“He had to do all kinds of things I don’t even understand.”
That was a quote from the government’s attorney on March 19, 2014, at the Third Circuit oral argument in U.S. v. Auernheimer. He was referring to the alleged criminal activity of the defendant, 28-year-old Andrew “weev” Auernheimer, who is now serving time in federal prison on a March 2013 conviction for violating the Computer Fraud and Abuse Act (CFAA).
The case raises an important civil liberties question: can you go to prison for violating the CFAA when you access information via a publicly available web address (URL) and you never bypass any security mechanism because there is none?
Here are the facts. In 2010, Auernheimer and a friend, who later testified against him as part of a plea deal, harvested 114,000 email addresses (but no other information, such as passwords) from the AT&T website without bypassing any security. AT&T had made these website URLs publicly available to facilitate use of its website by the iPads associated with them. Auernheimer’s colleague discovered this fact, and the two of them decided to harvest the email addresses and disclose them to the press in order to embarrass AT&T by revealing the flaw in its system. At the time, the two men held themselves out as security researchers, people who for a fee would help you understand how to make your systems as safe as possible. So this was theoretically good for business marketing purposes, but other than that, they neither attempted to profit nor profited from their actions. In fact, they did nothing with the email addresses other than send them to reporters at Gawker Media and The Washington Post.
The Department of Justice prosecuted Auernheimer under the CFAA for accessing a computer “without authorization” and secured a conviction. Auernheimer is now serving a 41-month prison sentence while he appeals the conviction.
The central issue in the case is whether Congress intended the CFAA to encompass activity that stops short of breaching a security mechanism such as a password or other protective measure. Auernheimer takes the position that the court should adopt a bright-line rule that there can be no liability absent a breach of security. The government contends that liability under the CFAA depends on the state of mind of the defendant and that Auernheimer knew that his actions were unauthorized, meaning he knew subjectively that AT&T did not want him to harvest the email addresses.
Auernheimer is represented pro bono by George Washington law professor Orin Kerr, who argued the case, along with Marcia Hofmann and Hanni M. Fakhoury of the Electronic Freedom Foundation and Tor B. Ekeland and Mark H. Jaffe of Tor Ekeland, P.C. in Brooklyn, who also represented Auernheimer at trial.
“This case is about the freedom to surf the Internet,” said Kerr last summer. “Congress never intended to criminalize visiting a public website.”
Auernheimer’s position is supported by many people who do understand what Auernheimer and his colleague did to obtain the email addresses from the AT&T website. They say it’s not illegal to know how to point a web browser to a URL, and that the degree of difficulty makes no difference. They also say that many people and organizations use technology to scrape every bit of information they can find from publicly available websites without realizing that they may be engaged in criminal activity.
At the oral argument, the appellate panel anticlimactically focused mainly on a threshold issue—whether venue for the crime was proper in New Jersey, when the only contact with New Jersey is that some of the email addresses were from accounts in that state. The defense argued that under the government’s view venue would be proper in all fifty states. The government acknowledged that point, and pointed out that the case involves email addresses from all fifty states.
Venue may be a basis to reverse the conviction, but the real issue here is the scope of the CFAA. Auernheimer has said so all along. As he tweeted right after the conviction: “Hey epals don’t worry. We went in knowing there would be a guilty here. I’m appealing of course.”
If the Third Circuit rejects Auernheimer’s position on the scope of the CFAA, that would set up a circuit split to be resolved by the Supreme Court. The Sixth Circuit decided in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), that an “unprotected website” cannot give rise to CFAA liability; it is “open to the public.”
The case was brought by U.S. Attorney for the District of New Jersey, Paul Fishman, and argued by Assistant U.S. Attorney Glenn Moramarco.
For copies of the pleadings, check out the Electronic Freedom Foundation.