On Friday, the Department of Justice filed its appellee brief before the U.S. Court of Appeals for the Third Circuit in United States v. Auernheimer. We expect to see a lot of commentary on the case from others – the brief has already been called out for being almost double the limit allowed under the Federal Rules of Appellate Procedure – but I wanted to specifically mention the government's comments concerning the amicus brief that the DMLP filed in this case with help from our good friends at the Cyberlaw Clinic.
To quickly summarize our earlier coverage, the case concerns Andrew "Weev" Auernheimer, a well-known grey hat hacker and activist. Auernheimer was indicted in January 2011 after he and a partner discovered a critical security oversight in AT&T's website for for its iPad customers. The website allowed any person browsing the Internet to see AT&T customer email addresses when they entered a URL that included that user's iPad device ID number. Auernheimer's partner, Daniel Spitler, designed a script that would systematically generate such URLs, thus allowing them to build a database of all of the emails that AT&T disclosed through its data mismanagement.
Under the government's theory in this case, this access of AT&T's website constituted a misdemeanor under the Computer Fraud and Abuse Act ("CFAA"). This alone is quite a troubling interpretation of the statute (as many have said), but what prompted the DMLP to get involved in this case is what the government did next.
When Auernheimer obtained the list of addresses, he contacted the media website Gawker, explaining AT&T's security mismanagement and using the email addresses as substantiation of his discovery. He also used the emails he obtained to contact some media organizations whose emails were exposed directly, offering to share how he did what he did. (Gawker published a story based on this disclosure in June 2010, using the data Auernheimer provided to illustrate how dangerous AT&T's mistakes were.) In punishing Auernheimer for this, the government decided to adopt the unprecedented view that this disclosure transformed the misdemeanor into a felony, because the access was done in furtherance of another crime. The other crime he allegedly furthered? The New Jersey state equivalent of the federal CFAA, which is substantively identical to the CFAA, save the requirement that the intruder must also disclose the data he obtained to another.
In our amicus brief, the DMLP argued that this theory – taking a misdemeanor and turning it into a felony because he disclosed what he found to the press – mandated First Amendment scrutiny, and court precedent indicates that such escalation of punishment would be unconstitutional in this case.
As we explain in our brief, laws that govern access to private spaces and information, generally speaking, do not present a First Amendment problem like this one, as most laws in this space only punish unlawful access and assign punishment based on the intrusion alone. That said, in the rare instances where a party has tried to punish both unlawful access and disclosure of information at the same time, or tried to "count" damages based on the disclosure of unlawfully-obtained information when calculating the harm of the unauthorized access, courts have been careful to separate the two. As the Fourth Circuit and the Supreme Court of California have said before, courts should not punish the disclosure of information – even when obtained unlawfully – unless it is separately found that the speech in question is separately unprotected under First Amendment doctrine. These cases addressed persons who unlawfully obtained information (due to a breach of a duty of loyalty and intrusion upon seclusion), but in each case the courts declined to include the damage that flowed from the disclosure of the information when calculating the harm caused by the unlawful access.
The government's brief argues against this precedent, insisting that Auernheimer's (allegedly) unlawful acquisition should terminate all First Amendment consideration. They argue:
Auernheimer could have gone to a reporter and described in detail the security flaws in AT&T’s server and the exact procedures he and Spitler took to breach AT&T’s security. What he could not do, and what is not subject to First Amendment protection, is disclose the personal identifying information that he and Spitler obtained as a result of their breach of AT&T’s security.
This presupposes the legal analysis, of course, and when one looks at the actual caselaw the opposite conclusion is reached. Admittedly, the Supreme Court has never squarely addressed whether the unlawful obtaining of information taints its future disclosure. But the courts that have considered this question reject that notion (see the cases above), and the Supreme Court itself has said that, absent a state interest of the highest order, a person cannot be punished for publishing true information on a matter of public concern. This was undoubtedly true and newsworthy information – the prosecution stated as such during the trial, and its disclosure lead to a panoply of other reporting, including criticism of AT&T's data practices, reporting on how AT&T's practices impacted the average iPad user, discussion of what companies can do to avoid comparable mistakes in their own systems, and recognition of Auernheimer's public service in disclosing this information.
