DOJ Files Brief in Hacker's Appeal; Security Experts Disagree

Article Placeholder Image
By Gabriella Khorasanee, JD on September 27, 2013 6:59 AM

Hackers have a bad rap -- but not all hackers are bad. For instance, those wearing "white hats" are A-OK, according to the government in its recently filed appellate brief in the Auernheimer case.

Background

Andrew "Weev" Auernheimer ("Weev") is a self-proclaimed hacker who, together with a colleague, found a gap in AT&T's website that allowed him to harvest more than 100,000 email addresses of iPad users, according to The Washington Post.

Weev made the addresses available to the media (namely, Gawker), exposing the security loop hole on the AT&T website.

For that, Weev was sentenced to 41 months in prison for conspiring to violate the Computer Fraud Abuse Act ("CFAA"). Prior to sentencing, Weev stated in a press conference: "I'm going to jail for doing arithmetic."

Appellate Briefs

On July 1, Weev filed his opening brief to appeal to the Third Circuit, and last week the government filed its response. Weev argues that he merely accessed public information because AT&T did not password-protect the page where he found the email addresses.

In its 133-page brief, the government argues that weev was deceptive by spoofing a user agent and impersonating AT&T customers, according to The Washington Post.

Dangerous Precedent?

On July 8, a group of privacy experts and computer scientists filed an amicus brief in support of weev's appeal. Though many consider Weev a "jerk" (The Washington Post's words, not mine), experts agree that he should not be considered a felon. The reason? Because the way he obtained the email addresses -- through a process called "scraping" -- is widely used among businesses, journalists, academics, and security researchers.

Matt Blaze, a University of Pennsylvania computer scientist who signed on to the amicus brief told the Post: "I'm not sure how else a person would know whether or not they're supposed to access a Web site or not." Password protection, he continued, is "the standard way a Web service tells you whether you're supposed to be doing something or not."

The case will turn on how the Third Circuit chooses to define "unauthorized access" under the CFAA. While Congress has still not voted on Aaron's Law, it's up to the Third Circuit (for now) to clarify the CFAA. The outcome will have huge ramifications on many things, from company marketing research and strategies, to computer security research. Let's hope the Third Circuit doesn't cast an overly wide net.

Related Resources: