On Monday, Andrew Auernheimer was sentenced to serve 41 months in prison for violating the Computer Fraud and Abuse Act. Auernheimer’s case has received a lot of press attention, and I think that attention is merited: I think the case against Auernheimer is deeply flawed, and that the principles the case raises are critically important for civil liberties online. For that reason, I have agreed to represent Auernheimer pro bono in his appeal before the Third Circuit. (I will be joined by the trial counsel Tor Ekeland and his colleagues Nace Naumoski and Mark Jaffe, together with Marcia Hofmann and Hanni Fakhoury of EFF.) In this post, I want to explain some of the issues in play in this case that I think make it so important.
First, this case is going to set a major precedent on the meaning of unauthorized access under the Computer Fraud and Abuse Act. In my view, what Auernheimer and Spitler did was lawful authorized access, not unlawful unauthorized access. Here are the basic facts. When iPads were first released, iPad owners could sign up for Internet access using AT&T. When they signed up, they gave AT&T their e-mail addresses. AT&T decided to configure their webservers to “pre load” those e-mail addresses when it recognized the registered iPads that visited its website. When an iPad owner would visit the AT&T website, the browser would automatically visit a specific URL associated with its own ID number; when that URL was visited, the webserver would open a pop-up window that was preloaded with the e-mail address associated with that iPad. The basic idea was to make it easier for users to log in to AT&T’s website: The user’s e-mail address would automatically appear in the pop-up window, so users only needed to enter in their passwords to access their account. But this practice effectively published the e-mail addresses on the web. You just needed to visit the right publicly-available URL to see a particular user’s e-mail address. Spitler realized this, and he wrote a script to visit AT&T’s website with the different URLs and thereby collect lots of different e-mail addresses of iPad owners. And they ended up collecting a lot of e-mail addresses — around 114,000 different addresses — that they then disclosed to a reporter. Importantly, however, only e-mail addresses were obtained. No names or passwords were obtained, and no accounts were actually accessed.
In the government’s view, visiting the URLs was an unauthorized access of AT&T’s website. But I think that’s wrong. At bottom, the conduct here was visiting a public website. As the Sixth Circuit stated in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), everyone is authorized to visit an “unprotected website” that is “open to the public.” The fact that AT&T would not have wanted Spitler to visit those particular URLs doesn’t make visiting the public website and collecting the information a criminal unauthorized access. If you make information available to the public with the hope that only some people would bother to look, it’s not a crime for other people to see what you make available to them. Further, the fact that an automated script was used to collect lots of information instead of visiting manually makes no difference to whether the visiting was an unauthorized access. See EF Cultural Travel BV v. Zefer, 318 F.3d 58 (1st Cir. 2003) (the fact that a website owner “would dislike” the use of an automated script “to construct a database” of information available from visiting the website does not render the use of the automated script an unauthorized access under the CFAA).
Although the “unauthorized access” question in this case has received the most press attention, there are several other aspects of the case that strike me as pretty blatantly wrong.
First, consider the government’s basis for treating the conduct as a serious felony rather than a misdemeanor. Unauthorized access is ordinarily a misdemeanor. Why is this crime a felony? Here’s the government’s remarkable theory. All 50 states have state unauthorized access computer crime statutes similar to the federal unauthorized access statute. The government’s theory is that this overlap turns essentially all federal CFAA misdemeanors into federal felonies. They rely on 18 U.S.C. 1030(c)(2)(B)(ii), which states that a misdemeanor unauthorized access becomes a felony when it is “in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” The government argues that the existence of state unauthorized access crimes transforms unauthorized access misdemeanor crimes into felonies: The overlap means that every federal unauthorized access crime is a federal crime “in furtherance of” the analogous state crime. I think that kind of double-counting can’t be permitted. That interpretation would effectively nullify Congress’s decision to make the basic unauthorized access crime a misdemeanor. Instead, the caselaw supports the common-sense conclusion that the “in furtherance” language must refer to furthering a crime other than unauthorized access itself. See Caro v. Weintraub, 618 F.3d 94 (2d Cir. 2010) (interpreting identical statutory language as being limited to acts independent of the crime furthered); United States v. Cioni, 649 F.3d 276 (4th Cir. 2011) (invalidating a similar effort to double-count with two federal unauthorized access statutes). Under that caselaw, the conduct was at most a misdemeanor rather than a felony.
