
Are the FBI and “weev” both hackers?

FBI's conduct to find Silk Road servers was similar to "weev's" criminal hacking.

If what "weev" did could be considered hacking, the FBI just might be a hacker, too, a former federal prosecutor says.

The trial attorney for Andrew "weev" Auernheimer, Orin Kerr, says the actions the FBI took to find the servers of the online drug haven Silk Road could fall under the same hacking statute under which his high-profile client was charged.

Kerr, a former federal prosecutor and an expert on the hacking statute called the Computer Fraud and Abuse Act, said there are many similarities between the Silk Road prosecution and his client's case.

The FBI said in a court brief Friday that the Silk Road server's IP address was "leaking" from the site "due to an apparent misconfiguration of the user login interface by the site administrator," accused Silk Road mastermind Ross Ulbricht. The FBI said it typed "miscellaneous" information into the login, prompting an error message. An examination of the message revealed the Icelandic IP address of the Silk Road server, the FBI said.

Writing in the Volokh Conspiracy on Monday, Kerr said:

The FBI’s location of the SR server brings to mind the prosecution of my former client Andrew Auernheimer, aka 'weev,' who readers may recall was criminally prosecuted for his role in visiting website addresses on an AT&T server that AT&T had thought and hoped would not be found by the public. Auernheimer’s co-conspirator found that AT&T had posted e-mail addresses on its server at IP addresses that the public was not expected to find. In defending its prosecution, DOJ took the view that obtaining information at the website addresses was criminal unauthorized access because AT&T had not intended for the public to see it and it was in a place where an ordinary computer user would likely not find it. (The Third Circuit ultimately overturned the conviction on venue grounds without reaching the lawfulness of the conduct under the CFAA.) In defending conduct in the Silk Road case, however, DOJ takes the view that there is 'nothing . . . unlawful' about taking advantage of a server misconfiguration to obtain data inadvertently 'leaked' by the server because that information is 'fully accessible to the public.'

Kerr sums up the Justice Department's position and his own argument:

"In Auernheimer, DOJ argued that data on a webserver was protected by law if an ordinary user could not find it. In the Silk Road case, DOJ argues that data on a webserver is unprotected by law if the system administrator configured the network incompetently so that an FBI expert could find the data. It sounds like there’s some significant tension between the government’s position in the two cases," he wrote. "Granted, the CFAA and the Fourth Amendment are not the same thing. Further, the CFAA has an exception for 'lawfully authorized investigative... activity of a law enforcement agency of the United States,' although the Silk Road brief does not rely on it. But there’s an interesting tension there. Perhaps the difference just reflects the different positions of two different prosecutors or two different offices litigating the two different cases. Or, more cynically, maybe it’s just natural to view the lawfulness of conduct differently when prosecuting versus defending it."

A federal appeals court in April reversed and vacated Auernheimer's conviction and sentence. The case against Auernheimer, who had been placed in solitary confinement for obtaining and disclosing personal data of about 140,000 iPad owners from a publicly available AT&T website, was seen as a test case on how far the authorities could go under the Computer Fraud and Abuse Act (CFAA), the same law that federal prosecutors were invoking against Aaron Swartz.

But in the end, the Third US Circuit Court of Appeals didn't squarely address the controversial hacking law and instead said Auernheimer was charged in the wrong federal court. Prosecutors have not brought new charges.

In the Silk Road case, meanwhile, the FBI said Friday that it easily found the main server of the now-defunct online drug-selling site and didn't need the assistance of the National Security Agency "bogeyman."

The Silk Road website was only accessible through the anonymizing tool Tor. The government alleges that Ulbricht, as Dread Pirate Roberts, "reaped commissions worth tens of millions of dollars" through his role as the site's leader. Trial is set for later this year.

The authorities said Friday that the FBI didn't need a US warrant to search the Icelandic server of Silk Road because "warrants are not required for searches by foreign authorities of property overseas."

Ulbricht's attorney did not immediately respond to a request for comment.
