Hacker ‘Weev’ Is Out of Jail, but His ‘Fight for Freedom’ Isn’t Over Yet

Pinguino K (CC BY 2.0)

Andrew “Weev” Auernheimer walked out of the Federal Correctional Institution Allenwood in White Deer, Pa., on April 11 after spending over a year there when a federal appeals court vacated his conviction on hacking charges.

Auernheimer had been found guilty on Nov. 20, 2012, of conspiracy to gain unauthorized access to AT&T servers under the Computer Fraud and Abuse Act and for identity theft in New Jersey (although he was never in New Jersey, nor were the servers he accessed in that state). He and another man, Daniel Spitler, were charged with fraud under the CFAA for finding a loophole on AT&T’s website in June 2010 that allowed them to gain access to thousands of emails of iPad owners — after which Auernheimer shared his findings with a reporter from Gawker who wrote a story and notified AT&T. The list of emails was never released to the public. Spitler pleaded guilty and was given probation but Auernheimer decided to fight the charges.

The trial was set in motion by the U.S. government with the help of AT&T. According to Auernheimer and his lawyer, Tor Ekeland, the FBI was at the center of Auernheimer’s conviction. None of the email addresses that Auernheimer found on AT&T’s public website were password protected. In addition to Ekeland, Auernheimer’s legal team included Orin Kerr, a former prosecutor and now a professor at George Washington University Law School, and digital rights organization Electronic Frontier Foundation.

Although Auernheimer was released April 11, he may be retried and even if he isn’t, this case presents grave implications. One issue that has been noted in the press is trial through personality. According to some people familiar with the case — including Auernheimer’s legal team and net neutrality lawyer Marvin Ammori writing in Wired — it was that kind of personal attack that led to his conviction. Auernheimer has been portrayed by some as amoral, juvenile and narcissistic. Indeed, judging by his interviews with The Huffington Post, he presents himself as a martyr with a grandiose sense of his own intellect, which can challenge his ability to elicit empathy from the public (not to mention his opponents).

Auernheimer surfaced on the public stage in 2008 when The New York Times did an exposé on “trolls” that included some of his controversial commentary, such as: “The question we have to answer is: How do we kill four of the world’s six billion people in the most just way possible?” Aside from such philosophical statements, Auernheimer also gained a reputation for humiliating people through online public forums, a habit that was cataloged in the Times piece. Since then he has been widely known by his online name “Weev” and tends to refer to himself as such.

Although Auernheimer is far from a sympathetic character, these are clearly not reasons in themselves to throw someone in prison. During his trial, the prosecutor went after Auernheimer’s personality and political views, and the District Court sentenced him to a 41-month term. According to Ekeland and Ammori, this was an attack on Auernheimer as a person, rather than on his alleged crime, and was the focus of the government’s prosecution. In court prosecutors revealed personal messages Auernheimer had sent, quoted the New York Times article and used Internet data that some would consider private as evidence that he needed to be locked away.

The strategy of using personal data and conversations submitted online is not unique to Auernheimer’s case. It’s the same tactic that has been used against Edward Snowden, albeit in the media rather than in a courtroom, with pundits like CNN’s Jeffrey Toobin quoting the NSA whistle-blower’s chat logs from years ago as a way to define his actions and call him a “traitor.” It was also a method used to discredit and attack Pfc. Chelsea Manning. As Ammori pointed out in Wired, “[W]e should all be worried when the government digs up our past and puts us on trial for who we are and what we stand for by using an expansive interpretation of what has been called ‘the worst law in technology‘ to make criminals out of millions.”

Another issue this case raises relates to the Computer Fraud and Abuse Act. As Wired and other outlets noted, the CFAA was the same law that the government had used to charge Aaron Swartz after he downloaded academic journals from MIT, a prosecution that many people believe contributed to his decision to kill himself. The CFAA states that online users can’t have unauthorized access to public servers and to do so is a felony. However, CFAA’s critics argue that the law, created in 1986 under very different technological circumstances, is outdated and can allow for dangerously ambiguous applications. For example, the CFAA stipulates broadly that it is a crime to obtain information “without authorization,” but in cases like Auernheimer’s, exactly what constitutes “authorization” is up for interpretation. Auernheimer has also noted that Hypertext Transfer Protocol (HTTP) had not been created yet at the time of the CFAA’s enactment, let alone Wi-Fi, which allows people to constantly roam public servers. That renders the CFAA obsolete today, he has argued.

According to The Guardian, this is one of the reasons a group of security researchers, computer scientists and Internet freedom advocates had filed an amicus brief asking the appeals court to overturn Auernheimer’s conviction. One of the parties that signed the brief is the Mozilla Foundation, creator of the Firefox Web browser. The brief signers “argue there are ‘striking similarities’ between research tools used by experts to benefit privacy and security and those employed by Auernheimer, and that they have a vital interest in arguing why individuals must be deemed authorized under the CFAA when they access unsecured data on websites,” the paper noted.

In the Auernheimer case, the CFAA was interpreted to consider publicly available data strictly under the purview of AT&T, thus allowing the company to dictate what is or isn’t criminal behavior. According to the Wired piece, there is nothing to stop the CFAA from being used against people, for example, who lie about their identities on online platforms such as Myspace or Facebook. Taking this logic a step further then, it’s possible to see how information generated by average online users, not just provocateurs like Auernheimer, might be used against them.

According to Auernheimer, the ways in which the CFAA was mobilized against him could theoretically be emulated by companies like Google. He told The Huffington Post that Google doesn’t actually give its users permission to access its services and could use the CFAA to urge that people be tried and put in prison for a simple search query the company did not like.

The other troubling precedent this case almost set involved trying Auernheimer in a state different from where the alleged crime was committed. Prosecutors had brought charges against Auernheimer in U.S. District Court in New Jersey even though he and Spitler operated out of Arkansas and California, respectively, and the servers they accessed were in Texas and Georgia. Improper venue was the reason given for the vacating of Auernheimer’s conviction by a unanimous three-judge panel of the 3rd U.S. Circuit Court of Appeals. In the April 11 decision, U.S. Circuit Judge Michael Chagares wrote that:

“The Supreme Court has repeatedly made clear that the constitutional limitations on venue are extraordinarily important. “[Q]uestions of venue are more than matters of mere procedure. They raise deep issues of public policy in the light of which legislation must be construed. … [T]he ever-increasing ubiquity of the Internet only amplifies this concern. As we progress technologically, we must remain mindful that cybercrimes do not happen in some metaphysical location that justifies disregarding constitutional limits on venue. People and computers still exist in identifiable places in the physical world. When people commit crimes, we have the ability and obligation to ensure that they do not stand to account for those crimes in forums in which they performed no ‘essential conduct element’ of the crimes charged.”

In our security state, the FBI seems to be taking more liberties in its pursuit against activists. As you can read here, some in the U.S. government have tried to paint certain peace activists as terrorists, and when figures like Auernheimer end up in prison, our civil liberties are threatened. While Auernheimer was in prison, Ekeland had claimed that only one out of every 10 to 20 letters his client sent him actually reached him. According to Auernheimer and his legal team, he was also denied the attorney room his whole stay and prison officials isolated him in solitary confinement for about half the time he was incarcerated. At one point they even denied him the food he needed (he cannot eat gluten), Auernheimer and his team allege, which led him to stage a three-day hunger strike.

The U.S. government is threatening to retry Auernheimer in another jurisdiction. His case is not over by any means, and critics of his prosecution hope Auernheimer’s plight will underscore the need to put an end to the CFAA.