I am pleased to report that the Third Circuit has entered a ruling in United States v. Auernheimer, the pro bono case I have been litigating in the last year and that I argued on March 19th. The court unanimously vacated the conviction on venue grounds and issued the mandate forthwith, so that my client Andrew Auernheimer should be released from prison shortly. The court did not address the reach of the Computer Fraud and Abuse Act except for in a footnote (more on that below). Here’s the conclusion of the opinion, with internal quotations and citations omitted except where necessary:
Venue issues are animated in part by the danger of allowing the Government to choose its forum free from any external constraints. The ever-increasing ubiquity of the Internet only amplifies this concern. As we progress technologically, we must remain mindful that cybercrimes do not happen in some metaphysical location that justifies disregarding constitutional limits on venue. People and computers still exist in identifiable places in the physical world. When people commit crimes, we have the ability and obligation to ensure that they do not stand to account for those crimes in forums in which they performed no essential conduct element of the crimes charged.
“Though our nation has changed in ways which it is difficult to imagine that the Framers of the Constitution could have foreseen, the rights of criminal defendants which they sought to protect in the venue provisions of the Constitution are neither outdated nor outmoded.” Passodelis, 615 F.2d at 977. Just as this was true when we decided Passodelis in 1980 — after the advent of railroad, express mail, the telegraph, the telephone, the automobile, air travel, and satellite communications — it remains true in today’s Internet age. For the forgoing reasons, we will reverse the District Court’s venue determination and vacate Auernheimer’s conviction.
The only discussion touching on CFAA liability is in Footnote 5. In discussing the New Jersey computer crime law, which has been held to require circumventing a code-based barrier to entry — a requirement that may also apply to the CFAA — the court writes:
Although we need not resolve whether Auernheimer’s conduct involved [a breach of a code-based barrier to access] no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier. The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.