'weev' Conviction Vacated
An anonymous reader writes "A few years back, Andrew 'weev' Auernheimer went public with a security vulnerability that made the personal information of 140,000 iPad owners available on AT&T's website. He was later sentenced to 41 months in prison for violating the Computer Fraud and Abuse Act (or because the government didn't understand his actions, depending on your viewpoint). Now, the Third U.S. District Court of Appeals has vacated weev's conviction. Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF). From the ruling: 'Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.'"
To the point... (Score:5, Informative)
He was indicted and tried in NJ, despite none of the involved parties being located there.
Re:Or in legal parlance (Score:5, Informative)
Which is more officially the Doctrine of Constitutional Avoidance: http://en.wikipedia.org/wiki/C... [wikipedia.org]
Re:What happens now? (Score:4, Informative)
If he is retried, he can bring into evidence footnote 5 on page 12 of the judgement, where the judges advanced the opinion that he was innocent of the accessing-without-authorization or in-excess-of-authorization charge because there was no password or code barrier, and the program accessed a publicly facing interface and retrieved information that AT&T unintentionally published. It reads as though, even if they had found the venue to be correct, they would have vacated the guilty verdict because of that.
Re:To the point... (Score:5, Informative)
Actually AT&T exposed the emails.
Re:To the point... (Score:5, Informative)
Actually AT&T exposed the emails.
After weev modified his user-agent to pass his browser off as an iPad, then wrote a script to throw millions of different ICC-ID codes at AT&T's servers, thereby tricking them into thinking that he was the AT&T customers whose e-mails were exposed.
AT&T's "security" measures were woefully inadequate, but that doesn't change the fact that calculated and deliberate actions were required to obtain access to information that Mr. Auernheimer and Mr. Spitler knew they had no right to access. They both had the guilty mind (mens rea) required under our legal tradition to sustain a criminal conviction, breaking both the letter and the spirit of the law.
Re:To the point... (Score:5, Informative)
'deliberate actions' don't meet the definition of illegal behavior though.
They had to be 'accessed without authorization'. Sending different ICC-ID codes is NOT authorization. It's just a query. There was no actual authorization in place, and thus NO ACTUAL LAW WAS BROKEN.
Re:sad day for those who don't like 4chan trolls (Score:4, Informative)
that the security measures were woefully inadequate is beside the point
On the contrary, we cannot have the law being abused to take the place of security. Too many people would fake the security and rely on the law to make it work. Too many are already doing exactly that. It's a costly and unreasonable burden upon the public. Pay for your own security. That includes designing a reasonable system, implementing it properly so that it actually works, and performing tests and audits. Just because perfection is hard is no reason to excuse sloppy security work. DRM, for instance, fails the reasonability requirement. We have had our publicly funded police forces and courts misused to confiscate prescription drugs, improperly demand license fees from users rather than producers (SCO scared and bullied a few users into paying for a license to use Linux), and of course conduct a massive campaign to hold back technology in the name of stopping piracy. ISPs are pretty well free of being burdened with requirements to keep years and years of logs for fishing expeditions, but there is still a danger it could become the law.
It is also better not to have doubt about whether some security effort was meant to be real but was bungled, or was indeed faked and, after being breached, is claimed to have been a real effort all along and therefore the breaches are worthy of prosecution. This is especially true on a system that is not experimental, but is instead an implementation of well-known, effective methods. AT&T wasn't doing anything new; no, they just plain blew it. Saves us all a lot of time and money arguing over a pointless aside.
We even have cases of security law being gamed. We don't need someone setting up a honey pot to snare particular victims, then running to the law to complain that mean, bad people broke in, ask that the seeming perpetrators be thrown in prison, and kick back and watch as the full paranoia and wrath of the law is released upon their enemies.
Owners should install working locks on their doors and use them, not demand that the government spend enough money, no matter how much, to watch every door all the time because they can't be bothered to spend the trivial amount of money needed to have a working lock.
Re:To the point... (Score:3, Informative)
Going a little further: the decision at the bottom of page 15 hints that the litmus test of whether venue would be proper where the server is located is whether there was "some sense of venue having been freely chosen by the defendant." Here, the defendant may not have even known where the server was located. (Do you know where all the servers you access are located when you're using the Internet?) I think the prosecutor would have to show that knowledge on the part of the defendant before he could show that venue was proper.
Venue is a tricky subject. It is a favorite for law school professors to test upon. I wouldn't presume to ever completely know the subject.
Re:Details on the exploit? (Score:5, Informative)
Re:To the point... (Score:4, Informative)
neither Auernheimer nor his co-conspirator Spitler performed any “essential conduct element” of the underlying CFAA violation
If that's not a 'not guilty' by a court that's not passing actual judgement, I don't know what is.
Not that I have a particular opinion on the specifics of this case, but I think you may have truncated that quote a few words too early.
Because neither Auernheimer nor his co-conspirator Spitler performed any “essential conduct element” of the underlying CFAA violation in New Jersey, venue was improper
I read that to mean "no crime was committed in New Jersey" not "no crime took place".