By ROSE BOUBOUSHIAN
(CN) – A hacker who is serving 3 1/2 years in prison for publicizing an AT&T server security flaw has appealed what he calls a “remarkable and unprecedented” felony conviction.
Andrew “Weev” Auernheimer, now 27, came under fire after he tried to spotlight a security problem discovered by Daniel Spitler in 2010.
Spitler had written a script that collected roughly 114,000 email addresses through a security hole at AT&T. The telecommunications giant had deliberately configured its servers so that it would reveal the email addresses of iPad owners when queried with a number matching the SIM card identifier of their iPad.
Auernheimer sent the list Spitler had generated to several journalists.
AT&T then fixed the vulnerability, and the government charged Spitler and Auernheimer with conspiracy to violate the federal Computer Fraud and Abuse Act (CFAA) and identity theft law.
Spitler reached a plea deal with the government in June 2011, ultimately testifying against Auernheimer, who was convicted of two felonies in November.
Auernheimer was sentenced in March to 41 months in federal prison, and the Electronic Frontier Foundation joined Auernheimer’s legal team in filing the appeal Monday.
“This is an appeal from a remarkable and unprecedented criminal conviction,” the appeal states. “The government charged Auernheimer with felony computer hacking under the Computer Fraud and Abuse Act (‘CFAA’) for visiting an unprotected AT&T website and collecting e-mail addresses that AT&T had posted on the World Wide Web. The government also charged Auernheimer with identity theft for sharing those addresses with a reporter. This prosecution was brought in New Jersey even though neither Auernheimer, his alleged co-conspirator Daniel Spitler, nor any computer or communications were actually located in or passed through New Jersey. Finally, Auernheimer was sentenced to a forty-one-month prison term based in large part on AT&T’s decision to spend approximately $73,000 to supplement e-mail notification to customers with a postal letter informing them that their privacy was not breached.”
In addition to EFF attorney Hanni Fakhoury, who signed the appeal, Auernheimer is represented by Orin Kerr of George Washington University Law School, San Francisco-based attorney Marcia Hofmann and the Brooklyn, N.Y.-based firm Tor Ekeland.
“This case is about the freedom to surf the Internet,” Kerr said in a statement. “Congress never intended to criminalize visiting a public website.”
Fakhoury said “the government set out to make an example of Auernheimer. But the only message this sends to the security-research community is that if you discover a vulnerability, you could go to jail for sounding the alarm.”
The EFF did not shy away from comparing Auernheimer’s case to that of the 26-year-old Reddit.com co-founder Aaron Swartz, who committed suicide earlier this year. At the time, Swartz had faced more than 30 years in prison and $1 million in fines if convicted for several felony CFAA violations related to his download of more than 4 million academic articles from the scholarly database JSTOR.
“Auernheimer was aggressively prosecuted for an act that caused little harm and was intended to be – and ultimately was – in the public interest,” said attorney Hofmann, an EFF member. “The CFAA’s vague language gives prosecutors great latitude to abuse their discretion and throw the book at people they simply don’t like. That’s as evident here as it was in the prosecution of Aaron Swartz.”
Tor Ekeland said that Auernheimer’s case involves the free flow of information on the Internet.
“The government is criminalizing computer behavior that millions of Americans engage in every day,” Ekeland said in a statement. “The government’s reckless and myopic prosecution of Auernheimer for obtaining public information from a public website endangers that vital aspect of the Internet and our national economy, which depends on the free flow of information.”
If passed by Congress, a bill called Aaron’s Law would decriminalize breaches of websites’ terms of service agreements, which became felony offenses under the CFAA.
Auernheimer is in solitary at the Allenwood Federal Correctional Complex in White Deer, Pa.