As cyberthreats mount, hacker’s conviction fuels critics’ claims of government overreach

April 29, 2013

Their guns drawn, a dozen federal agents, police and forensics experts kicked in the door of a run-down two-story home in Arkansas shortly after dawn, barged inside and ordered the occupants to put their hands on their heads.

The target of the raid was neither terrorist nor bank robber. He was a 24-year-old computer hacker suspected of handing off stolen e-mail addresses to the media.

With that, the Justice Department began a case that has come to symbolize what some lawyers and civil libertarians see as overreach in the government’s campaign against cybercrime.

The hacker, Andrew Auernheimer, was convicted and sentenced last month to more than three years in prison for obtaining about 120,000 e-mail addresses of iPad users from AT&T’s Web site — including New York Mayor Michael R. Bloomberg (I), Hollywood executive Harvey Weinstein and other prominent figures — and giving them to the Web site Gawker. At the time it happened three years ago, the data breach jolted federal officials because it affected one of the nation’s most prominent companies and triggered fears about the security of increasingly popular mobile devices.

Yet only a few, heavily redacted e-mail addresses were published, court documents show. No one’s account was broken into. AT&T fixed the problem in about an hour, and a company official testified that there probably was not enough evidence to sue the hackers.


Andrew Auernheimer leaves court after posting bail on Feb. 28, 2011, in Newark. (Julio Cortez/AP)

The case highlights a growing debate over how to define right and wrong in the digital age, what is public and proprietary online, and how far law enforcement should go in pursuing cybercrime.

The Obama administration is confronting what it calls a vast cybersecurity threat, and the Justice Department is waging aggressive efforts, including against national security threats such as cyberterrorism and cyber-espionage. But recent cases involving other types of online activity have prompted criticism that the crackdown may also be scooping up minor hackers who see themselves as political or anti-corporate activists.

Among the most prominent is former Reuters journalist Matthew Keys, who was indicted last month on charges of conspiring with the hacker group Anonymous to alter an article on the Web site of the Los Angeles Times. Federal authorities have said they suspect that Keys was acting in response to his firing by a Sacramento television station that, like the Los Angeles Times, is owned by Tribune Co.

Another highly publicized case involved Internet-freedom advocate Aaron Swartz, who campaigned for academic and other information to be freely available online. Swartz killed himself in January while under indictment for allegedly accessing MIT’s computer network to steal more than 4 million scholarly articles.

His family said “prosecutorial overreach” contributed to his death. Federal prosecutors initially emphasized that he could face up to 35 years in prison but later disclosed that he was offered a plea deal with a recommended six-month sentence.

Justice Department officials said in interviews that their efforts — which involve more than 300 prosecutors nationwide dedicated to cybercrime — are vital for protecting Americans. They emphasized that deterrence is crucial because some hackers seek to target key infrastructure or steal large volumes of personal information.

Orin S. Kerr, a former Justice Department computer-crimes prosecutor, said the Auernheimer case has vast implications for the emerging frontier of cybersecurity law.

“I don’t think the conduct was criminal,” said Kerr, a George Washington University law professor who is working pro bono on Auernheimer’s appeal. “At bottom, it was visiting a Web site. If the courts say it can be a crime just to visit a Web site, we’re all in trouble.”

In the Auernheimer case, federal prosecutors in New Jersey chose to elevate a misdemeanor computer crime into a more serious felony, though their evidence showed that Auernheimer’s co-conspirator wrote and ran the computer program that obtained the e-mail addresses. Then, prosecutors argued for a much stiffer sentence based in large part on AT&T’s estimated financial loss, though the company did not declare any loss in court filings.

Prosecutors said their approach was justified because Auernheimer violated the privacy of thousands of people. They pointed to his extended hacking career, fiery denunciations of the government and lack of remorse.

“You have to ask the question, what would he have done next?” said a Justice Department official who spoke on the condition of anonymity because the case is under appeal. “Where would we be if we let this guy go and the next thing he did was take down a network?”

‘I make people afraid’

The man at the center of the debate is a self-proclaimed Internet “troll” known by his online handle, “Weev,” who has been on the FBI’s radar since he was 15.

In words that prosecutors would use against him, Auernheimer told the New York Times in 2008: “I hack, I ruin, I make piles of money. I make people afraid for their lives.”

In a recent telephone interview and in e-mail exchanges through a prison Web site, Auernheimer told The Washington Post that he is a “political and economic activist” whose motive in the iPad breach was to embarrass AT&T. He called federal agents and prosecutors “despicable parasites.”

Auernheimer had headed an organization called Goatse Security. He described it as a nine-member information security firm; prosecutors called it a hacker group.

It was another Goatse member, Daniel Spitler, who was instrumental in the events that led to the federal probe. Apple’s iPad tablet had recently come out, and AT&T was providing Internet access for iPad users. Spitler wanted AT&T’s data plan but did not have an iPad, so he used his computer skills to trick the AT&T servers into believing he was operating one and got himself an iPad identifying number.

When he logged on to the AT&T site, he discovered that a window would pop up with his e-mail address filled in, Spitler testified at Auernheimer’s trial. AT&T, in an effort to be user-friendly, had linked each iPad number with the user’s e-mail address so that users did not have to type in their address when they logged in. The addresses were automatically displayed.

Spitler altered his identifying number by one digit and typed it in. Someone else’s e-mail address popped up, he testified. Spitler typed in more iPad numbers. More e-mail addresses popped up. Then he wrote a computer program to automate the process. It landed about 120,000 addresses.

The government’s evidence — chat logs from an FBI informant secretly monitoring Auernheimer’s computer group — showed that Spitler ran the program and did not tell Auernheimer until it was underway. (Spitler pleaded guilty in the scheme and is awaiting sentencing.)

