The group responsible for the immensely popular Firefox Web browser has put their weight behind imprisoned security researcher Andrew “Weev” Auernheimer. The Mozilla Foundation has filed a legal brief asking for the hacker’s conviction to be overturned.
Mozilla issued a friend of the court testimony from its Silicon Valley headquarters this week that asks the United States Department of Justice to reconsider the conviction of Auernheimer, a 27-year-old hacker and security expert who was sentenced earlier this year to 41 months in prison for violating the Computer Fraud and Abuse Act.
The Electronic Frontier Foundation and George Washington University law professor Orin Kerr filed an appeal on behalf of Auernheimer earlier this month imploring the Justice Department to vacate the conviction and free the hacker from behind bars, where he has been held at times in solitary confinement since starting his sentence this past March. Now in the wake of a separate amicus brief filed by a team of computer experts weeks earlier, the Mozilla Foundation has authored a statement of their own in support of Auernheimer.
Prosecutors said Auernheimer violated the CFAA because a computer program he operated helped him uncover the email addresses of around 114,000 Apple iPad owners due to a security lapse that left valuable user data hosted on the servers of telecom company AT&T free for the taking.
“AT&T chose not to employ passwords or any other protective measures to control access to the email addresses of its customers,” attorneys wrote in the appeal earlier this month. “The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information. Accessing the email addresses through AT&T’s public website was authorized under the CFAA and therefore was not a crime.”
Now on the heels of the brief filed by professional security researchers, Mozilla is asking the Justice Department to do something about what they say is an unjust conviction.
According to Mozilla and their attorney, Stanford Law School’s Jennifer Granick, Auernheimer’s unauthorized auditing of AT&T’s servers should not be considered a crime, but praised.
“[R]esearchers cannot always conduct testing with the approval of a computer system’s owner,” Granick wrote. “Such independent research is of great value to academics, government regulators and the public even when — often especially when — conducted without permission and contrary to the website owner’s subjective wishes.”
In interpreting the CFAA, however, prosecutors and the jury that convicted Auernheimer viewed it as legislation that limits the behavior of computer users when an external system — in this case AT&T’s servers — are accessed without explicit authorization. Although Auernheimer did not crack any passwords or bypass a security mechanism, he nonetheless accessed unprotected data that the telecom company did not want to be disclosed.
“The outdated law has been abused to cover situations far removed from the type of criminal hacking Congress had in mind when it passed the law in 1986,” EFF staff attorney Hanni Fakhoury told Wired earlier this month.
Indeed, Mozilla argued in their brief that Auernheimer and his co-defendant, Daniel Spitler, “did not avoid any password requirement, decrypt any encrypted data, access any private accounts or cause the AT&T website to malfunction.”
“I’m going to prison for arithmetic,” Auernheimer said before his sentencing.
In the latest appeal, Granick wrote for Mozilla that “The CFAA draws a line between lawful ‘authorized’ access and illegal ‘unauthorized’ access to computers. The concept of ‘authorization’ is different and distinct from a computer owner’s expressed or implicit desires.”
“Rather, this Court should hold that an individual who accesses unsecured data published on a public website is ‘authorized’ under the CFAA, regardless of the website owners’ subjective wishes,” wrote Granick. “Such a holding would reduce the chill that the risk of CFAA criminal liability places on the important work of privacy and security researchers.”
According to Mozilla, prosecuting Auernheimer for finding data stored openly on the Web presents a way for the government to go after even the most novice computer users simply for typing random addresses into a browser. In the brief, Granick even acknowledged that changing a single integer in the website for the Court of Appeals for the Fourth Circuit’s homepage can return results that would, by some interpretations, warrant a conviction.
“Many individual users modify web requests by typing new values in the browser address bar. Changing these values is useful when navigating through online photo albums or reading through comment threads for online forums. Doing so is technologically identical to what Auernheimer and his co-defendant did,” the brief reads.
In fact, Granick goes on to cite other instances where similar independent security tests conducted without authorization exposed instances of alleged privacy abuse that in turn spawned litigation. In one instance from earlier this year, investigative journalists with Scripps News found the personally identifiable information of 170,000 telephone customers were openly available online. When Scripps approached the owner of the server to point out the glaring flaw, they were threatened with prosecution under the CFAA.
“I don’t see much difference between what happened in that case and what happened here,” Tor Ekeland, an attorney for Auernheimer, responded at the time. “Except maybe that the DOJ might be a bit sensitive about going after reporters given their current track record on that front.”
Granick noted in her brief that, as a result of that report, three state attorneys general launched probes into the company’s privacy misconduct.
“None of this important work was done in accordance with any website owner’s subjective wishes. Very often, a website owner’s interests are antithetical to user security and privacy. If this conviction stands, future investigators who discover egregious security or privacy practices by sending common HTTP requests to public websites may reasonably be too afraid to report the breach to the offending company or to the public so that they may protect themselves. Make no mistake: the Bad Guys already will have found the sensitive information and used it for identity fraud; it is the Good Guys who are chilled by overbroad interpretations of the CFAA,” she wrote.
Auernheimer is currently serving his three-and-a-half year prison sentence at a federal facility in central Pennsylvania. Spitler pleaded guilty before the Auernheimer case wrapped up in March and received a less stringent punishment for testifying against his one-time collaborator: only 12-18 months.