In June of 2010, Andrew Auernheimer created a small computer program that connected to a publicly accessible, unsecured AT&T database of iPad subscribers. In November of 2012, he was found guilty of violating the Computer Fraud and Abuse Act (CFAA) and identity theft.
Tomorrow, he’s likely going to jail.
“It’s a fucking ludicrous charge,” Auernheimer told me this morning from New Jersey. “The FBI has tried to frame me for terrorism five times, and by their own admission they’ve been surveilling me since I was 15 years old.”
But tomorrow he expects to go to jail. In preparation, he and supporters have rented a 10,000 square foot hall where they’ll party the night away in perhaps his last taste of freedom for 10 years.
If he does go to jail, it’ll be the latest chapter in a long list of federal prosecutions of computer “crimes” by hackers who are forcing mainstream society to reconsider what freedom of speech means online, what is an appropriate response to a corporation’s poor security, and what kinds of access constitute crimes. That list includes Aaron Swartz, who committed suicide after what many have said was DOJ misconduct.
The story starts with a boneheaded AT&T decision.
During the summer of 2010, Auernheimer and co-defendant Daniel Spitler discovered that by querying AT&T’s iPad servers with a string of numbers that matched subscribers’ SIM card identifiers, AT&T’s servers would send back the unencrypted, unprotected email address of the AT&T customer, the iPad owner. AT&T had a massive security design flaw, which, as it admitted in Auernheimer’s one-week trial, was intentional: for subscriber convenience. After running the script to capture 114,000 email addresses of AT&T iPad subscribers, Auernheimer sent a list of the email addresses to Gawker to highlight the security hole. Gawker then printed them in redacted form.
“If you buy an Apple product, you have a right to know that Apple partners could compromise your privacy,” Auernheimer told me, explaining why he sent the email addresses. “And that they take six months to patch security issues.”
So there’s obviously a security issue. And there’s obviously a privacy issue. But where’s the crime?
“We sent Get requests to a public API,” Auernheimer says. “They charged me with unauthorized access to a computerized device … and identity theft, which is a possession charge … if you walk down a street and write down physical addresses, you’re stealing identifiers, and you’re an identity thief.”
If sending Get requests is a crime, we are all criminals.
You could be charged with unauthorized access to a computerized device, for instance, simply because you clicked on the link that brought you to this article. Oh, and Google, one of the most successful corporations in the world, is the root of all evil. A Get request is simply a message from a browser, or from other computer code, asking a server for a resource. You issue thousands of them every day all by yourself. Google issues billions.
Whether the receiving server responds to that request in any way, shape, or form is entirely at the discretion of the developers and system administrators who control that server.
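The point above, that the server's developers decide what a request gets back, shown as an added example (not code from this article or from AT&T): a lookup that treats the SIM identifier itself as the credential, next to one that also requires a session token tied to that identifier. Every name, identifier and the token scheme here is an assumption made for illustration.

```python
# Added illustration; names, identifiers and data are constructed, not AT&T's.
import hashlib
import hmac

# Constructed subscriber table: SIM identifier -> account email.
SUBSCRIBERS = {
    "99990000000000000001": "alice@example.com",
    "99990000000000000002": "bob@example.com",
}

SESSION_KEY = b"constructed-demo-key"  # hypothetical server-side secret


def lookup_open(sim_id):
    """Design described in the article: the identifier alone is the credential."""
    email = SUBSCRIBERS.get(sim_id)
    return (200, email) if email else (404, None)


def issue_token(sim_id):
    """Token the server hands out after the subscriber logs in (login not modelled)."""
    return hmac.new(SESSION_KEY, sim_id.encode(), hashlib.sha256).hexdigest()


def lookup_authenticated(sim_id, token):
    """Hardened form: answer only a caller holding a session for this SIM."""
    expected = issue_token(sim_id)
    if token is None or not hmac.compare_digest(expected.encode(), token.encode()):
        # Same answer for unknown and unauthorized identifiers, so the
        # response does not reveal which identifiers exist.
        return (403, None)
    email = SUBSCRIBERS.get(sim_id)
    return (200, email) if email else (403, None)
```

With the second form, a request that carries only an identifier receives the same refusal whether or not that identifier belongs to a subscriber.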
The CFAA does not define the phrase “unauthorized access,” so according to Auernheimer, the government essentially told the jury that his access to the server was unauthorized because they said it was. Which, if true, means that whether you commit a legal act or an illegal act is at the discretion of anyone who runs a webserver, who can change their mind at any time without you knowing.
Good luck following the straight and narrow.
After a one-week trial, a jury found Auernheimer guilty on November 20 after just a few hours of debate. Auernheimer told me that his friend overheard “vicious arguing and screaming” in the jury room, so there was some serious debate, but there was a potential reason to be fast, and maybe even hasty.
“The trial was right before Thanksgiving … I think people wanted to get the hell out of there and get to Thanksgiving,” Auernheimer said.
Tonight he’s awaiting sentencing, which could be up to 10 years in jail and up to $500,000 in fines. And he’s not too hopeful that the judge will go easy on him.
“I’m probably going to prison, and they may take me into custody immediately,” Auernheimer told me. “But I have an excellent chance on appeal … any sane examination of the CFAA at this point is going to realize that it criminalizes all web access.”
The Electronic Frontier Foundation has already agreed to help him with that appeal.