. In the interview he recounts how, in June 2010, he discovered that a public AT&T server was exposing customers’ personal data.
“There was a URL in this web server with a number at the end,” he explains. “And, if you would add 1 to this number, you would see the next iPad 3G user email address. I figured it was egregiously negligent for AT&T to be publishing a complete target list of their customers.”
According to Auernheimer, AT&T had a chance to address this security flaw in its public application programming interface (API), an API being a group of routines, protocols and tools for building software applications. Auernheimer then sampled data from the API, aggregated it and gave the data to a journalist because he felt “if a company puts you at risk you deserve to know about it and they deserve to be embarrassed.”
He only waited a few hours before handing over data, but Auernheimer said he believed there was a limited amount of time before AT&T would have issued an injunction so the company’s customers would not find out about the flaw. Also, it was out on the open Internet. He is a security researcher and believes, “You don’t have the right to say you can’t cite this thing you published,” and, “You don’t have the right to cry later about how people use it to criticize you.”
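The flaw Auernheimer describes, a URL whose trailing number can simply be incremented to reach the next customer’s record, is what defenders today would class as an insecure direct object reference, and its footprint in a web server’s access log is a single client walking consecutive identifier values. The following detector is an added example, not code from the article or from any party in the case; the endpoint path, the `id` parameter, the IP addresses and the timestamps in the sample log are all constructed and are not AT&T’s actual API.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache-style combined format, simplified).
# 198.51.100.7 walks five consecutive ids; 203.0.113.9 just re-reads its own record.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Jun/2010:10:00:01 +0000] "GET /account/profile?id=100234 HTTP/1.1" 200 512
198.51.100.7 - - [14/Jun/2010:10:00:02 +0000] "GET /account/profile?id=100235 HTTP/1.1" 200 498
198.51.100.7 - - [14/Jun/2010:10:00:02 +0000] "GET /account/profile?id=100236 HTTP/1.1" 200 503
198.51.100.7 - - [14/Jun/2010:10:00:03 +0000] "GET /account/profile?id=100237 HTTP/1.1" 200 511
198.51.100.7 - - [14/Jun/2010:10:00:03 +0000] "GET /account/profile?id=100238 HTTP/1.1" 200 507
203.0.113.9 - - [14/Jun/2010:10:00:04 +0000] "GET /account/profile?id=100240 HTTP/1.1" 200 509
203.0.113.9 - - [14/Jun/2010:10:05:10 +0000] "GET /account/profile?id=100240 HTTP/1.1" 200 509
203.0.113.9 - - [14/Jun/2010:10:07:00 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
"""

# Hypothetical log layout: client, two ident fields, bracketed timestamp, request line, status, bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
ID_RE = re.compile(r'[?&]id=(\d+)')   # hypothetical object-identifier parameter


def parse(log_text):
    """Yield (client_ip, status, numeric id) for every request that carries an id parameter."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idm = ID_RE.search(m.group('path'))
        if idm:
            yield m.group('ip'), int(m.group('status')), int(idm.group(1))


def find_enumerators(log_text, min_run=4):
    """Return {client_ip: longest_run} for clients whose successful (200) requests,
    taken in log order, contain a run of at least min_run consecutive ids.
    Only successful responses count, since those are the ones that actually leaked a record."""
    per_client = defaultdict(list)
    for ip, status, ident in parse(log_text):
        if status == 200:
            per_client[ip].append(ident)
    flagged = {}
    for ip, ids in per_client.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged
```

The underlying fix is not the alert but the endpoint: a record should be served only after the server checks that the authenticated caller owns it, and the identifier should not be a guessable counter.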
When Auernheimer was convicted in November of last year, Andy Greenberg of Forbes highlighted the reaction from security researchers:
The information security community is now arguing that Auernheimer’s conviction sets a precedent that could dangerously restrict free speech and behavior online. If merely visiting an unrestricted web page to copy an email address counts as unauthorized access, the legal line between intrusive hacking and testing websites for vulnerabilities–or merely visiting a website at all–could be blurred.
“The chilling effects are huge,” says Rob Graham, an analyst and consultant with security firm Errata Security. “Researchers will be more circumspect about what they’re willing to disclose. They’ll fear that they might be the next Weev.”
Jacob Appelbaum, a Tor software developer who has been targeted by the United States government for his ties to WikiLeaks, called the case a “neo-classic whistleblower crackdown.”
Auernheimer did not discover the flaw on his own. Daniel Spitler was the one who found it in the course of his own work. The two became the subject of an FBI investigation. Spitler pled guilty to charges in 2011 and eventually testified against Auernheimer.
In a “statement of responsibility” posted on TechCrunch, Auernheimer shared:
I can’t survive like this. I am happy to be hitting a prison cell soon. They ruined my business. The feds get approval of who I can work for or with: they rejected one company because the CEO had a social network profile with an occupation listed as “hacker.” They prohibit me from touching any computer that isn’t federally monitored. I do my best to slang Perl code on an Android device to comply with my bail conditions. It isn’t pretty.
Ivy League educated and wealthy, Aaron dealt with his indictment so badly because he thought he was part of a special class of people that this didn’t happen to. I am from a rundown shack in Arkansas. I spent many years thinking people from families like his got better treatment than me. Now I realize the truth: The beast is so monstrous it will devour us all. None will be spared.
He pointed out that, as in Swartz’s case, prosecutors were using anything they could against him. For example, his security research group is Goatse Security. Zach Intrater, one of the prosecutors, said that a comment he made about Goatse Security “starting a certification process to declare systems ‘goatse tight’ was evidence of my intent to personally profit.” Auernheimer added, “For those not in on the joke: Goatse is an Internet meme referencing a man holding open his anus very widely. The mind reels.”
It is classic politics of personal destruction. Auernheimer, a bombastic hacker-type, was made an easy target and made to do time in prison.
The service provided by the Justice Department to AT&T is hard to separate from the reality that AT&T was granted retroactive immunity for committing felonies when it engaged in warrantless wiretapping under the administration of President George W. Bush. Congress voted to give telecommunications companies like AT&T this immunity. President Barack Obama voted to give telecommunications companies this immunity. AT&T was a big sponsor of the Democratic Party’s national conventions in 2008 and 2012.
But, what does that have to do with this case? It is not like the nexus of cooperation between corporations and the state targeted his free speech rights and worked together every step of the way to make sure an example was made out of Auernheimer.