Appeals court reverses hacker/troll “weev” conviction and sentence [Updated]

Appeals court skirts Computer Fraud And Abuse Act analysis.


A federal appeals court Friday reversed and vacated the conviction and sentence of hacker and Internet troll Andrew "weev" Auernheimer.

The case against Auernheimer, who has often been in solitary confinement for obtaining and disclosing personal data of about 140,000 iPad owners from a publicly available AT&T website, was seen as a test case on how far the authorities could go under the Computer Fraud and Abuse Act (CFAA), the same law that federal prosecutors were invoking against Aaron Swartz.

But in the end, the Third US Circuit Court of Appeals didn't squarely address the controversial fraud law and instead said Auernheimer was charged in the wrong federal court.

"Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue," the appeals court wrote. "The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence" (PDF).

Auernheimer was accused of passing along the e-mail addresses to Gawker, which thereafter published the information in redacted form in 2010. Auernheimer was convicted in a New Jersey federal court of a felony under the CFAA for conspiracy to access AT&T's servers against the company's will.

His attorneys argued all along that in order for the CFAA to have applied in this case, there needed to be some sort of "password-gate" or other way of keeping someone out of the AT&T website, which was not present here. They maintained that Auernheimer did not hack into servers or steal passwords. Rather, a major network security flaw at AT&T was discovered and exploited.

A three-judge federal appellate panel, however, for the most part sidestepped ruling on the merits of the hacking allegations and instead focused on where the case was tried.

The government argued that the New Jersey court was a proper venue for the case because 4,500 e-mail addresses were obtained from residents there. The authorities claimed that even if the venue was improper, it should be disregarded because it did "not affect substantial rights."

The court disagreed and suggested that Auernheimer's home state of Arkansas, where the alleged illegal activity took place, was the proper location for trial:

Auernheimer was hauled over a thousand miles from Fayetteville, Arkansas to New Jersey. Certainly if he had directed his criminal activity toward New Jersey to the extent that either he or his co-conspirator committed an act in furtherance of their conspiracy there, or performed one of the essential conduct elements of the charged offenses there, he would have no grounds to complain about his uprooting. But that was not what was alleged or what happened. While we are not prepared today to hold that an error of venue never could be harmless, we do not need to because the improper venue here—far from where he performed any of his allegedly criminal acts—denied Auernheimer's substantial right to be tried in the place where his alleged crime was committed.

Co-defendant Daniel Spitler discovered a security vulnerability in the website used to register iPad users who signed up for AT&T's 3G service. A script on AT&T's servers would accept an iPad's ICC-ID—a unique identifier embedded in the device's microSIM card—and return that user's e-mail address. Spitler figured out that ICC-IDs come in a predictable range, allowing him to enumerate the tens of thousands of them and obtain the corresponding e-mail addresses. Auernheimer was accused of providing Spitler with advice and encouragement over IRC, and later disclosed the information Spitler obtained to the media. In the view of federal prosecutors, Spitler's actions constituted a violation of the Computer Fraud and Abuse Act, and Auernheimer faced conspiracy charges for allegedly assisting Spitler.
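
As an added illustration (not from the article, the court record or AT&T's systems), the sketch below shows how a defender could spot this kind of sequential identifier enumeration in web access logs. The log format, the `/lookup?id=` path, the sample identifiers and the thresholds are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Hypothetical log format: "<client> GET /lookup?id=<digits> <status>"
LINE_RE = re.compile(r"^(\S+) GET /lookup\?id=(\d+) (\d{3})$")


def build_sample_log():
    """Constructed sample data: one client walking a range, two benign ones."""
    base = 8900000000000000000
    # Client stepping through consecutive identifiers.
    lines = [f"198.51.100.7 GET /lookup?id={base + 100 + i} 200" for i in range(8)]
    # Ordinary user repeating a lookup for a single device.
    lines += ["203.0.113.20 GET /lookup?id=8900000000000555123 200"] * 2
    # Shared gateway: several users, unrelated identifiers.
    scattered = (17, 90412, 5551212, 73000001, 912345678)
    lines += [f"192.0.2.55 GET /lookup?id={base + n} 200" for n in scattered]
    return "\n".join(lines)


def find_enumerators(log_text, min_distinct=5, max_gap=20, min_adjacent_ratio=0.8):
    """Return {client: distinct_id_count} for clients that requested many
    distinct identifiers lying close together in numeric order."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ids_by_client[m.group(1)].add(int(m.group(2)))

    flagged = {}
    for client, ids in ids_by_client.items():
        if len(ids) < max(min_distinct, 2):
            continue  # too few distinct identifiers to judge
        ordered = sorted(ids)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        # Gaps at or below max_gap count as "adjacent" identifiers.
        adjacent = sum(1 for g in gaps if g <= max_gap)
        if adjacent / len(gaps) >= min_adjacent_ratio:
            flagged[client] = len(ids)
    return flagged


if __name__ == "__main__":
    print(find_enumerators(build_sample_log()))
```

Counting distinct identifiers alone would also flag the shared gateway if its volume grew; the adjacency ratio is what separates a range walk from many unrelated users behind one address.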

Spitler pleaded guilty and was sentenced in January to three years' probation.

While the court would not resolve whether Auernheimer's conduct was illegal, it commented that "no evidence was advanced at trial" that "any password gate or other code-based barrier" was breached.

A day before his sentencing, Auernheimer commented on reddit last year that his only "regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker. I won't nearly be as nice next time."

Justice Department spokesman Matthew Reilly said in a telephone interview the agency was "reviewing our options now." 

The defendant's attorney, Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation, said in an e-mail that a "retrial is barred by double jeopardy."

If the authorities do seek a second trial, he said, "we will raise precisely that."

He applauded the appellate court's decision, saying the government's position presented "a risk that defendants could be hailed anywhere in the country to face a criminal trial. This decision will hopefully put some limits on that practice and make sure important constitutional limitations on venue survive in the Internet age."
