Andrew Auernheimer is appealing a conviction that could land him in jail until 2016. His crime: accessing a public AT&T page and gathering the email addresses of 114,000 iPad 3G users in 2009.
"AT&T chose not to employ passwords or any other protective measures to control access to the email addresses of its customers," said Auernheimer’s attorneys in their appeal. "The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information."
“Auernheimer ... found a security flaw in an AT&T server three years ago that allowed his security group to collect 114,000 email addresses belonging to iPad 3G users," according to The Huffington Post. "Auernheimer turned over that information to the gossip site Gawker, which posted some partially redacted addresses, prompting an FBI investigation.”
Auernheimer was convicted under the Computer Fraud and Abuse Act, a 1986 law that prohibits anyone from accessing a website without authorization. However, Auernheimer argued that accessing the webpage was like “incrementing a digit at the end of a URL on a public webserver,” in a blog post shortly before his conviction.
“I’m going to prison for arithmetic,” he said.
"The CFAA's vague language gives prosecutors great latitude to abuse their discretion and throw the book at people they simply don't like," said Marcia Hofmann, Auernheimer’s attorney. "That's as evident here as it was in the prosecution of Aaron Swartz."
Additionally, Auernheimer is being charged under the law’s identity theft statute for sharing the information with Gawker. However, the law specifically states that this information must be “in connection with unlawful activity,” which Aureneheimer’s lawyers say is an inappropriate assumption, even if their client is guilty for accessing a web page without authorization.
“The government’s contrary view would render the statute unconstitutionally vague,” they argued. “Under the government’s theory, if it charges a defendant with hacking for illegally acquiring personal information, the government can always add a second count of identity theft for possessing the information just acquired. After all, possession of information will always be ‘in connection with’ the way a person came to possess it.”