You May Not Like Weev, But Your Online Freedom Depends on His Appeal

“The Internet’s best terrible person.” A “disappointment.” “Reviled/Beloved.” Those are just a few of the things people have called convicted AT&T/iPad "hacker" Andrew Auernheimer -- a.k.a. “Weev” -- currently sitting in federal prison serving a 41-month sentence.

Whether you love him or hate him, whether you disagree with him or disagree with AT&T, even if you’re indifferent -- you should hope Weev wins his appeal filed last night before the Third Circuit Court of Appeals.

The future of the Internet may well depend on it.

Because the Computer Fraud and Abuse Act (“CFAA”) -- the very statute that was used to prosecute Aaron Swartz for downloading scholarly articles he had access to -- has run amok. The outdated law has been abused to cover situations far removed from the type of criminal hacking Congress had in mind when it passed the law in 1986. Nothing highlights that more than the fact that the CFAA is now the subject of a bill named after Aaron Swartz to fix it.

Weev’s case is just another example of a dangerous prosecution that covers all sorts of innocuous, common internet behavior. Perhaps more dangerously, it’s an example of a prosecution that tries to regulate a person, not just his or her crime.

From Hero to Villain: What Happens When Companies Can Stretch the CFAA

Hanni Fakhoury is a former federal public defender and a current Staff Attorney at the Electronic Frontier Foundation (EFF) who focuses on criminal law, privacy, and free speech litigation and advocacy. Fakhoury is also one of the lawyers on Weev’s appeal. Follow him on Twitter @hannifakhoury.

Here’s a reminder of what happened: Weev and Daniel Spitler discovered and publicized a security hole in AT&T’s website. After spoofing his web browser to look like an iPad, Spitler discovered that AT&T’s website published iPad users’ email addresses when someone entered a URL that included an iPad’s unique identification number. He created a script to keep entering random numbers to emulate the iPad IDs and got more than 114,000 email addresses as a result. Weev disclosed this security hole by telling journalists about the discovery and shared the list with Ryan Tate (then at Gawker, now at Wired), who published a story -- not the email addresses -- on the incident.

AT&T got around to closing the hole after the story got national attention.

In one version of this story, Auernheimer and Spitler were hailed as heroes. They were awarded a “Crunchie” for their public service in bringing attention to AT&T’s leaky website.

But in another version of this story, Auernheimer and Spitler were treated as criminals. The feds indicted Weev for identity theft and unauthorized access to a computer under the CFAA, even though it was AT&T -- not them -- that made the email addresses publicly available on the internet. Swayed by the government’s arguments that Weev and Spitler had engaged in “theft” (unfortunately, Weev’s own words) when Spitler “tricked” and “deceived” AT&T’s servers into giving him the email addresses, the jury found Weev guilty in short order.

The appeal filed yesterday argues that AT&T’s servers weren’t “deceived”. They did exactly what AT&T had programmed them to do whenever a correct URL was entered: publish email addresses. (The spoofing was irrelevant; Spitler would have gotten the same email addresses if he had manually inputted the URLs on an iPad rather than a spoofed desktop browser.) In short, one can’t violate the CFAA by accessing information on a freely available, public website.

So why is Weev sitting in prison? Because the CFAA makes it a crime to obtain information from a computer “without authorization.” That term isn’t defined in the statute and has been dangerously interpreted to cover all sorts of innocuous behavior, from lying about yourself on your MySpace page to misusing data you’re otherwise allowed to access.

The CFAA was stretched in Weev’s case to permit website owners like AT&T who make their data publicly available to anyone -- without security restrictions like a login and password -- to still grant or deny “authorization” to view that information. But it’s not just the government that’s relying on this strained interpretation of the CFAA. Companies like craigslist have tried to use this same argument under the CFAA in court, too.

Let’s consider what that means for us. How’s a person surfing the internet supposed to know when they can or can’t view information if there’s no technical barrier to access? If Wired decided only people from the U.S. could read its otherwise publicly available Opinion pieces, and someone tries to access the site from the U.K., get ready for a prison jumpsuit.

Placing publicly available data within the purview of the CFAA allows companies -- not the normal legislative process -- to dictate what is and isn’t criminal behavior, and to do so in arbitrary ways.

And here, it allows AT&T to avoid blame for exposing its customers’ data by pointing the finger at Weev. (Not to mention getting him to pay the bill for notifying its customers by mail, too.)

Yet Weev’s case is more than just another abusive CFAA prosecution. His story doesn’t start with the iPad “hack.” Before Weev was a “martyr” he was a “troll.” And nothing’s easier to blame than the “troll” with a reputation worse than the “hacking” charges that made him a “felon.”

When the Government Can Prosecute a Personality, Not Just a Crime

“I hack, I ruin, I make piles of money,” Weev infamously told *The New York Times* in 2008. That quote follows Weev everywhere and landed in the letter the government sent the trial judge asking for his lengthy prison sentence.

Of course, everyone’s entitled to an opinion about someone. Especially about a personality as colorful as Weev. The danger is when it’s those opinions -- about Weev the man, not of the alleged crime -- that become the focus of a government prosecution.

At sentencing, instead of hearing about the effects of the iPad “hack,” the government recounted in detail Weev’s “attitudes” towards others on the internet.

Instead of victim impact statements from affected iPad users, nasty emails sent by Weev in 2009 resurfaced in court four years later. (What would the affected iPad users have said anyway? Their email addresses were never revealed publicly or sold to spammers.) When AT&T was asked to provide an official “victim” statement, it didn’t bother to send one in -- because there was no “impact.” At trial, an AT&T representative testified its reputation suffered as a result of the hack; today it’s still the largest wireless phone provider in the U.S.

Instead of hearing about how AT&T itself acknowledged that its website was designed “poorly,” the government submitted *news articles* about Weev discussing his flip attitude towards the entire proceeding.

The result? Weev got the top of the 33- to 41-month sentencing range.

Ultimately the government was keen on making sure Weev’s past finally caught up to him. Deterrence (especially given Weev’s past actions) is indeed an important consideration in criminal sentencing. But we should all be worried when the government digs up our past and puts us on trial for who we are and what we stand for by using an expansive interpretation of what has been called “the worst law in technology” to make criminals out of millions.

It’s hard to escape the power of the government when it’s aimed right for us and technology allows it to never forget.

For us, it means we can never move beyond the things we’ve done or said, stupid or otherwise, on the internet. For Weev, it means he lost his freedom for three and a half years. For Swartz, it meant he’d drawn the scrutiny of the feds long before he downloaded JSTOR articles by liberating court records and publishing the Guerilla Open Access Manifesto (and later took his own life after facing unchecked prosecutorial discretion).

This opinion isn’t intended to defend the harmful things Weev or others have done in the past. It’s a reminder that we should be wary of giving companies too much control in loosely interpreting the law. And that decisions about who should be prosecuted -- and for what crimes -- have to be based primarily on the crime itself ... not the person.

Wired Opinion Editor: Sonal Chokshi @smc90