United States v. Auernheimer [1]

On January 13, 2011, Daniel Spitler and Andrew Auernheimer were indicted [2] in federal court in New Jersey for their alleged roles in a data breach that resulted in the theft of personal information of approximately 120,000 AT&T customers. They were charged with (1) conspiracy to access a computer without authorization under the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030 [3]; and (2) fraud in connection with personal information, under 18 U.S.C. § 1028 [4]. Further, the complaint stated that the conspiracy charge was in furtherance of a criminal violation of a New Jersey statute, NJSA. 2C:20-31, that criminalizes unauthorized computer access and disclosure of the accessed data, thus elevating a misdemeanor charge to a felony charge.

In the criminal complaint [2], the government alleged that hackers wrote a script called the "iPad 3G Account Slurper" after discovering that each iPad 3G user's Integrated Circuit Card Identifier ("ICC-ID"), which automatically displayed in the URL of AT&T's website when an iPad 3G connected to the site, was connected to the user's e-mail address. The complaint stated that the Account Slurper "attacked AT&T's servers, gained unauthorized access to those servers, and ultimately stole for its hacker-authors approximately 120,000 1CC-ID/email address pairings for iPad 3G customers . . . without the authorization of AT&T, Apple, or any of the individual iPad 3G users."

The complaint claimed that immediately following the theft, the hacker-authors of the Account Slurper provided the gathered information to the website Gawker, which then published the information in redacted form and identified Goatse Security, a loose association of Internet hackers including Spitler and Auernheimer, as the group that obtained the data. According to the complaint, a confidential source provided federal law enforcement with chat logs that "conclusively demonstrate[d] that defendants Spitler and Auernheimer were responsible for the data breach," listing examples from the logs such as Spitler stating he was "stepping through iPad SIM ICCIDs to harvest email addresses" and providing the script to Auernheimer. The government claimed that AT&T had spent approximately $73,000 in remedying the data breach.

On June 22, 2011, Spitler signed a plea agreement [5]. In it, he pled guilty to both counts under the condition that that U.S. Attorney for the District of New Jersey would not initiate any further charges against him for his actions relating to the unauthorized access to AT&T users' personal information.

On August 16, 2012, a grand jury returned a superseding indictment [6] against Auernheimer a/k/a "Weev" a/k/a "Weevlos" a/k/a "Escher." Under Count I, conspiracy to access a computer without authorization, the government claimed that AT&T's servers and individual iPads were considered "protected computers" under the CFAA. The government alleged that Auernheimer, in furtherance of the New Jersey statute, intentionally conspired with Spitler and others to "steal and disclose the personal identifying information of thousands of individuals, to cause monetary and reputational damage to AT&T and to create monetary and reputational benefits for themselves." Under Count II, fraud in connection with personal information, the government claimed that the defendant "knowingly transferred, possessed, and used, without lawful authority, means of identification of other persons . . . in connection with unlawful activity, specifically, the unlawful accessing of AT&T's servers."

On September 21, 2013, Auernheimer filed a motion to dismiss [7] the indictment, claiming that Count I of the indictment violated the Fifth Amendment's Due Process Clause. Auernheimer claimed that the CFAA was unconstitutionally vague as applied, as it provided no definition for unauthorized access. Thus, the motion stated, Auernheimer had no notice that the alleged unauthorized access was illegal. He claimed that Count I also violated the Fifth Amendment's Double Jeopardy Clause because the federal and state statutes for unauthorized access were "virtually identical," requiring the same facts for both the CFAA violation and the felony aggravator. "The Double Jeopardy Clause prohibits this type of bootstrapping because it charges the same criminal act twice," the motion stated, noting that the congressional intent was to "elevate CF AA misdemeanor violations to felonies only when a crime separate and distinct from the act of unauthorized access occurs."

Auernheimer's motion also stated that Count II should be dismissed because the alleged fraud relating to personal information was not "in connection with" a CFAA violation, as is required by the statute. Auernheimer claimed that the alleged CFAA violation from Count I was completed before the conduct underlying Count II began and that the "in connection with" statutory language only refers to present or future criminal acts, not prior criminal acts. Thus, the motion argued, because "the criminal activity that is in connection with the disclosure of the ICC-ID/ e-mail address pairings was finished before the disclosure occurred," Count II must be dismissed. Auernheimer alleged that Count II also violated the First Amendment because it was criminalizing the publication of "publicly available information on matters of important public concern to the press," and he claimed that venue was improper because none of the alleged criminal acts took place in New Jersey.

In response, the government filed a brief in opposition [8] of Auernheimer's motion on October 5, 2012. The government claimed that Auernheimer's void-for-vagueness argument on the reach of the CFAA failed because the definitions of "without authorization" and "exceeds authorized access" were unambiguous in the context of the statute and that other circuit courts had defined them using the terms' ordinary meanings. The government further claimed that the "intentional" mens rea requirement of the CFAA alleviates vagueness concerns because "it reduces the likelihood that a defendant will be convicted for conduct that he committed through inadvertence." The government's motion alleged that Count I did not create a double jeopardy issue because the elements and conduct required for the federal and state statutes were different. While the motion noted that the first two elements of the statutes were similar, it claimed that the New Jersey statute had an additional element-requiring proof of knowing or reckless disclosure of the data-that distinguished it from the federal statute.

