X

Appeals court overturns conviction of AT&T hacker 'Weev'

A federal appeals court rules that Andrew "Weev" Auernheimer was tried in the wrong state and overturns his conviction under the Computer Fraud and Abuse Act.

Carrie Mihalcik Former Managing Editor / News
Carrie was a managing editor at CNET focused on breaking and trending news. She'd been reporting and editing for more than a decade, including at the National Journal and Current TV.
Expertise Breaking News, Technology Credentials
  • Carrie has lived on both coasts and can definitively say that Chesapeake Bay blue crabs are the best.
Carrie Mihalcik
3 min read

Andrew_Auernheimer_2010.png
Andrew "Weev" Auernheimer at the time of his arrest. Washington County Sheriff's Office

A federal appeals court on Friday vacated the conviction against hacker and Internet troll Andrew Auernheimer.

Auernheimer, a security researcher who goes by the nickname "Weev," was found guilty of hacking in 2012 for accessing a non-password protected portion of AT&T's Web site to obtain the email addresses of more than 100,000 iPad users. Auernheimer, who was convicted under the controversial Computer Fraud and Abuse Act, was sentenced to 41 months in prison.

The US Court of Appeals for the 3rd Circuit, however, did not overturn the conviction because it had come to some new revelation about the fraud law, but instead found that Auernheimer was tried in the wrong federal court.

"Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue," the court wrote in an opinion.

Auernheimer was originally tried and convicted in federal court in New Jersey, which the 3rd Circuit concluded was improper since neither Auernheimer nor the AT&T servers he accessed were in New Jersey.

"Evidence at trial showed that at all times relevant to this case, [Auernheimer's co-defendant Daniel Spitler] was in San Francisco, California and Auernheimer was in Fayetteville, Arkansas," the court wrote in its opinion. "The servers that they accessed were physically located in Dallas, Texas and Atlanta, Georgia."

As a result, the appeals court ruled that the venue did not lie in New Jersey and vacated Auernheimer's conviction. Auernheimer is expected to be released from the Allenwood Federal Penitentiary in the coming days, reported The Verge.

"Today's decision is important beyond Weev's specific case," Hanni Fakhoury, a staff attorney for the Electronic Frontier Foundation and one of the attorneys on Auernheimer's appeal, said in a statement. "The court made clear that the location of a criminal defendant remains an important constitutional limitation, even in today's Internet age."

CNET has contacted the Justice Department for comment on the appeals court's decision. We will update this report when we have more information.

Auernheimer and co-defendant Spitler were arrested and charged in January 2011 after they created a script to download the records from AT&T and gave the results to Gawker. Auernheimer was convicted in November 2012 of one count of conspiracy to gain unauthorized access to computers and one count of identity theft. Spitler pleaded guilty to the charges in June 2011. Their appeal, which was filed in July 2013, argued that -- in addition to New Jersey being the wrong venue for the trial -- Auernheimer's actions did not violate theft because as a result of AT&T's lax security, the information was freely available on the Internet.

In an interview with CNET in 2010, Auernheimer admitted that the hackers had compromised the AT&T 3G iPad customer Web site and released data on 120,000 accounts but said they did so with the intention of warning AT&T and protecting consumers.

Auernheimer was convicted under the CFAA, a controversial law that was enacted to deter intrusions into NORAD but was expanded over time to criminalize terms of use violations. Federal prosecutors were using the CFAA against Aaron Swartz, who committed suicide in January 2013, for performing a bulk download of academic journal articles in violation of a terms of use agreement.