The infamous iPad hacker will get another day in court, and this time, he'll have a dream team of lawyers to defend him.
Andrew Auernheimer, also known as Weev, was sentenced to 41 months in prison on Monday for computer crimes. In a blog post on Thursday, Orin Kerr, a former federal prosecutor and an expert in computer crime law, announced he was joining Auernheimer's defense team pro bono and confirmed that they had filed a notice of appeal (PDF), the initial step in the appeal process.
Kerr joins Auernheimer's trial lawyer Tor Ekeland, and two attorneys from the Internet civil rights advocacy group the Electronic Frontier Foundation, Marcia Hofmann and Hanni Fakhoury. The two announced they were joining the case on Monday.
In the blog post, Kerr underlined why he decided to work for free to defend Auernheimer in front of the Third Circuit Court of Appeals. He said that he thinks the case will "set a major precedent on the meaning of unauthorized access under the Computer Fraud and Abuse Act."
The law, which was used against Auernheimer, was the same one levied against Aaron Swartz and, more recently, Matthew Keys. The legislation, approved in 1986 and subsequently amended and expanded (as perfectly explained in this exhaustive story from CNET's Declan McCullagh), has been criticized for being overly broad and for giving prosecutors too much leeway, criminalizing what critics define as innocuous acts.
For Kerr, Auernheimer's case is a perfect example of that.
"What Auernheimer and Spitler did was lawful authorized access, not unlawful unauthorized access," he wrote, referring to the actions that brought Auernheimer to justice. In 2010, the hacker and his colleague Daniel Spitler discovered that they could access an AT&T web server by simply changing a number in its URL. That way, and with the help of a script, they gained access to around 114,000 email addresses of AT&T subscribers who owned iPads.
The prosecutors and the judge considered this to be unauthorized access. Kerr disagrees. "I think that’s wrong. At bottom, the conduct here was visiting a public website," he wrote. What's more, Kerr doesn't get why the sentence considers this a crime and not a simple misdemeanor. Kerr explains that the CFAA considers unauthorized access as a misdemeanor offense, but similar computer crime state laws consider it a felony. And that's why the government considered Auernheimer's actions a felony.
Kerr also opposes the damages that Auernheimer will have to pay, which amount to half of $73,000 (the other half will have to be paid by Spitler). Kerr considers that the punishment is too high, since "AT&T did not claim any loss to its computers from the conduct, there was no interruption of service and no cost of restoring data or conducting a damage assessment," he wrote. The $73,000 claim comes from AT&T's decision to notify the customers of the breach via snail mail, after notifying them by email.
But for Kerr, those costs should not fall on Auernheimer's and Spitler's shoulders. "A decision to notify users of a breach, like a decision to hire lawyers, is not part of an effort to fix the computer and therefore not directly attributable to the access. Second, it is not a 'reasonable' cost here in light of the successful electronic notice," Kerr explained in the blog post.
It remains to be seen if these arguments will convince the judges in the Third Circuit Court of Appeals in Philadelphia. What's certain is that Monday's sentence is not the end of Auernheimer's story.