Tuesday afternoon in federal court in Newark, NJ, a jury convicted Andrew “Weev” Auernheimer for his role in a 2010 exploit that caused an AT&T account maintenance website to leak 114,000 email addresses of iPad owners. Auernheimer was convicted on both counts for which he was charged: conspiracy to access a computer without authorization (18 U.S.C. § 1030(a)(2)(C), part of the Computer Fraud and Abuse Act of 1986) and fraud in connection with personal information (18 U.S.C. § 1028(a)(7)).
As I suspected, the jury—likely with Thanksgiving turkey on its collective mind—deliberated for only an hour or two before reaching a unanimous guilty verdict. Auernheimer’s lawyer, Tor Ekeland, said the verdict was “not unexpected” and that he will file an appeal for Auernheimer soon. Auernheimer himself tweeted similar thoughts:
Auernheimer’s post-conviction tweet
On his way home after the verdict, Ekeland told me he thinks “Any legitimate security researcher should be concerned” by the case because Auernheimer didn’t bypass any security on the poorly designed AT&T website. The focus of the appeal will be on the Computer Fraud and Abuse Act itself more than on the facts of the case, which didn’t appear to be significantly contested.
Auernheimer is out on bail until his sentencing, which will be in about 90 days. Each conviction carries a sentence of up to five years.