Another problematic aspect of the Auernheimer case relates to the absence of a connection between the conduct and the jurisdiction where charges were brought. Auernheimer was in Arkansas and Spitler was in California, and they connected to AT&T’s servers in Georgia and Texas. AT&T is a Delaware corporation headquartered in Texas. But the charges were not brought in any of these states. Instead, the charges were brought in New Jersey, and the government charged Auernheimer with a felony on the ground that he was acting in furtherance of New Jersey’s computer crime law. Why? The government’s theory is that the crime was completed in New Jersey because some of the e-mail addresses obtained belong to people who live in New Jersey. But I don’t think the Constitution or federal venue statute allows that. The Sixth Amendment and the federal venue statute require that crimes must be charged in the place where the crime occurred. When a crime occurred in multiple places, the federal government can bring the case in any state where part of the crime occurred. (For a helpful guide to the law on this, see here.) Under Supreme Court precedent, this requires a consideration of where the prohibited conduct occurred — here, where the unauthorized access occurred. See United States v. Rodriguez-Moreno, 526 U.S. 275 (1998). I don’t see how the crime of unauthorized access could have occurred in New Jersey given that neither the defendants, the computers accessed, the company, nor apparently even any Internet traffic at all was in or went through New Jersey. While I’m at it, I also don’t understand how the conduct could be in furtherance of New Jersey’s computer crime statute given that neither the defendants, the computers accessed, the company, nor any Internet traffic had any connection to New Jersey. New Jersey’s unauthorized access statute doesn’t extend to regulate people outside of New Jersey accessing computers outside of New Jersey owned by a company outside New Jersey. Indeed, under the Dormant Commerce Clause, it probably can’t. See, e.g., American Booksellers Foundation v. Dean, 342 F.3d 96 (2d Cir. 2003). So it seems to me that this case could not have been properly brought in New Jersey, and the conviction should be overturned on that basis alone.
A final problem that leads me to work on the case pro bono is the sentence. The largest part of Auernheimer’s sentence was due to an alleged $73,000 in loss suffered by AT&T. Under the provisions of the Sentencing Guidelines associated with 18 U.S.C. 1030, sentences are based primarily on the amount of loss caused by the crime. More dollar loss to the victim means more time in prison for the defendant. The dollar loss is calculated based on “[a]ny reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other damages incurred because of interruption of service.” In this case, however, AT&T did not claim any loss to its computers from the conduct. There was no interruption of service and no cost of restoring data or conducting a damage assessment. Instead, the sole assertion of loss was based on how AT&T decided to notify its customers that their e-mail addresses had been obtained by Spitler and Auernheimer. First, AT&T notified its customers by e-mail. That was free, leading to a “cost” so far of zero. But then AT&T decided to follow up the e-mail notification with paper letter notification, and the postage and paper costs amounted to about $73,000. Auernheimer’s 41-month sentence was based in substantial part on that $73,000 in loss, and he was also ordered to pay restitution in that amount. But I don’t think that cost of paper and mailing counts as loss that can be attributed to Auernheimer and Spitler. That’s true for two reasons. First, existing caselaw indicates that the costs only count if they are “directly attributable to the defendants’ alleged access of [the] computer.” Shirokov v. Dunlap, Grubb & Weaver, 2012 WL 1065578, at *24 (D. Mass. 2012) (concluding that legal fees cannot constitute “loss” under the CFAA). A decision to notify users of a breach, like a decision to hire lawyers, is not part of an effort to fix the computer and therefore not directly attributable to the access. Second, it is not a “reasonable” cost here in light of the successful electronic notice.
Anyway, those are the concerns that have led me to volunteer in this case. I think they are really important issues. The first one wades into the morass that is “unauthorized access,” and the rest are questions of first impression in any circuit. No matter what the Third Circuit does, it will be very important for the development of this body of law. The notice of appeal was filed today; if there are any groups interested in filing amicus briefs in the case, please contact me or my co-counsel.