Hacker's High-Profile Conviction Overturned
(CN) - The 3rd Circuit on Friday overturned the felony convictions of a hacker sentenced to nearly three and a half years in prison for exposing an AT&T security flaw.
Prosecutors targeted Andrew "Weev" Auernheimer after he tried to draw attention to a security hole discovered by his co-defendant, Daniel Spitler, in 2010.
Spitler learned that AT&T's servers were configured to pre-load the email addresses of iPad 3G users as their user IDs when they logged in. AT&T had linked these email addresses to an ID number used to identify an iPad user's SIM card.
Spitler then wrote an "account slurper" program that allowed him to collect 114,000 email addresses from AT&T's servers from June 5 to June 8, 2010.
As Spitler's program continued to run, Auernheimer sent the list to several journalists, including a Gawker reporter, who urged the telecommunications giant to fix the flaw.
A grand jury in Newark, N.J., charged Spitler and Auernheimer with identity fraud and conspiracy to violate the Computer Fraud and Abuse Act.
Auernheimer moved to dismiss the charges, arguing that New Jersey was the wrong venue, as neither he nor Spitler were ever in the state while they allegedly committed the crimes.
A federal judge rejected the motion, and Auernheimer was convicted on both counts after a closely watched five-day trial. He was sentenced to 41 months in prison.
Spitler reached a plea deal with the government in June 2011, ultimately testifying against his co-defendant.
The federal appeals court in Philadelphia noted that Auernheimer's appeal "raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age."
However, the 3rd Circuit said it was necessary to reach only one: venue.
"Evidence at trial showed that at all times relevant to this case, Spitler was in San Francisco, California and Auernheimer was in Fayetteville, Arkansas," Judge Michael Chagares wrote for the three-judge panel. "The servers that they accessed were physically located in Dallas, Texas and Atlanta, Georgia. Although no evidence was presented regarding the location of the Gawker reporter, it is undisputed that he was not in New Jersey."
The government acknowledged that Auernheimer, Spitler and AT&T's servers weren't in the Garden State, but argued that venue was still proper because about 4 percent of the email addresses collected belonged to New Jersey residents.
"There was no evidence at trial that Auernheimer's actions evinced any contact with New Jersey, much less contact that was 'substantial,'" he wrote.
He also rejected the government's claim that its choice of venue did not harm and actually benefited Auernheimer, in part because it helped him team up with the Electronic Frontier Foundation, which filed his 3rd Circuit appeal. The government had also noted that Newark was a "relatively easy commute" for Auernheimer's Brooklyn-based attorney, Tor Ekeland.
"Auernheimer was hauled over a thousand miles from Fayetteville, Arkansas to New Jersey," Chagares wrote. "Certainly if he had directed his criminal activity toward New Jersey to the extent that either he or his co-conspirator committed an act in furtherance of their conspiracy there, or performed one of the essential conduct elements of the charged offenses there, he would have no grounds to complain about his uprooting. But that was not what was alleged or what happened.
"While we are not prepared today to hold that an error of venue never could be harmless, we do not need to because the improper venue here - far from where he performed any of his allegedly criminal acts - denied Auernheimer's substantial right to be tried in the place where his alleged crime was committed," the court concluded.
The EFFsaid it was "thrilled" with the appeals court's decision.
"This prosecution presented real threats to security research," staff attorney Hanni Fakhoury said in a statement. "Hopefully this decision will reassure that community."