A famed hacker, Andrew “weev” Auernheimer, was sentenced to 41 months in prison yesterday. A jury convicted Auernheimer of conspiracy and identity theft back in November stemming from his role in a scheme to snag the personal email addresses of over 114,000 iPad users, including Mayor Michael Bloomberg, Diane Sawyer, and Mayor Rahm Emmanuel.
Auernheimer argued that he acted as an uninvited “gray hat” hacker, grabbing the email addresses of customers for the sole purpose of exposing the flaws in AT&T’s security.
The sentence, at the upper end of the Guidelines range, is a far cry from the non-custodial slap on the wrist Auernheimer’s attorneys sought. There are two broad categories of response to the sentence. First, that Auernheimer is a completely terrible human being, but that his being a dick does not justify the harsh sentence. Second, that Auernheimer did not commit a real crime because he never intended to steal anyone’s identity and the Computer Fraud and Abuse Act is a bad law.
To these arguments, I reply “yes it does,” and “who cares?”
But Auernheimer’s case hasn’t elicited as much outrage or sympathy as the others have. This is likely because Auernheimer is a huge jerk. He has a long history of race-baiting and malicious trolling. “I hack, I ruin, I make piles of money. I make people afraid for their lives,” Auernheimer told Mattathias Schwartz in a 2008 New York Times Magazine piece about online trolling. In that same story, Auernheimer admitted to harassing a blogger named Kathy Sierra—or, as he described her in an email that also included her home address and Social Security number, “a cockholster chugged full of cum that isn’t even worth giving the time of day.”
I’m pretty sure Auernheimer plagiarized that line from the commenters on this site writing about me.
Being a jerk should not be the sole reason someone is punished, but it should play a role:
In an informal pre-sentencing brief to Judge Susan D. Wigenton, the U.S. Attorney’s office essentially echoed these sentiments in arguing that Auernheimer deserved a substantial prison sentence. “His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others’ privacy, to embarrass others, to build his reputation on the backs of those less skilled than he,” wrote U.S. Attorney Paul Fishman, who went on to note the “atypical recalcitrance by the defendant to conform to the laws regarding unauthorized computer access.”
If the criminal justice system is intended to produce any form of specific deterrence, someone who shows no remorse or demonstrable regard for others cannot be deterred by a slap on the wrist. To be clear, America is prone to over-incarceration, and Auernheimer’s crime does not strike me as one worth imprisonment. But whatever the particular punishment heaped upon Auernheimer, it’s absolutely justified to punish Auernheimer more severely than a more remorseful defendant in the same position. Robbing the courts of the power to shape the punishment to fit the punished, within defined limits, would be as big a mistake at the severe end as it would be on the leniency end.
As for the argument that the Computer Fraud and Abuse Act (CFAA) is bad law, I’m inclined to agree. But how does this apply to Auernheimer? Justin Peters of Slate argues:
The government’s charges against Auernheimer are centered around an ostensible violation of the Computer Fraud and Abuse Act (CFAA), the vague and inadequate computer crime statute that I’ve criticized here before. Specifically, the indictment charged that, by conspiring to deploy a computer script that queried AT&T’s database for iPad users’ email addresses, Auernheimer unlawfully accessed or exceeded authorized access to a protected computer. (Under the CFAA, “protected computer” essentially means any computer with an Internet connection.) Once his culpability under the CFAA had been established, the DOJ could then charge him with the conspiracy and identity theft counts.
This is the third big CFAA-related case I’ve covered lately, the other two being those of Internet activist Aaron Swartz and Reuters deputy social media editor Matthew Keys. While the specifics of the charges in each case differ, all three illustrate the unfortunate plasticity of the CFAA, and how it can be shaped and contorted to cover almost any computing-related actions. (Did you fill out an NCAA bracket from your work computer today? Congratulations! Depending on your office’s computer use policies, you may have violated the CFAA!)
But stealing personal information fits nicely into that “should be illegal” zone in whatever “new and improved” CFAA we might conceive. Auernheimer argued that AT&T had actually published the information on their own, and his script merely revealed what AT&T had put out there. Basically, Auernheimer likened his actions to walking through an open door. Yes, but you can’t necessarily do that either — leaving the front door unlocked is not a legal invitation to burglarize. AT&T did not post Mike Bloomberg’s personal email address in a form everyone could read; Auernheimer had to take action to see the information.
He may have only intended to help AT&T improve their security, but the whole industry of uninvited “gray hats” is suspect. There’s some value to their work exposing security flaws, but the system doesn’t reward bank robbers if they later claim that they “just wanted to expose the flaws in the bank’s security!”
But if Auernheimer successfully appeals this conviction, someone should really try out that bank robbery angle.
Judge Ignores Leniency Plea, Hands AT&T Hacker a 41-Month-Sentence [Computer World]
The Internet’s Best Terrible Person Goes to Jail: Can a Reviled Master Troll Become a Geek Hero? [Gawker]
Andrew “Weev” Auernheimer Might Be a Jerk. But That Doesn’t Make Him a Computer Criminal [Slate]