iPad Exploiter is Freed by Federal Appeals Court
April 11, 2014 7:40 PM
Andrew Auernheimer gets off, but the CFAA remains as ambiguous as ever
He might be an admitted troll, but Andrew "weev" Auernheimer (aka "Escher" Auernheimer) scored some sympathy when he was sentenced to 41 months (nearly four years) in prison. Now, thanks to the Third U.S. Circuit Court of Appeals, Mr. Auernheimer is a free man early, in a ruling [PDF] that some feel dodges, rather than answers, fundamental questions regarding internet freedoms.
I. Closing AT&T's Open Hole
Mr. Auernheimer spent his days trolling several popular online hubs. And like many, he dabbled in computer security research. While laymen might refer to what he was engaging in as "hacking", true hackers would scoff at that, as he generally only poked and prodded around in systems with no access protections.
Such exploration might have gone unnoticed had he not targeted two of America's biggest and most powerful corporations: Apple, Inc. and AT&T, Inc.
Back in 2010 Apple had just launched its first generation tablet, dubbed the "iPad". AT&T -- Apple's long-time iPhone partner -- had exclusive rights to the cellular version of the device. Every cellular iPad has a unique identifier number -- the ICC-ID -- which is one of several pieces of information Apple uses to control remote access to customers' emails.
Mr. Auernheimer, along with his friend Daniel Spitler and other online miscreants, had just founded the "troll"/hacker collective Goatse Security. It is unclear which of them first figured it out, but one of the group members -- possibly Mr. Auernheimer himself -- noticed that Apple's iPads were sending users' ICC-IDs (unencrypted) to an AT&T server, which returned the email address of the customer associated with that identifier.
To AT&T and Apple, this was a "feature" allowing developers quick access to user emails. But Mr. Auernheimer and the rest of Goatse Sec. correctly realized that it was a gaping hole in the device's security, given how easy it was to simply brute force your way into that back door, gaining everyone's emails by guessing ICC-IDs until you got valid ones.
Mr. Auernheimer faced legal repercussions merely for accessing an open interface on the internet.
[Image Source: Boot Click]
He wrote a script that did this and it worked flawlessly, pulling records out of AT&T's bare, unprotected server. Most troubling was the fact that AT&T's server was not only open to anyone who wished to query it, but it also apparently had no restrictions on how many requests could come from a single IP address. Soon Goatse Sec. had the emails of most iPad 3G customers. They went to Gawker Media, who published a piece.
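The weakness described above is an unauthenticated lookup endpoint with enumerable identifiers and no per-source request limits. The following added example (not code from the article, AT&T or Goatse Security) shows the detection side: it scans constructed web-server log lines for a hypothetical lookup endpoint (the `/lookup?iccid=` path, the ICC-ID values and the addresses are all made up) and flags sources that sweep consecutive IDs at high rate with many misses, which is the signature such a script leaves in server logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log for a hypothetical ID-to-email lookup endpoint.
# Path, parameter name, ICC-ID values and IPs are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 [10/Jun/2010:09:00:01] "GET /lookup?iccid=8901410000000000101" 200
10.0.0.5 [10/Jun/2010:09:00:01] "GET /lookup?iccid=8901410000000000102" 404
10.0.0.5 [10/Jun/2010:09:00:02] "GET /lookup?iccid=8901410000000000103" 200
10.0.0.5 [10/Jun/2010:09:00:02] "GET /lookup?iccid=8901410000000000104" 404
10.0.0.5 [10/Jun/2010:09:00:03] "GET /lookup?iccid=8901410000000000105" 200
10.0.0.5 [10/Jun/2010:09:00:03] "GET /lookup?iccid=8901410000000000106" 404
192.168.1.20 [10/Jun/2010:09:05:00] "GET /lookup?iccid=8901410000000077312" 200
192.168.1.21 [10/Jun/2010:09:06:30] "GET /lookup?iccid=8901410000000512998" 200
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "GET /lookup\?iccid=(\d+)" (\d{3})$')
TS_FMT = "%d/%b/%Y:%H:%M:%S"

def parse(log_text):
    """Yield (ip, timestamp, iccid_as_int, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, iccid, status = m.groups()
            yield ip, datetime.strptime(ts, TS_FMT), int(iccid), int(status)

def find_enumerators(log_text, min_lookups=5, window_s=60, seq_ratio=0.8):
    """Flag IPs whose lookups look like an ID sweep: many distinct IDs inside
    a short window, almost all of them consecutive to the previous one. The
    miss ratio (404s) is reported too: guessed IDs miss, real clients rarely do."""
    per_ip = defaultdict(list)
    for ip, ts, iccid, status in parse(log_text):
        per_ip[ip].append((ts, iccid, status))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()                      # chronological order per source
        ids = [e[1] for e in events]
        span = (events[-1][0] - events[0][0]).total_seconds()
        if len(set(ids)) < min_lookups or span > window_s:
            continue
        steps = [abs(b - a) for a, b in zip(ids, ids[1:])]
        sequential = sum(1 for s in steps if s <= 2) / len(steps)
        misses = sum(1 for e in events if e[2] == 404) / len(events)
        if sequential >= seq_ratio:
            flagged[ip] = {"lookups": len(ids), "sequential_ratio": round(sequential, 2),
                           "miss_ratio": round(misses, 2)}
    return flagged
```

The same signals (per-source volume, consecutive IDs, miss rate) are what a rate limit or anomaly rule in front of such an endpoint would key on; binding the lookup to an authenticated session removes the problem at the source.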
To validate that Goatse Sec.'s claims were accurate, they weeded through the list, pulling out the emails of certain high-profile people including actors, members of the military, and politicians. The White House chief of staff was even on the list.
The approach worked -- Apple and AT&T owned up to the problem and finally agreed to close their security holes.
Mr. Auernheimer's home was raided in 2010, in apparent retribution for the disclosure.
[Image Source: The Washington County's Sheriff Office]
The U.S. Federal Bureau of Investigation (FBI) began to harass Mr. Auernheimer shortly thereafter, raiding his house and arresting him when they found drugs (including small quantities of cocaine, LSD, and the party drug ecstasy). Authorities also found schedule 2 and 3 pharmaceuticals.
But the raid wasn't as clear-cut as it sounded at first. First, the police were unable to explain what compelled them to conduct the search, so basically their only probable cause was that Mr. Auernheimer had caused trouble and that they didn't like him. Second, Mr. Auernheimer had roommates, and it became increasingly apparent that while some -- or all -- of the drugs may have belonged to those folks, the FBI was looking to pin everything on the one resident of the household who had caused trouble by leaking the emails of federal politicians.
The FBI had also reportedly denied him a public defender, subjecting him to a gag order about that violation, which Mr. Auernheimer defiantly broke.
II. Imprisoned for "Doing Arithmetic"
In Jan. 2011 the weak case was on the verge of collapse, so the FBI decided to drop charges against Mr. Auernheimer. But the U.S. Department of Justice (DOJ) was determined not to let his disclosure go unpunished, so it charged him with one count of conspiracy to access servers without permission and one count of identity theft. The DOJ justified these charges via passages in the ambiguously worded Computer Fraud and Abuse Act (CFAA) of 1986 (18 USC § 1030), the same law used to terrorize and harass Reddit cofounder Aaron Swartz, who would later tragically take his own life.
Mr. Auernheimer was brought back to jail after being booked on these charges in January, along with his colleague Mr. Spitler. Mr. Spitler, who had an IT job, quickly bailed himself out, but Mr. Auernheimer was imprisoned for an extra month as he was unemployed.
Mr. Auernheimer lived in Arkansas and conducted the server scrape there, so his attorneys (hired by an internet fundraising campaign) argued that the case should be tried there. Prosecutors instead chose to try it in New Jersey, a state known for higher conviction rates. They made the tenuous argument that many of the affected iPad users lived in that state -- an argument that could be made for virtually any jurisdiction.
The feds won: the trial was moved to New Jersey. And they won again when the verdict was read. In Nov. 2012 he was found guilty of both charges, prompting him to write an article sarcastically titled "Forget Disclosure - Hackers Should Keep Security Holes to Themselves".
Andrew Auernheimer faced nearly four years in prison after sentencing. [Image Source: The Verge]
The surprisingly mature account made a compelling case for disclosure of security flaws. He pointed out that Apple had a long history of ignoring warnings from security researchers and typically only fixed flaws after they were disclosed.
Nonetheless, a federal judge in the New Jersey District Court was unmoved by his arguments and sentenced him to 41 months in prison.
Mr. Auernheimer appealed; his lawyers -- financed by the Electronic Frontier Foundation (EFF) -- took that decision to the Third Circuit.
III. EFF, Auernheimer Win, But Fail to Beat Back CFAA
The EFF team argued that Mr. Auernheimer wasn't gaining unauthorized access or "hacking" as any member of the public could access the server as he did, and AT&T's partners would regularly do so. They also argued that Mr. Auernheimer should have been tried in Arkansas and the DOJ had no business hauling him to New Jersey. The DOJ argued that the choice of venue "[did] not affect substantial rights." The EFF suggested otherwise.
The verdict of a three-judge panel came in this week, resoundingly in Mr. Auernheimer's favor. The judges wrote in their ruling "no evidence was advanced at trial [that] any password gate or other code-based barrier [was breached]", a statement that seemed to suggest that Mr. Auernheimer's lawyers' fundamental argument might be right.
However, the panel made the rather odd decision of not issuing a full ruling on that argument. Instead, they sidestepped the issue somewhat, deciding that the DOJ's choice of venue was inappropriate enough to vacate the verdict.
The court writes:
Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue... The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.
Venue issues are animated in part by the danger of allowing the Government to choose its forum free from any external constraints. The ever-increasing ubiquity of the Internet only amplifies this concern. As we progress technologically, we must remain mindful that cybercrimes do not happen in some metaphysical location that justifies disregarding constitutional limits on venue. People and computers still exist in identifiable places in the physical world. When people commit crimes, we have the ability and obligation to ensure that they do not stand to account for those crimes in forums in which they performed no essential conduct element of the crimes charged.
“Though our nation has changed in ways which it is difficult to imagine that the Framers of the Constitution could have foreseen, the rights of criminal defendants which they sought to protect in the venue provisions of the Constitution are neither outdated nor outmoded.” Passodelis, 615 F.2d at 977. Just as this was true when we decided Passodelis in 1980 — after the advent of railroad, express mail, the telegraph, the telephone, the automobile, air travel, and satellite communications — it remains true in today’s Internet age. For the foregoing reasons, we will reverse the District Court’s venue determination and vacate Auernheimer’s conviction.
Auernheimer was hauled over a thousand miles from Fayetteville, Arkansas to New Jersey. Certainly if he had directed his criminal activity toward New Jersey to the extent that either he or his co-conspirator committed an act in furtherance of their conspiracy there, or performed one of the essential conduct elements of the charged offenses there, he would have no grounds to complain about his uprooting. But that was not what was alleged or what happened. While we are not prepared today to hold that an error of venue never could be harmless, we do not need to because the improper venue here—far from where he performed any of his allegedly criminal acts—denied Auernheimer's substantial right to be tried in the place where his alleged crime was committed.
Some may be disappointed at this outcome, but the end result is at least one that internet activists will be pleased with -- Mr. Auernheimer's freedom.
Andrew Auernheimer is now a free man. [Image Source: Stephanie Keith]
It appears that Mr. Auernheimer is a free man, as, unlike in the case of a mistrial, such an order to vacate a federal judgment typically eliminates the verdict altogether. To try Mr. Auernheimer again would arguably be considered double jeopardy, a fundamentally unconstitutional legal act.
Mr. Auernheimer's top lawyer -- Orin Kerr -- wrote an article in The Washington Post about the verdict and its importance.
We'll have to wait for more federal trials and appeals -- or Congressional action -- to get closure on the CFAA and how to make its ambiguous language less of a ticket to arbitrary, and at times punitive, imprisonment.
Sources: Third US Circuit Court of Appeals; The Washington Post
RE: Far away
4/12/2014 11:04:18 AM
I just don't think finding a security flaw gives someone a green light to go exploit it and steal people's emails.
I mean, is that some extreme point of view?
RE: Far away
4/12/2014 11:53:29 AM
Steal emails? Do you not understand what happened?
AT&T had a website that would return an email address when a valid iPad serial number was provided.
This is no different than someone calling AT&T or Apple tech support, saying "Hi, I have iPad # 123456789" and AT&T or Apple responding with "Hi, your email address is
If somebody called AT&T 1,000,000 times doing the above, would that be considered "stealing emails"? I think most mentally competent people would consider it AT&T giving away your address to anyone who provides some random numbers.
Can I steal your phone number? Can I steal your home address? How can anyone steal an email address, especially when it's handed to them?
People that think like you are the reason these massive security holes continue to exist. You blame people for "requesting" your information instead of blaming the company who gave it to them when they should have been protecting it.
RE: Far away
4/12/2014 12:11:08 PM
Well I tried to read the article, but that freaky looking ginger's beard kept getting in the way.
Look, relax, will ya? This isn't THAT big of a deal. Maybe now he'll do something with his life more productive than trolling 4chan and trying to be a low-level "Neo" or something.
RE: Far away
4/14/2014 1:11:35 PM
Lifter is correct. AT&T gave away the information. If anything, AT&T committed a crime of violating the terms of services which we both agreed to when I allowed AT&T to have my email address. AT&T had no right to share that information with anyone.
This is a case of wrongful prosecution due to some lobbyist in the Feds. If any investigation needs to occur, it is of the Federal ASA which received the case. I want to know who decided this case was worth the time and effort. I bet if we actually had real free press reporters, we would find that someone in the Justice department was paid off!
This case stinks to high heaven of corruption on the Federal side!!!!!! Ohh, and the judge in New Jersey needs to be removed and disbarred. He should have thrown out the case!
RE: Far away
4/14/2014 5:04:20 PM
Isn't customer email classified as PII data, and as such, needs to be encrypted prior to transmittal?
Copyright 2014 DailyTech LLC.