The government shows no interest that overcomes this. Instead, the government appears to be drawing an analogy to the tort of public disclosure of private facts, arguing that disclosure of "personally identifying information" is per se unprotected under the First Amendment. Ignoring the facial absurdity of that statement (speech does not lose protection because it identifies a person), and as we argued in our brief, the Third Circuit has previously noted that punishing a defendant for publishing private facts requires a court to balance the injury suffered with the interests of the public in receiving that information; disclosing newsworthy information like this, even if embarrassing, cannot be punished.
As we further argued at some length, it is important that courts take care not to punish speech like Auernheimer's, as it is vital to our understanding of how Internet security works, as it informs us of the exact nature and extent of data security issues. The government's brief counters this argument in a footnote:
DMLP suggests that the reporter at Gawker needed the personal identifying information to substantiate Auernheimer’s claims. […] The mere fact that a reporter requests a certain type of verification does not confer a license to do so. Certainly the reporter had other ways to verify Auernheimer’s story. He could have gone to a computer expert to examine Spitler’s slurper program and determine whether it would have worked. He could have contacted some of the victims to whom Auernheimer had sent e-mails and verified whether their security had been breached. While disclosing the personal identifying information of individuals was no doubt easy for Auernheimer and the reporter, it was not required for this story to become public.
There's some clever rhetoric in this paragraph that, once distilled, shows the weakness of this argument. "[T]hat a reporter requests a certain type of verification does not confer a license to do so" is a conclusory statement at best, and non sequitur at worst. Saying this is "not required for this story to become public" is far short of arguing that it is "not protected," and reverses the general rule of the First Amendment – we tend to only allow restraint of speech when it is necessary to do so; we do not limit protection of speech only to when it necessary for a speaker's message. Such a rule impermissibly substitutes the judgment of a court for the judgments of the press and the public. Courts that have addressed arguments like the government's here – seeking to carefully slice away a defendant's particular behavior while seeming not to disrupt the general interests of journalism – have correctly rejected them. This includes the Tenth Circuit, which noted that primary source material "heighten[s] the report's impact and credibility," and the Fifth Circuit, which noted that specific details related to the event in that case had "importance to the credibility and persuasive force of the story."
The theories put forth by the government are similarly incoherent on the facts. Gawker would only know the emails of victims by seeing Auernheimer's list, and the victims themselves would not know if their emails had been disclosed even after Auernheimer obtained them. Furthermore, asking Gawker to verify a story based only on scrutiny of the script used itself is a needless crippling of the verification process: either the computer expert would use the script to test its utility, repeating Auernheimer's actions, or they would be left to make an educated guess, which is by its very nature a lesser substantiation of the facts.
As a final argument, the government attempted to distinguish the Fourth Circuit case Ostergren v. Cuccinelli, a case concerning the First Amendment right to publish Social Security Numbers of government officials obtained off of public-facing state websites, as a way of calling out the state's poor data security practices. There is great irony in their attempt to distinguish Ostergren, which they do by saying that the defendant there "simply republished documents that the State had disclosed publicly." A review of that case shows that the State of Virginia "disclosed publicly" that information in about the same way that AT&T disclosed the information here: inadvertently, on websites that were not publicly accessible through common search techniques but nevertheless available. To call the Ostergren disclosure "public" seems to undercut their CFAA argument altogether.
For more, feel free to review all of the briefing in this case on our Threats Database page. We look forward to sharing more as the Third Circuit takes up this important issue.
Andy Sellars is a staff attorney with the Digital Media Law project, and the Dunham First Amendment Fellow at the Berkman Center for Internet & Society.