Judge Throws the Book at AT&T Hacker 'Weev'
The Computer Fraud and Abuse Act is under the microscope again following a stiff sentence for Andrew Auernheimer, who will spend just over three years in prison for taking personal data from a publicly accessible website and giving it to a popular blog. A digital rights group, while admitting that Auernheimer's behavior during trial didn't help, says the CFAA -- used by law enforcement in two other recent cases -- is too vague.
03/18/13 4:17 PM PT
Andrew Auernheimer, a hacker known as "Weev," was sentenced Monday to 41 months in prison for obtaining the personal data of more than 100,000 iPad owners from AT&T's publicly accessible website and sending the information to the media. The ruling immediately sparked an outcry from a digital rights group that claims the punishment does not fit the crime.
Weev was also given three years of supervised probation and ordered to pay US$73,000 in restitution together with codefendant Daniel Spitler.
The court "is sending out the message that this type of behavior will be punished very severely," Hanni Fakhoury, staff attorney for the Electronic Frontier Foundation, told TechNewsWorld. "We don't think it's criminal -- he did not hack into anything or use a fake user name or password. He entered a URL and that URL spat out information. Forty-one months for that behavior is insane."
The sentence, however, was directed more at "Weev" than at sending such a warning message, said Yasha Heidari, managing partner at the Heidari Power Law Group. "Auernheimer showed a lack of respect to the court, appeared unsympathetic and posted some foolish comments on Reddit that implied he was going to engage in the same conduct in the future," he said. "From the judge's perspective, when a defendant engages in such behavior, it becomes difficult to show any leniency."
Weev was reportedly pinned down and handcuffed by court agents before the sentence was handed down, after he gave a mobile phone to his defense attorney instead of handing it to the court as requested.
Reaction to the Case
The sentence "will likely have a polarizing effect on the [computer] security community," warned Ken Baylor, a research vice president at NSS Labs. "Some will stop doing research altogether, some will do it but not report it through the normal channels for fear of repercussions, others will do it and sell their results on the black market."
Had Weev immediately reported his findings to AT&T instead of making them public, it is "very unlikely" he would have been prosecuted, Baylor told TechNewsWorld. However, there is no legal requirement for him to have done so.
Weev, who was defended pro bono by New York City law firm Tor Ekeland, P.C., was charged under the Computer Fraud and Abuse Act (CFAA), which has been criticized for being too far-reaching and susceptible to abuse. A fund has been set up to fight the CFAA and to assist in Weev's appeal.
The EFF announced on Monday that it planned to join Weev's legal team to appeal the sentence.
Even though Weev may have been an unsympathetic defendant, "we live in a country where it's not a crime to be a jerk," Fakhoury noted. The hacker accessed data on a publicly available site, and "you have to separate the personality from the activity."
The Long Arm of the Law
"The CFAA is being used in this case to enforce morality and ethics, something it should not be used for," Baylor said.
The CFAA "was poorly drafted, as it was meant to deal with a wide gap in cyberspace where conventional laws were lacking," Heidari said. "Accordingly, the law was written to be extremely broad, which has resulted in abuse by overzealous prosecutors who attempt to criminalize what should be nothing more than a civil lawsuit or terms-of-use violation."
The best-known case prosecuted under the CFAA was that of Reddit co-founder Aaron Swartz, who committed suicide after being indicted. Last week, journalist Matthew Keys was indicted under the CFAA for allegedly helping members of the hacker collective Anonymous break into the network of the Tribune Company, his former employer.
As for reports that Weev had been handcuffed, that would have been "an appropriate reaction" if he was trying to willfully disobey the judge or play games, Heidari said. However, if it was a misunderstanding on Weev's part, "it would indeed seem to be an overreaction."