AT&T iPad hacker appeals conviction

Andrew "Weev" Auernheimer argues that accessing a non-password protected portion of AT&T's Web site did not violate the law because the information was freely available on the Internet.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read
Andrew Auernheimer, aka "Weev," in a photo from 2011.
Andrew Auernheimer, aka "Weev," in a photo from 2011. anonymous

A security researcher who was convicted of accessing a non-password protected portion of AT&T's Web site and sentenced to more than three years in prison has appealed his conviction.

Andrew Auernheimer, who goes by the nickname "Weev," was convicted by a federal jury last year of hacking and sentenced to 41 months in prison for exploiting a security hole on AT&T's servers to obtain the e-mail addresses of more than 100,000 iPad users.

Auernheimer and co-defendant Daniel Spitler were arrested and charged in January 2011 after they created a script to download the records and gave the results to Gawker. Auernheimer was convicted last November of one count of conspiracy to gain unauthorized access to computers and one count of identity theft. Spitler pleaded guilty to the charges in June 2011.

In their appeal, filed Monday with the U.S. Court of Appeals for the Third District, Auernheimer's lawyers contend that Auernheimer actions did not violate theft because as a result of AT&T's lax security, the information was freely available on the Internet.

The appeal notes that AT&T had linked the users' Integrated Circuit Card ID (ICC-ID), the serial number on iPad SIM cards, with their e-mail addresses. When a user visited AT&T's Web site, the e-mail field would automatically be populated by the device's ICC-ID.

Auernheimer and Spitler discovered a new e-mail address would appear when they changed a single digit in the ICC-ID. Spitler then wrote a script called the "iPad 3G Account Slurper" to harvest the e-mail addresses and associated unique iPad numbers.

"AT&T chose not to employ passwords or any other protective measures to control access to the e-mail addresses of its customers," the appeal reads. "The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information."

Auernheimer, 27, was convicted under the Computer Fraud and Abuse Act, a controversial law that was enacted to deter intrusions into NORAD but was expanded over time to criminalize terms of use violations. Federal prosecutors were using the CFAA against the late Aaron Swartz, who committed suicide in January, for performing a bulk download of academic journal articles in violation of a terms of use agreement.