'weev' Conviction Vacated

← Back to Stories (view on slashdot.org)

Posted by Soulskill on Friday April 11, 2014 @05:01AM from the finally-drew-the-get-out-of-jail-free-card dept.

An anonymous reader writes "A few years back, Andrew 'weev' Auernheimer went public with a security vulnerability that made the personal information of 140,000 iPad owners available on AT&T's website. He was later sentenced to 41 months in prison for violating the Computer Fraud and Abuse Act (or because the government didn't understand his actions, depending on your viewpoint). Now, the Third U.S. District Court of Appeals has vacated weev's conviction. Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF). From the ruling: 'Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.'"

19 of 148 comments (clear)

Min score:

Reason:

Sort:

To the point... by msauve · 2014-04-11 05:09 · Score: 5, Informative

Spitler was in San Francisco, California and Auernheimer was in Fayetteville, Arkansas. The servers that they accessed were physically located in Dallas, Texas and Atlanta, Georgia. Although no evidence was presented regarding the location of the Gawker reporter, it is undisputed that he was not in New Jersey.
He was indicted and tried in NJ, despite none of the involved parties being located there.

--
"National Security is the chief cause of national insecurity." - Celine's First Law
1. Re:To the point... by NatasRevol · 2014-04-11 06:01 · Score: 4, Informative
  
  Actually AT&T exposed the emails.
  
  --
  There are two types of people in the world: Those who crave closure
2. Re:To the point... by Shakrai · 2014-04-11 06:17 · Score: 5, Informative
  
  Actually AT&T exposed the emails.
  After weev modified his user-agent to pass his browser off as an iPad, then wrote a script to throw millions of different ICC-ID codes at AT&T's servers, thereby tricking them into thinking that he was the AT&T customers whose e-mails were exposed.
  AT&T's "security" measures were woefully inadequate, but that doesn't change the fact that calculated and deliberate actions were required to obtain access to information that Mr. Auernheimer and Mr. Spitler knew they had no right to access. They both had the guilty mind (mens rea) required under our legal tradition to sustain a criminal conviction, breaking both the letter and the spirit of the law.
  
  --
  I want peace on earth and goodwill toward man.
  We are the United States Government! We don't do that sort of thing.
3. Re:To the point... by NatasRevol · 2014-04-11 06:22 · Score: 4, Informative
  
  'deliberate actions' don't meet the definition of illegal behavior though.
  They had to be 'accessed without authorization'. Sending different ICC-ID codes is NOT authorization. It's just a query. There was no actual authorization in place, and thus NO ACTUAL LAW WAS BROKEN.
  
  --
  There are two types of people in the world: Those who crave closure
4. Re:To the point... by Shakrai · 2014-04-11 06:31 · Score: 3, Interesting
  
  You're seriously going to argue that even though he had to take deliberate steps to impersonate other people he wasn't accessing information "without authorization"? That's what this boils down to at the end of the day, he tricked AT&T's web servers into thinking he was an AT&T customer, and in so doing obtained access to information about that customer. Then he wrote a script to automate the process and repeated it ~140,000 times.
  I really don't understand why people defend this kid's actions. The Federal prosecution was bullshit, this should have been charged at the State level, but to claim that he's completely innocent when he went out of his way to obtain access to information he knew he had no right to access? That's absurd.
  
  --
  I want peace on earth and goodwill toward man.
  We are the United States Government! We don't do that sort of thing.
5. Re:To the point... by NatasRevol · 2014-04-11 06:40 · Score: 4, Interesting
  
  Well, not me, but the appeals court certainly did.
  This paragraphy is on page 10 of the ruling:
  
  The charged portion of the CFAA provides that
  “[w]hoever . . . intentionally accesses a computer without
  authorization or exceeds authorized access, and thereby
  obtains . . . information from any protected computer . . . shall
  be punished as provided in subsection (c) of this section.” 18
  U.S.C. 1030(a)(2)(C). To be found guilty, the Government
  must prove that the defendant (1) intentionally (2) access
  edwithout authorization (or exceeded authorized access to) a
  (3)protected computer and(4) thereby obtained information
  Then his paragraph is on page 12 of the ruling:
  
  Because neither Auernheimer nor his co-conspirator
  Spitler performed any “essential conduct element” of the
  underlying CFAA violation or any overt act in furtherance of
  the conspiracy in New Jersey, venue was improper on count
  one.
  
