The iPad Data Security Lawsuit — What’s Next?

On June 9th, 2010, ran a story about Andrew Auernheimer (a.k.a., weev) and Daniel Spitler (a.k.a., JacksonBrown), two hackers from the Goatse Security team (GoatSec). Five weeks after Apple’s 3G-enabled iPad was released, Auernheimer and Spitler uncovered a gaping security hole, specific to the 3G hardware, which exposed personally identifiable information of AT&T customers.

Last week, one of the bug hunters was convicted on one count of conspiring to access a computer without authorization – a violation of the Computer Fraud and Abuse Act (CFAA) — and one count of fraud. To add insult to injury, his former hacking partner helped the prosecution. Auernheimer is appealing, which means this suit could eventually land in the hands of the Supreme Court.

Below is the story behind the lawsuit that could further solidify legal precedent regarding the Computer Fraud & Abuse Act.

The iPad Security Incident

Hackers have been around since the Internet existed. And while their work can sometimes cause havoc, ultimately, hackers provide a necessary service – one that many would argue is vital to our national safety. After all, hackers are the guys and gals who shed light on digital security gaps, which then allows authorities to address the problem. That’s why it’s not outrageous to argue that Auernheimer and Spitler did Apple and AT&T a favor by discovering the massive security faux pas.

What was this security breach unearthed by “Weev” and “JacksonBrown”? Without getting too technical, the two realized there was a “hole” in the AT&T website code — one which was exposed when using the 3G-enabled iPad. It was so exposed that the pair didn’t have to hack into the system or crack any passwords. All they did was guess a few passwords, and voila! Auernheimer and Spitler then wrote a script and were able to harvest over 100,000 names and addresses of early iPad adopters who were AT&T customers.

Because early adopters are often those with the financial means to “be the first,” the GoatSec members got their hands on the PII of NYC Mayor Michael Bloomberg, ABC anchor Diane Sawyer, Hollywood mogul Harvey Weinstein, and former Obama chief-of-staff and current Mayor of Chicago Rahm Emanuel.

Illustrating that not all hackers are out for evil, Auernheimer and Spitler made attempts to contact the affected entities (i.e., ABC News), but were essentially ignored. Then they took their data to Gawker, which jumped on the opportunity to expose the story, though it did not publish any of the private information.

As you may guess, a lawsuit against Auernheimer and Spitler soon followed. Despite the fact that neither actually hacked into anything, nor cracked any passwords, the pair was charged criminally under the Computer Fraud and Abuse Act – the argument being that they knowingly accessed a computer to which they did not have authorization.

After being charged, Spitler took a plea and agreed to help the prosecution. Auernheimer’s trial was set to begin on November 13, 2012 in a New Jersey federal court.

Why The Trial Was Of Interest To The Hacking & Internet Law Community

What made the Auernheimer hacking lawsuit so intriguing to those in the Internet community was the fact that he did not, technically, hack into anything. Instead, he simply made a few simple guesses and then used his know-how to write a script. As such, the question arose: should he be guilty of essentially finding a webpage with no links pointing to it, and then using the information found therein?

The merits of the CFAA have been hotly debated in the wake of significant technological advancement. Primarily, pundits are concerned that the vague wording of the bill harshly punishes young kids, who are essentially committing the same level of crime as toilet papering someone’s house, and useful bug hunters who don’t do anything nefarious with the data they uncover.

Under the current law, anybody who accesses “a computer without authorization or exceeds authorized access from a protected computer” can be charged with a criminal offense. Moreover, any device that “affects interstate commerce with a microprocessor and a network connection” is considered a “protected computer.” As many have pointed out, that definition pretty much includes all mobile devices – clearly, the CFAA is in need of some language adjustments.

What’s Next In The Auernheimer Data Security Lawsuit?

When the trial was announced, GoatSec vowed that if “weev” lost the case, they would release information on an encrypted “insurance file.” He was convicted last week, so I suppose we can expect a big story soon. But Auernheimer announced that he plans to appeal the decision – which means this one could go all the way to the Supreme Court.

I’ll be keeping an eye on this Internet law case, as the end result has the power to significantly affect future lawsuits and the direction of cyberlaw as a whole.
