WASHINGTON - An Arkansas man found guilty of violating the main U.S. anti-hacking law by taking 114,000 email addresses from AT&T Inc. had his conviction thrown out by an appeals court that ruled he was tried in the wrong state.
Andrew Auernheimer, known in the online world as “weev,” was indicted and convicted at a trial in Newark, N.J., of conspiracy to violate the Computer Fraud and Abuse Act and identity fraud. The U.S. Court of Appeals in Philadelphia ruled Friday that he never should have been charged in New Jersey because his crimes had no connection to the state.
A three-judge panel said that while the case raised “complex and novel issues that are of great public importance in our increasingly interconnected age,” its decision turned on venue - the proper place for a defendant to be tried.
Auernheimer, who is serving a 41-month prison term, gained notoriety for breaking into computer systems, disrupting blog sites and riling people with personal attacks. His supporters made the case a rallying point to argue that the Justice Department wields the Computer Fraud and Abuse Act too broadly, threatening Internet freedom. His lawyer said he was punished for his views.
“I’m ecstatic,” said Auernheimer’s attorney, Tor Ekeland. “This is a really great decision. We’ve been arguing since Day One that this was improperly brought in New Jersey. They hate his speech. This whole case has not really been about computer crime.”
Ekeland obtained a court order to release Auernheimer from the Allenwood Federal Correctional Complex in White Deer, Pa., subject to his previous bail conditions.
His client has been held in solitary confinement for 23 hours a day and has “generally been treated horribly,” Ekeland said. He said prosecutors told him they want Auernheimer held on the same supervised release conditions as he had before trial.
Matthew Reilly, a spokesman for U.S. Attorney Paul Fishman, who oversaw Auernheimer’s prosecution, said the office was reviewing its options.
Former federal prosecutor Doug Burns said Auernheimer could be retried if the Justice Department seeks his indictment in the proper district. The constitutional bar against double jeopardy wouldn’t apply, he said.
Auernheimer was represented on appeal by the Electronic Frontier Foundation, which applauded the ruling.
“Today’s decision is important beyond weev’s specific case,” foundation attorney Hanni Fakhoury said in a statement. “The court made clear that the location of a criminal defendant remains an important constitutional limitation, even in today’s Internet age.”
Prosecutors said Auernheimer’s associate, Daniel Spitler, breached AT&T servers and stole email addresses of more than 114,000 users of Apple Inc.’s iPads. Auernheimer disclosed that data to the Gawker website. AT&T plugged the hole and apologized to customers.
Auernheimer emailed iPad users at news organizations to say he had “stolen” identification numbers for their addresses, and he “would be happy to discuss the method of theft.” At trial, Auernheimer said he used the words like “theft” as “rhetoric and hyperbole” to “sensationalize” the story.
In an interview last year, Fishman said his office doesn’t pursue minor infractions of the law and that the privacy violations in the case were obvious.
“If you hack and you get 114,000 email addresses, and you look at them and say, ‘I don’t want to tell anybody about this,’ it’s different than sending them out and publicizing what you do and basically thumbing your nose,” Fishman said. “If we don’t respond under circumstances when people do something that is so notorious, that sends a bad message, too.”
Spitler pleaded guilty and testified against Auernheimer. He described how he carried out his attack by writing computer code to generate iPad identification numbers. Auernheimer told jurors that the information was public and that he never considered what he did as theft.
Auernheimer was in Fayetteville, while Spitler was in San Francisco. The computer servers they hacked were in Dallas and Atlanta, according to the ruling.
“Despite the absence of any apparent connection to New Jersey,” Auernheimer was indicted by a grand jury in Newark, U.S. Circuit Judge Michael Chagares wrote.
Trying someone where a crime occurred is a fundamental constitutional right intended to prevent the government from shopping for the most favorable forum, Chagares wrote.
“The ever-increasing ubiquity of the Internet only amplifies this concern,” he said. “As we progress technologically, we must remain mindful that cyber crimes do not happen in some metaphysical location that justifies disregarding constitutional limits on venue.”
Auernheimer’s supporters said he was punished for being obnoxious.
At his sentencing hearing in March 2013, he told the prosecutors and the judge, “If you people understood what you were doing with the rule of law and the Constitution, you would feel shame.” The judge criticized his “pervasive disrespect,” which she factored into his sentence.
After being imprisoned, Auernheimer sent electronic messages about his experience, relying on friends who posted tidbits from emails sent through the prison email system.
In April 2013, he was cut off from prison email without explanation. He used recordings, posted by supporters on the audio-sharing site Sound-Cloud, to document his prison experience.
Later that month, all his books and papers were taken away, and he was placed in a special housing unit used to separate and punish inmates.
The case is U.S. v. Auernheimer, 13-1816, U.S. Court of Appeals for the Third Circuit (Philadelphia).
Front Section, Pages 3 on 04/12/2014