It's hard to have sympathy for Andrew "weev" Auernheimer, the infamous internet provocateur known for his copious drug use and racial epithets who once bragged to the The New York Times, "I hack, I ruin, I make piles of money." But a team of digital rights lawyers looking to appeal his conviction under the same controversial law used to prosecute Aaron Swartz make the case that, if uncorrected, what's happening to weev will have a devastating impact on the rights of every internet user — troll and non-troll alike.
"It is irrelevant that AT&T subjectively wished that outsiders would not stumble across the data."
The team, which is being led pro-bono by The Volokh Conspiracy's Orin Kerr with support from the Electronic Frontier Foundation, filed a brief yesterday to appeal the case. Auernheimer was sentenced in March to 41 months in prison and a $73,000 fine on multiple "hacking" charges for revealing an AT&T security hole which publicly displayed the email addresses of over 100,000 iPad 3G customers on the company's website. Auernheimer and partner Daniel Spitler had discovered that private user information could be viewed by simply incrementing the number at the end of a public URL, and wrote a script to automatically scrape the public data from AT&T's site, which they then shared — without publishing it and after warning AT&T — with a journalist at Gawker.
Of particular concern: how can those actions possibly constitute "unauthorized" or "exceeding" access to a computer, which do not have clear definitions under the 1986 Computer Fraud and Abuse Act? The team arguing Auernheimer's appeal makes the case that just because the access was "undesirable" and damaging to AT&T's reputation does not make it "unauthorized," since the material in question was available by simply typing in a URL. "It is irrelevant that AT&T subjectively wished that outsiders would not stumble across the data or that Auernheimer hyperbolically characterized the access as a 'theft,'" the brief argues. "The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information."
"The fundamental question in this case is whether it is a crime to visit a public website."
The root of the issue is the vague language of the statute, which has allowed Terms of Service agreements to fill in the blanks with their own definitions of "unauthorized" or "exceeding access." The consequence, digital rights groups say, is that vast amounts of innocuous internet activity can be easily made into felony offenses, like using a fake name on a social network, if the site's administrators simply assert they didn't give a user explicit permission. "The fundamental question in this case is whether it is a crime to visit a public website," the brief states. It cites a court case, United States v. Gines-Peres, which ruled that a company that “places information on the information superhighway clearly subjects said information to being accessed by every conceivable interested party,” unless “protective measures or devices that would have controlled access” are put in place.
But the court in the weev case didn't seem to make that distinction. Instead, the prosecution focused largely on weev's personality, citing unsavory and aggressive public statements made on Reddit prior to the trial rather than examining the technical aspects of whether or not he had actually broken the law. Members of Congress are currently pushing new legislation designed to narrow the CFAA's scope so that future prosecutions only target malicious intruders, not authorized users a company might find undesirable.