Legal experts are stepping in to help hacker Andrew Auernheimer appeal his 41 month prison sentence for illegally accessing emails and other data belonging to about 120,000 iPad subscribers of AT&T's networks.
Auernheimer, sentenced on Monday has filed an appeal in the United States Court of Appeals for the Third Circuit.
In a blog post Thursday, Orin Kerr, a professor from the George Washington University Law School, said he is stepping in to help Auernheimer due to concerns over the length of his sentence and the manner in which the Computer Fraud and Abuse Act (CFAA) was applied in the case.
"I think the case against Auernheimer is deeply flawed, and that the principles the case raises are critically important for civil liberties online," Kerr wrote.
Aernheimer and Daniel Spitler made headlines in June, 2010, after using an automated script, which they called iPad 3G Account Slurper, to extract email addresses and SIM card ID numbers from more than 110,000 iPad owners. The data was taken from AT&T servers.
The data included email addresses belonging to New York Mayor Michael Bloomberg, New York Times CEO Janet Robinson, Diane Sawyer of the ABC television network, movie producer Harvey Weinstein, former White House chief of staff Rahm Emmanuel and numerous others.
Auernheimer and Spitler handed the data to Gawker, which posted the information on its website. The duo claimed they carried out the exercise only to demonstrate how the data was leaking from AT&T via its Web site.
Prosecutors charged the pair with fraud and with violating provisions of the CFAA. AT&T claimed that the caper had cost the company over $73,000 in breach notification costs.
Auernheimer was convicted last November and was sentenced on Monday to 41 months in prison, the maximum sought be prosecutors. Spitler pleaded guilty and is awaiting sentence.
Kerr cited what he called several problems with the case.
For instance, Auernheimer and Spitler did not have to hack or subvert any of AT&T's security controls to access the email because the data was readily available due to the server configuration, Kerr said.
Auernheimer realized this and wrote a script for automating the collection of email addresses, Kerr said. Though that data was later disclosed to a reporter, "no names or passwords were obtained, and no accounts were actually accessed," he added.
Kerr also noted that the $73,000 loss claimed by AT&T did not result from damage to AT&T servers and included no repair or restoration costs. Those costs were related to breach-notification and are therefore not directly attributable to Auernheimer's actions as defined under existing case law, he added.
Kerr also challenged the government's assertion that Auernheimer's act constituted illegal access to the AT&T server. He maintains that Auernheimer only visited a publicly accessible site and collected information.
The Electronic Frontier Foundation (EFF) is also helping in the appeal.
In a statement, EFF staff attorney Marcia Hoffman noted that Auernheimer faces more than three years in prison for essentially pointing out AT&T's failure to properly secure iPad subscriber data.
The EFF noted that the Auernheimer case is but the latest to highlight problems with how prosecutors use the Computer Fraud and Abuse Act. "Since the tragic death of programmer and Internet activist Aaron Swartz in January, EFF has redoubled its efforts to reform the law," the statement said. "The punishments for computer crimes are seriously off-kilter, and Congress needs to fix them."
The EFFs attorneys and Kerr will join Auernheimer's trial consul in fighting the sentence.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.