Years as an Internet provocateur haven't left accused hacker Andrew Auernheimer with many friends. But computer security experts say it would be a mistake to make him a felon.
AT&T had inadvertently published tens of thousands of e-mail addresses to a public Web site, and Auernheimer used an automated program to download them. He then passed the addresses to the press in an effort to embarrass the company. The federal government responded by indicting him on federal computer hacking charges in 2011. He was convicted in April.
Last week, Auernheimer, better known by his online handle "Weev," appealed his conviction to the U.S. Court of Appeals for the 3rd Circuit. This week, dozens of prominent computer security experts filed a brief warning that his conviction could chill legitimate security research, making everyone's computers less safe as a result.
These experts don't say Weev is a hero. By the time he was indicted, he had made himself a minor celebrity through online "trolling" antics that often involved harassing and embarrassing people. In a Reddit "Ask Me Anything" thread before his sentencing, a legion of critics denounced him, using phrases such as "sadistic sociopath." Most of the other phrases were laced with profanity.
But Matt Blaze, a computer scientist at the University of Pennsylvania who signed onto the security researchers' brief, said, "It's important to distinguish between Weev being creepy, which is true, and what Weev did being creepy, which is much less clear."
Auernheimer is charged with violating the Computer Fraud and Abuse Act, which makes it a federal crime to access a computer system without authorization. An AT&T server used in the registration process for iPad data plans was misconfigured to provide private e-mail addresses to anyone who visited particular Web addresses. Auernheimer and a friend figured out the format of these addresses and wrote a computer program to visit a sequence of Web pages and harvest customers' e-mail addresses from them.
The government argues that Auernheimer should have known that the information wasn't intended to be accessed by third parties. Prosecutors say that by accessing the data, Weev crossed the line from harmless tinkering into felonious "unauthorized access."
Auernheimer's program "utilized a process known as a 'brute force' attack — an iterative process used to obtain information from a computer system — against AT&T's servers," according to the government indictment. A spokesman for the federal prosecutors in the case could not be immediately reached.
But Blaze said AT&T's decision not to protect the website with a password or other security measures should settle the issue. "I'm not sure how else a person would know whether or not they're supposed to access a website or not," he said.
The kind of automated downloading Auernheimer engaged in, known as "scraping," is extremely common. For example, search engines use similar techniques to build their indexes.
And the courts have previously held that even unwelcome website scraping doesn't violate anti-hacking laws. In one case cited by Auernheimer's attorneys, a travel agency "scraped" prices from a rival's website and then was sued under the anti-hacking law. The judge ruled that the fact that this scraping was not welcomed by the site's owner was not sufficient to make it "unauthorized access" for the purpose of the law.
Blaze made a similar argument in Auernheimer's case. He said large-scale security research can have significant public benefits. Blaze pointed to a recent paper whose authors used an automated program to collect the encryption keys used by millions of Internet servers. The researchers found more than 170,000 servers that were using insecure encryption keys, exposing them to security vulnerabilities.
This kind of research makes the Internet more secure for everyone by identifying problems that need to be fixed.
And Blaze said that in many cases, this kind of research can be done only by using the kind of automated scraping techniques Auernheimer employed.
Of course, security vulnerabilities are embarrassing, and companies don't necessarily want independent security experts exposing their dirty laundry.
But Blaze contended that it's better for consumers for a vulnerability to be discovered by legitimate researchers (who often provide firms with advance notice) than to wait for a malicious hacker to find it.