Fayetteville hacker’s attorneys plan to appeal 2012 conviction

Attorneys for a Fayetteville man convicted and imprisoned on federal computer hacking charges are preparing to appeal.

Andrew Auernheimer, 27, was convicted in November of violating the federal Computer Fraud and Abuse Act, the foundation for anti-hacking laws in the United States. Auernheimer and a co-defendant, Daniel Spitler of San Francisco, were arrested in January 2011.

The men were charged with penetrating AT&T servers and stealing more than 100,000 e-mail addresses associated with AT&T iPad users. The two then contacted gawker.com, a website that credits itself with the tagline “Today’s gossip is tomorrow’s news,” to brag about their exploits, and provided Gawker with the AT&T customer data as proof.

In June 2011, Spitler pleaded guilty to one count of conspiracy to gain unauthorized access to computers and one count of identity theft, according to Reuters news reports. Susan Cassell, Spitler’s defense attorney, said Friday that Spitler had not yet been sentenced and that no sentencing date had been set.

Auernheimer pleaded innocent to all charges, claiming that his actions were meant to point out security flaws in AT&T’s server system. He was convicted in a federal court and is serving a 41-month sentence in the Allenwood Federal Correction Complex in White Deer, Pa.

During his 2012 trial, Auernheimer was represented by Tor Ekeland, a Brooklyn, N.Y.-based attorney specializing in technology and business law, and received the assistance of other attorneys from organizations including the American Civil Liberties Union and the Electronic Frontier Foundation.

Ekeland, who will represent Auernheimer during the appeals process, said the case was unusual because many technology experts are unsure if a crime was committed.

“I don’t know if there’s been a criminal prosecution like this, where [a defendant] has been sentenced for accessing a publicly accessible server,” Ekeland said.

According to Ekeland and technical experts interviewed for this story, the way in which Auernheimer and Spitler gained access to AT&T’s customer information doesn’t qualify as “hacking” because each customer’s e-mail address was found by simply typing a specific Web address (commonly known as a URL, or uniform resource locator) into a Web browser.

Hanni Fakhoury, an attorney with the Electronic Frontier Foundation in San Francisco, said once the two men discovered the first idiosyncratic Web address, they wrote a simple computer program, known as a “script,” that automated the search process.

“The writing of the script itself isn’t hacking,” Fakhoury said. “[The script] wrote in a URL, and copied what it found there. When I think of ‘hacking,’ I think of breaking into a system - going around a technological barrier that’s trying to keep you out. If there’s no gate to keep you out, there’s no ‘breaking;’ there’s no intrusion.”

Dale Thompson, an associate professor at the University of Arkansas at Fayetteville specializing in computer network systems, security and privacy, agreed with Fakhoury’s technical assessment.

“This is not much of a hack, to be honest,” Thompson said.

Thompson, who helped provide network security for the U.S. Army as a civilian employee from 1992 to 2000 before joining the UA faculty, said that whenever a hacker makes news, he brings it up as a topic of discussion in his network security classes, from both forensic and ethical standpoints.

“We always think about the ethics of things like this,” Thompson said. “Initially, it seemed like ‘computer people’ didn’t really understand that just because you can do something doesn’t mean it’s OK.”

Thompson said that even if he thought Auernheimer and Spitler were not technically guilty of hacking, the act of making the personal information of AT&T customers available was ethically dubious.

“It’s a tough one,” Thompson said. “Since these people thought their data was secure, and [the customers] didn’t publish their e-mail address, that trust was obviously broken.

“It was an easy hack, but I still think it’s an ethical violation. The door’s open - you walked right in,” Thompson said. “It was pretty easy to do, almost too easy.”

The prosecutor in the case saw no legal or ethical ambiguity in Auernheimer’s actions. In his March 2013 sentencing recommendation to the judge, U.S. Attorney Paul Fishman described Auernheimer and Spitler’s actions as “theft by deception.”

“Only by deceiving, by lying, and by tricking, did the defendant and his co-conspirator get those users’ information,” Fishman’s memorandum reads in part.

Fakhoury said an important aspect of Auernheimer’s case is the extremely broad nature of the Computer Fraud and Abuse Act, which was first enacted by the U.S. Congress in 1986, 10 years before the Web was a part of modern life for most people. Fakhoury and other lawyers focused on Internet law have lobbied over the years to have the act amended and narrowed, although Fakhoury said it has been an uphill battle.

“It has absolutely been broadened,” Fakhoury said. “When it was put into law in the 1980s, it was focused on hackers. The problem now is that the law has been so broadened and stretched that it covers things that fall very far from that definition. It was not intended to criminalize finding information on a publicly available website.

“We think the law should be narrowly focused on truly destructive hacking, instead of a broad statute that can cover all sorts of innocuous behavior,” Fakhoury said.

Auernheimer’s lawyers are appealing both his conviction and his sentencing. Fakhoury said they are appealing the conviction because previous legal precedent has established that Internet users are assumed not to need authorization to access publicly available websites, as Fakhoury and others have said the AT&T servers clearly were.

They are also appealing Auernheimer’s 41-month sentence, which was calculated based on the $73,000 cost AT&T incurred when it mailed written notices to its customers, notifying them of the security breach. Fakhoury said the cost was improperly applied to Auernheimer’s case, because neither he nor Spitler caused any actual damage to AT&T’s property or any loss of equipment, data or funds.

Fakhoury and others have speculated that the length of Auernheimer’s sentence is also attributable to his behavior both in and out of the courtroom during his trial process, as he often publicly questioned the validity of the law in question and mocked the legal process.

In his sentencing recommendation, Fishman noted Auernheimer’s apparent lack of remorse for his actions, stating that, “Rather than accept personal responsibility for his criminal conduct and start down the path toward rehabilitation, the defendant consistently paints himself as the victim of a government and corporate conspiracy. If left unpunished, the defendant will - by his own admission - continue to engage in computer intrusions; continue to access computers without authorization; and continue to draw attention to himself through damaging exploits in the cyberworld.”

“Let’s be honest,” Fakhoury said. “He can be a tough guy to deal with. He can be a nuisance, and he’s not necessarily respectful of authority. But that’s not how we punish people in this country.”

Rebekah Carmichael, a spokesman for the U.S. attorney’s office in the New Jersey district, said the office has no comment about Auernheimer’s coming appeal.

Fakhoury and Ekeland said they plan to file their initial appellate briefs July 1 with the Third Circuit Court of Appeals in Philadelphia.

Arkansas, Pages 7 on 06/24/2013