With respect to Count II, the government argued that a plain reading of "in connection with" was not subject to a temporal restriction, saying that the legislative intent did not support this construction. "The statute simply criminalizes possessing means of identification of other people, which possession is connected to some other crime - here, the crime of unauthorized computer access." Even if the defendant's "cramped reading" was correct, the government noted, the indictment in this case clearly alleged that Auernheimer's possession of the "victims' e-mail addresses and ICC-IDs took place during the period of unlawful access." The government also claimed that the defendant's First Amendment challenge must fail because the ICC-ID/email pairings were confidential, not public, information, and it alleged that venue was proper because, among other things, the defendant knowingly disclosed personal identifying information for thousands of New Jersey victims.

On October 26, 2012, the court denied [9] Auernheimer's motion to dismiss. On Count I, the court found that the CFAA was not vague based on the circumstances in the case and because several courts had defined "without authorization" based on its ordinary definition. Regarding the defendant's double jeopardy argument, it held that the CFAA and N.J.S.A. 2C:20-31 did not require the same proof of conduct, as the New Jersey statute required proof of conduct-disclosure-that was not required for a CFAA offense. On Count II, the court found that Auernheimer's interpretation of "in connection with" was contrary to the statute's legislative history and unsupported by case law, as neither indicated that the language created a temporal restriction. Even if it did, the court stated, the superseding indictment alleged that at least part of Auernheimer's "unauthorized computer access overlapped with his possession and transfer of persons' identification."

Addressing the defendant's First Amendment argument, the court stated that the ICC-IDs and iPad user email addresses were not available to the public and were kept confidential by AT&T. "The very conduct at issue involves Defendant's allegedly unauthorized access to a protected computer and the subsequent transfer of such confidential information." Because the First Amendment has rarely been extended to protect speech "used as an integral part of conduct in violation of a valid criminal statute," the court noted, Auernheimer's argument failed. Further, the court found that venue was proper "because a defendant can be prosecuted in any district where the crime began, continued, or completed."

On November 20, 2012, the jury found [10] Auernheimer guilty on both counts. The jury instructions [11] and jury charge [12] detailed the law as presented by the court to the members of the jury.

On December 3, 2012, Auernheimer filed a motion for acquittal [13] under Federal Rule of Criminal Procedure 29(c). He claimed there was insufficient evidence for a rational fact finder to find a guilty verdict for both counts. The motion claimed that reasonable doubt existed "as to (1) the knowing transfer, possession, and use without lawful authority, of (2) a means of identification (3) in connection with the unlawful accessing of AT&T's servers referenced in Count One."

The court denied [14] Auernheimer's motion for acquittal on March 18, 2013. The court's judgment [15], entered on March 19, 2013, sentenced him to 41 months in prison followed by three years of supervised release. The court ordered him to pay $73,167 in restitution.

On March 21, 2013, Auernheimer filed notice [16] that he was appealing his judgment to the Third Circuit.

Auernheimer filed his opening brief [17] on appeal on July 1, 2013. In it, he claimed he had not violated the CFAA because he had visited an unprotected public webpage. He claimed that AT&T had not employed passwords or other protective measures to control access to the pages, configuring its servers to make the information available to everyone. Auernheimer alleged that AT&T had programmed its website so the user's email address associated with a particular iPad would appear automatically, and he claimed that Spitler had changed the ICC-ED number of the website by only one digit and the site "pre-populated" the login email. The brief stated, "It is irrelevant that AT&T subjectively wished that outsiders would not stumble across the data or that Auernheimer hyperbolically characterized the access as a ‘theft.'"

Auernheimer argued that the court should vacate the felony conviction and, if it found him in violation, reduce the CFAA conviction to a misdemeanor. He claimed that because the elements of the both the CFAA and the New Jersey statute were "inextricably linked," the government could not use the state offense to double-count, as the state offense would need to be independent of the CFAA violation. He also claimed that he did not violate the New Jersey statute, that he did not violate the CFAA "in connection with" another distinct and separate crime, and that venue was improper.

On July 8, 2013, four amicus briefs were filed in support of Auernheimer. The Digital Media Law Project [18] challenged the constitutionality under the First Amendment of elevating Count I from a misdemeanor to a felony based on Aurenheimer's publication of true information on a matter of public concern. The Mozilla Foundation, computer scientists, and security and privacy experts [19] argued that researchers commonly use techniques indistinguishable from the commonplace, legitimate techniques Auernheimer used and that criminalizing privacy and computer security research in that manner would be incompatible with congressional intent. The National Association of Criminal Defense Lawyers [20] claimed that the district court's interpretation of "without authorization" violated the Fifth Amendment's Due Process Clause, which requires a narrow construction, and that the court's finding that venue was proper invites "prosecutorial forum-shopping." A brief by professional security researchers [21] claimed it was unconstitutional to allow a corporation to serve data publicly but later state that access was restricted, thus imposing criminal liability, as this amounted to private criminal law.

As of August 6, 2013, the government had not yet filed its appellee brief; the deadline for filing of that brief has been stayed pending a determination as to whether the government will be allowed additional space in its brief to respond to arguments made by the various amici briefs.