“HILARIOUS oh man now this is big media news,” Auernheimer wrote back to Spitler.

Auernheimer gave him advice about how to improve the computer program and encouraged him to compile as many e-mail addresses as possible, the evidence showed. Auernheimer also pushed to disclose the e-mail addresses to the media and, he has acknowledged, gave them to Gawker.

A Gawker article on June 9, 2010, described the incident in detail and attributed it to Goatse Security.

The piece went viral and caught the attention of the FBI’s Newark division. “This is . . . very important to us,” the division said in an internal communication, according to court documents.

The investigation was straightforward; Auernheimer had said online that Goatse was responsible for the breach.

The prosecution proved more controversial.

Auernheimer and Spitler were charged under the Computer Fraud and Abuse Act, a 1984 law at the center of the recent criticism of the government’s anti-
cybercrime campaign.

Passed before Internet use became widespread — when the movie “WarGames” had triggered concern that hackers could start World War III — the law was narrowly drawn. It only covered hacking into U.S. government computers or using computers to obtain national security secrets or financial records. As computer use has exploded, however, the measure has been amended five times by Congress and dramatically expanded. Today, legal scholars say, its provisions cover what is known as “unauthorized access” to virtually any computer in the United States and many abroad.

Critics contend that the law has become dangerously overbroad and might criminalize activity as innocuous as touching a mouse and peeking at someone’s screen in a coffee shop.

“It’s too vague, and its punishments are too severe,’’ said Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation, a digital rights group working on Auernheimer’s appeal.

Jennifer Granick, director of civil liberties at the Stanford Law School Center for Internet and Society, said prosecutors have been guilty of “overreach” in their handling of computer cases such as those of Auernheimer and Swartz.

“Neither the prosecutors nor the [computer crimes] statute have a good idea of what the line is between ordinary online activity and dangerous criminal conduct,” Granick said. She added: “The Justice Department is reading into the person’s motives based on what their politics are or whether they are a thorn in the government’s side. People who are edgy, either politically or otherwise, are in danger.”

The Justice Department argues that the computer fraud law is not tough enough to combat the heightened cybersecurity threat. Officials support proposals to cover computer crimes under federal racketeering laws and stiffen sentences for some offenses.

Auernheimer was charged with two felony counts: committing fraud by giving personal information — the e-mail addresses — to Gawker and conspiring to access the AT&T computer servers without authorization.

The latter is a misdemeanor under federal law. But under a 1996 amendment to the ­computer-crimes statute, it becomes a felony if the offense was committed “in furtherance” of any criminal act that violates federal or state law. Federal prosecutors invoked New Jersey’s computer-crimes law to charge Auernheimer under that provision.

His attorneys objected, saying that essentially accused him of the same crime twice. Justice Department officials disputed that contention, and the judge agreed with them.

‘Where’s the harm?’

At the trial, prosecutors painted Auernheimer as an incorrigible hacker out to promote himself and his computer security firm.

“His motive was publicity and greed,” Assistant U.S. Attorney Zach Intrater said in closing arguments. “He arrogantly thought that because he and his cohorts were skilled computer hackers that they could violate people’s privacy and get famous doing it.”

Auernheimer’s attorneys called the case much ado about nothing.

“Where’s the harm?” defense lawyer Tor Ekeland asked the jury. “No one’s bank account was hacked. No credit card was hacked. . . . AT&T’s iPad servers blabbered the e-mail addresses of every one of their subscribers to anybody who just said hi to the server.”

An AT&T official testified that the company’s servers had inadvertently published the e-mail addresses. While initially discussing a potential FBI investigation of the breach, R. David Hulsey, an AT&T assistant vice president, wrote in an e-mail later introduced as evidence: “I don’t believe there is a case here. No security was circumvented. A poorly crafted design feature was available and exploited.” When cross-examined by prosecutors, Hulsey said he was referring to a potential AT&T lawsuit against the hackers.

The jury convicted Auernheimer on both counts.

At a sentencing hearing attended by several dozen supporters, Auernheimer was unrepentant. He said the court should compensate him “for the harm and the violence that has been inflicted upon my life,” adding: “The Internet is becoming bigger than the law can contain.”

Prosecutors, however, argued for a tough sentence to deter him from hacking and accused him in court papers of a “smear campaign” against the government and corporate America.

The prosecution put AT&T’s financial loss at $73,000, based on the cost of sending letters to iPad users telling them about the breach. The company did not submit a loss estimate when given the chance to do so by the court. Because loss is a key factor in federal sentencing guidelines, the figure was used by prosecutors to argue for a sentence of 33 to 41 months in prison, up from 10 to 16 months had there been no loss.

Judge Susan D. Wigenton ­sentenced Auernheimer to 41 months, citing his defiant Internet postings and interviews.

“You have shown no contrition whatsoever,” she said. “And there is just this sort of pervasive disrespect that is shown in many of the postings.”

Michael Sussmann, a former senior computer-crimes prosecutor at the Justice Department, said in an interview that he considered it “borderline” whether Auernheimer had committed a crime under the computer-crimes law. AT&T’s system, he said, had made the e-mail addresses “publicly available.’’

Sussmann, who practices computer privacy law at Perkins Coie, said the case was “not endemic of an overreaction to cybercrime or overaggressive prosecutions in general.” But he added: “Forty one months in prison seems like an awfully long time when nothing bad happened.”

Discuss this topic and other political issues in the politics discussion forums.

Jerry Markon covers the Department of Homeland Security for the Post’s National Desk. He also serves as lead Web and newspaper writer for major breaking national news.
Comments
Show Comments
Most Read Politics