Andrew “weev” Auernheimer, better known as the AT&T hacker, will appeal his 41 month prison sentence with the help of lawyer Orin Keer. Aurnheimer was recently ordered to 41 months in prison and three years probation. The hacker was also ordered to pay $73,000 in restitution.
The George Washington University professor has offered his services pro-bono to the indicted hacker.
Auernheimer was recently convicted of conspiracy to access a computer without authorization and fraud. Auernheimer accesses an unprotected and publicly available AT&T website where he ran a screen that revealed the email addresses of AT&T’s iPad 3G owners. Weev then sent the 114,000 email addresses he discovered to a Gawker journalist.
The AT&T hacker has developed a devoted following who believe he provided a valuable service by proving that AT&T wireless doesn’t care about user privacy. AT&T however disagreed with that assessment and filed suit in the District Court of New Jersey.
In explaining his reason for taking the case pro-bono, Kerr says that the conviction and sentencing sets a bad precedent under the official meaning of unauthorized access under the Computer Fraud and Abuse Act. Kerr argues that, by leaving customer emails unencrypted and unprotected, AT&T failed to prove that a hack actually occurred. Kerr notes that no firewall was breached and a simple change in URL numbers was used.
Here is Orin Kerr’s statement regarding the lawsuit:
“In the government’s view, visiting the URLs was an unauthorized access of AT&T’s website. But I think that’s wrong. At bottom, the conduct here was visiting a public website. As the Sixth Circuit stated in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), everyone is authorized to visit an “unprotected website” that is “open to the public.” The fact that AT&T would not have wanted Spitler to visit those particular URLs doesn’t make visiting the public website and collecting the information a criminal unauthorized access. If you make information available to the public with the hope that only some people would bother to look, it’s not a crime for other people to see what you make available to them.”
Kerr also argues that the felony charge goes to far since unauthorized access is typically charged as a misdemeanor offense.
Kerr also notes that the restitution fees don’t match the crime since AT&T simply sent out a warning email to customers, an email that cost almost nothing to send.
Orin Kerr writes:
But I don’t think that cost of paper and mailing counts as loss that can be attributed to Auernheimer and Spitler. That’s true for two reasons. First, existing caselaw indicates that the costs only count if they are “directly attributable to the defendants’ alleged access of [the] computer” Shirokov v. Dunlap, Grubb & Weaver, 2012 WL 1065578, at *24 (D. Mass. 2012) (concluding that legal fees cannot constitute “loss” under the CFAA). A decision to notify users of a breach, like a decision to hire lawyers, is not part of an effort to fix the computer and therefore not directly attributable to the access. Second, it is not a “reasonable” cost here in light of the successful electronic notice.
Here is the full appeals filing: