There's no question that accused hacker Andrew Auernheimer is a jerk. But computer security experts say it would be a mistake to make him a felon.
AT&T had accidentally published tens of thousands of e-mail addresses to a public Web site, and Auernheimer used an automated program to download them. He then passed the addresses to the news media in an effort to embarrass AT&T. The federal government responded by indicting him on federal computer-hacking charges in 2011. He was convicted in April.
Last week, Auernheimer, better known by his online handle "Weev," appealed his conviction to the U.S. Court of Appeals for the 3rd Circuit. On Monday, dozens of prominent computer security experts filed a brief warning that his conviction could chill legitimate security research, making everyone's computers less safe as a result.
Weev is no hero. By the time he was indicted, he had made himself a minor celebrity through online "trolling" antics that often involved harassing and embarrassing people. In a reddit "Ask Me Anything" thread before his sentencing, a legion of critics denounced him for using phrases like "sadistic sociopath" (most of the other phrases aren't appropriate for a family Web site).
But Matt Blaze, a computer scientist at the University of Pennsylvania who signed on to the security researchers' brief, argues that "it's important to distinguish between between Weev being creepy, which is true, and what Weev did being creepy, which is much less clear."
Auernheimer is charged with violating the Computer Fraud and Abuse Act, which makes it a federal crime to access a computer system without authorization. An AT&T server used in the registration process for iPad data plans was misconfigured to provide private e-mail addresses to anyone who visited particular Web addresses. Auernheimer and a friend figured out the format of those addresses and wrote a computer program to visit a sequence of Web pages and harvest customers' e-mail addresses from them.
The government argues that Weev should have known that the information wasn't intended to be accessed by third parties. Prosecutors say that by accessing the data, Weev crossed the line from harmless tinkering into felonious "unauthorized access."
But Blaze believes that AT&T's decision not to protect the Web site with a password or other security measure should settle the issue. "I'm not sure how else a person would know whether or not they're supposed to access a Web site or not," he says. Password protection is "the standard way a Web service tells you whether you're supposed to be doing something or not."
The kind of automated downloading Auernheimer engaged in, known as "scraping," is extremely common. For example, search engines use similar techniques to build their indexes.
And the courts have previously held that even unwelcome Web site scraping doesn't violate anti-hacking laws. In one case cited by Auernheimer's attorneys, a travel agency sued a competitor who had "scraped" its prices from its Web site to help the rival set its own prices. The judge ruled that the fact that this scraping was not welcomed by the site's owner was not sufficient to make it "unauthorized access" for the purpose of federal hacking laws.
Blaze makes a similar argument in Weev's case. The government argues that he should have known that the passwords on AT&T's Website were off-limits, despite the lack of technical access controls. Blaze believes that this position "essentially requires anyone doing Web-scale research to not just be ethical and honest but also to be a mind-reader."
And he says that Web-scale research can have significant public benefits. Blaze points to a recent paper that used an automated program to collect the encryption keys used by millions of Internet servers. They found more than 170,000 servers that were using insecure encryption keys, exposing them to security vulnerabilities.
This kind of research makes the Internet more secure for everyone by identifying problems that need to be fixed. And Blaze says that in many cases it can only be done using the kind of automated scraping techniques Auernheimer employed.
Of course, security vulnerabilities are embarrassing, and companies don't necessarily want independent security experts exposing their dirty laundry. But Blaze contends that it's better for consumers if a vulnerability is discovered by legitimate researchers (who often provide firms with advance notice), rather than waiting for a malicious hacker to find it.
"I would have a different reaction if it turned out that after Weev collected the e-mail addresses that he or his friend had collected, that they went and tried to commit a crime with it," Blaze says. "But there's no evidence or suggestion that they had done anything of the sort."
"Many people seem to think of this as an issue that only affects Weev and AT&T and Apple and maybe AT&T's customers," Blaze says. But he believes that upholding Weev's conviction would have broader consequences for computer security researchers like him, and for millions of people who rely on the security of the Web sites they use. Criminalizing independent security research will make it easier for companies to ignore security problems with their Web sites. And Blaze says that will make the Web less safe for everyone.