The iPad Data Security Lawsuit — What’s Next?

In 2010, a story ran about Andrew Auernheimer (a.k.a. weev) and Daniel Spitler (a.k.a. JacksonBrown) from the Goatse Security team (GoatSec). You see, five weeks after Apple released its 3G-enabled iPad, Auernheimer and Spitler uncovered a gaping security hole, specific to the 3G hardware, which exposed personally identifiable information of AT&T customers.

Last week, a court convicted Auernheimer on one count of conspiring to access a computer without authorization – a violation of the Computer Fraud and Abuse Act (CFAA) — and one count of fraud. Auernheimer is appealing, which means this suit could eventually land in the hands of the Supreme Court.

The iPad Security Incident

Hackers have been around forever. And while their work can sometimes cause havoc, ultimately, hackers provide a necessary service – one that many would argue is vital to our national safety. After all, they’re the guys and gals who shed light on digital security gaps, which then allows authorities to address problems. In other words, it’s not outrageous to argue that Auernheimer and Spitler did Apple and AT&T a favor by discovering the massive security faux pas.

What did “Weev” and “JacksonBrown” unearth? Without getting too technical, the pair realized there was a “hole” in the AT&T website code that was exposed on 3G-enabled iPads. It was so exposed that the pair didn’t have to hack into the system or crack any passwords. All they did was guess a few passwords, and voila! Auernheimer and Spitler then wrote a script and were able to harvest over 100,000 names and addresses of early iPad adopters who were also AT&T customers.

The GoatSec members got their hands on the PII of NYC Mayor Michael Bloomberg, ABC anchor Diane Sawyer, Hollywood mogul Harvey Weinstein, and former Obama chief-of-staff and current Mayor of Chicago Rahm Emanuel.

Illustrating that not all hackers are out for evil, Auernheimer and Spitler made attempts to contact the affected entities (e.g., ABC News), but were essentially ignored. Then they took their data to Gawker, which jumped on the opportunity to expose the story, opting not to publish any of the private information.

As you may guess, a lawsuit against Auernheimer and Spitler soon followed. Despite the fact that neither actually hacked into anything, nor cracked any passwords, the pair was charged criminally under the Computer Fraud and Abuse Act – the argument being that they knowingly accessed a computer to which they did not have authorization.

After being charged, Spitler took a plea and agreed to help the prosecution. Auernheimer’s trial was set to begin on November 13, 2012.

Why The Trial Was Of Interest To The Internet Law Community

What made the Auernheimer lawsuit so intriguing to those in the Internet community was the fact that he didn’t, technically, hack into anything. Instead, he simply made a few simple guesses and then used his know-how to write a script. As such, the question arose: should he be guilty of essentially finding a webpage with no links pointing to it, and then using the information found therein?

The merits of the CFAA have been hotly debated in the wake of significant technological advancement. Primarily, pundits are concerned that the law’s vague wording harshly punishes young kids, who are essentially committing the same level of crime as toilet papering someone’s house, and useful bug hunters who aren’t nefarious actors.

Under the current law, anybody who accesses “a computer without authorization or exceeds authorized access from a protected computer” can be charged with a criminal offense. Moreover, any device that “affects interstate commerce with a microprocessor and a network connection” is considered a “protected computer.” That definition pretty much includes all mobile devices. Clearly, the CFAA is in need of some language upgrades.

What’s Next In The Auernheimer Data Security Lawsuit?

When the trial was announced, GoatSec vowed that if “weev” lost the case, they would release information on an encrypted “insurance file.” He was convicted last week.

But Auernheimer announced plans to appeal the decision – which means this one could go all the way to the Supreme Court.

I’ll be keeping an eye on this Internet law case.
