Appellants and amici briefs are now in at the Third Circuit on the appeal of Andrew Auernheimer’s conviction for somehow violating the Computer Fraud and Abuse Act. I say “somehow” as the government was never pinned down on whether it was exceeding authorized access or unauthorized access. But they were clear that what he did was wrong, wrong enough to get him convicted and sentence to 41 months imprisonment.
Weev didn’t help himself. Whether he wanted to be a martyr to the cause of geekdom or just unwilling to win except on his terms isn’t clear. But his lawyer, Tor Eckland, couldn’t control him, and had enough on his hands trying to defend Weev in what I believe to be his first trial*. While the prosecution was huge within the computer hacker community, it didn’t garner the attention of Lori Drew’s prosecution, lacking a dead child. But make no mistake, Weev’s prosecution raises issues of monumental significance for all computer users.
Orin Kerr, who joined the defense team on appeal, gives a summary of the case.
Here are the basic facts. When iPads were first released, iPad owners could sign up for Internet access using AT&T. When they signed up, they gave AT&T their e-mail addresses. AT&T decided to configure their webservers to “pre load” those e-mail addresses when it recognized the registered iPads that visited its website. When an iPad owner would visit the AT&T website, the browser would automatically visit a specific URL associated with its own ID number; when that URL was visited, the webserver would open a pop-up window that was preloaded with the e-mail address associated with that iPad.
The basic idea was to make it easier for users to log in to AT&T’s website: The user’s e-mail address would automatically appear in the pop-up window, so users only needed to enter in their passwords to access their account. But this practice effectively published the e-mail addresses on the web. You just needed to visit the right publicly-available URL to see a particular user’s e-mail address. Spitler realized this, and he wrote a script to visit AT&T’s website with the different URLs and thereby collect lots of different e-mail addresses of iPad owners. And they ended up collecting a lot of e-mail addresses — around 114,000 different addresses — that they then disclosed to a reporter. Importantly, however, only e-mail addresses were obtained. No names or passwords were obtained, and no accounts were actually accessed.
Or to put it a bit more succinctly, Weev and Spitler stumbled on pages that were publicly accessible, but AT&T figured no one would find because there was no way to access them other than to have its iPad or, as stumble on them. They then did what geeks do, and exploited their discovery to see how far they could go. Rather than hand it over nicely to AT&T so it could cover its tracks and deny its screw-up, they gave it to a reporter to publish. AT&T was pissed, and the government was happy to prosecute as payback for quick and easy disclosure of your cellular communications the heinous crime of publicly embarrassing AT&T for being a computer idiot.
The appellant’s brief, after a disturbing opening to the main argument that repeats the conventional wisdom from 1986 analogizing computers to physical trespass, takes the view that this just isn’t a crime. As the pages were public, it cannot be unlawful access. The brief reads more academic than advocate, but does an admirable job of making its points.
There are two amici briefs, one arguing that this is how everybody uses the internet, and the other arguing that this is how sophisticated internet security experts use the internet, both reaching the same conclusion that affirmance of Weev’s conviction would criminalize normal and lawful practices.
As everybody else involved relies on analogies, it seems appropriate despite my view that it’s critical to stop using real world analogies to explain digital world conduct, to do the same. The prosecution’s argument is that just because someone leaves their door unlocked doesn’t mean a person can walk in and take what he wants. The defense argument is that when someone leaves their stuff in front of a picture window, passersby commit no crime by looking in and seeing what the person put on display. Neither analogy strikes me as fully satisfying.
The question for the rest of us is where the line is drawn between lawful and unlawful conduct based on a law crafted at the birth of public computer use and before there was any world wide web to consider. The language of the CFAA fails miserably to provide an answer, and there is certainly no “originalist” view since there was no internet in existence. What we are left with is empty, meaningless language being shoehorned into technology that didn’t exist. It might have seemed like a good idea back in 1986, but we’re paying for it now.
Nonetheless, Congress can’t be bothered to do its job of crafting a law that might apply, and the court is left with trying to decipher criminality from inapt words and their limited grasp of how the tubes work (or that of their kids, their law clerks, or maybe the kid down the street).
The prosecution has a huge glaring hole that needs answering: Is there any middle ground for a URL that can be accessed without hacking a password but is otherwise not intended to be found, accessed or used except by a discrete, chosen group of users? The government wants the crime to depend on the subjective and transitory intent of the website owner, where “unauthorized” is defined as undesired. The defense wants a brightline test that says if it can be publicly accessed, then there can be no crime.
The government’s position is not only untenable, but presents a threat to users that can’t be tolerated. And indeed, it’s so highly subjective, and selective, that it ignores that Google et al. violate it constantly with impunity. Do we want cookies and bots crawling all over us, capturing our personal info to feed back to people so they can sell us crap? I don’t think so. But it prevailed below anyway.
The problem now is that the burdens shift on appeal, and it’s the appellant’s position that will be subject to scrutiny. Is there no limit to what we can access on the internet, as long as we don’t hack the password? What if all the surrounding circumstances leave us with no doubt that the website owner doesn’t want anybody coming in uninvited, so that no reasonable person can not be aware that he’s entering a URL where he isn’t welcome? Is that still okay?
Since the lines are drawn at polar extremes, and the arguments remain couched in poor analogies, and the judges will have a terrible time getting into the mindset of sophisticated computer users who think nothing of screwing around with user agents to see what they can find, and Weev felt compelled to handle himself in the typical, snarky, computer whizkid way that tends to just piss the crap out of everybody who isn’t a snarky computer whizkid, this is going to be a tough fight.
But there remains one detail that I would have pounded hard, far harder than either the appellant or amici. Fair notice requires that the language of the CFAA, for smarter or stupider, state clearly what constitutes criminal conduct so that a person will know what not to do. By the Rule of Lenity, the failure of the law to adequately define a crime given the state of technology as it currently exists must resolve all ambiguities in favor of the defendant.
While no one knows what Congress might do if it is forced to recraft the CFAA, and they could make it even worse, what seems clear now is that it is far too unclear to imprison anyone whose conduct falls within that middle ground of not hacking a password and breaking through a brick wall. Maybe they would criminalize what happened here, but until the law makes clear where the line is drawn, the government can’t just make it up at will. And the Third Circuit should not be so activist as to give a 2013 meaning to a 1986 law that the government pulls out of its butt to nail Weev.
Weev’s conviction must be reversed, despite his attitude and mouth, because the rest of us used the internet too and if Weev is a criminal, so too are we all.
* I hasten to add, lest anyone think otherwise, that I think Tor did an exceptional job with this case, even the more remarkable given the circumstances.
Update: Via Volokh, the amicus brief of the National Association of Criminal Defense Lawyers has just become available. While I’m still going through it, my initial impression is that it’s excellent, and fills in some of the gaps in the other briefs. Notably, putting them all together, the argument on behalf of Weev is overwhelming.