  I guess you're smarter than them.
  Also, if passing a phone identifier to a query of a web server could access all this information, is that really a 'protected computer'? I'd say no.
  
  --
  There are two types of people in the world: Those who crave closure
6. Re:To the point... by Shakrai · 2014-04-11 06:56 · Score: 3, Insightful
  
  Venue was improper. That doesn't mean he isn't guilty, it just means the Federal Government was inept (shocker, I know) and has managed to turn a common criminal into a martyr because they were too stubborn to simply turn this matter over to the authorities in his home state. I suspect the Feds will just prosecute him again in his home Federal District, wherein he will be convicted, though if they were smart they'd let the State authorities handle this matter. AR has a non-controversial computer trespass law that would cover his actions here.
  
  Also, if passing a phone identifier to a query of a web server could access all this information, is that really a 'protected computer'? I'd say no.
  And you'd be wrong. You're looking at this from the geek perspective, rather than the legal perspective. Google the reasonable person standard and mens rea, those are two of the most important building blocks of our legal system. Bottom line: He knowingly accessed information that a reasonable person would have known they weren't entitled to access. He did so by tricking AT&T's servers into thinking he was someone other than himself. The icing on the cake were his own words entered into evidence, wherein he admitted that he knew he wasn't entitled to access the information.
  Don't take my word for any of this, go read the body of evidence against him. It's all publicly accessible via PACER.
  
  --
  I want peace on earth and goodwill toward man.
  We are the United States Government! We don't do that sort of thing.
7. Re:To the point... by American+Patent+Guy · 2014-04-11 07:57 · Score: 3, Informative
  
  Going a little further: the decision at the bottom of page 15 hints that the litmus test of whether venue would be proper where the server is located is whether there was "some sense of venue having been freely chosen by the defendant." Here, the defendant may not have even known where the server was located. (Do you know where all the servers you access are located when you're using the Internet?) I think the prosecutor would have to show that knowledge on the part of the defendant before he could show that venue was proper.
  Venue is a tricky subject. It is a favorite for law school professors to test upon. I wouldn't presume to ever completely know the subject.
8. Re:To the point... by mjtaylor24601 · 2014-04-11 08:05 · Score: 3, Informative
  
  neither Auernheimer nor his co-conspirator Spitler performed any “essential conduct element” of the underlying CFAA violation
  If that's not a 'not guilty' by a court that's not passing actual judgement, I don't know what is.
  Not that I have a particular opinion on the specifics of this case but I think you may have truncated that quote a few words to early
  
  Because neither Auernheimer nor his co-conspirator Spitler performed any “essential conduct element” of the underlying CFAA violation in New Jersey, venue was improper
  I read that to mean "no crime was committed in New Jersey" not "no crime took place".
  
  --
  I wish I were as sure of anything as some people are of everything
Re:sad day for those who don't like 4chan trolls by bmajik · 2014-04-11 05:12 · Score: 4, Insightful

Not liking someone isn't a good enough reason to put them in jail.
Usually. For now.

--
My opinions are my own, and do not necessarily represent those of my employer.
Or in legal parlance by korbulon · 2014-04-11 05:15 · Score: 4, Funny

They invoked the writ of Copus Outus.
1. Re:Or in legal parlance by krlynch · 2014-04-11 05:17 · Score: 5, Informative
  
  Which is more officially the Doctrine of Constitutional Avoidance: http://en.wikipedia.org/wiki/C...
Re:sad day for those who don't like 4chan trolls by roc97007 · 2014-04-11 05:21 · Score: 5, Funny

From a practical standpoint, it depends on who doesn't like him.

--
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
What happens now? by gnasher719 · 2014-04-11 05:22 · Score: 4, Interesting

From Wikipedia: "Relief from judgment of a United States District Court is governed by Rule 60 of the Federal Rules of Civil Procedure.[1] The United States Court of Appeals for the Seventh Circuit noted that a vacated judgment "place[s] the parties in the position of no trial having taken place at all; thus a vacated judgment is of no further force or effect."[2] Thus, vacated judgments have no precedential effect.[3]"

That seems to say that he is now in a legal position as if the trial had never taken place. So can he be taken to court in the proper place now?
1. Re:What happens now? by bruce_the_loon · 2014-04-11 05:43 · Score: 3, Informative
  
  If he is retried, he can bring into evidence footnote 5 on page 12 of the judgement where the judges advanced the opinion that he was innocent of the accessing without authorization or in excess of authorization charge because there was no password or code barrier and the program accessed a publicly facing interface and retrieved information that AT&T unintentionally published. It reads that even if they found the venue as correct, they would have vacated the guilty verdict because of that.
  
  --
  Trying to become famous by taking photos. Visit my homepage please.
Not Odd At All by jratcliffe · 2014-04-11 05:27 · Score: 4, Insightful

"Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF)."
This isn't odd at all. If the venue was incorrect, then all the issues raised in the trial become irrelevant.
Think of it this way: if he'd been charged with "being a Mets fan," and the appeal was based on (a) there's no law against being a Mets fan, and (b) the evidence that he was a Mets fan (a cap) was obtained through an illegal search, then whether or not the search was illegal would be irrelevant - he had broken no law, so the "conviction" would be tossed out.
Not just the Declaration by T.E.D. · 2014-04-11 06:25 · Score: 3, Interesting

He wasn't kidding in the slightest about venue being a big issue in our break with Britain. You can find the issue at least alluded to as a grievance in just about any pre-war document. My favorite is Franklin's sarcastic Rules by Which a Great Empire May Be Reduced to a Small One

This King, these Lords, and these Commons, who it seems are too remote from us to know us and feel for us, cannot take from us ... our Right of Trial by a Jury of our Neighbours. ... To annihilate this Comfort, ... let there be a formal Declaration of both Houses, that Opposition to your Edicts is Treason, and that Persons suspected of Treason in the Provinces may, according to some obsolete Law, be seized and sent to the Metropolis of the Empire for Trial; and pass an Act that those there charged with certain other Offences shall be sent away in Chains from their Friends and Country to be tried in the same Manner for Felony. Then erect a new Court of Inquisition among them, accompanied by an armed Force, with Instructions to transport all such suspected Persons, to be ruined by the Expence if they bring over Evidences to prove their Innocence, or be found guilty and hanged if they can’t afford it.

(emphasis his)
Re:sad day for those who don't like 4chan trolls by bzipitidoo · 2014-04-11 07:27 · Score: 3, Informative

that the security measures were woefully inadequate is beside the point
On the contrary, we cannot have the law being abused to take the place of security. Too many people would fake the security and rely on the law to make it work. Too many are already doing exactly that. It's a costly and unreasonable burden upon the public. Pay for your own security. That includes designing a reasonable system, implementing it properly so that actually works, and performing tests and audits. Just because perfection is hard is no reason to excuse sloppy security work. DRM, for instance, fails the reasonability requirement. We have had our publicly funded police forces and courts misused to confiscate prescription drugs, improperly demand license fees from users rather than producers (SCO scared and bullied a few users into paying for a license to use Linux), and of course conduct a massive campaign to hold back technology in the name of stopping piracy. ISPs are pretty well free of being burdened with requirements to keep years and years of logs, for fishing expeditions, but there is still danger it could become the law.
It is also better not have doubt about whether some security effort was meant to be real but was bungled, or was indeed faked and, after being breached, is claimed to have been a real effort all along and therefore the breaches are worthy of prosecution. This is especially true on a system that is not experimental, but is instead an implementation of well known, effective methods. AT&T wasn't doing anything new, no, they just plain blew it. Saves us all a lot of time and money arguing over a pointless aside.
We even have cases of security law being gamed. We don't need someone setting up a honey pot to snare particular victims, then running to the law to complain that mean, bad people broke in, ask that the seeming perpetrators be thrown in prison, and kick back and watch as the full paranoia and wrath of the law is released upon their enemies.
Owners should install working locks on their doors and use them, not demand that the government spend enough money, no matter how much, to watch every door all the time because they can't be bothered to spend the trivial amount of money needed to have a working lock.

--
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
Re:Details on the exploit? by PRMan · 2014-04-11 08:04 · Score: 4, Informative

Basically, they tried to put an unlimited iPad SIM card in a PC. They disassembled the driver to find out how it authorized them and realized that there was no security, it just went to a hidden website. They went to the website and it didn't work but then they changed their agent string in their browser to impersonate an iPad. At that point, it showed him his account information. After that, they just incremented the number up and down and realized that it showed them EVERYONE'S account information.

--
Peter predicted that you would "deliberately forget" creation 2000 years ago...