It's hard to know what to make of Andrew Auernheimer. The 27-year-old grey hat, known in the hacker community as "Weev," was sentenced to 41 months in prison and ordered to pay a $75,000 fine to AT&T on Monday morning for his involvement in a 2010 incident involving iPads on the carrier's network. However, as Weev himself points out and tech bloggers confirm, he is being punished as a hacker who never actually did any hacking — not technically speaking, anyways.
So if Weev isn't a hacker, is he another activist, like Aaron Swartz, who's been swept up by too strict hacking laws? Or is he more of a rabblerouser, like Matthew Keys, the Reuters employee who helped Anonymous deface the Los Angeles Times's website? Or is he really a regular old criminal like the court says he is? The ambiguity here places Weev in a growing line-up of digital usual suspects, from Swartz to Keys, boy-men whom the government wants to make examples of and whom the internet freedom community, for better or worse, is eager to embrace as heroes.
That does not mean that Weev is an admirable character — he's an infamous, race-baiting troll who cut his teeth in the dark corners of 4chan — nor that he was entirely innocent in his intentions. He basically spotted a security flaw and exploited it. Working as an operative of the hacker collective Goatse Security, Weev wrote a script that pinged AT&T's customer database with random ICC-IDs, the unique number used to authenticate a device's SIM card with the carrier's servers. Each ICC-ID is linked to the customer's email address, so when Weev's script sent each random code, AT&T's network spit out a customer's email. Eventually, Weev and friends collected 114,000 email addresses using this method.
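As an added illustration (not code from the article or from any party it names), here is a log check for the access pattern described above: one client presenting many different ICC-IDs in a short time, where an ordinary device only ever presents its own. The log format, addresses, identifiers and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def constructed_log():
    """Constructed sample: 'timestamp client iccid result' (hypothetical format)."""
    base = datetime(2010, 6, 5, 10, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = []
    # An ordinary device: the same ICC-ID every time it checks in.
    for s in range(0, 300, 30):
        lines.append(f"{stamp(s)} 192.0.2.10 ICCID-A hit")
    # A shared address (e.g. household NAT): a handful of devices, still few IDs.
    for s in range(0, 300, 20):
        lines.append(f"{stamp(s)} 192.0.2.20 ICCID-{'BCD'[s // 20 % 3]} hit")
    # One client stepping through many different IDs, most of them unassigned.
    for n in range(40):
        result = "hit" if n % 4 == 0 else "miss"
        lines.append(f"{stamp(n)} 198.51.100.7 ICCID-{n:04d} {result}")
    return lines

def find_enumerators(lines, window=timedelta(seconds=60), max_distinct=5):
    """Return {client: peak distinct ICC-IDs in any window} for clients over the limit."""
    recent = defaultdict(deque)   # client -> (timestamp, iccid) pairs inside the window
    peak = defaultdict(int)       # client -> highest distinct-ID count observed
    for line in lines:
        if not line.strip():
            continue
        ts_text, client, iccid, _result = line.split()
        ts = datetime.fromisoformat(ts_text)
        q = recent[client]
        q.append((ts, iccid))
        # Drop requests that have aged out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        peak[client] = max(peak[client], len({i for _, i in q}))
    return {c: n for c, n in peak.items() if n > max_distinct}

if __name__ == "__main__":
    for client, n in find_enumerators(constructed_log()).items():
        print(f"{client}: {n} distinct ICC-IDs within 60s")
```

Rate-based detection like this only limits the damage; the underlying fix is for the server not to return account data to a caller that has merely supplied an identifier.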
At this point, Weev could've easily alerted AT&T to the vulnerability and possibly gotten a thank you note instead of a jail sentence. Indeed he did contact AT&T but almost immediately turned around and handed off the email addresses to Gawker, who quickly published them. It didn't take long for the Feds to track down Weev and slap him with some serious charges for violating the Computer Fraud and Abuse Act of 1986. Last November, a judge ultimately found Weev guilty of "one count of identity fraud and one count of conspiracy to access a computer without authorization." And now, pending appeal, Weev is off to jail.
In any other news climate, this story would be another random blip in the cyber security news cycle. It's a familiar story: Hacker type does hacker-like thing, gets caught, gets turned into an example by the government and a hero by the people. But there have been a series of high-profile cases lately that have brought new scrutiny to the CFAA, especially the rather draconian maximum sentence that violating the law carries.
Critics say that the law is vague and obviously outdated since it was written before the web era. The CFAA says it's illegal to "access a computer without authorization or exceed authorized access" on a "protected computer." But what does it mean to "exceed authorized access" and what is a "protected computer" to begin with? Breaking into the Department of Defense's personnel database is one thing, but is it really hacking if a company like AT&T leaves the backdoor open?
This kind of question is popping up more and more as the Feds crack down on would-be hackers. The best known case of this nature is most definitely that of the late Aaron Swartz, who faced up to 35 years in prison and $1 million in fines for allegedly violating the CFAA back in 2010. Swartz didn't expose any private email addresses or bring down any networks. He downloaded reams of JSTOR academic articles that he may have intended to release to the public for free before being caught. Two months ago, he killed himself after federal prosecutors doubled down on the case. Those close to the 26-year-old, who helped build the original Reddit, insisted that he had been bullied to death by his prosecutors.
Swartz and Keys
Swartz's name and case reappeared in the news last week when federal prosecutors indicted Matthew Keys, a social media editor at Reuters. Keys was charged with violating the CFAA for handing off his old log-in credentials for the Tribune Company to a hacker affiliated with Anonymous who then logged into the Los Angeles Times and defaced an article's headline. The cyber graffiti was up for about 30 minutes before editors spotted it and took it down. Keys faces up to 25 years and $75,000 worth of fines for his involvement. He didn't necessarily do any hacking himself, but according to federal prosecutors, he broke the hacker law.
Attempting to make comparisons between Weev, Swartz and Keys can be a little bit dicey. The allegations are vastly different, as were the young men's intentions. It sounds like Weev just wanted to stir things up and have some fun. (And it sounds like he wants to do it again, based on some ill-advised threats made in a Reddit AMA the night before his sentencing.) Swartz wanted to make information free. Keys, who was previously fired from a job at the Tribune Company, seemed vindictive in his actions. But none of these guys necessarily hurt anyone by exposing and exploiting back doors to which they had found the keys. Should they face the same level of punishment as someone who committed aggravated assault or grand theft auto?
Digital rights advocates think not. The Electronic Frontier Foundation (EFF) announced not long after Weev's sentencing that it would pursue an appeal and has "redoubled its efforts to reform the law" since Swartz's death brought national attention to the issue. "Weev is facing more than three years in prison because he pointed out that a company failed to protect its users' data, even though his actions didn't harm anyone," EFF Senior Staff Attorney Marcia Hofmann said. "The punishments for computer crimes are seriously off-kilter, and Congress needs to fix them." Congress will first need to learn more about how this Internet thing works. In the meantime, the martyrs will keep piling up.