Today Andrew ‘Weev’ Auernheimer was sentenced to an incredible 41 months in prison. Following that time in the clink, Weev will enjoy 3 years of supervision. He also must pay a five-figure fine. He’s being charged in relation to his collecting and leaking 114,000 email addresses of AT&T customers.
The formal charges against him are a count of identity fraud, and a count of conspiracy to access a computer without authorization. The charges as well as the punishment ordered are sensational, and flawed.
Let’s run a thought experiment: If I had a server that you could ping methodically, with random strings of information, causing it to release email addresses of my users, who is to blame, you, or me? Quite obviously myself, as my server is the leaking entity, and you are simply speaking with it.
That would be doubly true if you, the server pinger, did nothing to circumvent my server’s security system. If you cracked my security, and stole my data, that’s on you. However, if my security is so flimsy that you can quickly extract data from my website that I don’t want you to, shame on me.
However, in the case of Weev, he’s going to prison, and AT&T is kvetching about the financial costs that it incurred in sending out paper notices to affected users.
As TNW reported during the earlier proceedings of the prosecution, here’s the technical details of what happened:
AT&T wanted to offer a convenient way of letting users log into their 3G data plan accounts, auto-populating users email address on the dashboard by referencing the unique identifier (ICC-ID) of the users iPad.
[Weev and his accomplice], realizing this, produced a script that utilized brute force techniques to auto-generate thousands of unique ICC-ID’s, harvesting email addresses as the script went on.
It’s a situation where you can see what AT&T were trying to do, it’s such a shame that most tech-savvy users would recognize how the email addresses were generated. No passwords were stolen but that won’t stop thousands of iPad owners from looking at AT&T with even more of a suspicious eye.
If I was a security professional at AT&T, I would be ashamed. As Sam Biddle of Gizmodo noted, citing Weev’s defense plea, the problems with AT&T’s security systems were “so severe that no ‘sophisticated means’ or ‘special skill’ was required to break those email addresses free.”
AT&T’s shame should be twofold: that it was so careless with its users’ information, and that it has so aggressively pursued Weev. The aforementioned memo that reports that AT&T internally admitted that Weev “circumvented no security.” Well then.
If collecting the email addresses wasn’t criminal, was the releasing of the email addresses in fact a crime? No. It wasn’t a nice thing to do, but being mean isn’t illegal. And to our understanding the formal charges against Weev do not select his releasing the data as functionally criminal.
That said, Weev is a controversial figure. As TNW’s own Brad McCarty noted:
The problem at hand is that Weev will now be compared equally in any respect to people such as Aaron Swartz. Swartz made a career out of standing up for Internet users. Auernheimer spent the better part of his days as a free man flexing self-entitlement while trolling for jollies. While what he did wasn’t illegal, by the definition of any reasonable person with an understanding of how the Internet works, Auernheimer deserves no accolades for his ‘work.’
Massive punishments for minor digital crime, as in the case of Aaron Swartz, defacing of other’s websites, such as with Matthew Keys, and now the utterly asinine sentencing of Weev are now apparently the norm.
If the government decides that you are up to digital mischief, it wants to send you to IRL prison.
Those who break the law should be punished in accordance to the severity of their action. As TNW reported in the case of now-suspended Matthew Keys of Reuters:
An article was changed for a 30 minute period. If Keys’ guilt is proven, he deserves to be punished for the act of abetting the vandalism. That said, the penalty should match the crime.
However with Weev, we have a different circumstance; Pinging AT&T’s server was no crime. Thus, his punishment isn’t merely outsized, it is without basis.
The Computer Fraud and Abuse Act (CFAA) is at work again in this case. The CFAA itself is bordering on ancient and is now infamous for its utterly backwards wording that has allowed for a number of high-profile prosecutions to mete out ridiculous levels punishment.
41 months in prison, 3 years of supervision, and a split fine of $73,000 to AT&T. For the mobile giant having bad security, and being caught pants-down. For shame. There is an effort to reform the CFAA to make it less odious afoot. Let’s hope those working on the issue prevail.
As a final point, the above ruling could have what TNW’s Matthew Panzarino dubbed a “chilling effect” on security reporting. If you find something that’s broken, will you turn it in if you might end up staring down the barrel of a lengthy prison sentence? Currently, many vulnerabilities are uncovered by third-parties. Far more, often, than the companies in question themselves can find. Criminalizing their discovery is simply bad policy.
Top Image Credit: zombieite