A chorus of tech pundits – myself included – unleashed a collective wail of outrage earlier this week, upon learning that hacker Andrew “Weev” Auernheimer received a 41-month sentence from a U.S. judge in New Jersey. A jury decided in November that pilfering 120,000 iPad user email addresses from a publicly accessible portion of AT&T’s website and leaking the breach to the press violated the contentious Computer Fraud and Abuse Act (CFAA). Auernheimer’s punishment far outweighs his “crime,” we said – further proof that this increasingly infamous anti-hacking law should no longer exist.
That latter point I stand by. What I can no longer support is the beatification of Auernheimer, whose dirty laundry has muddied an important debate about computer crime laws in the U.S.
While it’s not at all clear whether Auernheimer is a “good person,” however you want to define that, he has firmly established his public persona as a force of chaotic badness. Around the time that another “hacker” haunted by a serious CFAA prosecution, Aaron Swartz, was helping develop the valuable Creative Commons licensing, Auernheimer was busy releasing the Social Security Number and home address of blogger Kathy Sierra. “This was part of a larger trolling campaign against Sierra,” wrote Mattathias Schwartz in a 2008 New York Times Magazine piece about Internet trolls (featuring Weev), “one that culminated in death threats.”
Ruthless trolling, blatant antisemitism, compulsive lying – this is the type of baggage Weev carries wherever he travels. If we are serious about successfully navigating the craggy political landscape that stands between us and fair computer crime laws, we must cut Auernheimer loose. This is me pulling out my knife – a move I should have made from the start.
My mistake came on Tuesday in the form of my latest “Digital Self” column, which carries the headline “We all lose with the Web’s last bandits behind bars.” Weev takes top billing, both as the lead image, and in the copy. Like many others, I packed “Auernheimer” foolishly close to “Swartz,” implicitly drawing a false parallel.
My argument – that a recent wave of high-profile cases based on the CFAA has created a volatile environment for journalists and Internet activists – did not explicitly absolve Auernheimer of wrongdoing. Still, the admittedly rant-y piece sparked a heated reader debate about the nature of Auernheimer’s actions. Does he deserve to go to jail? Did he even break the law at all? And should he be painted a hero by the tech punditry?
Auernheimer’s apologists argue that, due to its negligent security, AT&T deserves full blame for this fiasco. If the wireless provider had better protected its network, Auernheimer and his partner, Daniel Spitler, would never have had the ability to scrape email addresses in the first place.
Ryan Tate, who first reported the “iPad hack” for Gawker (thanks to Auernheimer tipping him off), writes in Wired that the “scapegoating of Auernheimer is revolting,” partially because “it lets AT&T off the hook for exposing sensitive information to public view, shifting the blame onto those who reported the slip-up, and discouraging future disclosure.”
Then there’s Auernheimer himself, who recently told Mashable’s Alex Fitzpatrick that he believes he “did the right thing,” that he “did something of global social good.” He maintains that he was prosecuted solely because he “embarrassed” AT&T. “I went and notified their customers for them,” he said. “And they didn’t appreciate that at all.”
In short, according to the apologists, Auernheimer is going to jail for “grey hat” hacker tactics meant to ultimately protect consumers.
Auernheimer critics believe his actions clearly fell on the wrong side of the law. Just look at the evidence, they say. He acted with blatant malicious intent – not to protect AT&T iPad users, but to hurt AT&T, and have a good laugh at the company’s expense. The script that scraped the user data (which was actually written by Spitler, not Auernheimer) used “brute force” tactics to uncover data that AT&T never intended to be public, which justifies the prosecution’s assertion that the pair illegally accessed a “protected computer” – a move strictly prohibited under CFAA. As commenter nickwest points out, in response to the suggestion that AT&T is at fault for not properly protecting its data: “If I forget to lock the door to my house, and leave my private documents on my kitchen table, it’s ok for someone to come in, take them, and then put them in the newspaper?”
In short, according to his detractors, Weev deserves every month behind bars he received.
What complicates the Auernheimer saga is that all of these arguments are correct. This story has no hero.
AT&T did fail to protect its network. Auernheimer and Spitler did access the iPad user email addresses through brute force tactics, with the intent to cause harm to AT&T – they admit as much in the IRC chat logs cited in the original criminal complaint against them (PDF). And the CFAA is a dangerous law that allows the imposition of severe penalties for relatively harmless crimes, and gives prosecutors egregious powers over almost any Web users they choose to pursue – including legitimate cybersecurity professionals who make us all safer by uncovering network holes. Every inch of this slimy tale stinks.
Those of us who genuinely want to do the right thing – not for the lulz, but for justice – must shed ourselves of Auernheimer’s self-serving, self-destructive escapades. Andrew Auernheimer is not Aaron Swartz, no matter how many times we repeat that he is. Groups like the EFF may find it necessary to help appeal his sentencing, as part of a broader strategy to change the CFAA. But if the rest of us want to win the inherently political battle for better computer crime laws, not one of us should let our righteousness over the intolerable failings of the CFAA seduce us into painting Auernheimer a martyr any more than we already have.