Not Open to the Public: United States v. Weev

Introduction

The Computer Fraud and Abuse Act (CFAA), the federal government’s key anti-hacking law, was enacted in 1986 to deter hackers from wrongfully obtaining confidential governmental and financial information or damaging “federal interest” computers with harmful programs. It was written to reach only those computer crimes that were interstate in nature, particularly those involving large financial institutions and government organizations, but the statute has since been amended several times to broaden its reach. A case that drew the attention of many advocacy groups because of the ambiguity of CFAA section 1030 recently had an interesting outcome. Andrew “Weev” Auernheimer, a hacker accused of stealing the personal data of over 100,000 iPad users from an AT&T website in 2010, is about to go free now that a federal appeals court has overturned his conviction.

Facts

This is what happened. Auernheimer and his co-defendant, Spitler, found a security loophole on an AT&T website. At the time, iPad owners could sign up for Internet access through AT&T, and during sign-up AT&T collected each user’s e-mail address. To make logging in easier, AT&T designed the system so that when an iPad owner visited the AT&T website, the browser would automatically go to a specific URL containing the device’s own ID number; when that URL was visited, the web server would open a pop-up window preloaded with the e-mail address associated with that iPad. Weev and Spitler discovered this and collected a large number of e-mail addresses, each tied to a particular iPad identification number. They reported the flaw to the Gawker website, offering the collected data as evidence; security researchers often use this approach to warn the public about a vulnerability. Auernheimer was convicted in 2012 and sentenced the following year to 41 months in prison for identity fraud under 18 U.S.C. § 1028(a)(7) and conspiracy to gain unauthorized access to computers under § 1030, while Spitler received probation after pleading guilty to conspiracy to gain unauthorized access to computers and to identity theft. Auernheimer had strong legal support on appeal, with a law professor representing him pro bono, and the federal appeals court reversed the conviction.

This case raised important questions about the CFAA during the trial and the appeal. According to Kerr (2013), it was poised to become an influential precedent on the meaning of “unauthorized access”. The case also exposed a complication with jurisdiction: as in most computer crimes, Auernheimer, Spitler, the AT&T servers, and the victims were all in different places.

Unauthorized access under section 1030

Like the other cases in this week’s reading, United States v. Auernheimer turns on a CFAA violation and the meaning of unauthorized access. The government claimed that Spitler’s program tricked and deceived the AT&T computer into giving up information, implicitly rendering the access unauthorized. However, unlike in Nosal and Swartz, the AT&T URLs accessed by Weev and Spitler were not protected, and the company appeared not to have gone to any lengths to keep others from reaching them. The two simply accessed what was public, bringing information hidden only by obscurity into the public eye; they did not misuse credentials or circumvent any barrier to entry. In EF Cultural Travel BV v. Zefer Corp, the First Circuit rejected the notion that a site owner’s unstated “reasonable expectations” could make scraping unauthorized, indicating that a company that wants to forbid such access should say so explicitly, even if it plainly dislikes the scraping. Following United States v. Nosal, “exceeds authorized access” does not cover violations of restrictions on how information may be used once it has been legitimately accessed. So although Weev misused the information he came across, in our opinion it is possible to recognize his conduct as “authorized access”: he had permission to access the URLs in the first place.

In Nosal, the database from which Nosal’s conspirators took information was protected by a password. Weev, by contrast, accessed publicly available URLs that required no password at all, as noted above. This raises serious concern about the ambiguity of the definition of “unauthorized access.” A footnote in the appellate ruling observes that, to be guilty under New Jersey law, Auernheimer or Spitler would have had to breach a code- or password-based barrier to gain access. This may influence how the corresponding terms in CFAA section 1030 are interpreted.
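
As an added illustration, and not AT&T’s code or anything from the court record, the Python below models the pre-fill design described in the Facts section beside a version that adds the kind of code-based barrier the footnote refers to. The hostname, the ICCID and token parameter names, the subscriber data and the provisioning step are all assumptions made for this example. The point it makes in code is that in the first design a URL carrying a valid device ID is the whole “credential”, so a scraper that can form such URLs collects addresses, while in the second design a guessed ID alone returns nothing.

```python
"""Model of an e-mail pre-fill endpoint keyed on a device ID (added example,
not AT&T's code). Hostname, parameter names and subscriber data are assumed."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed sample data, not real subscribers: ICC-ID -> e-mail address.
# The digit strings are invented; only their shape matters for the example.
SUBSCRIBERS = {
    "89014104279000000001": "alice@example.com",
    "89014104279000000002": "bob@example.com",
    "89014104279000000007": "carol@example.com",
}


def _query_param(url, name):
    """Return the first value of query parameter `name` in url, or None."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


# --- Design 1: the pattern described in the post -----------------------------
def prefill_email_insecure(url):
    """The device ID in the URL is the only thing the server checks, so
    anyone able to form a URL with a valid ICC-ID gets the e-mail back."""
    return SUBSCRIBERS.get(_query_param(url, "ICCID"))


def harvest(lookup, candidate_urls):
    """A scraper's view of either endpoint: try each URL and keep the hits."""
    found = {}
    for url in candidate_urls:
        email = lookup(url)
        if email is not None:
            found[_query_param(url, "ICCID")] = email
    return found


# --- Design 2: a server-issued credential bound to the ID --------------------
SERVER_KEY = secrets.token_bytes(32)  # held only on the server


def issue_device_token(iccid):
    """Hypothetical provisioning step: a token handed to the device once,
    derived from its ICC-ID with a keyed MAC. Knowing or guessing the
    ICC-ID alone does not let a third party reproduce it."""
    return hmac.new(SERVER_KEY, iccid.encode(), hashlib.sha256).hexdigest()


def prefill_email_hardened(url):
    """Require the ICC-ID and the token bound to it; anything else gets None."""
    iccid = _query_param(url, "ICCID")
    token = _query_param(url, "token")
    if iccid is None or token is None:
        return None
    expected = issue_device_token(iccid)
    # Constant-time comparison, and no early exit on unknown IDs, so the
    # response reveals neither which ICC-IDs exist nor which token bytes matched.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return SUBSCRIBERS.get(iccid)


if __name__ == "__main__":
    base = "https://example.net/prefill?ICCID="  # assumed endpoint, not AT&T's
    guesses = [base + "8901410427900000000%d" % n for n in range(10)]
    print("insecure endpoint:", harvest(prefill_email_insecure, guesses))
    print("hardened endpoint:", harvest(prefill_email_hardened, guesses))
    iccid = "89014104279000000001"
    with_token = base + iccid + "&token=" + issue_device_token(iccid)
    print("hardened, with the device's own token:", prefill_email_hardened(with_token))
```

Run stand-alone, the block harvests three addresses from the unguarded endpoint and none from the guarded one, and the guarded endpoint answers only when the ID is accompanied by the token issued for that same ID. Whether a scheme like the second one would count as a “code-based barrier” in the footnote’s sense is a legal question this example does not settle; it only shows what such a barrier looks like in code.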

Jurisdiction

In this case the venue of the alleged illegal activity became an important issue, given that the victims were in New Jersey, the defendants in California and Arkansas, and the AT&T servers in Texas. Focusing on venue draws attention away from the technology at hand, which is interstate by nature, and toward the physical location where the unauthorized access might have occurred. Geography is simpler in a case like Swartz’s, with only one person involved and the perpetrator and the victim in the same place. This raises the question of how location should be determined in interstate cases. In his analysis, Orin Kerr notes that a prosecution may be brought in any district where the offense occurred; in Weev’s case, however, New Jersey was relevant only as the location of some of the victims, and the alleged unauthorized access actually occurred elsewhere. Given the interstate nature of the Internet and the transactions that run over it, this issue will likely recur in future cases.

Implications

Weev’s trial continues to raise questions about how the CFAA applies to people who are not conventional criminals, such as ordinary citizens and security researchers. Earlier, United States v. Lori Drew showed how the average citizen may violate the standards of unauthorized access or exceeding authorization in day-to-day life, simply by providing false information in an online profile or by checking a family member’s e-mail for them. Although that decision was reached so as to avoid prosecuting ordinary citizens for failing to adhere to a site’s terms of service, Weev’s trial again draws attention to the fact that a citizen may face significant penalties without realizing the severity of the offense. Would Aaron Swartz, who already had personal access to the JSTOR articles he downloaded, have repeated the same actions had he known the sentence he faced? This is especially relevant for security researchers and the occasional ethical hacker, who may exceed authorized access while searching for loopholes and weak points. In some instances, unauthorized access may occur as part of reverse engineering. The CFAA currently seems to focus on the nature of the violation and little on intent.

References:

  1. http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed
  2. https://www.eff.org/document/opening-brief-appeal
  3. http://www.volokh.com/2013/03/21/united-states-v-auernheimer-and-why-i-am-representing-auernheimer-pro-bono-on-appeal-before-the-third-circuit/
  4. http://www.informationweek.com/government/cybersecurity/hacker-weev-free-after-appeal/d/d-id/1204411?piddl_msgid=209845#msg_209845

– Noriko Misra, Kristine Yoshihara & Dheera Tallapragada