Weev, the Hacker Who Didn't Hack AT&T

03/25/2013 09:56 am ET | Updated May 25, 2013

Andrew "weev" Auernheimer outside Newark Courthouse with supporters on the morning of sentencing (Screenshot from documentary film work-in-progress by Vivien Lesnik Weisman/Josh Kun DP)

In a Newark, New Jersey courtroom last Monday, Andrew "weev" Auernheimer, 27, was sentenced to 41 months imprisonment due to finding and publishing a security flaw on AT&T's website. The courtroom was packed with friends and fans, as well as both of his parents. The security flaw enabled Mr. Auernheimer to collect what the court found to be the personal data of 114,000 iPad owners on AT&T's network. The so-called personal data included email addresses and unique identifiers (ICC-ID). No hacking was involved. In fact, at trial AT&T admitted wanting to offer an easy way for 3G users to access their data plan accounts. AT&T made the decision not to secure the information which Mr. Auernheimer and his co-defendant Daniel Spitler later accessed.

Mr. Auernheimer's attorney, Tor Ekeland, cited the opinion of Judge Loretta A. Preska, of the United States District Court in Manhattan, who presides over U.S. v Jeremy Hammond, where she found that the disclosure of her husband's email address posed "too insubstantial a harm" to her husband and his law firm. Judge Preska was being asked to recuse herself from the case due to the appearance of a conflict, as her husband's email address was allegedly leaked by the defendant, the celebrated hacktivist and revolutionary, Jeremy Hammond. The court demurred.

Aside from more than three years of jail time, Mr. Auernheimer will be subject to three years of supervised release including mental health examinations, drug testing and supervised Internet use. Why Mr. Auernheimer's mental health would be in question was not elucidated. The details of supervised Internet use were also not discussed.

Mr. Auernheimer and co-defendant Mr. Spitler (the latter pleaded guilty in 2011) were both ordered to pay $73,167 in damages to AT&T. The restitution is to cover the costs of a direct mailing to inform the customers of the security breach.

A good part of the tech-savvy world interprets Mr. Auernheimer's exploits as a non-crime. His attorney Tor Ekeland also represents Matthew Keys, the Reuters reporter indicted last week for violations of the Computer Fraud Authorization Act. Mr. Keys is the first reporter employed by a major news gathering organization to be indicted under the Act. Mr. Ekeland explained that Mr. Auernheimer is part of a class of cases such as that of Aaron Swartz, Barrett Brown and Matthew Keys, which are being tried under an antiquated law that should be scrapped. Mr. Swartz has become a cause célèbre beyond the hacker and activist world. He committed suicide in January 2013. His suicide is sometimes seen as a result of prosecutorial overreach and the excessively charged case. Again, no hacking was involved. Unlike Mr. Brown, who has a very public history of substance abuse, and Mr. Auernheimer, who has what many consider an offensive online persona, Mr. Swartz was a white, privileged do-gooder with unimpeachable business and academic credentials.

After sentencing I interviewed Mr. Ekeland at The Standard Hotel in NYC on Monday afternoon for my documentary film on the subjects of the criminalization of dissent, the nexus of the private information security firms and the surveillance state and the targeting of activists and hacktivists by the DOJ and the government. Mr. Auernheimer has been participating in the documentary since last year. Mr. Ekeland was visibly upset about how the ambiguous CFAA can be used to target those who threaten the government. He argued: "Weev is being targeted because they can. He is no Aaron Swartz. His views are not acceptable and even offensive. He's a blowhard but he is not a criminal. Essentially he embarrassed AT&T."

I spoke with Jay Leiderman several weeks ago in his Ventura County, California office. Jay Leiderman is a legal adviser in the case of Barrett Brown. Mr. Brown, who is also the subject of my documentary, is the journalist and information activist facing a possible 105-year sentence in Mansfield, Texas for, among other charges, pasting a link from one chat room to another. He has no hacking skills. Many online activists or hacktivists use his name and that of Swartz as a verb to connote being framed and/or made an example of by being over-charged, as in to be Barrett Browned or Aaron Swartzed. Mr. Leiderman explained: "In the case of weev and Barrett Brown and Aaron Swartz, the government is saying loud and clear, if you use computers in ways that make us feel uncomfortable you go to jail and you go to jail for a very, very long time." Mr. Leiderman sees these cases, which he calls the first generation of computer fraud cases, as important precedents.

