'Weev' Auernheimer's Hacking Conviction Overturned

Andrew 'Weev' Auernheimer in an undated photo. Credit: Andrew Auernheimer/Creative Commons

Gray-hat hacker and self-proclaimed Internet troll Andrew "Weev" Auernheimer had his hacking conviction vacated today (April 11) on grounds of venue, with an appeals court ruling that Auernheimer's federal trial should not have been held in New Jersey.

The vacating of the conviction did not automatically set Auernheimer free, as the ruling did not address the charges of identity fraud and conspiracy to violate the Computer Fraud and Abuse Act (CFAA). Auernheimer has been serving a 41-month sentence at a minimum-security federal prison in Pennsylvania since March 2013.

"Might be picking up Weev tonight. Keep your fingers crossed," Auernheimer's lawyer, Tor Ekeland, tweeted. Later, Ekeland added, "I am going to pick up Weev tonight."

Federal prosecutors could ask for a retrial, although it is unlikely a judge would order Auernheimer to remain in custody during preparations. Auernheimer's legal team, which includes some of the most experienced Internet-law lawyers in the United States, has already filed a motion to block a retrial on grounds of double jeopardy, or being tried twice for the same crime.

The ruling may have an effect on the prosecution of future computer crimes. Federal prosecutors have tried to establish that because the Internet is everywhere, alleged Internet crimes can be tried anywhere.

But the U.S. Third Circuit Court of Appeals didn't see it that way.

"Cybercrimes do not happen in some metaphysical location that justifies disregarding constitutional limits on venue," the court said in its decision. "People and computers still exist in identifiable places in the physical world."

What Weev did, and where he did it

In 2010, Auernheimer's co-defendant, Daniel "JacksonBrown" Spitler, discovered that AT&T had set up a website especially for owners of cellular-enabled iPads.

If an iPad owner accessed the site using the iPad, the device ID unique to that iPad would be incorporated into the site's URL, and the iPad owner's registered email address would be automatically filled in a form on the site's front page.

Spitler, who was in San Francisco, disclosed his findings to Auernheimer, who was in Arkansas. (They had not met in person.) Auernheimer was already famous under his online handle, Weev, as a "griefer" — someone who lurks in Internet chat rooms to harass people — and had even been featured in a New York Times Magazine article.

Spitler and Auernheimer wrote a script — a short computer program — that sent hundreds of thousands of possible iPad device IDs to the special AT&T site, and collected the email addresses that the site spit out. (They did not hack, or even use, any iPads.)

Their script gathered more than 114,000 email addresses, including some that seemed to belong to politicians, media figures and celebrities.

Seeking publicity for their discovery, Auernheimer emailed several media figures on the list hoping to generate news stories. Instead, the media figures told AT&T, which changed the website so the email addresses were no longer automatically filled in.

Auernheimer then contacted the gossip blog Gawker, which wanted to see the list of email addresses. Auernheimer obliged, and Gawker ran a story about the discovery, revealing a few email addresses.

Federal prosecutors charged Spitler and Auernheimer in New Jersey, even though none of the parties were based there: Spitler was in California, Auernheimer in Arkansas, Gawker in New York, AT&T in Texas and an AT&T Web server in Georgia.

Auernheimer during his trial. Credit: Andrew Auernheimer/Twitter

Unclear venue, unclear law

Prosecutors successfully argued that because some of the 114,000 email addresses belonged to persons in New Jersey, the venue was valid. Because Spitler and Auernheimer were charged with violating a New Jersey state law as well as the federal CFAA, a clause kicked in that made a longer sentence possible.

Computer-security experts argued that Spitler and Auernheimer had violated no law, since accessing data posted online and not protected by a password should not constitute a crime.

If it did, then much security research — such as testing websites to see if any secured data leaked because of the Heartbleed bug — would be illegal, and so would Web-"scraping" software used by Google and other search engines.

Spitler agreed to testify against Auernheimer in exchange for a reduced sentence. In November 2012, Auernheimer, who had become an Internet cause célèbre, was convicted, and he was sentenced to 41 months in prison at a raucous public hearing in March 2013.

To the Third Circuit Court of Appeals, the seemingly random choice of where to hold the trial directly contravened fundamental American values.

"The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence," the court wrote in its decision. "Article III [of the Constitution] requires that 'the Trial of all Crimes ... shall be held in the State where the said Crimes shall have been committed.'"

"The venue error here clearly affected Auernheimer's substantial rights," the court added. "Auernheimer was hauled over a thousand miles from Fayetteville, Arkansas to New Jersey. Certainly if he had directed his criminal activity toward New Jersey ... he would have no grounds to complain about his uprooting. But that was not what was alleged or what happened."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.