Security Experts Blast iPad Hacker's 'Chilling' Conviction
Andrew Auernheimer, aka Weev, in a 2010 self-portrait.
CREDIT: Weev/Creative Commons
Computer-security experts worldwide took to Twitter and the Web last night (Nov. 20) to denounce the conviction of famed troll and hacker Andrew "Weev" Auernheimer.
Today, several of those experts spoke to TechNewsDaily to explain why the guilty verdict endangers all computer-security researchers.
Auernheimer was convicted of violating the federal Computer Fraud and Abuse Act (CFAA) after he and friend David "JacksonBrowne" Spitler, part of a group calling itself Goatse Security or Goatsec, ran an automated script that "slurped" email addresses of iPad owners from an unprotected AT&T server.
Both men were indicted, but Spitler later took a plea deal and agreed to testify against Auernheimer.
To policy and tech experts, the verdict is puzzling because Auernheimer didn't write the script or compile the data. Nor did he publish the compiled email addresses. Instead, he reported the security flaw to the media.
"This decision, if it stands, affects everyone who ever discovered a security flaw," wrote security researcher Alex Pilosov last night on TwitLonger. "If security research is forced underground because of the chilling effect of possible prosecution — we will all suffer."
"Running a script is not a crime," tweeted digital-rights lawyer and Stanford professor Jennifer Granick following the verdict. "Exceeding authorized access is, but the AT&T site was coded to spill data."
"Andrew is a troll and he did something stupid, and to be frank, irresponsible," wrote F-Secure researcher Sean Sullivan in a blog posting today. "But does he deserve up to 10 years in federal prison for slurping e-mail addresses that were never even made public?"
The implications of the jury's verdict are broad. The Computer Fraud and Abuse Act of 1986 makes it illegal to "access a computer without authorization or exceed authorized access from [a] protected computer."
As Auernheimer pointed out yesterday, that could be construed to include most computer-based communication in 2012.
"Around 1993, the Web happened, and people started clicking on URL links, accessing computers with reckless abandon, without caring if their access was authorized or not," said Robert Graham, co-founder of Atlanta-based Errata Security. "That has led to the dangerous situation where 'authorized access' is interpreted arbitrarily, such as in this case to prosecute Weev."
The ambiguity of the law coupled with yesterday's verdict, Graham said, means that "any of us can be properly convicted."
Jeremiah Grossman, founder and chief technology officer of White Hat Security in Santa Clara, Calif., agreed.
"Cases like this have a chilling effect with respect to vulnerability disclosure, which by extension puts people at risk," Grossman said.
The verdict makes it "less likely that security researchers will risk disclosing vulnerabilities," Graham said. "That's especially true when challenging and embarrassing the powerful."
As Grossman understands it, simply making a complaint under the CFAA seems to be enough to put a computer hacker behind bars.
"Should a website owner complain that you did something 'illegal' to their website, and a prosecutor decides to take up the case, then that's all that seems to be necessary to get a conviction — or at least a plea," Grossman said.
"That's why I tell everyone that you never, ever, ever test a website for security vulnerabilities unless you have express written consent. Period."
Immediately after his conviction, Auernheimer said jurors' technical illiteracy might have been partly responsible for the verdict.
Gabriella Coleman, an anthropologist and professor at McGill University in Montreal who studies hacker culture, agreed.
"I do wonder if the jury was able to have a real clear understanding of what was going on," Coleman said. "It's so vaguely worded that even if you do have a sense of what's going on, it could seem like unlawful access."
Principled or personal?
Many people who've dealt with Auernheimer might agree that he can be annoying, obnoxious and offensive, at least online. But being a pest isn't a crime, as perhaps even AT&T came to recognize.
After the telecommunications giant determined that its security had not been breached and that no private data had been stolen or exposed, it lost interest in Weev.
But Auernheimer trolled and pranked FBI agents and members of the prosecution, Coleman said. He became more than just another case. The matter had become personal.
Still, Coleman said, "In the end, you have to follow the dictum of the law, not the person involved. Weev is kind of an extreme example."
Graham Cluley, senior technology consultant at the British anti-virus firm Sophos, also detects an ulterior motive on the government's part.
"AT&T didn't press charges, so it wasn't clear to me what the benefit of a prosecution would be," Cluley said. "One has to wonder whether, in the absence of any obvious criminal harm, Spitler and Auernheimer were being made something of an example of, against a background of heightened hacktivist activity."
Perception may have played a role, according to Coleman.
"If this had come from an individual who perhaps worked for a security [company], who held a 9-to-5 job, who wasn't an Internet troll, who wasn't part of an extremely infamous group — it's possible that person wouldn't have been found guilty," she said.
Trolling for truth?
Today, Auernheimer is a convicted criminal. But many see him and others like him as whistle-blowers who, even if they do so obnoxiously, provide an invaluable public service by highlighting security vulnerabilities and forcing companies to better protect their customers.
"One thing the indictment makes clear is that Auernheimer's goal was to hurt the reputation of AT&T — as if that were a bad thing," Graham said. "That's supposed to be a good thing.
"When companies behave improperly and expose customer information, our goal rightly should be to point that out, bringing their reputation in line with reality."
"I'm no fan of Weev," wrote Immunity Inc. founder and chief executive officer Dave Aitel in a blog posting today. "[But] it's obvious to anyone with any technical background that the case the FBI brought against him is a travesty, and the fact that they won is even more insane."
Follow Ben on Twitter @benkwx.