A federal appeals court on Friday overturned the conviction of a prominent computer hacker whose imprisonment had highlighted a growing debate over whether the government is overreaching in its campaign against cybercrime.
The U.S. Court of Appeals for the 3rd Circuit ruled that the Justice Department improperly put Andrew Auernheimer on trial in New Jersey, even though his alleged hacking took place elsewhere. Auernheimer was convicted in 2012 of obtaining about 120,000 email addresses of iPad users from AT&T’s website – including then-New York Mayor Michael Bloomberg, Hollywood executive Harvey Weinstein and other well-known figures – and giving them to the website Gawker.
The 2010 data breach alarmed federal officials because it affected such a prominent company and triggered fears about the security of mobile devices. But Auernheimer’s conviction and prison sentence of more than three years prompted criticism from digital rights advocates and others that he was one of a number of minor hackers caught up in the cybercrime crackdown because of their political or anti-corporate views.
In an interview last year, Auernheimer told The Washington Post that he is a “political and economic activist” who was trying to embarrass AT&T. Only a few of the email addresses he obtained were published, in heavily redacted form, and AT&T fixed the problem in about an hour, court documents showed.
Prosecutors portrayed Auernheimer as a dangerous longtime hacker who had violated the privacy of thousands of people, and Justice officials say their broader efforts are vital for protecting Americans from a vast and growing cybersecurity threat.
In the decision, a three-judge panel said the government violated Auernheimer’s rights by trying him in Newark “despite the absence of any apparent connection to New Jersey.” Auernheimer’s hacking activities took place in Arkansas, a co-conspirator was found in California, and the AT&T servers they accessed were in Texas and Georgia, the court said.
Even though the so-called venue is widely considered a technicality, the court said that trying a person where the crime was committed “has been fundamental since our country’s founding.”
But the decision will probably not resolve the broader legal debate over the crackdown since the judges – other than in a brief footnote – did not address defense arguments that a key federal law was incorrectly applied in Auernheimer’s case. The law, the Computer Fraud and Abuse Act, is at the center of the debate.
Still, the Electronic Frontier Foundation, a digital rights group that worked on Auernheimer’s appeal, hailed the decision. Orin Kerr, a former Justice Department computer-crimes prosecutor who worked pro bono on the appeal, called it “an important result. Venue sounds like a technicality, but it’s a really important technicality.”
Matthew Reilly, a spokesman for the U.S. attorney’s office in New Jersey, said: “The court determined that the Department of Justice brought this case in the wrong district. We’re reviewing our options.” It is unclear if Auernheimer can be retried.
An AT&T spokeswoman declined to comment.