AT&T 'hacker' and Internet troll sentenced to over three years

Andrew Auernheimer, professional Internet troll, is a uniquely unsympathetic defendant. But even his detractors are protesting a 41-month prison sentence that a federal judge levied today.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.

In the latest criminal prosecution to alarm Internet activists, a security researcher who accessed a non-password-protected portion of AT&T's Web site was sentenced today to 41 months in prison and three years of supervised release.

Andrew "Weev" Auernheimer at the time of his arrest. Washington County Sheriff's Office

Andrew Auernheimer, who goes by the nickname "Weev" and was convicted by a federal jury last year of hacking, was sentenced today by a federal judge in Newark, N.J. "No matter what the outcome, I will not be broken," Auernheimer said this morning after hosting an all-night party in Newark and making an unsuccessful appearance on Reddit. "I am antifragile."

Auernheimer is hardly the most sympathetic defendant: He's a self-described Internet troll who has delighted in making enemies along the way. "I hack, I ruin lives, I make piles of money," he told The New York Times, which published a profile of him in 2008, and two years later Fortune dubbed him "the ugliest computer hacker." He even trolled prosecutors in an open letter offering "friendly advice."

The Justice Department responded by using Auernheimer's trollishness to urge U.S. District Judge Susan Wigenton to hand down a lengthy sentence -- and 41 months is at the upper end of what the federal sentencing guidelines allow. In a letter to Wigenton last week, U.S. Attorney Paul Fishman cited "defendant's chosen 'career' of wreaking havoc on the Internet" and said "his entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he."

But, by itself, being a professional irritant isn't illegal. Supporters have set up a defense fund for Auernheimer, with one calling him "the Internet prophet of discord," and others organizing impromptu book deliveries in prison. The Electronic Frontier Foundation said this morning it will join his legal defense team during an appeal, and even Auernheimer's detractors said today that he didn't deserve to be imprisoned for accessing AT&T's servers.

Last November, a federal jury found Andrew Auernheimer guilty of two crimes: identity theft and conspiracy to access computers without authorization. The court redacted the jury foreman's name.

Normally Auernheimer's predicament might not have attracted much attention. But he was convicted under the Computer Fraud and Abuse Act, a controversial law that was enacted to deter intrusions into NORAD, but was expanded over time to criminalize terms of use violations -- including, according to federal prosecutors, lying about your personal information when using social networks. There's now a growing effort, including legislation drafted in the U.S. Congress, to reform the CFAA.

The mighty CFAA ensnared the late Aaron Swartz, who committed suicide in January a few months before his criminal trial was due to begin. Under the CFAA, he could have faced decades in prison for performing a bulk download of academic journal articles in violation of a terms of use agreement, though seven years was more likely. Last Friday, Matthew Keys, a 26-year-old deputy social media editor at Reuters, was also indicted under the CFAA for allegedly providing a password that allowed hackers associated with the group Anonymous to alter a headline on the Los Angeles Times' Web site, and faces an equally stiff prison sentence.

If Keys had given the keys to the newspaper's printing press to vandals who altered a headline on a printed version of the newspaper, he might have been charged with misdemeanor crimes such as trespass or malicious mischief that would have yielded a few months in jail or, more likely, probation. But penalties in the CFAA -- which was enacted in a "WarGames"-fueled panic over hackers accessing government mainframes -- are far more Draconian than state law.

Auernheimer was arrested in 2011 after discovering a security hole on AT&T's Web site that exposed the e-mail addresses of more than 100,000 iPad users. His organization, Goatse Security, created a script to download the records and gave the results to Gawker.

In an interview with CNET at the time of the discovery, Auernheimer said: "I think it was necessary to inform the public in this particular manner. I know some people are criticizing us and calling it irresponsible, but we did our best effort to be good guys about it. We waited until the hole was patched. We didn't disclose the data except to a reporter who agreed to censor the relevant bits. We felt it was in the public's best interest."