Weev Is Free, Because You Can't Prosecute a Hacker Just Anywhere
Weev's conviction was just vacated on grounds of venue. Here's what that means for the future of hacking and computer crimes.
A federal court has decided to vacate the conviction of Andrew 'weev' Aurenheimer, the "web's most notorious troll," on charges of accessing a computer without authorization. This is a swift response to an appeals hearing held just two weeks ago, in which the defense argued that among the problems with Aurenheimer's conviction was the issue of venue—the defense, led by the law professor Orin Kerr, argued that it was improper and arbitrary that the case was prosecuted in New Jersey, where none of the alleged criminal activity occurred.
The judges agreed. In the decision handed down today, they write that "Because we conclude that venue did not lie in New Jersey, we will reverse the District Court’s venue determination and vacate Auernheimer’s conviction."
It's an interesting ruling, and one that many observers of weev's appeals hearing thought a likely outcome.
"Almost the entire thing was about venue," Tor Ekeland, an attorney who also represents Auernheimer, told me after the hearing in March. he speculated that weev was tried in New Jersey simply because the state had a major computer crimes division; it had no relevance to the case. "Nothing happened in New Jersey. No victims, no possession."
The decision allows the state to vacate what many considered to be an overzealous prosecution—which led to 41 months in prison—without reconsidering the fundamentals of the outmoded law he was convicted under, the heavily criticized Computer Fraud and Abuse Act (CFAA). That law, a relic of the 80s, is extremely ambiguous, and many commentators say it leaves room for overly aggressive prosecution. Aurenheimer was convicted of accessing a computer without authorization, after all. The federal prosecutor at the appeals hearing clearly demonstrated he barely understood what it was that weev did, nor how or why he should be punished for it.
Meanwhile, weev has not been acquitted; the ruling has just been 'vacated.' That means that he can still be retried in another venue—either Alabama, where weev was when he sent the data, or New York, the location of the Gawker offices where it ended up.
While it chose to focus on the venue issue, the court did briefly address another crucial aspect of weev's alleged crime—one that his lawyers and many others in the computer community have argued did not constitute "hacking" in the criminal sense.
We also note that in order to be guilty of accessing “without authorization, or in excess of authorization” under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code- or password-based barrier to access [..] The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.
In other words, New Jersey law demands that "hacking" requires breaking a password, even though, as the opinion notes, the threshold for hacking is lower under the federal version of the CFAA. The law was also used to originally prosecute Aaron Swartz, the activist whose scraping of journal articles was determined by the government to be theft.
An illustration from Weev's sentencing hearing by Molly Crabapple. Read her report here.
Still, venue is the most important issue in the opinion, and the court has made a potentially game-changing decision on how internet crimes can be prosecuted. From the decision:
Venue in criminal cases is more than a technicality; it involves “matters that touch closely the fair administration of criminal justice and public confidence in it.” United States v. Johnson, 323 U.S. 273, 276 (1944). This is especially true of computer crimes in the era of mass interconnectivity.
While the government never offered a full explanation as to why it brought the case in New Jersey, the state is the site of AT&T's headquarters and is known as a hub of influential telecommunications companies. As one commenter speculated on Hacker News, "the specifics of NJ state computer crime law might have been the reasons prosecutors stretched venue so much to get the case located there. But with the Appeals Court determining that the NJ venue was invalid, the whole framework of the case falls apart."
This should result in more consideration being made to how and where internet crimes can be prosecuted. Without this clarification, it was feasible that a hacker in Hawaii could be arrested and prosecuted in Florida for sending data to a server in New York; the sky for prosecutors was essentially the limit. “In terms of venue, it’s an incredibly important concept, and the government’s prosecution here just threw that out the window," Ekeland told the Guardian.
What precedent this sets for current and future hacking cases remains to be seen. One case that bears resonance with weev's is that of Jeremy Rubin, an MIT student who built Tidbit, a bit of software that can mine Bitcoin on users' computers in lieu of showing advertisements. In December, Rubin was issued a subpoena from New Jersey demanding his source code and information on every computer his code had touched. His case was taken up the Electronic Frontier Foundation, which argued that New Jersey had nothing to do with Rubin's software and that the subpoana should be quashed.
"States have to be very careful to only regulate conduct that occurs within its geographical borders," wrote the EFF's Hanni Fakoury in February. "New Jersey is doing more than just investigating local websites or code stored in the state. Instead, its investigation suggests an attempt to target out-of-state conduct, a power the Constitution specifically reserves for Congress."
Ekeland hailed the ruling. “If the court had ruled the other way, you would have had universal venue in these kinds of cases, computer fraud and abuse cases, and that would have had huge implications for the Internet and computer law."