Andrew Auernheimer, the 27-year-old hacker better known as Weev, was sentenced to 41 months in federal prison this week for his role in what became known as the AT&T hack, with an additional 3 years supervised release after his time is served. He and a co-defendant who had previously pled guilty will also have to pay $73K to AT&T in restitution.
In 2010, Auernheimer discovered a flaw in AT&T's iPad user database and was able to exploit it to collect 114,000 users' email addresses. He then disclosed those email addresses to Gawker, who published some of the accounts, partially redacted. The information that Auernheimer gathered was available to anyone on the Internet who knew how to find it, and the fact that he didn't access any private servers or obtain passwords has led some supporters to argue he was "chucked behind bars . . . as a result of speaking up to point out a security problem."
This sentencing comes on the heels of another computer-related case that made national news – the indictment of Matthew Keys, Reuters' deputy social media editor (since suspended). Keys allegedly supplied members of Anonymous with a login and password to a Tribune Co. server that they then used to deface the Los Angeles Times homepage. The digital vandalism was cleared up in about 30 minutes. For that, Keys was charged with three felony counts, two of which have a maximum sentence of 10 years and the third has a maximum of 5 years. All three counts have maximum fines of up to $250K.
Auernheimer and Keys, both often considered Internet trolls in their own ways, were charged under the outdated Computer Fraud and Abuse Act (CFAA), the same law prosecutors used to threaten late activist Aaron Swartz with up to 35 years in prison. The Electronic Frontier Foundation has been leading the charge to reform the CFAA, and will also join Auernheimer's defense team in appealing his conviction.
As others have noted, perhaps the most important context for these prosecutions is the massive cultural anxiety about cyber crime and foreign cyber threats. Director of National Intelligence James Clapper addressed the Senate Intelligence Committee last week and said for the first time since 9/11 that cyber attacks are a greater danger to national security than al Qaeda. Secretary of Homeland Security Janet Napolitano recently warned that a "cyber 9/11" was possible "imminently" – an interesting word choice, considering an infamous Justice Department white paper that discussed when a U.S. citizen can be killed without due process defined "imminently" in a very loose way.
To the extent that cyber attacks are a legitimate concern, there certainly need to be strong distinctions in the law made between defacing a website or collecting emails on the one hand and a engaging in a "cyber 9/11" on the other. The fact that they both involve computers can't be a sufficient reason for someone like Matthew Keys to face a maximum of 25 years in prison. As it stands now, lawmakers are behind on the technology and prosecutors have major incentives to at least threaten defendants with massively disproportionate sentences. The added irony that AT&T, the target of Auernheimer's action, and other telecoms were granted retroactive immunity after spying on Americans without warrants – a crime far more significant than anything Weev, Swartz or Keys did – only heightens the sense of injustice.
"I think hackers are the new Communists for the D.O.J.," Tor Ekeland, who is representing Matthew Keys, told The New York Times. And one doesn't even have to go as far back as the Red Scare to find the FBI attempting to scapegoat dissidents. Recently released FOIA documents revealed that the FBI treated Occupy Wall Street protesters as though they, too, were terrorists.
There is a clear danger in elevating all computer-based activism, civil disobedience or low-level criminality to the level of Greatest Threat to the Country based only on the technology being used. And that's true regardless of one's opinions about the personal ethics of Auernheimer or Keys.