A federal appeals court has vacated the conviction against a controversial computer hacker who has spent the last 13 months in prison after going public with a security flaw that brought embarrassment to companies Apple and AT&T.
The three justices of the United Starts Court of Appeals for the Third Circuit announced in a 22-page opinion released early Friday that they’ve agreed to vacate a ruling made by US District Judge Susan Wigenton in 2012 against Andrew “weev” Auernheimer, a 28-year-old computer hacker who had previously made headlines for disclosing details to the website Gawker about a vulnerability on AT&T’s server that allowed him to discover the email addresses of roughly 114,000 Apple iPad owners.
Defense attorney Tor Ekeland tweeted Friday afternoon that he'd be picking up his client later that evening from a federal prison in Pennsylvania.
Auernheimer was sentenced by Judge Wigenton in March 2013 to spent 41 months behind bars after a jury found him guilty of identity fraud and conspiracy to access a computer without authorization, although the alleged intrusion into the telecom’s servers did not involve bypassing any password-protected security mechanisms nor yielded anything more than the email addresses registered to iPad owners.
Yet on Friday, the Third Circuit said that the federal attorneys who led the prosecution erred not necessarily because of how they interpreted the Computer Fraud and Abuse Act provisions used to convict Auernheimer, but rather as a result of the way they went about trying him on the other side of the country.
“Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age,” Circuit Judge Michael Chargares wrote for the court, “we find it necessary to reach only one that has been fundamental since our country’s founding: venue.”
All but ignoring the concerns that defense attorney raised about how Judge Wigenton’s court considered the crime in question to be a violation of the CFAA, the Third Circuit said that her 2011 decision for the United States District Court for the District of New Jersey must be vacated because Auernheimer was indicted, tried, convicted and sentenced more than 1,000 miles away from where he actually deployed the computer code that slurped up the email addresses of iPad owners.
Indeed, the appeals panel acknowledged in its ruling this week that the District Court admitted neither Auernheimer nor a co-defendant who separately cooperated with the prosecutions were ever in New Jersey when they committed the crime. Instead, the District Court said the Garden State was a valid venue because within the trove of email addresses discovered by Auernheimer were those belonging to around 4,500 New Jersey residents. Additionally, the District Court said Auernheimer’s crime qualified him for certain “sentence enhancements” and elevated it to a felony because they alleged that Auernheimer’s CFAA violation occurred in furtherance of a violation of New Jersey’s computer crime law.”
In Friday’s ruling, the appeals panel said they saw it differently. “New Jersey was not the site of either essential conduct element,” Chargares wrote, because “the evidence at trial demonstrated that the accessed AT&T servers were located in Dallas, Texas, and Atlanta, Georgia.”
Halfway through Friday’s ruling, Chargares wrote, “As should be clear by now, no conduct related to the ordinary CFAA violation occurred in New Jersey.”
“Nonetheless, even assuming that defective venue could be amenable to harmless error review, the venue error here clearly affected Auernheimer’s substantial rights,” he added. “The venue error in this case is not harmless because there was no evidence that any of the essential conduct elements occurred in New Jersey. If Auernheimer’s jury had been properly instructed on venue, it could not have returned a guilty verdict; the verdict rendered in this trial would have been different.”
But as a result of that original verdict, Auernheimer has spent the last 13 months in confinement at a federal prison in Pennsylvania, where the treatment he has endured during that duration has raised more than a few eyebrows. Shortly after he was first incarcerated, Auernheimer complained that he was unable to eat behind bars because he suffered from celiac disease yet nutritionists at the facility refused to provide him with appropriate meals. When he began using his allotted phone calls to leave audio messages on the internet, jailers began to rescind those privileges against Auernheimer.
Last month, trial lawyer Tor Ekeland told RT host Abby Martin that privileged client-attorney mail sent by Auernheimer from prison had been intercepted by federal officials, and as recently as earlier this week Auernheimer was reportedly being held in a solitary confinement-like cell where he was barred from having books and receiving mail. Several of these stints have occurred since Auernheimer’s incarceration began 13 months earlier.
Electronic Frontier Foundation attorney Hanni Fakhoury, who represented Auernheimer during the appeals portion of his case, told RT’s Andrew Blake on Friday that the defense counsel believes retrial is barred by double jeopardy.
“We think retrial is barred by double jeopardy. If the government tried to retry, we will definitely raise that argument,” Fakhoury said.
Should that be the case, though, then the prosecution may face a harder challenge than ever: included within a footnote half way through this week’s opinion, Judge Chargares acknowledged that no evidence was ever presented before the District Court showing that Auernheimer circumvented a code- or password-based barrier to access, which is required to convict someone under New Jersey’s state computer law.