Legal experts pitch in to appeal AT&T hacker's sentence

Computer Fraud and Abuse Act wrongly applied in case related to illegal access of data from iPad users on AT&T networks, they contend

Legal experts are stepping in to help hacker Andrew Auernheimer appeal his 41-month prison sentence for illegally accessing emails and other data belonging to about 120,000 iPad subscribers of AT&T's networks.

Auernheimer, sentenced on Monday, has filed an appeal in the United States Court of Appeals for the Third Circuit.

In a blog post Thursday, Orin Kerr, a professor from the George Washington University Law School, said he is stepping in to help Auernheimer due to concerns over the length of his sentence and the manner in which the Computer Fraud and Abuse Act (CFAA) was applied in the case.

"I think the case against Auernheimer is deeply flawed, and that the principles the case raises are critically important for civil liberties online," Kerr wrote.

Auernheimer and Daniel Spitler made headlines in June 2010, after using an automated script, which they called iPad 3G Account Slurper, to extract email addresses and SIM card ID numbers from more than 110,000 iPad owners. The data was taken from AT&T servers.

The data included email addresses belonging to New York Mayor Michael Bloomberg, New York Times CEO Janet Robinson, Diane Sawyer of the ABC television network, movie producer Harvey Weinstein, former White House chief of staff Rahm Emanuel and numerous others.

Auernheimer and Spitler handed the data to Gawker, which posted the information on its website. The duo claimed they carried out the exercise only to demonstrate how the data was leaking from AT&T via its Web site.

Prosecutors charged the pair with fraud and with violating provisions of the CFAA. AT&T claimed that the caper had cost the company over $73,000 in breach notification costs.

Auernheimer was convicted last November and was sentenced on Monday to 41 months in prison, the maximum sought by prosecutors. Spitler pleaded guilty and is awaiting sentence.

Kerr cited what he called several problems with the case.

For instance, Auernheimer and Spitler did not have to hack or subvert any of AT&T's security controls to access the email because the data was readily available due to the server configuration, Kerr said.

Auernheimer realized this and wrote a script for automating the collection of email addresses, Kerr said. Though that data was later disclosed to a reporter, "no names or passwords were obtained, and no accounts were actually accessed," he added.

Kerr also noted that the $73,000 loss claimed by AT&T did not result from damage to AT&T servers and included no repair or restoration costs. Those costs were related to breach-notification and are therefore not directly attributable to Auernheimer's actions as defined under existing case law, he added.

Kerr also challenged the government's assertion that Auernheimer's act constituted illegal access to the AT&T server. He maintains that Auernheimer only visited a publicly accessible site and collected information.

The Electronic Frontier Foundation (EFF) is also helping in the appeal.

In a statement, EFF staff attorney Marcia Hofmann noted that Auernheimer faces more than three years in prison for essentially pointing out AT&T's failure to properly secure iPad subscriber data.

The EFF noted that the Auernheimer case is but the latest to highlight problems with how prosecutors use the Computer Fraud and Abuse Act. "Since the tragic death of programmer and Internet activist Aaron Swartz in January, EFF has redoubled its efforts to reform the law," the statement said. "The punishments for computer crimes are seriously off-kilter, and Congress needs to fix them."

The EFF's attorneys and Kerr will join Auernheimer's trial counsel in fighting the sentence.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan.
