AT&T hacker wants government to pay him $13M

Andrew ‘weev’ Auernheimer, whose struggles with federal prosecutors have fueled calls for reforming the Computer Fraud and Abuse Act (CFAA), wants the government to pay him $13 million for taking away his freedom for the past three years.

In an impassioned open letter to the FBI, the U.S. Justice Department and others, Auernheimer claimed he had been unfairly hounded and incarcerated over charges that he illegally accessed data belonging to about 120,000 iPad 3G customers of AT&T.

“I want history to record that I made an honest and public attempt to get reasonable compensation,” from the government, Auernheimer said in comments via email to Computerworld. “Whatever I do in the future, I want people to know that I tried peaceful civil actions first.”

The U.S. District Court for the District of New Jersey in March 2013 sentenced Auernheimer to 41 months in prison for violating provisions of the Computer Fraud and Abuse Act (CFAA). Last month, the United State Court of Appeals for the Third Circuit vacated that sentence on a technicality, holding that the case had been pursued in the wrong venue.

Auernheimer made headlines in June 2010 when he and his partner, Daniel Spitler, used an automated script they called iPad 3G Account Slurper to extract email addresses and SIM card ID numbers of more than 100,000 iPad owners from AT&T’s servers.

The data included email addresses belonging to New York Mayor Michael Bloomberg, New York Times CEO Janet Robinson, ABC’s Diane Sawyer, movie producer Harvey Weinstein, former White House Chief of Staff Rahm Emmanuel and numerous others.

Auernheimer claimed he had pulled off the caper purely to highlight AT&T’s lack of controls for protecting customer data. He noted that he did not have to subvert any AT&T security controls to access the data because it was readily available on the company’s website to anyone who knew where to look.

Prosecutors argued that Auernheimer knew he was breaking the law when he accessed the customer data from AT&T’s servers and then made it available to the media. They charged him with violating the CFAA, which makes it a crime for anyone to bypass security controls, like passwords and firewalls, to access data to which they’re not authorized.

The case attracted widespread attention from several advocacy groups who saw it as another example of the CFAA being used by overzealous federal prosecutors to pursue cases for which it was never intended.

Concerns over misuse of the law peaked last year after noted Internet activist Aaaron Swartz committed suicide, apparently over the prospect of a long prison sentence stemming from CFAA charges against him.

Several legal experts and groups like the Electronic Frontier Foundation stepped in to help Auernheimer, noting that he had not hacked or subverted any AT&T security controls to access the data. The mere fact that he had used a script to automatically collect data from the AT&T site was not a CFAA violation, they claimed.

In his open letter this week, Auernheimer claimed that the government owed him money for taking away his freedom for 1,179 days between his arrest in January 2011 and his release last month. “My current market-determined hourly rate is 1 Bitcoin an hour,” Auernheimer claimed. “I am owed 28,296 Bitcoin,” for 1,179 days, he said, adding that he does not want the money in U.S. currency.

Auernheimer also said he plans on suing the government for his incarceration.

Even though the sentence against him has been vacated, the government could still appeal the case to the Supreme Court, Auernheimer said. “We’ll know by June 9 if they plan to appeal to SCOTUS. In addition, I can be re-indicted in a new jurisdiction, which the government is hilariously claiming doesn’t violate double jeopardy.”

According to Auernheimer, the appellate court’s decision to vacate his sentence was unexpected. “I was in the middle of a hunger strike in solitary confinement when I was released,” Auernheimer said. “I had no idea what was going on.”

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar’s RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about legal in Computerworld’s Legal Topic Center.