According to his brand new lawyer, Andrew “weev” Auernheimer, otherwise known as the AT&T hacker, will appeal his sentence of 41 months in prison, three years probation, and restitution of $73,000 owed to AT&T. Orin Kerr, a civil rights lawyer who is now on the faculty of the George Washington University Law School, has stated on a blog that he will be joining Auernheimer’s legal team, free of charge, in his appeal.
For a little background, Auernheimer was recently convicted on two charges, conspiracy to access a computer without authorization and fraud in connection with personal information. After accessing a publicly available (and unprotected) AT&T website, Auernheimer realized he could run a script that would reveal the email addresses of AT&T’s iPad 3G owners. He sent 114,000 email addresses to a Gawker journalist and has now been charged with felony crimes for these actions.
Many see Auernheimer’s hack as a public service (thus, the Crunchie), considering AT&T was letting users’ email addresses hang out in the open. However, AT&T and the District Court of New Jersey seem to disagree.
Kerr lists in his blog four main reasons for taking the case pro bono and working to appeal weev’s sentence.
The first reason is that he’s concerned Auernheimer’s sentence and conviction may set a bad precedent for the meaning of unauthorized access under the Computer Fraud and Abuse Act. Technically, says Kerr, the email addresses obtained by Auernheimer were published publicly on an AT&T website, unprotected though not necessarily meant for prying eyes. Still, Auernheimer didn’t actually hack past any security measures or a firewall; he simply changed a number in the URL.
Here’s what Orin Kerr had to say about it:
In the government’s view, visiting the URLs was an unauthorized access of AT&T’s website. But I think that’s wrong. At bottom, the conduct here was visiting a public website. As the Sixth Circuit stated in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), everyone is authorized to visit an “unprotected website” that is “open to the public.” The fact that AT&T would not have wanted Spitler to visit those particular URLs doesn’t make visiting the public website and collecting the information a criminal unauthorized access. If you make information available to the public with the hope that only some people would bother to look, it’s not a crime for other people to see what you make available to them.
But this isn’t the only reason Kerr is taking over.
Kerr is also concerned with the fact that Auernheimer is being charged with a felony rather than a misdemeanor, since the “unauthorized access” charge is normally a misdemeanor offense. According to Kerr, the government feels that the overlap between the 50 states’ unauthorized access computer crime statutes and the very similar federal unauthorized access statute automatically transforms this crime into a federal matter, based on 18 U.S.C. 1030(c)(2)(B)(ii).
This section states that a misdemeanor unauthorized access becomes a felony when it is “in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” Kerr calls this “double-counting” and thinks it’s unfair and unreasonable.
Finally, Kerr has taken the case because of the outrageous sentence weev has been given, as well as the discrepancy between the location of crimes committed and the jurisdiction. Though Auernheimer never accessed any AT&T websites in Jersey, the government is still charging him in New Jersey based on the fact that some of the email addresses obtained came from NJ.
Plus, his sentence is clearly heavy-handed compared to the “crimes” he committed. Kerr explains that Auernheimer’s 41-month sentence was based around the $73,000 figure AT&T said it was owed in damages. However, Kerr states that, while Auernheimer is responsible for reparations based on the law, the figure is pretty bogus.
The dollar loss is calculated based on “[a]ny reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other damages incurred because of interruption of service.”
However, AT&T’s only costs from this hack come by way of notifying its customers of the breach. It started with an email, which cost the firm nothing. Then, AT&T sent out a notification by snail mail, which apparently cost them $73,000.
But I don’t think that cost of paper and mailing counts as loss that can be attributed to Auernheimer and Spitler. That’s true for two reasons. First, existing caselaw indicates that the costs only count if they are “directly attributable to the defendants’ alleged access of [the] computer” Shirokov v. Dunlap, Grubb & Weaver, 2012 WL 1065578, at *24 (D. Mass. 2012) (concluding that legal fees cannot constitute “loss” under the CFAA). A decision to notify users of a breach, like a decision to hire lawyers, is not part of an effort to fix the computer and therefore not directly attributable to the access. Second, it is not a “reasonable” cost here in light of the successful electronic notice.
For these reasons, Kerr will be joining weev’s legal representation from here on out with the goal of reducing his sentence or perhaps even overturning it.
The appeal filing in full is available on Scribd: http://www.scribd.com/embeds/131804263/content?start_page=1&view_mode=scroll