The U.S. Court of Appeals for the Third Circuit (federal appellate court for New Jersey, Pennsylvania, and Delaware) in April 2014 decided to duck, that is, not decide, whether the U.S. Department of Justice had overstepped its bounds in prosecuting 28-year-old Andrew “weev” Auernheimer for violating the federal Computer Fraud and Abuse Act (“CFAA”). Instead, the court vacated the conviction on venue grounds, holding that Auernheimer had insufficient contact with New Jersey to try him for the crime there. Neither Auernheimer nor his co-conspirator did anything from within New Jersey and none of the AT&T public web servers were located in New Jersey, leading the court to conclude that venue was improper because “[n]o protected computer was accessed and no data was obtained in New Jersey.” Here is a copy of the decision. The Department of Justice has not yet said whether it will seek to re-try Auernheimer in another jurisdiction.
Auernheimer was convicted of a felony, sentenced, and served part of that sentence in federal prison for violating the CFAA by accessing data “without authorization.” The crime? “[R]evealing to media outlets that AT&T had configured its [public web] servers to allow the harvesting of iPad owners’ unsecured email addresses,” as the Electronic Frontier Foundation succinctly summarized the case. Importantly, Auernheimer did this without bypassing any security measures because AT&T decided not to secure the data he accessed. All he did was enter keystrokes as a publically available URL to access the information. So how is this a crime? It’s true that there are limits on what you can do with information you can find publically available on the Internet. You cannot use it in violation of copyright for example. You cannot use it to perpetrate a scheme to defraud. This makes sense, as the law should. But how does it make any sense for the government to bring all of its criminal sanction power to bear on a person (in the old-fashioned sense of that word meaning a single woman or man) for doing nothing more than accessing data that was left open to the public and then blowing the whistle on the AT&T security lapse? Also, shouldn’t there be a bright line right at the point where a person bypasses a security mechanism? Many people and entities scrub the Internet for publically available data. Could they be liable for criminal violations of law depending on what they do with the data?
The government’s position in the Auernheimer case implicates all of these issues. Similar issues were raised in the case of Aaron Swartz, the 26-year old internet genius and freedom advocate who died tragically in January 2013 while under aggressive prosecution by the Department of Justice for criminally violating the CFAA under circumstances that reasonable people would characterize as civil disobedience with no intent to gain and no harm to the general public.
Unless the government decides to try Auernheimer again in another jurisdiction, it appears that we will not get the answers to any of the question discussed above, at least not in the Auernheimer case, because the Third Circuit decided it on venue grounds only. This issue will arise again and ultimately the courts will give clear guidance on this issue or if not Congress should do so. Vladimir Putin is clamping down on internet freedom everywhere he has control. We should do the opposite everywhere we have control.
Meanwhile, Auernheimer is out of prison and talking to the media again. I wonder if the government is still following him?