I was reminded of Mr. Leiderman's words when the judge and the prosecution referred to Mr. Auernheimer's "special skills" and how important it was that the length of the sentence serve the dual purpose of both punishing the defendant and deterring others who possess these "special skills." "Special skills" here refers to computer coding skills. These are the skills you need to break into what are thought to be secure networks such as corporate and/or government networks and websites. It seems that the class of people who possess computer coding skills, even if they are neither using these skills at the time they allegedly commit the acts with which they are charged and in addition are not accessing protected information nor breaking any laws, would indeed be deterred by these legal precedents. But deterred from what? It criminalizes an entire class of people for what they know rather than for what they do. I think I'll take the red pill and see how far the rabbit hole goes.

Peter Ludlow, professor of philosophy at Northwestern University and one of the producers of my documentary, argued:

"Violations under the CFAA have been interpreted by Holder's Justice Department to include violations of the terms of service agreements; you know those things you check the box for that no one ever bothers to read. So when I check that box on Match.com which says that I will not misrepresent myself and then I lie about my age on Match.com well, I'm a felon. So essentially everyone is a felon and that gives the government carte blanche to pick and choose which 'felons' they want to prosecute. And guess who they're going to choose? They're going to choose those individuals that they see as threatening to the system, to the power structure, the Jeremy Hammonds and the Barrett Browns and the weevs."

The judge asked Mr. Auernheimer if there was anything he would like to say. Anyone who knows "weev" knows the answer to that. The first time I interviewed Mr. Auernheimer was in November 2102 in San Francisco's Golden Gate Park. He spoke for two hours in the freezing cold and then informed me that it was his birthday, he was hungry and we should hang out. Ten hours later the charismatic, anti-Semitic, infuriating and lovable, legendary Internet troll and founder of Goatse Security was still talking.

This is what he had to say last Monday:

"I don't come here today to ask for forgiveness. I'm here to tell this Court, if it has any foresight at all, that it should be thinking about what it can do to make amends to me for the harm and the violence that has been inflicted upon my life.

The Internet is becoming bigger than the law can contain. The law was written, the CFAA was written by Reagan's team at a time when he was so senile he thought war games was a documentary..."

"Many governments that have attempted to restrict the freedom of the Internet have ended up toppled, and this place cannot abridge the liberties of Internet users, the rights of people to criticize large corporations and the right of us to cite things that AT&T, by their own admission, published, Sherry Ramsey's words.

I would like to highlight the actions that Zack Intrater (the prosecution) just went through, the many steps that he said that my co-defendant Daniel Spitler took. All of those steps under the Digital Millennium Copyright Act are lawful. It has specific exceptions for security research. You can reverse engineer any device to any degree and that is all lawful behavior.

As far as the special skills, certainly those things would require special skills, but they were not an element of the access, which I am charged with. The access which I am charged with involves adding one to a number. It is simple arithmetic. Anybody with a Web browser could have done it. I respectfully say that this court's decision is wrong. And if you people understood what you were doing with the rule of law and the Constitution, you would feel shame."

The courtroom fell silent, followed by applause. Eight imposing U.S. Marshals sitting in the jury box were unmoved. Mr. Auernheimer sat down. As the prosecution continued to make the case for the top of the guidelines, "weev" reached for his tablet. A U.S. Marshal yelled "put down the phone." Five U.S. Marshals descended on him and slammed his face and upper body against the table. "Weev" struggled. The full force of the state came down on him, because they can, for reaching for his weapon of choice: a tablet connected to the Internet. An epic troll.

A young man who had helped me with my camera that morning turned to me and said in an audible voice, "That's why Aaron Swartz hung himself."

This morning, I called attorney Jay Leiderman for his reaction to the sentence. He responded via text message: "To channel weev, the unjustly incarcerated master of mayhem, Lady Justice lapses into no more than a seditious whore when she ventures into the realm of the Internet." Weev would have liked that.