Self-proclaimed troll Andrew “Weev” Auernheimer was sentenced to 41 months in prison and three years of supervised release yesterday for violating the Computer Fraud and Abuse Act (CFAA) by accessing data left publicly available online by AT&T — the high end of the range called for by federal sentencing guidelines in his case. In 2010 Auernheimer and a colleague discovered a major security flaw in the system AT&T used to track iPad owners: There was no security — in fact, anyone with a web browser could have accessed the data because it was published on the open web. Auernheimer shared information on the exploit with Gawker after the flaw was fixed — resulting in the exposure of AT&T’s inability to protect customer data and CFAA charges against Auernheimer.
Auernheimer’s situation has not gotten the same level of attention as other high profile CFAA cases like Aaron Swartz or Reuters’ Matthew Keys, no doubt at least partially due to the wildly unsympathetic defendant: His history of aggressive trolling is so disgusting even reddit couldn’t sympathize with him and he has also been arrested on drug charges. But the details of his case represent one of the best examples of how current computer crime law fails to address how the internet actually works. For instance, the “unauthorized access” to AT&T’s network Auernheimer was convicted of is essentially the same web crawling process used by search giants to map the internet, according to experts who spoke with Fox Business at the time of Auernheimer’s conviction:
Web crawlers … are automatic indexers which search through content on a website and index the information for easy access in search engines. This is a regular part of the Internet that is essential to the functionality of websites such as Google and Yahoo … Most commentators believe that if data is revealed to unauthorized users who use the above technique, then the responsibility is on the data owner to secure that information behind a password or some other authentication mechanism. If [these individuals] can be arrested for adjusting a URL in a numerical sequence, then to what degree can other users be arrested for entering any URL?
Swartz allegedly circumvented access protocols to download JSTOR documents by changing his MAC address. Keys allegedly gave his old credentials to hackers with a blessing to “go fuck some shit up.” Yet, as AT&T confirmed in their testimony during his court case, Auernheimer didn’t crack any code or passwords. He just did the same thing many network security researchers do every day: Snoop around for security flaws, and expose them. Auernheimer certainly did not follow industry best practices — like informing AT&T — but he also didn’t use the information for evil, unless you count making consumers aware of the insecurity of their data as evil. Some might even call that a public service announcement: As Electronic Frontier Foundation Senior Staff Attorney Marcia Hoffman noted, Auernheimer “is facing more than three years in prison because he pointed out that a company failed to protect its users’ data, even though his actions didn’t harm anyone.”
Make no mistake, laws are needed to govern cyberspace. There are dangerous and criminal activities being committed online — possibly including some of Auernheimer’s past behavior — but the AT&T “hacking” wasn’t one such situation. It’s very unlikely that, if someone more reputable had discovered the same exploit and disclosed it in a more responsible manner, the situation would have resulted in the same criminal case. Indeed, the same technical practice, web crawling, is deployed by large corporations as part of their regular business practices. That alone shows something is majorly amiss in computer crime laws.