Hoards of internet enthusiasts crowed in unison, when Andrew “Weev” Auernheimer was convicted of computer fraud in 2012 and later sentenced to 3.5 years in prison. And on Friday, those cries were justified. A federal appeals panel just overturned the conviction, but not for the reasons some activists might’ve hoped for. Read The 3rd Circuit Court Ruling To Vacate [pdf] [scribd]
The judges actually threw out the case simply because of where it was filed. Weev, you see, was physically located in Arkansas when he wrote a script that lifted over 120,000 iPad users’ email addresses through a hole in AT&T’s website that they later reported to Gawker.
Meanwhile, his alleged partner in crime, Daniel Spitler, was located in California, and the servers they were targeting were in Dallas. But the case was brought against Weev in New Jersey.
“Almost the entire thing was about venue,” Tor Ekeland, an attorney who also represents Auernheimer, told me after the hearing in March. he speculated that weev was tried in New Jersey simply because the state had a major computer crimes division; it had no relevance to the case. “Nothing happened in New Jersey. No victims, no possession.”
Weev Is Free, Because You Can’t Prosecute A Hacker Just Anywhere
So the Computer Fraud and Abuse Act, the one that prosecutors love to accuse hackers of breaking, will remain vague. Internet activists will pat themselves on the back for keeping another hacker (who didn’t actually hack) out jail. And Weev, well, Weev will probably be just as salty as he’s always been.
While it chose to focus on the venue issue, the court did briefly address another crucial aspect of weev’s alleged crime—one that his lawyers and many others in the computer community have argued did not constitute “hacking” in the criminal sense.
“We also note that in order to be guilty of accessing “without authorization, or in excess of authorization” under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code- or password-based barrier to access [..] The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.”
In other words, New Jersey law demands that “hacking” requires breaking a password, even though, as the opinion notes, the threshold for hacking is lower under the federal version of the CFAA. The law was also used to originally prosecute Aaron Swartz, the activist whose scraping of journal articles was determined by the government to be theft.
RELATED STORY | CAN A REVILED HACKER BECOME A GEEK HERO?