Auernheimer Case Will Define Extent of Internet Freedom

“He had to do all kinds of things I don’t even understand.”

That was a quote from the government’s attorney on March 19, 2014, at the Third Circuit oral argument in U.S. v. Auernheimer. He was referring to the alleged criminal activity of the defendant, 28-year-old Andrew “weev” Auernheimer, who is now serving time in federal prison on a March 2013 conviction for violating the Computer Fraud and Abuse Act (CFAA).

The case raises an important civil liberties question: can you go to prison for violating the CFAA when you access information via a publicly available web address (URL) and you never bypass any security mechanism because there is none? Here are the facts. Auernheimer and a friend, who later testified against him as part of a plea deal, in 2010 harvested 114,000 email addresses (but no other information, such as passwords) from the AT&T website without bypassing any security. AT&T had made these website URLs publicly available to facilitate use of its website by the iPads associated with them. Auernheimer’s colleague discovered this fact and the two of them decided to harvest the email addresses and disclose them to the press in order to embarrass AT&T by revealing the flaw in its system. At the time, the two men held themselves out as security researchers, people who for a fee would help you understand how to make your systems as safe as possible. So this was theoretically good for business marketing purposes, but other than that, they made no attempt to and did not profit by their actions. In fact, they did nothing with the email addresses other than send them to reporters at Gawker Media and The Washington Post.

The Department of Justice prosecuted Auernheimer under the CFAA for accessing a computer “without authorization” and secured a conviction. Auernheimer is now serving a 41-month prison sentence while he appeals the conviction.

The central issue in the case is whether Congress intended the CFAA to encompass activity that stops short of breaching a security mechanism such as a password or other protective measure. Auernheimer takes the position that the court should adopt a bright line rule that there can be no liability absent a breach of security. The government contends that liability on the CFAA depends on the state of mind of the defendant and that Auernheimer knew that his actions were unauthorized, meaning he knew subjectively that AT&T did not want him to harvest the email addresses.

Auernheimer is represented pro bono by George Washington law professor Orin Kerr, who argued the case, along with Marcia Hoffman and Hanni M. Fakhoury of the Electronic Freedom Foundation and Tor B. Ekeland and Mark H. Jaffe of Tor Ekeland, P.C. in Brooklyn, who also represented Auernheimer at trial.

“This case is about the freedom to surf the Internet,” said Kerr last summer. “Congress never intended to criminalize visiting a public website.”

Auernheimer’s position is supported by many people who do understand what Auernheimer and his colleague did to obtain the email addresses off of the AT&T website—they say it’s not illegal to know how to point a web browser to a URL and the degree of difficulty makes no difference. They also say that many people and organizations use technology to scrape every bit of information they can find off of publicly available websites without realizing that they may be engaged in criminal activity.

At the oral argument, the appellate panel anticlimactically focused mainly on a threshold issue—whether venue for the crime was proper in New Jersey, when the only contact with New Jersey is that some of the email addresses were from accounts in that state. The defense argued that under the government’s view venue would be proper in all fifty states. The government acknowledged that point, and pointed out that the case involves email addresses from all fifty states.

Venue may be a basis to reverse the conviction, but the real issue here is the scope of the CFAA. Auernheimer has said so all along. As he tweeted right after the conviction: “Hey epals don’t worry. We went in knowing there would be a guilty here. I’m appealing of course.”

If the Third Circuit rejects Auernheimer’s position on the scope of the CFAA, that would set up a circuit split to be resolved by the Supreme Court. The Sixth Circuit decided in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), that an “unprotected website” cannot give rise to CFAA liability; it is “open to the public.”

The case was brought by U.S. Attorney for the District of New Jersey, Paul Fishman, and argued by Assistant U.S. Attorney Glenn Moramarco.

For copies of the pleadings, check out the Electronic Freedom Foundation.

Everything You Wanted to Know About Predictive Coding But Were Afraid to Ask

When I was a lawyer at the Department of Justice in Washington, DC, in the early 1990s, I worked on this crazy case in federal court involving electronic records preserved in the last days of the Reagan White House, following the Iran Contra Affair.  The lead counsel on the case for the government was my friend Jason Baron, who later went on to serve as Director of Litigation for the National Archives and Records Administration.

More recently, Jason joined Drinker Biddle’s Information Governance and eDiscovery practice as Of Counsel.  He just published a fascinating article in The Legal Intelligencer entitled “Using Analytics to Add Value to Your Legal Practice.”  He is talking about predictive coding.  Predictive coding is the use of a small set of coded documents to build a computer-generated model that can predict the coding on a larger set of documents and thereby facilitate legal review and analysis.  Are you amazed the way can suggest new books for you to read based on your past choices?  Predictive coding works the same way for document review in litigation.  Is predictive coding the next great thing or just a passing fad?  I am not sure, but Jason says that “as computing power increases, the power of predictive coding and like techniques will only grow in importance in both our daily and professional lives.”

Thoughtful lawyers and business leaders will watch predictive coding with great interest.

New Law Firm Experiences Strong Growth; Doubles Size in Just Three Months

The trial and litigation boutique law firm known as Steve Harvey Law LLC is celebrating its three-month anniversary by announcing the hiring of David V. Dzara as Counsel.  David is a terrific trial lawyer/litigator who formerly worked in the commercial litigation group at Pepper Hamilton.  Please join me in welcoming David to the Steve Harvey Law team.  Also join me in welcoming paralegal Terance Fitzsimmons.  Read more about David and Terance on the website under Our Team.

Steve Harvey Law focuses on trial and litigation of business disputes, banking and financial services matters, and civil rights.