The Third U.S. Circuit Court of Appeals vacated the conviction and sentence of Internet troll and hacker Andrew "weev" Auernheimer on Friday, meaning he will soon walk free. But the court did not rule on the key issue: Whether his actions constituted of a violation of the Computer Fraud and Abuse Act. Computer crimes law critics say the CFAA is overly broad and could potentially classify the activities of everyday Internet users.
The case against Auernheimer was considered a test for just how far law enforcement and prosecutors could stretch the CFAA, the law also used against the late Aaron Swartz -- a well respected programmer and activist who committed suicide while facing a bruising federal investigation last year. Auernheimer was accused of using an automated script to to collect information about iPad users that AT&T had left unsecured. He then allegedly sent a list e-mail addresses obtained through that method to Gawker, who published a redacted version of the list.
His attorneys argued the CFAA did not apply to Auernheimer's case because there was no authorization procedure, like a password, that he circumvented to gain access to the information. Rather than hacking into the system, they argue that he discovered and exploited a network security flaw -- like walking through an open door rather than picking a lock. The details are a little more complicated, but Auernheimer once likened the situation to "going to prison for arithmetic."
That kind of discovery is the kind of thing that cybersecurity researchers and "white hat" hackers do day in and day out. Some good guy hackers worried that their line of work would be affected if Auernheimer's conviction stood, even if Auernheimer's disclosure practices (i.e. leaking directly to the media) weren't exactly industry standard.
Auernheimer is a controversial figure because of his history of behavior often described as "trollish" -- things like posting anti-Semitic YouTube videos and spearheading harassment campaigns, including at least one targeting a prominent woman in the tech community. But while not everyone likes him, many digital rights groups still supported his side in the court case on its merits.
On Friday, however, the court didn't rule on the breadth of the possible crimes under the CFAA. "Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age," the court order read, "we find it necessary to reach only one that has been fundamental since our country’s founding: venue."
Auernheimer was convicted in New Jersey. But after reviewing the evidence, the appeals court overturned the conviction on the grounds that neither Auernheimer, nor his alleged accomplice, nor the servers affected by the incident were actually in the state at the time of the hack. So the bigger questions about what exactly constitutes a computer crime will have to wait for another day.