Slashdot Mirror


'weev' Conviction Vacated

An anonymous reader writes "A few years back, Andrew 'weev' Auernheimer went public with a security vulnerability that made the personal information of 140,000 iPad owners available on AT&T's website. He was later sentenced to 41 months in prison for violating the Computer Fraud and Abuse Act (or because the government didn't understand his actions, depending on your viewpoint). Now, the Third U.S. District Court of Appeals has vacated weev's conviction. Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF). From the ruling: 'Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.'"

34 of 148 comments

  1. To the point... by msauve · · Score: 5, Informative

    Spitler was in San Francisco, California and Auernheimer was in Fayetteville, Arkansas. The servers that they accessed were physically located in Dallas, Texas and Atlanta, Georgia. Although no evidence was presented regarding the location of the Gawker reporter, it is undisputed that he was not in New Jersey.

    He was indicted and tried in NJ, despite none of the involved parties being located there.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:To the point... by msauve · · Score: 2
      How can an AC be expected to actually read the ruling they're commenting on, which specifically addresses his complaint?

      There was no evidence at trial that Auernheimer's actions evinced any contact with New Jersey, much less contact that was "substantial." The Government has not cited, and we have not found, any case where the locus of the effects, standing by itself, was sufficient to confer constitutionally sound venue.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:To the point... by NatasRevol · · Score: 4, Informative

      Actually AT&T exposed the emails.

      --
      There are two types of people in the world: Those who crave closure
    3. Re:To the point... by Shakrai · · Score: 5, Informative

      Actually AT&T exposed the emails.

      After weev modified his user-agent to pass his browser off as an iPad, then wrote a script to throw millions of different ICC-ID codes at AT&T's servers, thereby tricking them into thinking that he was the AT&T customers whose e-mails were exposed.

      AT&T's "security" measures were woefully inadequate, but that doesn't change the fact that calculated and deliberate actions were required to obtain access to information that Mr. Auernheimer and Mr. Spitler knew they had no right to access. They both had the guilty mind (mens rea) required under our legal tradition to sustain a criminal conviction, breaking both the letter and the spirit of the law.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    4. Re:To the point... by NatasRevol · · Score: 4, Informative

      'deliberate actions' don't meet the definition of illegal behavior though.

      They had to be 'accessed without authorization'. Sending different ICC-ID codes is NOT authorization. It's just a query. There was no actual authorization in place, and thus NO ACTUAL LAW WAS BROKEN.

      --
      There are two types of people in the world: Those who crave closure
    5. Re:To the point... by Shakrai · · Score: 3, Interesting

      You're seriously going to argue that even though he had to take deliberate steps to impersonate other people he wasn't accessing information "without authorization"? That's what this boils down to at the end of the day, he tricked AT&T's web servers into thinking he was an AT&T customer, and in so doing obtained access to information about that customer. Then he wrote a script to automate the process and repeated it ~140,000 times.

      I really don't understand why people defend this kid's actions. The Federal prosecution was bullshit, this should have been charged at the State level, but to claim that he's completely innocent when he went out of his way to obtain access to information he knew he had no right to access? That's absurd.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    6. Re:To the point... by GPS+Pilot · · Score: 2

      The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.

      weev is fortunate that, for once, a court gives a damn about what was important to the founding generation.

      --
      That that is is that that that that is not is not.
    7. Re:To the point... by NatasRevol · · Score: 4, Interesting

      Well, not me, but the appeals court certainly did.
      This paragraph is on page 10 of the ruling:

      The charged portion of the CFAA provides that "[w]hoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished as provided in subsection (c) of this section." 18 U.S.C. 1030(a)(2)(C). To be found guilty, the Government must prove that the defendant (1) intentionally (2) accessed without authorization (or exceeded authorized access to) a (3) protected computer and (4) thereby obtained information

      Then this paragraph is on page 12 of the ruling:

      Because neither Auernheimer nor his co-conspirator Spitler performed any "essential conduct element" of the underlying CFAA violation or any overt act in furtherance of the conspiracy in New Jersey, venue was improper on count one.

      I guess you're smarter than them.

      Also, if passing a phone identifier to a query of a web server could access all this information, is that really a 'protected computer'? I'd say no.

      --
      There are two types of people in the world: Those who crave closure
    8. Re:To the point... by Shakrai · · Score: 3, Insightful

      Venue was improper. That doesn't mean he isn't guilty, it just means the Federal Government was inept (shocker, I know) and has managed to turn a common criminal into a martyr because they were too stubborn to simply turn this matter over to the authorities in his home state. I suspect the Feds will just prosecute him again in his home Federal District, wherein he will be convicted, though if they were smart they'd let the State authorities handle this matter. AR has a non-controversial computer trespass law that would cover his actions here.

      Also, if passing a phone identifier to a query of a web server could access all this information, is that really a 'protected computer'? I'd say no.

      And you'd be wrong. You're looking at this from the geek perspective, rather than the legal perspective. Google the reasonable person standard and mens rea, those are two of the most important building blocks of our legal system. Bottom line: He knowingly accessed information that a reasonable person would have known they weren't entitled to access. He did so by tricking AT&T's servers into thinking he was someone other than himself. The icing on the cake were his own words entered into evidence, wherein he admitted that he knew he wasn't entitled to access the information.

      Don't take my word for any of this, go read the body of evidence against him. It's all publicly accessible via PACER.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    9. Re:To the point... by American+Patent+Guy · · Score: 2

      Well, I was trying to keep it simple, but I don't think this Court of Appeals would agree with you. There is a significant discussion beginning at the bottom of page 14 that addresses, for example, whether the "locus of the effect of the criminal conduct" can confer venue. All this Court decided is that where there was no contact with the prosecutor's chosen venue (New Jersey) other than the alleged victims were located there, that venue was improper. The question of whether the site of the servers improperly accessed could confer venue has not yet been decided.

    10. Re:To the point... by Shakrai · · Score: 2

      The meat-space equivalent is something like reporter (who is not Bob's wife) calling a bar and saying, "I'm Bob's wife, is Bob there?"

      A better analogy would be calling AT&T and saying "I'm Bob, can you tell me when my bill is due?" You've impersonated Bob and used it to obtain access to personally identifiable information, you'd be guilty of a number of different crimes in such a circumstance.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    11. Re:To the point... by American+Patent+Guy · · Score: 3, Informative

      Going a little further: the decision at the bottom of page 15 hints that the litmus test of whether venue would be proper where the server is located is whether there was "some sense of venue having been freely chosen by the defendant." Here, the defendant may not have even known where the server was located. (Do you know where all the servers you access are located when you're using the Internet?) I think the prosecutor would have to show that knowledge on the part of the defendant before he could show that venue was proper.

      Venue is a tricky subject. It is a favorite for law school professors to test upon. I wouldn't presume to ever completely know the subject.

    12. Re:To the point... by ganjadude · · Score: 2

      And if you are a public location, if you do not lock up behind you, then you have no reason to complain when people go inside. This is a little different than a private home. I'm not saying that the kid was within his rights to do what he did, but I don't think your argument is the correct one.

      --
      have you seen my sig? there are many others like it but none that are the same
    13. Re:To the point... by mjtaylor24601 · · Score: 3, Informative

      neither Auernheimer nor his co-conspirator Spitler performed any “essential conduct element” of the underlying CFAA violation

      If that's not a 'not guilty' by a court that's not passing actual judgement, I don't know what is.

      Not that I have a particular opinion on the specifics of this case, but I think you may have truncated that quote a few words too early:

      Because neither Auernheimer nor his co-conspirator Spitler performed any “essential conduct element” of the underlying CFAA violation in New Jersey, venue was improper

      I read that to mean "no crime was committed in New Jersey" not "no crime took place".

      --
      I wish I were as sure of anything as some people are of everything
    14. Re:To the point... by slimjim8094 · · Score: 2

      You're seriously going to argue that even though he had to take deliberate steps to impersonate other people he wasn't accessing information "without authorization"?

      Yes. "Without authorization" is more than "well I wasn't expecting him to ask that question!".

      That's what this boils down to at the end of the day, he tricked AT&T's web servers into thinking he was an AT&T customer, and in so doing obtained access to information about that customer.

      No, he sent a query to the webserver, and the webserver did what it was designed to do and answered it. AT&T was the one making the mistake by assuming that all trivially-correctly-formatted requests were from AT&T customers as opposed to actually checking whether the requester was - in fact - a customer (something they could've easily done!)

      Then he wrote a script to automate the process and repeated it ~140,000 times.

      Sure. So? It means he knows how to use 'seq' and 'wget'. Would it be different if he changed the number in his browser 140k times?

      I really don't understand why people defend this kid's actions.

      Like a lot of prosecutions people complain about, it wasn't really about the "kid" (why does it matter if he's a "kid"?). It's about precedent, and "some queries shouldn't be sent to a webserver, but you don't know what those are until we nail your ass" is a pretty damn bad precedent.

      The Federal prosecution was bullshit, this should have been charged at the State level, but to claim that he's completely innocent when he went out of his way to obtain access to information he knew he had no right to access? That's absurd.

      He probably had a suspicion that AT&T didn't mean to provide this access, but they did. This is more like calling up a place and asking what Frank's address is - you may think it's odd that they told you, but in the absence of even trivial checks to see whether you really are Frank, it would be reasonable to conclude that this was intended to be public. After all, they just happily told a member of the public. And no, the user agent is not even a trivial check, since every browser pretends to be every other browser anyway.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  2. Re:sad day for those who don't like 4chan trolls by bmajik · · Score: 4, Insightful

    Not liking someone isn't a good enough reason to put them in jail.

    Usually. For now.

    --
    My opinions are my own, and do not necessarily represent those of my employer.
  3. Or in legal parlance by korbulon · · Score: 4, Funny

    They invoked the writ of Copus Outus.

    1. Re:Or in legal parlance by krlynch · · Score: 5, Informative

      Which is more officially the Doctrine of Constitutional Avoidance: http://en.wikipedia.org/wiki/C...

    2. Re:Or in legal parlance by SailorSpork · · Score: 2

      Yeah, "Don't Make New Laws Unless You Have To" looks like copping out, but is actually something I completely support. When new laws are made, it usually just makes things more complicated, may create unintended/unforeseen consequences, and so forth.

  4. Re:sad day for those who don't like 4chan trolls by roc97007 · · Score: 5, Funny

    From a practical standpoint, it depends on who doesn't like him.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  5. What happens now? by gnasher719 · · Score: 4, Interesting

    From Wikipedia: "Relief from judgment of a United States District Court is governed by Rule 60 of the Federal Rules of Civil Procedure.[1] The United States Court of Appeals for the Seventh Circuit noted that a vacated judgment "place[s] the parties in the position of no trial having taken place at all; thus a vacated judgment is of no further force or effect."[2] Thus, vacated judgments have no precedential effect.[3]"

    That seems to say that he is now in a legal position as if the trial had never taken place. So can he be taken to court in the proper place now?

    1. Re:What happens now? by Registered+Coward+v2 · · Score: 2

      From Wikipedia: "Relief from judgment of a United States District Court is governed by Rule 60 of the Federal Rules of Civil Procedure.[1] The United States Court of Appeals for the Seventh Circuit noted that a vacated judgment "place[s] the parties in the position of no trial having taken place at all; thus a vacated judgment is of no further force or effect."[2] Thus, vacated judgments have no precedential effect.[3]" That seems to say that he is now in a legal position as if the trial had never taken place. So can he be taken to court in the proper place now?

      IANAL, but from my understanding of double jeopardy he could be retried. It appears to be a procedural error which would allow a retrial; in this case in the proper venue.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    2. Re:What happens now? by bruce_the_loon · · Score: 3, Informative

      If he is retried, he can bring into evidence footnote 5 on page 12 of the judgement where the judges advanced the opinion that he was innocent of the accessing without authorization or in excess of authorization charge because there was no password or code barrier and the program accessed a publicly facing interface and retrieved information that AT&T unintentionally published. It reads that even if they found the venue as correct, they would have vacated the guilty verdict because of that.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    3. Re:What happens now? by Hentai · · Score: 2

      Hmm. Overly-cynical thought:

      Convict him, put him in prison, let him start serving out his sentence, vacate conviction based on venue.

      Re-charge him in the proper venue, put him in jail without bail, let him stew for a few years. Then try him again, convict him again, put him in prison for a year or so again. Then vacate THAT conviction based on another technicality.

      Then re-charge him again, put him in jail without bail again, let him stew for a few more years while you set up a third trial. Then try him again, convict him again, put him in prison for awhile again, then vacate THAT conviction...

      I wonder how long you could play judiciary ping-pong with someone you REALLY didn't like?

      --
      -Hentai [in vita non pacem est]
    4. Re:What happens now? by Shakrai · · Score: 2

      The password or code - there was no such barrier to access, so no illegal access through forged authorization occurred.

      He still could have been charged under CFAA, without the felony enhancement (or without it through some other requirement), or any one of a number of state-level computer trespass laws. My home state (New York) has a felony computer trespass law that would apply to the exact same crime committed within our jurisdiction, and Arkansas (weev's home state) has a similar statute.

      As a general rule of thumb the law is less concerned about the specific security measures bypassed and more concerned with whether or not you knew you were entitled to access the information (the record here is clear that he knew he was not) but still took deliberate measures to obtain said access.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
  6. Interesting by Capt+James+McCarthy · · Score: 2, Interesting

    I never understood this. If you break up a rape and beat the crap out of the perpetrator, you are hailed a hero. But expose flaws and you are a criminal. I suppose it's not the crime they are exposing, but the tactics to obtain the information then? So the question would be do the ends justify the means? That would apply to all things governmental/commercial I suppose.

    --
    There are no loopholes. It's either legal or it's not.
  7. Not Odd At All by jratcliffe · · Score: 4, Insightful

    "Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF)."

    This isn't odd at all. If the venue was incorrect, then all the issues raised in the trial become irrelevant.

    Think of it this way: if he'd been charged with "being a Mets fan," and the appeal was based on (a) there's no law against being a Mets fan, and (b) the evidence that he was a Mets fan (a cap) was obtained through an illegal search, then whether or not the search was illegal would be irrelevant - he had broken no law, so the "conviction" would be tossed out.

    1. Re:Not Odd At All by bruce_the_loon · · Score: 2

      An opinion on the law being violated was given in footnote 5 on page 12 of the judgement. It suggests he is not guilty of the charge.

      --
      Trying to become famous by taking photos. Visit my homepage please.
  8. I hope you don't work for the NSA... by American+Patent+Guy · · Score: 2

    From the decision: "To be found guilty, the Government must prove that the defendant (1) intentionally (2) accessed without authorization (or exceeded authorized access to) a (3) protected computer and (4) thereby obtained information." I haven't read this particular law, but I doubt that it has a provision that gives blanket immunity to government agents/employees. The minute you step over the line of unauthorized access to a computer (assuming you don't have a warrant), you've just committed a crime.

    Ooooooh ... where's my popcorn?!

  9. Re:sad day for those who don't like 4chan trolls by Shakrai · · Score: 2, Insightful

    Not liking someone isn't a good enough reason to put them in jail.

    He deserved to go to jail. Read the body of evidence against him. This wasn't a simple exposure of a security flaw in AT&T's website. He took deliberate actions to maximize the collection of information, bypassed security measures to obtain said information (that the security measures were woefully inadequate is beside the point, deliberate actions were required to bypass them), and discussed ways to use the obtained information for personal profit with his co-conspirator.

    None of that is to suggest that I agree with dragging him halfway across the country, or even with the Feds getting involved in the first place. His home state (Arkansas) has a computer trespass statute that would have been sufficient to prosecute him under, or the Feds could have at least tried him in his own district. I suspect that the former is what may happen now, since double jeopardy won't apply to a State level prosecution, and if it shakes out fairly he'll get credit for the time served in Federal prison without additional jail/prison time being imposed. First time offender and a non-violent crime after all...

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  10. Re:sad day for those who don't like 4chan trolls by mmell · · Score: 2

    Not liking someone isn't a good enough reason to put them in jail.

    He didn't say it never happens. He said it isn't a good enough reason for it to happen.

  11. Not just the Declaration by T.E.D. · · Score: 3, Interesting
    He wasn't kidding in the slightest about venue being a big issue in our break with Britain. You can find the issue at least alluded to as a grievance in just about any pre-war document. My favorite is Franklin's sarcastic Rules by Which a Great Empire May Be Reduced to a Small One

    This King, these Lords, and these Commons, who it seems are too remote from us to know us and feel for us, cannot take from us ... our Right of Trial by a Jury of our Neighbours. ... To annihilate this Comfort, ... let there be a formal Declaration of both Houses, that Opposition to your Edicts is Treason, and that Persons suspected of Treason in the Provinces may, according to some obsolete Law, be seized and sent to the Metropolis of the Empire for Trial; and pass an Act that those there charged with certain other Offences shall be sent away in Chains from their Friends and Country to be tried in the same Manner for Felony. Then erect a new Court of Inquisition among them, accompanied by an armed Force, with Instructions to transport all such suspected Persons, to be ruined by the Expence if they bring over Evidences to prove their Innocence, or be found guilty and hanged if they can’t afford it.

    (emphasis his)

  12. Re:sad day for those who don't like 4chan trolls by bzipitidoo · · Score: 3, Informative

    that the security measures were woefully inadequate is beside the point

    On the contrary, we cannot have the law being abused to take the place of security. Too many people would fake the security and rely on the law to make it work. Too many are already doing exactly that. It's a costly and unreasonable burden upon the public. Pay for your own security. That includes designing a reasonable system, implementing it properly so that it actually works, and performing tests and audits. Just because perfection is hard is no reason to excuse sloppy security work. DRM, for instance, fails the reasonability requirement. We have had our publicly funded police forces and courts misused to confiscate prescription drugs, improperly demand license fees from users rather than producers (SCO scared and bullied a few users into paying for a license to use Linux), and of course conduct a massive campaign to hold back technology in the name of stopping piracy. ISPs are pretty well free of being burdened with requirements to keep years and years of logs, for fishing expeditions, but there is still danger it could become the law.

    It is also better not to have doubt about whether some security effort was meant to be real but was bungled, or was indeed faked and, after being breached, is claimed to have been a real effort all along and therefore the breaches are worthy of prosecution. This is especially true on a system that is not experimental, but is instead an implementation of well known, effective methods. AT&T wasn't doing anything new, no, they just plain blew it. Saves us all a lot of time and money arguing over a pointless aside.

    We even have cases of security law being gamed. We don't need someone setting up a honey pot to snare particular victims, then running to the law to complain that mean, bad people broke in, ask that the seeming perpetrators be thrown in prison, and kick back and watch as the full paranoia and wrath of the law is released upon their enemies.

    Owners should install working locks on their doors and use them, not demand that the government spend enough money, no matter how much, to watch every door all the time because they can't be bothered to spend the trivial amount of money needed to have a working lock.

    --
    Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
  13. Re:Details on the exploit? by PRMan · · Score: 4, Informative

    Basically, they tried to put an unlimited iPad SIM card in a PC. They disassembled the driver to find out how it authorized them and realized that there was no security, it just went to a hidden website. They went to the website and it didn't work but then they changed their agent string in their browser to impersonate an iPad. At that point, it showed him his account information. After that, they just incremented the number up and down and realized that it showed them EVERYONE'S account information.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
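
To make concrete the point slimjim8094 makes above (the server never checked whether the requester was the customer, only that the request was well-formed) and the procedure PRMan summarises (spoof the iPad User-Agent, then step the ICC-ID up and down), here is an added example, not code from the thread or from AT&T, that models that lookup as a small Python service. `lookup_vulnerable` treats a spoofable header plus a guessable identifier as identity; `lookup_hardened` derives identity from an authenticated session and refuses any ICC-ID not bound to that session; `enumerate_ids` runs the sequential sweep against either handler; and `flag_enumerators` shows the detection side, parsing constructed access-log lines and flagging a source that asks for many distinct, consecutive identifiers. All account data, tokens, header names, the log format and the threshold are constructed for illustration and are assumptions of this example.

```python
"""Identifier-as-authenticator flaw of the kind described in the thread,
modelled as a toy lookup service, beside the hardened form and a detector
for the sequential enumeration that harvests it.

Added example: the accounts, tokens, header names, log format and
threshold below are constructed for illustration, not AT&T's."""
import re
from collections import defaultdict

# Constructed sample data: ICC-ID -> e-mail. The identifiers are sequential,
# as SIM identifiers typically are, which is what makes enumeration cheap.
ACCOUNTS = {f"890141000000000{i:04d}": f"user{i}@example.com" for i in range(1, 6)}

# Constructed authenticated sessions: bearer token -> ICC-ID it was issued for.
SESSIONS = {"tok-a1": "8901410000000000001", "tok-b2": "8901410000000000002"}

ICCID_RE = re.compile(r"^\d{19,20}$")


def lookup_vulnerable(headers, params):
    """Weak form: trusts a spoofable header plus a guessable identifier."""
    if "iPad" not in headers.get("User-Agent", ""):
        return None  # the only 'check': the client claims to be an iPad
    return ACCOUNTS.get(params.get("ICCID"))


def lookup_hardened(headers, params):
    """Hardened form: identity comes from an authenticated session, and the
    requested identifier must be the one bound to that session. The
    User-Agent is not consulted at all, since any client can set it."""
    token = headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return None
    bound_iccid = SESSIONS.get(token[len("Bearer "):])
    if bound_iccid is None:
        return None
    iccid = params.get("ICCID", "")
    if not ICCID_RE.match(iccid) or iccid != bound_iccid:
        return None  # valid session, but asking for someone else's record
    return ACCOUNTS.get(iccid)


def enumerate_ids(lookup, start, count, headers):
    """Sequential sweep of the kind the thread describes: step the ICC-ID
    and keep every record the service hands back."""
    found = {}
    for i in range(count):
        iccid = str(int(start) + i)
        email = lookup(headers, {"ICCID": iccid})
        if email:
            found[iccid] = email
    return found


def flag_enumerators(log_lines, max_distinct=3):
    """Detection side: parse constructed access-log lines of the form
    '<src_ip> ICCID=<digits>' and report sources that requested more than
    max_distinct identifiers, noting whether the set was consecutive."""
    seen = defaultdict(set)
    for line in log_lines:
        m = re.match(r"^(\S+) ICCID=(\d{19,20})$", line.strip())
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    flagged = {}
    for src, ids in seen.items():
        if len(ids) > max_distinct:
            ordered = sorted(ids)
            sequential = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
            flagged[src] = {"distinct": len(ids), "sequential": sequential}
    return flagged


if __name__ == "__main__":
    spoofed = {"User-Agent": "Mozilla/5.0 (iPad; CPU OS 3_2 like Mac OS X)"}
    print("weak handler, spoofed UA:", enumerate_ids(lookup_vulnerable, "8901410000000000001", 10, spoofed))
    print("hardened, spoofed UA only:", enumerate_ids(lookup_hardened, "8901410000000000001", 10, spoofed))
    # Constructed log: one source stepping five consecutive IDs, one normal client.
    logs = [f"203.0.113.9 ICCID={8901410000000000000 + i}" for i in range(1, 6)]
    logs.append("198.51.100.4 ICCID=8901410000000000002")
    print("flagged sources:", flag_enumerators(logs))
```

Running it shows the sweep harvesting every record from the weak handler and nothing from the hardened one unless the caller presents a session, in which case it gets back only its own record. The threshold is deliberately low for the toy data; in practice the signal worth alerting on is the count of distinct identifiers per source combined with their consecutiveness, because a legitimate client produces neither.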