It’s Not Easy Being Weev (Update)

Appellant’s and amici briefs are now in at the Third Circuit on the appeal of Andrew Auernheimer’s conviction for somehow violating the Computer Fraud and Abuse Act. I say “somehow” as the government was never pinned down on whether it was exceeding authorized access or unauthorized access. But they were clear that what he did was wrong, wrong enough to get him convicted and sentenced to 41 months imprisonment.

Weev didn’t help himself. Whether he wanted to be a martyr to the cause of geekdom or was just unwilling to win except on his terms isn’t clear. But his lawyer, Tor Ekeland, couldn’t control him, and had enough on his hands trying to defend Weev in what I believe to be his first trial*. While the prosecution was huge within the computer hacker community, it didn’t garner the attention of Lori Drew’s prosecution, lacking a dead child. But make no mistake, Weev’s prosecution raises issues of monumental significance for all computer users.

Orin Kerr, who joined the defense team on appeal, gives a summary of the case.


Here are the basic facts. When iPads were first released, iPad owners could sign up for Internet access using AT&T. When they signed up, they gave AT&T their e-mail addresses. AT&T decided to configure their webservers to “pre load” those e-mail addresses when it recognized the registered iPads that visited its website. When an iPad owner would visit the AT&T website, the browser would automatically visit a specific URL associated with its own ID number; when that URL was visited, the webserver would open a pop-up window that was preloaded with the e-mail address associated with that iPad.

The basic idea was to make it easier for users to log in to AT&T’s website: The user’s e-mail address would automatically appear in the pop-up window, so users only needed to enter in their passwords to access their account. But this practice effectively published the e-mail addresses on the web. You just needed to visit the right publicly-available URL to see a particular user’s e-mail address. Spitler realized this, and he wrote a script to visit AT&T’s website with the different URLs and thereby collect lots of different e-mail addresses of iPad owners. And they ended up collecting a lot of e-mail addresses — around 114,000 different addresses — that they then disclosed to a reporter. Importantly, however, only e-mail addresses were obtained. No names or passwords were obtained, and no accounts were actually accessed.


Or to put it a bit more succinctly, Weev and Spitler stumbled on pages that were publicly accessible, but AT&T figured no one would find them because there was no way to reach them other than to have an iPad or, as here, to stumble on them. They then did what geeks do, and exploited their discovery to see how far they could go. Rather than hand it over nicely to AT&T so it could cover its tracks and deny its screw-up, they gave it to a reporter to publish. AT&T was pissed, and the government was happy to prosecute, as payback for quick and easy disclosure of your cellular communications, the heinous crime of publicly embarrassing AT&T for being a computer idiot.
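As an added illustration, not code from the post, from AT&T or from any of the briefs: a minimal model of the pre-load pattern Kerr describes above, beside a hardened version and a log check a site operator could run. The endpoint path `/preload`, the `id` parameter, the cookie name `preload_token`, the device ids, e-mail addresses and access-log lines are all constructed for this example.

```python
"""Model of the pre-load pattern described above: an endpoint that discloses an
e-mail address from a client-supplied device id, a hardened variant keyed on an
unguessable token, and a log check for id enumeration. All data is constructed."""

import re
import secrets
from collections import defaultdict
from typing import Dict, Iterable, Optional
from urllib.parse import parse_qs, urlparse

# Constructed registration table (device id -> e-mail); not real subscribers.
REGISTRATIONS: Dict[str, str] = {
    "1000000001": "alice@example.com",
    "1000000002": "bob@example.com",
    "1000000003": "carol@example.com",
}


def _query_id(url: str) -> Optional[str]:
    """Return the `id` query parameter of a URL, or None if absent."""
    return parse_qs(urlparse(url).query).get("id", [None])[0]


def preload_email_vulnerable(url: str) -> Optional[str]:
    """The pattern the post describes: identity comes from the URL alone.

    Device ids are sequential and the page needs no credential, so any visitor
    who supplies a valid id is handed the matching address."""
    return REGISTRATIONS.get(_query_id(url))


# Hardened variant: the browser must present a random token issued at
# registration (hypothetical cookie `preload_token`), never a guessable id.
PRELOAD_TOKENS: Dict[str, str] = {}  # token -> device id


def issue_preload_token(device_id: str) -> str:
    """Mint a 256-bit random token for a registered device and remember it."""
    if device_id not in REGISTRATIONS:
        raise KeyError(device_id)
    token = secrets.token_urlsafe(32)
    PRELOAD_TOKENS[token] = device_id
    return token


def preload_email_hardened(cookies: Dict[str, str]) -> Optional[str]:
    """Pre-load only when the request carries a token we issued; any `id`
    parameter is ignored, so there is nothing sequential to walk through."""
    device_id = PRELOAD_TOKENS.get(cookies.get("preload_token", ""))
    return REGISTRATIONS.get(device_id) if device_id else None


# Constructed access-log lines in common log format.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jun/2010:10:00:01 +0000] "GET /preload?id=1000000001 HTTP/1.1" 200 512',
    '203.0.113.5 - - [09/Jun/2010:10:00:02 +0000] "GET /preload?id=1000000002 HTTP/1.1" 200 512',
    '203.0.113.5 - - [09/Jun/2010:10:00:03 +0000] "GET /preload?id=1000000003 HTTP/1.1" 200 512',
    '203.0.113.5 - - [09/Jun/2010:10:00:04 +0000] "GET /preload?id=1000000004 HTTP/1.1" 404 0',
    '198.51.100.7 - - [09/Jun/2010:10:05:00 +0000] "GET /preload?id=1000000002 HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Jun/2010:10:05:01 +0000] "GET /login HTTP/1.1" 200 2048',
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def detect_enumeration(log_lines: Iterable[str], threshold: int = 3) -> Dict[str, int]:
    """Return {client ip: distinct ids requested} for clients that asked the
    pre-load endpoint about at least `threshold` different device ids. A real
    iPad only ever asks about its own id, so a spread of ids from one client
    is the signature of a sweep like the one the post describes."""
    ids_per_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        parsed = urlparse(m.group("path"))
        if parsed.path != "/preload":
            continue
        device_id = parse_qs(parsed.query).get("id", [None])[0]
        if device_id is not None:
            ids_per_ip[m.group("ip")].add(device_id)
    return {ip: len(ids) for ip, ids in ids_per_ip.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(preload_email_vulnerable("https://att.example/preload?id=1000000002"))
    token = issue_preload_token("1000000002")
    print(preload_email_hardened({"preload_token": token}))
    print(preload_email_hardened({"preload_token": "1000000002"}))
    print(detect_enumeration(SAMPLE_LOG))
```

The design point is the one the page turns on: the vulnerable handler's only "secret" is a sequential id that the page itself treats as public, while the hardened handler ties the pre-load to something only the registered device holds. The log check is the operator's side of the same observation: one client asking about many ids is visible in ordinary access logs.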

The appellant’s brief, after a disturbing opening to the main argument that repeats the conventional wisdom from 1986 analogizing computers to physical trespass, takes the view that this just isn’t a crime. As the pages were public, it cannot be unlawful access. The brief reads more academic than advocate, but does an admirable job of making its points.

There are two amici briefs, one arguing that this is how everybody uses the internet, and the other arguing that this is how sophisticated internet security experts use the internet, both reaching the same conclusion that affirmance of Weev’s conviction would criminalize normal and lawful practices.

As everybody else involved relies on analogies, it seems appropriate, despite my view that it’s critical to stop using real world analogies to explain digital world conduct, to do the same. The prosecution’s argument is that just because someone leaves their door unlocked doesn’t mean a person can walk in and take what he wants. The defense argument is that when someone leaves their stuff in front of a picture window, passersby commit no crime by looking in and seeing what the person put on display. Neither analogy strikes me as fully satisfying.

The question for the rest of us is where the line is drawn between lawful and unlawful conduct based on a law crafted at the birth of public computer use and before there was any world wide web to consider. The language of the CFAA fails miserably to provide an answer, and there is certainly no “originalist” view since there was no internet in existence. What we are left with is empty, meaningless language being shoehorned into technology that didn’t exist. It might have seemed like a good idea back in 1986, but we’re paying for it now.

Nonetheless, Congress can’t be bothered to do its job of crafting a law that might apply, and the court is left with trying to decipher criminality from inapt words and their limited grasp of how the tubes work (or that of their kids, their law clerks, or maybe the kid down the street).

The prosecution has a huge glaring hole that needs answering: Is there any middle ground for a URL that can be accessed without hacking a password but is otherwise not intended to be found, accessed or used except by a discrete, chosen group of users? The government wants the crime to depend on the subjective and transitory intent of the website owner, where “unauthorized” is defined as undesired. The defense wants a bright-line test that says if it can be publicly accessed, then there can be no crime.

The government’s position is not only untenable, but presents a threat to users that can’t be tolerated. And indeed, it’s so highly subjective, and selective, that it ignores that Google et al. violate it constantly with impunity. Do we want cookies and bots crawling all over us, capturing our personal info to feed back to people so they can sell us crap? I don’t think so. But it prevailed below anyway.

The problem now is that the burdens shift on appeal, and it’s the appellant’s position that will be subject to scrutiny. Is there no limit to what we can access on the internet, as long as we don’t hack the password? What if all the surrounding circumstances leave us with no doubt that the website owner doesn’t want anybody coming in uninvited, so that no reasonable person could fail to be aware that he’s entering a URL where he isn’t welcome? Is that still okay?

Since the lines are drawn at polar extremes, and the arguments remain couched in poor analogies, and the judges will have a terrible time getting into the mindset of sophisticated computer users who think nothing of screwing around with user agents to see what they can find, and Weev felt compelled to handle himself in the typical, snarky, computer whizkid way that tends to just piss the crap out of everybody who isn’t a snarky computer whizkid, this is going to be a tough fight.

But there remains one detail that I would have pounded hard, far harder than either the appellant or amici. Fair notice requires that the language of the CFAA, for smarter or stupider, state clearly what constitutes criminal conduct so that a person will know what not to do. By the Rule of Lenity, the failure of the law to adequately define a crime given the state of technology as it currently exists must resolve all ambiguities in favor of the defendant.

While no one knows what Congress might do if it is forced to recraft the CFAA, and they could make it even worse, what seems clear now is that it is far too unclear to imprison anyone whose conduct falls within that middle ground of not hacking a password and breaking through a brick wall. Maybe they would criminalize what happened here, but until the law makes clear where the line is drawn, the government can’t just make it up at will. And the Third Circuit should not be so activist as to give a 2013 meaning to a 1986 law that the government pulls out of its butt to nail Weev.

Weev’s conviction must be reversed, despite his attitude and mouth, because the rest of us use the internet too, and if Weev is a criminal, so too are we all.

* I hasten to add, lest anyone think otherwise, that I think Tor did an exceptional job with this case, even the more remarkable given the circumstances.

Update: Via Volokh, the amicus brief of the National Association of Criminal Defense Lawyers has just become available. While I’m still going through it, my initial impression is that it’s excellent, and fills in some of the gaps in the other briefs. Notably, putting them all together, the argument on behalf of Weev is overwhelming.

7 comments on “It’s Not Easy Being Weev (Update)”

  1. Jack

    I am not going to comment on the law aspect of this, but as a programmer who does web security all day this is something I face all the time – and the only solution to this “problem” is due diligence – not running and crying to the government because you couldn’t be bothered to set up authentication properly. The way Weev accessed these pages is very similar to the way that a search engine accesses web pages – if Google had accidentally indexed all of these pages, I doubt Eric Schmidt would be going to jail.

    There is absolutely no need for a new law or new definition for some “middle ground” between public and private on the web – especially for this case. There are literally thousands of ways AT&T could have pre-loaded this data and properly authenticated its users to ensure that only the proper device/user combination could access the private data. They could have easily made it so Weev couldn’t have accessed this without actually “hacking” or breaking in.

    The internet is made up of a stack of protocols and languages that all have well defined standards that have existed for decades. These standards just so happen to define how to properly secure things. If someone “intends” to make something private, their ignorance of how to implement those intentions shouldn’t be protected by law. The web standards have a bright line between secure and insecure* – the law should do the same.

    Using another shitty real world analogy: If I put out a bunch of stuff on the curb and write “Free Stuff” I shouldn’t be allowed to have people who take it prosecuted because I really meant to write “This is my stuff, don’t take it”…

    * Of course there are different levels of security – but there is still a bright line between public and private. Simply not indexing a URL is NOT, by any definition, “secure.” According to every standard this is considered a public page.

  2. SHG

    Your view is very much the view of all the other sophisticated computer security people. The question remains (and the one they want an answer to) whether this is all illegal, even if they think it isn’t and shouldn’t be. Given Weev’s conviction, the answer at the moment in the Third Circuit is “yes, yes it is.”

  3. Jack

    Unfortunately, if this isn’t overturned, the entire HTTP protocol and all browsers are going to have to be rewritten to handle an additional header to provide notice whether a site is considered “public” or “private” in terms of CFAA. Since apparently you don’t need encryption, access control, or user accounts anymore to protect your private data, I’ll be out of a job pretty soon. No need to pay an expert for intentions…

    I guess the upshot is I can become a troll and start suing people for CFAA violations and “damaging” my web server by exceeding their access. Just going to my domain name doesn’t list any of my clients, but going to “/full” lists a bunch of my clients and it isn’t indexed by Google. That is the exact same “security” AT&T had in this case – so clearly all the people who went to that URL that I didn’t specifically authorize are all felons.

  4. Pingback: Why Hackers Don’t Win Too Often | Simple Justice

  5. Pingback: How The Government Explains The Internet | Simple Justice

  6. Pingback: Too Much Transparency | Simple Justice
