March 22, 2013, 4:17 PM — Legal experts are stepping in to help hacker Andrew Auernheimer appeal his 41-month prison sentence for illegally accessing emails and other data belonging to about 120,000 iPad subscribers of AT&T's networks.
Auernheimer, sentenced on Monday, has filed an appeal in the United States Court of Appeals for the Third Circuit.
In a blog post Thursday, Orin Kerr, a professor from the George Washington University Law School, said he is stepping in to help Auernheimer due to concerns over the length of his sentence and the manner in which the Computer Fraud and Abuse Act (CFAA) was applied in the case.
"I think the case against Auernheimer is deeply flawed, and that the principles the case raises are critically important for civil liberties online," Kerr wrote.
Auernheimer and Daniel Spitler made headlines in June 2010, after using an automated script, which they called iPad 3G Account Slurper, to extract email addresses and SIM card ID numbers from more than 110,000 iPad owners. The data was taken from AT&T servers.
The data included email addresses belonging to New York Mayor Michael Bloomberg, New York Times CEO Janet Robinson, Diane Sawyer of the ABC television network, movie producer Harvey Weinstein, former White House chief of staff Rahm Emanuel and numerous others.
Auernheimer and Spitler handed the data to Gawker, which posted the information on its website. The duo claimed they carried out the exercise only to demonstrate how the data was leaking from AT&T via its Web site.
Prosecutors charged the pair with fraud and with violating provisions of the CFAA. AT&T claimed that the caper had cost the company over $73,000 in breach notification costs.
Auernheimer was convicted last November and was sentenced on Monday to 41 months in prison, the maximum sought by prosecutors. Spitler pleaded guilty and is awaiting sentence.
Kerr cited what he called several problems with the case.
For instance, Auernheimer and Spitler did not have to hack or subvert any of AT&T's security controls to access the email because the data was readily available due to the server configuration, Kerr said.
Auernheimer realized this and wrote a script for automating the collection of email addresses, Kerr said. Though that data was later disclosed to a reporter, "no names or passwords were obtained, and no accounts were actually accessed," he added.
Kerr also noted that the $73,000 loss claimed by AT&T did not result from damage to AT&T servers and included no repair or restoration costs. Those costs were related to breach notification and are therefore not directly attributable to Auernheimer's actions as defined under existing case law, he added.