Orin Kerr has posted the appeal brief [PDF] just filed on behalf of Andrew "Weev" Auernheimer. It is a group effort, with EFF's Hanni M. Fakhoury, Marcia C. Hofmann, and Tor B. Ekeland and Mark H. Jaffe of the law firm Tor Ekeland, PC, also listed as representing the appellant. It's another hair-pulling Computer Fraud and Abuse Act case, so I believe you're interested in knowing about it.
It's a law in desperate need of adjustment. In the meantime, the brief argues, because the statute is so vague it is being stretched beyond what it was intended to cover, through overcharging and misunderstanding, and vagueness of that degree can rise to the level of a violation of the Constitution.
The idea is that if you don't know where the criminal line is, how do you avoid it? And worse, if no one knows what a law means, what it ends up meaning is whatever any prosecutor anywhere arbitrarily says it means.
It's sad to read the brief, because a man is in jail for 41 months, until 2016, for surfing the web, finding a public website, and collecting information from it and sharing it. Have you ever done that?
The fundamental problem in this case seems to be that the court didn't understand how the Internet works, and if the government and the alleged victim, AT&T, do, they offer no clue that I can discern from this brief. The brief tries to help out by explaining technical bits and offering footnotes with more help, and it does a very good job of that. I started Groklaw expressly to try to help lawyers and courts understand the tech better than they do, and this is a fine model of how to do exactly that.
It's also a very good read, with clever bits interspersed with strong arguments that this conviction should be overturned. Meanwhile, a man is in jail, and judging from the way he was treated at trial, I'm guessing he's not having an easy time of it. Granted, he has an off-putting personality and history. But in legal cases, that's not supposed to be a factor, as the law is supposed to be fair to everyone, even to the least loved among society. So, let's put all that aside (better than the court did) and just look at what happened, how it morphed into jail time, and what the appeal arguments are.
Let's start with the section called 'Issues Presented for Review' in the brief, which provides an overview of what they are asking the court to review in this appeal:
ISSUES PRESENTED FOR REVIEW
This is an appeal from a remarkable and unprecedented criminal conviction. The government charged Auernheimer with felony computer hacking under the Computer Fraud and Abuse Act (“CFAA”) for visiting an unprotected AT&T website and collecting e-mail addresses that AT&T had posted on the World Wide Web. The government also charged Auernheimer with identity theft for sharing those addresses with a reporter. This prosecution was brought in New Jersey even though neither Auernheimer, his alleged co-conspirator Daniel Spitler, nor any computer or communications were actually located in or passed through New Jersey. Finally, Auernheimer was sentenced to a forty-one-month prison term based in large part on AT&T’s decision to spend approximately $73,000 to supplement e-mail notification to customers with a postal letter informing them that their privacy was not breached.
This case raises five legal issues:
1. Did Auernheimer and Spitler access a computer “without authorization” under 18 U.S.C. § 1030(a)(2)(C)?
Where Issue Was Raised: Auernheimer challenged the sufficiency of the superseding indictment pre-trial and moved for acquittal under Federal Rule of Criminal Procedure Rule 29 both at the close of the government’s case and after the jury’s verdict. DCR 51, 88, App2. 66-70, 339, 729-31.
Standard of Review: Sufficiency of evidence claims are reviewed de novo. United States v. Pavulak, 700 F.3d 651, 668 (3d Cir. 2012). The Court must decide whether the evidence, viewed in the light most favorable to the government, “make[s] a strong enough case to let a jury find [the defendant] guilty beyond a reasonable doubt.” Id. (citation omitted).
2. If Auernheimer was properly convicted of a conspiracy to violate the CFAA, was that conspiracy a misdemeanor or a felony?
Where Issue Was Raised: Auernheimer challenged whether he was properly charged with a felony pre-trial and moved for acquittal under Rule 29 both at the close of the government’s case and after the jury’s verdict. DCR 51, 88, App2. 70-75, 339, 729-31.
Standard of Review: Sufficiency of evidence claims are reviewed de novo with the Court deciding whether the evidence, viewed in the light most favorable to the government, shows that the defendant is guilty beyond a reasonable doubt. Pavulak, 700 F.3d at 668.
3. Did Auernheimer violate the identity theft statute, 18 U.S.C.
Where Issue Was Raised: Auernheimer moved for acquittal under Rule 29 both at the close of the government’s case and after the jury verdict. DCR 51, 88, App2. 339, 729-31.
Standard of Review: Sufficiency of evidence claims are reviewed de novo with the Court deciding whether the evidence, viewed in the light most favorable to the government, shows that the defendant is guilty beyond a reasonable doubt. Pavulak, 700 F.3d at 668.
4. Was venue proper in the District of New Jersey?
Where Issue Was Raised: Auernheimer challenged venue before trial and requested a jury finding on venue that was denied by the district court. DCR 51, App2. 75-77, 574-78, 586-91.
Standard of Review: Whether venue is proper raises a question of law for which this Court exercises plenary review. United States v. Baxter, 884 F.2d 734, 736 (3d Cir. 1989).
5. Do AT&T’s costs in mailing a letter to its customers support an eight-level upward adjustment under the United States Sentencing
Where Issue Was Raised: Auernheimer objected to the eight-level adjustment in both his written objections to the presentence report and during the sentencing hearing. DCR 90, App.2 748-50, 762-63.
Standard of Review: This Court reviews legal conclusions regarding the United States Sentencing Guidelines (“U.S.S.G.”) de novo. United States v. Blackmon, 557 F.3d 113, 118 (3d Cir. 2009). Factual findings during sentencing, including loss calculations under U.S.S.G. § 2B1.1, are reviewed for clear error. United States v. Dullum, 560 F.3d 133, 137 (3d Cir. 2009).
So those are the issues to watch for as we look at what the full story is. Each of the questions is fleshed out in the brief. First, though, let's look at what happened, the facts of the case, including what the appellant did. I'm skipping the legal history of what happened, what the charges were and what happened at the trial, and we'll look at the section called Statement of Facts:
STATEMENT OF FACTS
A. AT&T and the iPad.
In January 2010, Apple Computer introduced the iPad portable tablet computer. The iPad allowed users to connect to the Internet through either a wireless internet connection, commonly known as “wifi,” or through a cellular connection, commonly referred to at the time as “3G” service. App2. 216. The telecommunications company AT&T established an exclusive contract with Apple to provide 3G access to iPad users.4
AT&T created a website to allow its customers to access their AT&T accounts using the combination of an e-mail address and a password. App2. 217. The AT&T website was available at the Internet address https://dcp2.att.com, and it contained a login prompt that appeared whenever a user visited the website. App2. 252-53, 257.5 When iPad users registered with AT&T and created an account, they also provided AT&T with an e-mail address. App2. 216-17. AT&T registered each iPad using a serial number found on the part of the iPad used to send and receive communications. App2. 153. The serial numbers were known as “integrated circuit card identifiers,” or ICC-IDs. App2. 217. Each ICC-ID is a nineteen or twenty digit number. App2. 149-151, 481.
To make it easier for iPad owners to access their AT&T accounts, AT&T programmed its website to automatically pre-populate the login prompt with the e-mail address associated with that particular iPad computer. App2. 217. From the user’s perspective, an iPad owner with an AT&T account who visited the website found that the “e-mail” part of the login prompt was automatically filled in with the user’s e-mail address. Id. This feature was designed to save users time. App. 218, 258-59. Because the e-mail address would appear automatically, the user only needed to manually enter in his password to log in to the AT&T website. App2. 217.
AT&T implemented this feature by directing the iPad to a specific Internet address. When an iPad user with an ICC-ID visited the AT&T website, it would automatically be directed to the following website, with “X” standing for the specific ICC-ID number:
App2. 726. When any computer using the correct browser setting visited that particular webpage, the AT&T website would return the e-mail address associated with that specific ICC-ID number. App2. 217. iPads registered with AT&T would visit the page associated with that address automatically. App2. 255-56.
However, AT&T configured its website so that it would share an e-mail address with anyone—not just the account holder—who entered the correct website address. App2. 409, 412-13.
B. Spitler Discovers the E-mail Addresses Were Available on the Internet.
Auernheimer’s co-defendant, Daniel Spitler, identified this feature when he attempted to sign up for service with AT&T using a network card he had purchased from AT&T. App2. 251. After studying the iPad operating system, Spitler realized the AT&T website was configured to include a space in the Internet address for ICC-IDs. App2. 258. When Spitler entered his own ICC-ID number in that space, he was surprised to see that the AT&T login page already had his e-mail address filled out. App2. 257.
Curious about how AT&T’s website could return his e-mail address, Spitler changed the ICC-ID number of the website by one digit and the website “pre-populated” the login page with a different e-mail address. App2. 258. Spitler realized that AT&T had stored the e-mail addresses associated with different iPads on AT&T’s servers. App2. 258. He concluded that he could collect many e-mail addresses using an automated computer program that he called the “account slurper.” App2. 259-61, 726-27.
Spitler configured his program so it would visit the AT&T website many times using web addresses with different ICC-ID numbers. App2. 260. When the website address contained an ICC-ID number that matched that of a registered iPad user, AT&T’s website would send back that user’s e-mail address. App2. 258, 515.
Spitler shared his discovery with Auernheimer, who helped Spitler brainstorm ways to improve the program. App2. 260. Ultimately, the program collected approximately 114,000 e-mail addresses before AT&T discovered its customers’ e-mail addresses were public. App2. 189, 283. AT&T quickly disabled the feature that pre-populated a customer’s e-mail address. App2. 259-60, 459.
During this time, Spitler was located in San Francisco, California. App2. 233. Auernheimer was in Fayetteville, Arkansas. App2. 366. The evidence suggested that AT&T’s computers that hosted its website were located in Dallas, Texas and Atlanta, Georgia. App2. 436.
C. Auernheimer’s Disclosure to Gawker.
In an effort to draw attention to the computer skills of both Spitler and himself, Auernheimer contacted various media members and reporters to persuade them to write about how the e-mails were collected. App2. 272. One of those reporters was Ryan Tate of the online publication Gawker. App2. 150, 349. Auernheimer explained to Tate how the e-mail addresses had been collected. App2. 273. To confirm the collection, he shared the list of e-mail addresses with Tate. App2. 211, 285.
On June 9, 2010, Gawker ran a story written by Tate titled “Apple’s Worst Security Breach: 114,000 iPad Owners Exposed.” App2. 150, 721-24.6 The story included a thorough discussion of how the e-mail addresses were collected, and it credited Spitler and Auernheimer with their collection. The popular website Drudge Report prominently linked to the story. App2. 162, 717.
4 See generally Serenity Caldwell, AT&T Releases More Details on 3G IPad Plans, PC World (Apr. 29, 2010),
5 The login prompt is presently viewable at https://dcp2.att.com/OEPNDClient/ (last visited July 1, 2013).
6 The Gawker article is accessible at http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed (last visited July 1, 2013).
So that's what happened. I remember when it happened. I thought it was awful, what they did, sharing the materials with Gawker, because at the time I owned an iPad and I was freaking out. But the way the story was told at the time in the media, and the story I'm reading here are not identical. And leaving aside how I wish people acted, let's look at the full arguments raised in the brief, beginning on page 15 of the brief (26 of the PDF), to see if what he did is *illegal* as opposed to not-so-likable. There is a difference. To be guilty of a crime, what you did has to match what the law says you are not allowed to do. Actually, another question is, if what he did matches the law, was it a misdemeanor or a felony?:
SUMMARY OF ARGUMENT
Auernheimer’s convictions must be overturned on multiple and independent grounds. First, Auernheimer’s conviction on Count 1 must be overturned because visiting a publicly available website is not unauthorized access under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C). AT&T chose not to employ passwords or any other protective measures to control access to the e-mail addresses of its customers. It is irrelevant that AT&T subjectively wished that outsiders would not stumble across the data or that Auernheimer hyperbolically characterized the access as a “theft.” The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information. Accessing the e-mail addresses through AT&T’s public website was authorized under the CFAA and therefore was not a crime. See Pulte Homes, Inc. v. Laborers’ Intern. Union of North America, 648 F.3d 295, 304 (6th Cir. 2011).
Second, should the Court find that Auernheimer is guilty of conspiracy to violate the CFAA under Count 1, the Court must vacate the felony conviction because the offense was at most a misdemeanor. The government charged Auernheimer with a felony on the novel ground that accessing a computer without authorization under the federal computer crime law is a felony because it is in furtherance of an analogous state computer crime law, N.J.S.A. § 2C:20-31(a). The felony enhancement was improper for two reasons. First, it constitutes double-counting: the government cannot charge a defendant with committing a crime in furtherance of the crime itself. See United States v. Cioni, 649 F.3d 276, 283 (4th Cir. 2011), cert. denied, 132 S. Ct. 437 (2011). Second, Auernheimer did not violate the New Jersey computer crime law.
Third, the conviction on Count 2 must be overturned because Auernheimer did not violate the identity theft statute, 18 U.S.C. § 1028(a)(7). Auernheimer’s actions were lawful for two reasons. First, the collection of e-mail addresses from a publicly accessible website does not run afoul of § 1030(a)(2)(C), so there was no predicate offense on which to anchor a § 1028(a)(7) violation. Second, even assuming that Auernheimer violated § 1030(a)(2)(C) to obtain the e-mail addresses, he did not “possess” or “transfer” them “in connection with” another distinct and separate crime, as both the plain text and legislative history of § 1028 require.
Fourth, the convictions must be vacated because venue was improper in the District of New Jersey. Venue requires a close study of the laws under which a defendant is charged to determine the essential elements of the conduct Congress prohibited. Venue is improper under Count 1 because no computer was accessed nor information obtained in New Jersey. Venue is improper under Count 2 because no data was transferred, possessed, or used in New Jersey. This case has nothing to do with New Jersey and should not have been charged in New Jersey.
Finally, if the Court upholds the convictions on Count 1 and Count 2, the sentence must be vacated and the case remanded for resentencing because the district court improperly applied an eight-level upward adjustment under U.S.S.G. § 2B1.1. The district court applied this enhancement to account for AT&T’s alleged $73,000 mailing cost to notify its affected customers. This upward adjustment was wrongly imposed for three reasons. First, the government failed to carry its burden of proof that AT&T suffered this loss. Second, mailing costs are not the type of “loss” envisioned by the CFAA. And third, the $73,000 amount was unreasonable given the absence of a legal obligation to notify its customers of the breach and the otherwise adequate email notice sent to almost all of AT&T’s affected customers.
These errors require the convictions to be overturned and the sentence to be reversed.
Those are the main issues, then. As you can see, it's a strange CFAA case, one that doesn't seem to match the wording of the statute. He is in jail for visiting a website that was publicly available to the world. Here's how the brief describes why that isn't a crime, beginning on page 18, and now we get into the deep end of the pool as far as the arguments go:
Since accessing the web site was not illegal, the brief goes on to argue, it can't serve as a predicate offense with respect to sharing the email addresses with a media outlet. The statute he was convicted under requires that there be an underlying crime ("in connection with ... any unlawful activity"). Going to a public website and getting information from it is not a crime. Thereafter sharing that information is therefore not "in connection with" a crime. If simply having in your possession personal information about other people that you obtained from a public website is a felony -- identity theft according to the government's theory of the case -- the brief goes on, imagine the results:
I. AUERNHEIMER DID NOT VIOLATE THE CFAA BECAUSE VISITING AN UNPROTECTED PUBLIC WEBPAGE IS NOT
Count 1 charged a conspiracy under 18 U.S.C. § 371 to violate 18 U.S.C. § 1030(a)(2)(C). Section 1030(a)(2)(C) punishes:
Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.
Section 1030(a)(2)(C) is part of the CFAA, a computer trespass statute that prohibits breaking into a computer much like physical trespass laws prohibit breaking into a home. See S. Rep. No. 99–432, at 7-12 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2484-90. The first issue in this case is whether visiting AT&T’s website constitutes illegally breaking in to a computer: that is, whether it constitutes access “without authorization” or conduct that “exceed[ed] authorized access.” 18 U.S.C. § 1030(a)(2)(C). The CFAA conviction must be overturned because the answer is no. Because the conduct was not criminal, an agreement to engage in the conduct could not be a criminal conspiracy. See United States v. Rigas, 605 F.3d 194, 206 n. 9 (3d Cir. 2010) (en banc).
A. Visiting AT&T’s Website Was “Authorized” Under the CFAA Because AT&T’s Webpages Were Unprotected and Openly Available to the Public.
This case involves the World Wide Web, a publishing platform that makes information available to the public on the Internet.8 See Reno v. ACLU, 521 U.S. 844, 852 (1997). Computer users access the World Wide Web using software programs called “browsers.” Popular browsers include Google Chrome, Internet Explorer, and Mozilla Firefox. When a company publishes content on the World Wide Web, anyone with an Internet connection can enter the Internet address into a browser and access the website that has published the contents.
The fundamental question in this case is whether it is a crime to visit a public website. AT&T published the e-mail addresses of its customers on a public website available at https://dcp2.att.com. App2. 252-53, 257, 726. AT&T programmed its website to return the e-mail addresses of users when anyone visited the correct webpage at AT&T’s website. Here are a few sample website addresses visited by Spitler’s program:
The conviction under Count 1 must be overturned because visiting these and other similar website addresses was authorized under the CFAA. Websites are open and available to the public. By publishing information on the World Wide Web, a website owner inherently authorizes others to view that information. App2. 500. A company that “places information on the information superhighway clearly subjects said information to being accessed by every conceivable interested party” unless “protective measures or devices that would have controlled access” are put in place. United States v. Gines-Peres, 214 F. Supp. 2d 205, 225 (D.P.R. 2002).
AT&T chose not to employ protective measures to control access to the e-mail addresses of its customers. Instead, AT&T made those e-mail addresses available to everyone without a password to make it “easier” for its customers. App2. 217. Because AT&T chose to make the information available to the public, visiting the AT&T website to collect the e-mail addresses was authorized and legal.
Pulte Homes, Inc. v. Laborers’ International Union of North America, 648 F.3d 295 (6th Cir. 2011), is directly on point. The LIUNA union was engaged in a bitter employment dispute with builder Pulte Homes. 648 F.3d at 298. LIUNA representatives attacked the builder’s computers and telephone system by “bombard[ing] Pulte’s sales offices and three of its executives with thousands of phone calls and e-mails.” Id. at 299. LIUNA’s “phone and e-mail blitz” overloaded the computer’s capacity and caused “havoc” by clogging access to the network. Id. Pulte then sued LIUNA under the CFAA, alleging that LIUNA’s campaign had accessed Pulte’s computers without authorization. Id.
The Sixth Circuit rejected the claim on the ground that LIUNA’s access of the builder’s telephone and e-mail systems was authorized. Id. at 304. To be sure, Pulte did not want the union to “bombard” its computers and wreak “havoc” on them. But LIUNA had only targeted computer systems that Pulte made available to the public. Because Pulte had configured its computers in a way that anyone could access them, LIUNA’s access was inherently authorized:
LIUNA used unprotected public communications systems, which defeats Pulte’s allegation that LIUNA accessed its computers “without authorization.” Pulte allows all members of the public to contact its offices and executives: it does not allege, for example, that LIUNA, or anyone else, needs a password or code to call or e-mail its business. Rather, like an unprotected website, Pulte’s phone and e-mail systems were open to the public, so LIUNA was authorized to use them.
Id. at 304 (internal quotations and citations omitted).
The principle underlying Pulte Homes controls this case. AT&T’s website was “an unprotected website” that was “open to the public, so [anyone] was authorized to use” it. Id. As in Pulte Homes, the computer owner in this case did not approve of how someone else used its computers. But Pulte Homes recognizes that the owner’s configuration of the computer, not its wishes as to how the computer will be used, is what determines “authorization” under the CFAA. Visiting a public website is inherently authorized, much like sending e-mails and making phone calls in Pulte Homes. See also Cvent v. Eventbrite, Inc., 739 F. Supp. 2d 927, 933-34 (E.D.Va. 2011) (holding competitor’s use of a scraper to query a company’s website was authorized access under the CFAA because “the entire world was given unimpeded access to [the] website”).
It would be different if AT&T had protected its data with a password. Guessing someone else’s password to gain access to another person’s private account without permission constitutes a criminal act of access without authorization. See United States v. Morris, 928 F.2d 504, 510 (2d Cir. 1991) (concluding that releasing an Internet “worm” that guessed passwords and gained access to private accounts was an access without authorization); United States v. Phillips, 477 F.3d 215, 220 (5th Cir. 2007) (holding that use of program that guesses passwords and then enters password-protected area of a website is an unauthorized access);10 Cioni, 649 F.3d at 280, 284 (holding that unauthorized access occurred when defendant accessed the e-mail accounts of others and “[a]ll of the accounts were password protected”).
Similarly, when a person obtains permission to use someone else’s password for one purpose and then accesses that password-protected account for a different purpose, the access for a different purpose in some circumstances “exceeds authorized access.” See 18 U.S.C. § 1030(e)(6) (“[T]he term ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter”); United States v. Nosal, 676 F.3d 854, 856-64 (9th Cir. 2012) (en banc) (reviewing caselaw on “exceeds authorized access” and limiting its meaning to conduct that constitutes “hacking—the circumvention of technological access barriers”); Cheng v. Romo, No. 11-1007, 2012 WL 6021369 (D. Mass. Nov. 28, 2012), at *4 (D. Mass. Nov. 28, 2012) (indicating that whether use of another’s password-protected account exceeded authorized access depends on extent of permission); Wentworth–Douglass Hosp. v. Young & Novis Prof’l Ass’n, No. 10-cv-120-SM, 2012 WL 2522963 (D.N.H. June 29, 2012) at *4 (D.N.H. June 29, 2012) (holding that “hack[ing]” or “circumvent[ing] any technological access barrier” is required for unauthorized access, and therefore that use of another’s password to bypass limits on account is unauthorized access).11
By contrast, the computer program in this case did not enter a password or bypass a password prompt. App2. 537. It did not access any private accounts. It did not break in or “hack” in to AT&T’s computer. It did not infiltrate AT&T’s
B. AT&T’s Hope That the Public Would Not Visit Its Website Does Not Make Such Visits Unauthorized.
At trial, the government argued that using the program was unauthorized because AT&T did not approve of what Spitler and Auernheimer did. App2. 608. “[I]f the defendant had called up AT&T” and asked for the e-mail addresses, the government argued to the jury, “[t]here’s no way that they would have provided that information to the defendant.” App2. 608; see also id. at 318.
This argument misstates the law. As Pulte Homes and Cvent make clear, the subjective hopes and wishes of the website owner are irrelevant. By posting information on the public web without a password requirement, AT&T made the information available to everyone. Although AT&T did not wish that outsiders would collect the information, the law does not criminalize visiting a website in ways that owners find dissatisfying. AT&T’s act of making the information unprotected and available to the public on the information superhighway authorized everyone to access it. See Pulte Homes, 648 F.2d at 304; Cvent, 739 F. Supp. 2d at 933-34.
EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003), is particularly instructive. In EF, a company used an automated scraper program to send thousands of queries to its competitor’s website. As the First Circuit explained, a scraper is “nothing more than a computer program that accesses information contained in a succession of webpages stored on the accessed computer.” Id. at 60. The company’s goal was to collect pricing data available on the competitor’s site and then to use that data to undercut its competitor’s prices. Id.
The First Circuit held that use of the scraper was “authorized” under § 1030 even though the company that used the scraper “can have been in no doubt that [its competitors] would dislike the use of the scraper to construct a database” for other businesses to use against them. Id. at 63. By placing their prices on the World Wide Web, the website owner could not complain when others visited the web site even if the owner neither wanted nor expected the website to be visited by competitors in an automated way to hurt the plaintiff’s business. See id.
The same is true here. Spitler’s use of the program is closely analogous to the use of the scraper in EF. In both cases, the automated programs sent thousands of unwanted requests to a website. In both cases, the acts might appear selfish and impolite. But in both cases, visiting the website was authorized under the CFAA because the information was published on the World Wide Web.
Any other rule would have disturbing implications. Most Americans surf the web every day. How are they supposed to know when visiting a webpage is legal and when visiting a webpage might land them in jail? Programs that send automated requests to websites are in common use. The web store for the Google Chrome browser offers a free scraper program that anyone can use to collect data from many different pages on a website.13 How can users know when these programs can be used legally and when their use is illegal?
As the Eleventh Circuit has recognized:
Through the World Wide Web, individuals can easily and readily access websites hosted throughout the world. Given the Web's ubiquitous and public nature, it becomes increasingly important in cases concerning electronic communications available through the Web for a plaintiff to demonstrate that those communications are not readily accessible. If by simply clicking a hypertext link, after ignoring an express warning, on an otherwise publicly accessible webpage, one is liable under [unauthorized access statutes], then the floodgates of litigation would open and the merely curious would be prosecuted.
Snow v. DirecTV, Inc., 450 F.3d 1314, 1321 (11th Cir. 2006) (interpreting the unauthorized access statute in 18 U.S.C. § 2701). Fortunately, that is not the law. Under Pulte Homes and EF, visiting an unprotected webpage is authorized under § 1030 even if the website owner wished the visit did not occur.
C. Auernheimer’s Characterization of Spitler’s Act As “Theft” Does Not Make the Access Illegal.
The government also argued at trial that use of the program was unauthorized because of the words Spitler and Auernheimer chose to describe it. See App2. 132; 606-12. In private e-mails, Auernheimer referred to collection of the e-mail addresses as a “theft.” App2. 166. In his testimony, Spitler agreed with the prosecutor’s view that his program “tricked” and “lied” to the AT&T website. App2. 264. The government argued to the jury that it was these words, “first and foremost,” that proved Auernheimer’s guilt. App2. 132. To the extent the government’s position was clear, it appeared to be that conduct characterized as a theft or a lie is necessarily unauthorized under § 1030. App2. 132, 606-11.
This argument is meritless. Auernheimer’s guilt turns on whether the program accessed AT&T’s website “without authorization” or “exceed[ed] authorized access.” 18 U.S.C. § 1030(a)(2)(C). That depends upon how AT&T’s website worked and what the program did. It does not depend on what words Auernheimer chose or thoughts he had when later describing his conduct to others. “The government cannot punish what it considers to be an immoral thought simply
by linking it to otherwise innocuous acts, such as walking down the street or chewing gum.” United States v. Tykarsky, 446 F.3d 458, 471 (3d Cir. 2006). To be sure, a defendant’s words can establish his state of mind. See Whitney v. Horn, 280 F.3d 240, 259 (3d Cir. 2002). But the missing element of the crime needed to convict Auernheimer is the absence of authorization, not his intent.
Auernheimer’s language is irrelevant even if read to reveal his subjective belief that his conduct was illegal. A defendant’s belief as to the criminality of his act is irrelevant. See generally Wayne R. LaFave, Substantive Criminal Law § 5.6 (2012). Ignorance of the law is no excuse, but neither is it an offense: A person who wrongly thinks his conduct was illegal is guilty of no offense. See id.
Further, the government’s claim that the program tricked and deceived the AT&T computer into giving up information —implicitly rendering the access unauthorized— is false. AT&T programmed its computer to respond to anyone who visited the correct address; it did exactly as it was programmed to do. App2. 514-15. Visiting a website does not carry an implicit promise that the visitor is someone the website owner would like them to be. See EF Cultural Travel, 318 F.3d at 63. Posting data on the web posts that data for everyone. See id.
The government also claimed that the program tricked AT&T into divulging data because Spitler set his computer web browser’s “user agent string” to appear as an iPad. App2. 264; 610. This claim misunderstands the purpose and function of user agent strings. A user agent is a browser setting that tells the website what kind of browser is making a request. App2. 510. The browser setting sends a short string of data along with website requests that allows websites to optimize the presentation of different web pages for different browsers.14
Most importantly, user agents do not regulate access. App2. 514. They are merely browser settings that allow users to optimize how a webpage looks for the user’s own convenience. And changing a user agent string is both very easy and very common, taking just a few clicks to allow users to pick whatever settings they want. App2. 512. In fact, most browsers have tools that allow users to change their user agent directly built into their browsers.15 Setting the user agent string does not “lie” to a website any more than a Phillies fan lies when wearing a Mets cap.
Indeed, it has been common for browsers to be configured by their developers to change their user agent strings automatically as part of their design. See Nicholas C. Zakas, History of the User-Agent String, available at http://www.nczonline.net/blog/2010/01/12/history-of-the-user-agent-string/ (“The history of the user-agent string is marked by browsers trying to convince user-agent sniffers that they are what they are not. Internet Explorer wants to be identified as Netscape 4; Konqueror and WebKit want to be identified as Firefox; Chrome wants to be identified as Safari.”); see also App2. 512. If changing a user agent string is a federal crime, millions of Americans may be criminals for the way they routinely surf the Web.
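The brief's description of a user agent string as a browser setting that only affects how a page is presented can be made concrete in code. What follows is an added example, not code from the brief, from the page's author, or from AT&T's site; the session store, the token and the e-mail address in it are constructed. It shows a toy request handler that uses the User-Agent header only to choose a layout while deciding access from a server-side session, next to the weak pattern of treating the header as a gate, which keeps nobody out because the client chooses the value it sends:

```python
# Added example, not from the brief or from AT&T's systems: a toy request
# handler showing the two roles the brief distinguishes. The User-Agent
# header is a self-declared label used only to choose a page layout;
# access to account data is decided by a server-side session check.
# ACCOUNT, SESSIONS, the token and the e-mail address are constructed.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: one account record and a session store
# mapping a session token to that record.
ACCOUNT = {"email": "alice@example.com"}
SESSIONS = {"tok-abc123": ACCOUNT}


def classify_user_agent(ua: Optional[str]) -> str:
    """Pick a layout name from the User-Agent string.

    The client chooses what to send here, so the result is good for
    nothing more than deciding which template to render.
    """
    if not ua:
        return "generic"
    ua = ua.lower()
    if "ipad" in ua:
        return "tablet"
    if "iphone" in ua or "android" in ua or "mobile" in ua:
        return "mobile"
    return "desktop"


@dataclass
class Response:
    status: int
    layout: str
    body: dict = field(default_factory=dict)


def ua_gated_account_request(headers: dict, cookies: dict) -> Response:
    """Weak pattern: treat 'claims to be an iPad' as permission to see data.

    Any client can send this header value, so the check excludes nobody;
    it confuses a presentation hint with a credential.
    """
    layout = classify_user_agent(headers.get("User-Agent"))
    if layout != "tablet":
        return Response(401, layout, {"error": "tablet required"})
    # Hands out the record without checking any credential at all.
    return Response(200, layout, dict(ACCOUNT))


def session_gated_account_request(headers: dict, cookies: dict) -> Response:
    """Hardened pattern: authorization comes from the session cookie only.

    The User-Agent still selects a layout, but an unauthenticated client
    gets the same 401 whatever it declares itself to be.
    """
    layout = classify_user_agent(headers.get("User-Agent"))
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return Response(401, layout, {"error": "login required"})
    return Response(200, layout, {"email": session["email"]})


if __name__ == "__main__":
    ipad = {"User-Agent": "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X)"}
    print(ua_gated_account_request(ipad, {}))        # 200 with no credential
    print(session_gated_account_request(ipad, {}))   # 401: the label proves nothing
    print(session_gated_account_request(ipad, {"session": "tok-abc123"}))  # 200
```

For a site operator the lesson is the brief's point read from the other direction: because the User-Agent string is whatever the client declares, a server that uses it as an access control has no access control, and the remedy is to tie data to an authenticated session, as the second handler does, and let the header influence nothing but presentation.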
D. If “Authorization” is Ambiguous, the Rule of Lenity Requires It to be Narrowly Construed.
Finally, if the Court concludes that the meaning of “without authorization” or “exceeds authorized access” is ambiguous, the rule of lenity requires the court to adopt the narrower interpretation that favors the defendant. See Rewis v. United States, 401 U.S. 808, 812 (1971) (“[A]mbiguity concerning the ambit of criminal statutes should be resolved in favor of lenity”) (citing Bell v. United States, 349 U.S. 81, 83 (1955)). The public would be shocked to learn that it is a federal crime to visit an unprotected website. “If Congress desires to go further” and criminalize visiting websites, “it must speak more clearly than it has.” Skilling v. United States, 130 S.Ct. 2896, 2933 (2010) (quoting McNally v. United States, 483 U.S. 350, 360 (1987)).
In light of the rule of lenity, this Court should heed the guidance of a sister circuit sitting en banc on the need to reject broad readings of unauthorized access under the CFAA:
The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime. While ignorance of the law is no excuse, we can properly be skeptical as to whether Congress, in 1984, meant to criminalize conduct beyond that which is inherently wrongful, such as breaking into a computer.
Nosal, 676 F.3d at 859. The same skepticism is warranted here.
For these reasons, the Court should find Spitler’s access to AT&T’s computers was authorized under § 1030(a)(2)(C). The plan to obtain e-mail addresses from AT&T’s website was not a criminal conspiracy because the object of the plan was legal. Auernheimer’s conviction must therefore be reversed.
8 For a short video introduction to how the Internet works, see How the Internet Works in 5 Minutes, watch?v=7_LPdttKXPc (last visited July 1, 2013).
9 These addresses can be deduced from Spitler’s explanation of how the program worked, combined with the list of ICC-ID numbers he collected. See App2. 263.
10 Phillips assumes that a user who visits a webpage with a login-prompt has not “accessed” the computer by simply visiting the webpage and seeing the prompt. Under the Fifth Circuit’s approach, the “access” occurs only when the user enters a password, bypasses the password gate, and sees the private information hidden behind it. See id. at 220-21 n.4. Other courts take a broader interpretation of “access” and indicate that visiting a webpage is an “access” that is authorized. See, e.g., Southwest Airlines Co. v. BoardFirst, L.L.C., No. 3:06-CV-0891-B, 2007 WL 4823761, at *13 (N.D. Tex. Sept. 12, 2007); see also Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1624-28, 1646-48 (2003) (discussing broader and narrower interpretations of “access”). Either way, viewing information not protected by a password is legal—either as an authorized access or as no access at all.
11 At trial, the government did not distinguish between access “without authorization” and conduct that “exceeds authorized access” under the CFAA. Instead, the government simply argued to the jury “access to AT&T servers was unauthorized.” App2. 605-06. Caselaw indicates that the difference hinges on whether the person has any rights to access the computer. See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009). If a person has been granted no authorization at all to access a computer, breaking into that computer would be “access without authorization.” On the other hand, if the person has been granted some rights to access a computer but then enters in ways that go beyond that authorization, the conduct “exceeds authorized access.” See id.; Pulte Homes, 648 F.3d at 304.
The difference between the two can be difficult to draw because different courts interpret “access” differently. See footnote 10, supra. However, it should not matter whether this Court looks to the access “without authorization” or “exceeds authorized access” prong because they both boil down to whether the program “circumvent[ed] technological access barriers.” Nosal, 676 F.3d at 863. Because no technological access barriers were circumvented, any access was authorized.
12 Other circuits have disagreed on whether use of a computer in a way contrary to written use policies “exceeds authorized access.” Compare United States v. John, 597 F.3d 263, 272 (5th Cir. 2010) (answering “yes”) with Nosal, 676 F.3d at 856-64 (answering “no”). That disagreement is not implicated here because the government presented no evidence that such a policy existed.
13 The program can be accessed at http://goo.gl/dVQ4k (last visited July 1, 2013).
14 See generally What’s A User Agent?, http://www.whatsmyuseragent.com/WhatsAUserAgent (last visited July 1, 2013).
15 Directions for how to do this for Chrome and other browsers are available at http://www.howtogeek.com/113439/how-to-change-your-browsers-user-agent-without-installing-any-extensions/ (last visited July 1, 2013).
If you agree with the brief that there is nothing criminal about surfing the web and finding information on a public website, how can it be a crime -- given the language of the statutes at issue -- if you then share that information with the media?
The government’s contrary view would render the statute unconstitutionally vague. Under the government’s theory, if it charges a defendant with hacking for illegally acquiring personal information, the government can always add a second count of identity theft for possessing the information just acquired. After all, possession of information will always be “in connection with” the way a person came to possess it. And when a person “obtains” information under § 1030(a)(2)(C) he necessarily then “possesses” that information under § 1028(a)(7). See Webster’s New Universal Unabridged Dictionary at 1138 (2003) (defining “obtain” as to “come into possession of”). Under the government’s theory, every misdemeanor unauthorized access involving personal information is always a felony identity theft, too.
This remarkable view of § 1028(a)(7) must be rejected. The phrase “in connection with” is notoriously vague. See United States v. Loney, 219 F.3d 281, 283 (3d Cir. 2000) (noting the phrase’s “vagueness and pliability” and “vague, loose connective”) (citations omitted). On one hand, it is possible to read the phrase breathtakingly broadly. “[A]s many a curbstone philosopher has observed, everything is related to everything else.” Cal. Div. of Labor v. Dillingham, 519 U.S. 316, 335 (1997) (Scalia, J., concurring); see also Bloom v. Bradford, 480 F. Supp. 139 (E.D.N.Y. 1979) (“[I]n one sense everything is connected to everything else.”).
Read very broadly, § 1028(a)(7) could have breathtaking scope. Imagine a bank robber asks the bank teller for her name in the course of the crime. After his arrest, the robber tells his lawyer that the teller gave her name as “Beth.” Under the broadest reading of § 1028(a)(7), both the robber and his lawyer would be guilty of felony identity theft. After all, the robber “transfer[ed]” and his lawyer “possess[ed]” a means of identification17 (the name Beth), all “in connection with” the crime of bank robbery.
Persuasive, isn't it? Imagine you are the appellant, living this story. It must be overwhelming.
Although such an extreme interpretation is linguistically possible, it would render § 1028(a)(7) unconstitutionally void for vagueness. See Giaccio v. Pennsylvania, 382 U.S. 399, 402 (1966) (noting that a criminal statute is unconstitutionally void if it is “so vague and standardless that it leaves the public uncertain as to the conduct it prohibits”). To save its constitutionality, this Court must construe the vague and standard-less language of § 1028(a)(7) in a fashion that covers only the core conduct Congress was attempting to prohibit. See Skilling v. United States, 130 S. Ct. 2896, 2931 (2010) (interpreting the honest services fraud statute narrowly to cover only the core conduct Congress clearly intended to prohibit in light of the vagueness concerns raised by a broader interpretation). The core conduct was possession or use “in connection with” unlawful activity other than the unlawful means of obtaining the information.
With this understanding, Count 2 was premised on an erroneous view of the law. The government argued that the only unlawfulness in Auernheimer’s possession, use, or transfer of means of identity was acquisition in violation of § 1030(a)(2)(C). App.2 16, 707. The government offered no evidence whatsoever that the possession, use, or transfer was “in connection with” any other crime beyond the crime of coming into possession of the information in the first place. The conviction for Count 2 must fail then because there is no evidence that Auernheimer had any connection to a criminal scheme involving the information after it was unlawfully acquired.
17 “Means of identification” is defined as a “name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any . . . name.” 18 U.S.C. § 1028(d)(7)(A).
There are a number of other arguments, but the last one I'll highlight is where the brief argues that New Jersey had no jurisdiction over the defendant because "...no computer was accessed and no data obtained there." Auernheimer was in Arkansas. His first visit to New Jersey was when he had to appear in court. AT&T's servers were in Georgia and Texas. And there was no evidence at all that any data traveled through or to computers in New Jersey. Why did the government use New Jersey, then? Under what theory?
Here's where the story becomes not just sad and not just disturbing but downright scary. States in the US vary greatly in how they feel about things. Mississippi isn't like New York and neither is like Arizona. The state laws are quite different. Food is different even, the whole culture is different. Imagine a legal system where if you do something in New York, someone in Mississippi who doesn't like it can bring you to court, charging you with a crime in Mississippi under Mississippi law, when you never ever set foot in that state and have no desire to ever do so? Would that be fair? You don't even know what the law is in Mississippi, because you live in New York. You have a familiarity with New York law, but you have no clue what is allowed, or not allowed, in Mississippi. But if you did what you did on the Internet, are you in Mississippi, so to speak, even if you are in New York? Let's take a look at why the brief argues this is not acceptable, that New Jersey has no hold on the appellant, beginning on page 44 of the brief (56 of the PDF). And while you read it, imagine the lawyers are writing about you, that your freedom depends on these arguments:
IV. VENUE IN NEW JERSEY WAS IMPROPER BECAUSE NO AT&T COMPUTERS WERE THERE AND NO DATA WAS TRANSFERRED, POSSESSED OR USED IN THE STATE.
Even if this Court concludes that Auernheimer was guilty of both Counts, the Court must still vacate the convictions because the government failed to establish that there was venue in the District of New Jersey. A criminal defendant has a constitutional right to be tried in the district where his alleged crime was committed. United States v. Rodriguez-Moreno, 526 U.S. 275, 278 (1999); United States v. Perez, 280 F.3d 318, 329 (3d Cir. 2002) (citing U.S. Const. amend. VI and U.S. Const. art. III, § 2, cl. 3); United States v. Pendleton, 658 F.3d 299, 302-03 (3d Cir. 2011) (same); see also Fed. R. Crim. P. 18 (“[G]overnment must prosecute an offense in a district where the offense was committed.”).
The venue requirement provides a “safety net” for criminal defendants. United States v. Salinas, 373 F.3d 161, 164 (1st Cir. 2004). If legal limits on venue are ignored, any aggressive Assistant U.S. Attorney anywhere in the country can bring charges against an unpopular or controversial person. The venue requirement ensures that only prosecutors in districts where the crime actually occurred can bring a prosecution.
“[A]ny offense against the United States begun in one district and completed in another, or committed in more than one district, may be inquired of and prosecuted in any district in which such offense was begun, continued, or completed.” 18 U.S.C. § 3237(a). “The Government bears the burden of proving venue by a preponderance of the evidence and venue must be proper for each count of the indictment.” United States v. Root, 585 F.3d 145, 155 (3d Cir. 2009) (citing Perez, 280 F.3d at 328-30).
To determine whether venue is proper, courts must apply the “locus delicti” test, which identifies where a crime occurred based on “the nature of the crime alleged and the location of the act or acts constituting it.” Rodriguez–Moreno, 526 U.S. at 279 (citation omitted); Pendleton, 658 F.3d at 303. A “court must initially identify the conduct constituting the offense (the nature of the crime) and then discern the location of the commission of the criminal acts.” Rodriguez–Moreno, 526 U.S. at 279. Venue is proper where “the crucial elements [of the crime] are performed.” Perez, 280 F.3d at 329.
Identifying the crucial elements requires a close reading of the statutory text to identify where the crime occurred. Count 1 is a charge of conspiracy under 18 U.S.C. § 371 to violate 18 U.S.C. § 1030(a)(2)(C). That section makes it illegal to “intentionally access a computer without authorization or exceed authorized access, and thereby obtain . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C) (emphasis added). This language makes clear that the crucial elements of the crime occur wherever the computer is accessed (that is, wherever the computer is located) or wherever the data is obtained (that is, wherever the individuals or storage devices are located). The Department of Justice’s own manual on prosecuting computer crimes agrees, explaining “it would seem logical that a crime under section 1030(a)(2)(C) is committed where the offender initiates access and where the information is obtained.” Office of Legal Educ. Exec. Office for U. S. Attorneys, Prosecuting Computer Crimes at 118.18
The government indicted this case in the District of New Jersey even though no computer was accessed and no data obtained there. At all times relevant to the charges in this case, Auernheimer was in Arkansas and never visited New Jersey until he had to appear in court there. App.2 185, 366. Spitler was in San Francisco, California. App2. 233. The evidence at trial demonstrated the AT&T servers that Spitler accessed were located in Atlanta, Georgia and Dallas, Texas. App2. 434-35, 443-44. There was no evidence whatsoever that any data traveled through or to computers in New Jersey. App2. 442-43.
Focusing on where the computer was accessed or data was taken means that this case could have been charged in Arkansas, California, Georgia, or Texas. It might also have been proper to charge this case in other districts where computer traffic traveled in the course of the conduct. But the charges could not be brought in New Jersey, where no computer was accessed, no defendant was located, and no computer traffic traveled. See United States v. Lanoue, 137 F.3d 656, 661 (1st Cir. 1998) (holding that the crime of being a felon in possession of a firearm can only be charged where the firearm is “actually possessed”); United States v. Cabrales, 524 U.S. 1, 8 (1998) (holding that venue is improper when the government charged a defendant in Missouri for money laundering in Florida using money from a Missouri narcotics operation because the defendant did not act in Missouri).
Before the district court, the government’s main argument that venue was proper in New Jersey for the § 1030 charges was that the CFAA is about protecting privacy and approximately 4,500 of the e-mail addresses—4% of the 114,000—belonged to New Jersey residents. App2. 112, 221. Thus, the end result of Auernheimer’s conduct was a privacy harm presumably felt in New Jersey. App2. 110-18.
The government’s argument misunderstands the applicable legal standard. Venue requires a close study of the text of the statute to see what conduct Congress prohibited, not speculation about where effects of the conduct might be felt or what happened after the crime was committed....
The government also argued that venue was proper because Count 1 charged a felony on the basis of conduct in furtherance of a New Jersey crime. App2. 110, 112. Again, this misunderstands the law. The question is what Congress prohibited when it enacted the statute, not what prosecutors decided to charge when they brought the indictment. Rodriguez–Moreno, 526 U.S. at 278; Cabrales, 524 U.S. at 6-7. Congress did not make it a federal crime to violate New Jersey law. Rather, Congress merely specified that hacking in furtherance of any crime or tort is a felony rather than a misdemeanor. See 18 U.S.C. § 1030(c)(2)(B)(ii). The government’s theory means venue is proper for any CFAA crime wherever there is a state law prohibiting similar conduct.
Even if the New Jersey statute is included in a search for essential elements of the crime, the government’s theory fails. The New Jersey statute prohibits the knowing or reckless disclosure of personal identifying information that the defendant knowingly accessed without authorization. N.J.S.A. § 2C:20-31(a). The statute’s terms describe conduct that occurred in districts other than the District of New Jersey.
Venue is lacking for Count 2 for similar reasons that it is lacking in Count 1. Count 2 charged identity theft under 18 U.S.C. § 1028(a)(7), which punishes in relevant part any person who
knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law
18 U.S.C. § 1028(a)(7) (emphasis added).
The plain text of the statute indicates venue is proper in any district in which the means of identification were transferred, possessed, or used. Venue is not proper in New Jersey in this case because no data was transferred, possessed, or used there. See Lanoue, 137 F.3d at 661.
The government’s novel theory that venue is proper wherever some harm may be felt is particularly troubling in a case involving Internet crimes. Given the interconnectedness of the Internet, criminal defendants could be dragged into court in virtually any state, regardless of whether it would be foreseeable or reasonable to defend against a criminal trial there, giving every U.S. Attorney’s Office the choice of bringing a case and allowing the government to cherry-pick the most advantageous jurisdictions in which to prosecute the defendant. The doctrine of venue is predicated on avoiding this prosecutorial and constitutional abuse. See United States v. Morgan, 393 F.3d 192, 201 (D.C. Cir. 2004).
In short, this case has nothing to do with New Jersey and should not have been charged in New Jersey. Venue was improper in New Jersey and the convictions must be reversed.19
18 Available at http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf (last visited July 1, 2013).
19 The government and district court relied heavily on a short unpublished decision by a Magistrate Judge in Nebraska in United States v. Powers, No. 09-cr-261, 2010 WL 1418172 (D.Neb. 2010). App1. 25-26, App2. 113-15. In Powers, an e-mail account holder in Nebraska gave the defendant her e-mail password. The defendant later used the account from Arizona for reasons beyond the account holder’s permission, finding nude pictures of her, harassing her in Nebraska, and sending the nude pictures to others in Nebraska. The defendant was indicted for violating the CFAA in Nebraska and unsuccessfully challenged venue there. See Powers, 2010 WL 1418172, at *1-2.
But Powers is distinguishable on its facts. In Powers, the defendant actually sent messages into the jurisdiction in which the case was charged. In contrast, no communications were sent to or even through New Jersey in this case. Further, the government did not allege harassment of anyone in New Jersey or identify any specific harm felt by anyone in New Jersey. Even if Powers somehow lends support to the government’s position, its cryptic and brief discussion is too light on legal analysis to be of much assistance. Further, an unpublished Magistrate Judge’s decision from Nebraska is not binding on this Court.
The defendant was also ordered to pay AT&T $73,000 because it sent snail mail notices to everyone affected, but the brief argues that this isn't a loss as loss is defined in the CFAA and that, further, there was no evidence presented on how that figure was even arrived at, beginning on page 53 of the brief (65 of the PDF):
B. The Mailing Costs Were Not “Loss” Under the CFAA.
Even if the government sufficiently proved AT&T spent approximately $73,000 in mailing costs to notify its customers of the disclosure of their email addresses, applying the eight level enhancement in U.S.S.G. § 2B1.1(b)(1)(E) was wrong because these mailing costs do not qualify as “loss” under the CFAA since (1) mailing costs do not qualify as “loss” under the CFAA specific definition of “loss” in U.S.S.G. § 2B1.1 and 18 U.S.C. § 1030(e)(11); and (2) the mailing costs were “unreasonable” under U.S.S.G. § 2B1.1 since electronic notice was effective.
Were the facts what you expected? They were not to me. I had formed a very different impression of what happened. That is perhaps because I wasn't paying attention to the details at the time. But now, I read this, and it seems very unfair. Just because you don't like what a person has done isn't the same as seeing a crime was committed. Lots of things are unpleasant but not criminal. And the bottom line, to me, is that AT&T didn't properly protect its customers' information. That's how I read it, anyway, and rather than just admit it, they allowed this defendant to be tried in this strange way. They should, instead, have asked him to advise them on how to fix the problem, since they were obviously somewhat clueless.
1. Mailing Costs Do Not Count as “Loss” Under 18 U.S.C. § 1030(e)(11) or U.S.S.G. § 2B1.1 Since They Were Unrelated to
The application notes to U.S.S.G. § 2B1.1 explain that “loss” should be the greater of “actual” or “intended” loss. U.S.S.G. § 2B1.1 app. n. (3)(A). “Actual” loss is generally defined as “the reasonably foreseeable pecuniary harm that resulted from the offense.” U.S.S.G. § 2B1.1 app. n. (3)(A)(i). But the Guidelines include a broader definition of “actual” loss for CFAA convictions:
In the case of an offense under 18 U.S.C. § 1030, actual loss includes the following pecuniary harm, regardless of whether such pecuniary harm was reasonably foreseeable: any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other damages incurred because of interruption of service.
U.S.S.G. § 2B1.1 app. n. (3)(A)(v)(III). That broader definition comes from the definition of “loss” in the CFAA itself in § 1030(e)(11). Thus, court cases analyzing the CFAA’s definition of “loss” are relevant in determining what “loss” means for purposes of applying U.S.S.G. § 2B1.1 to CFAA convictions. See In re Cmty. Bank of N. Virginia, 418 F.3d 277, 295-96 (3d Cir. 2005) (“When Congress borrows language from one statute and incorporates it into a second statute, the language of the two acts ordinarily should be interpreted the same way.”) (citing Morales v. Trans World Airlines, Inc., 504 U.S. 374, 383–84 (1992)).
The definition of “loss” in §1030(e)(11) covers two things: “any reasonable cost to the victim” including the cost of “responding to the offense or otherwise restoring lost material” or “lost revenue or other damages incurred as a result of an interruption of service.” SKF USA, Inc. v. Bjerkness, 636 F. Supp. 2d 696, 721 (N.D. Ill. 2009). Though this definition can cover economic harm, any such harm must be related to the computer systems. Id; see also CustomGuide v. CareerBuilder, LLC, 813 F. Supp. 2d 990, 998 (N.D. Ill. 2011) (“economic costs unrelated to computer systems do not fall within the statutory definition of [loss]”).
Stated differently, “[c]osts not related to computer impairment or computer damages are not compensable under the CFAA.” Civic Ctr. Motors, Ltd. v. Mason St. Imp. Cars, Ltd., 387 F. Supp. 2d 378, 382 (S.D.N.Y. 2005); see also Von Holdt v. A-1 Tool Corp., 714 F. Supp. 2d 863, 875 (N.D. Ill. 2010) (CFAA “loss” must relate to “the investigation or repair of a computer or computer system following a violation that caused impairment or unavailability of data or interruption of service.”) (quotations and citation omitted); Am. Family Mut. Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 772 (N.D. Ohio 2008) (“The CFAA does not contemplate consequential damages ... unrelated to harm to the computer itself.”).
So “remedial costs” incurred investigating damage and fixing that damage, as well as any costs incurred “because the computer cannot function while or until repairs are made” are “loss” under the CFAA. Nexans Wires S.A. v. Sark-USA, Inc., 319 F. Supp. 2d 468, 474 (S.D.N.Y. 2004) aff’d, 166 Fed. App’x 559 (2d Cir. 2006) (citing In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 521-22 (S.D.N.Y. 2001)); see also A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009).
But travel costs for senior executives of a company to conduct a damage assessment and respond to an intrusion for business purposes are insufficient to count as “loss” under the CFAA. Nexans Wires S.A., 319 F. Supp. 2d at 476. The same is true of lost business revenue, and lost profits unrelated to fixing the computer. Id. at 477-78; Civic Ctr. Motors, 387 F. Supp. 2d at 382. Nor do attorneys’ fees or litigation costs, unrelated to the computer, count as “loss” under the CFAA either. Wilson v. Moreau, 440 F. Supp. 2d 81, 110 (D.R.I. 2006).
Here, the only alleged “loss” to AT&T was the mailing costs of notifying its customers of the breach. That cost was not incurred because of any damage caused to AT&T computers, let alone assessing, responding to or fixing any damage, because Auernheimer caused no damage to AT&T computers at all. No data was taken, deleted or destroyed. AT&T customers could still log in to AT&T’s website through their iPads and access their accounts. As AT&T’s Shirley Ramsey testified at trial, the only technical thing AT&T did as a result of the breach was to disable the website from automatically populating a user’s email address:
So our technical folks looked at this server and were able to go in and do some technical changes so that the user, when they’re trying to register their iPad to get service to work, they would have to put in both the e-mail address and the password so the e-mail wouldn’t automatically be populated.
App2. 219. Because the mailing costs were unrelated to any damage caused to AT&T computers, any costs in assessing damage to or fixing AT&T computers, or costs incurred because of an interruption of service, they do not qualify as “loss” under the CFAA, and in turn U.S.S.G. § 2B1.1.
At least one district court has found that costs associated with “determining and complying with customer security breach notification obligations” do not qualify as loss under the CFAA. Farmers Ins. Exch. v. Auto Club Grp., 823 F. Supp. 2d 847, 855 (N.D. Ill. 2011). Farmers sued a rival insurance agency, AAA, under the CFAA after Farmers employees gave AAA employees confidential login and password information that allowed AAA agents to login to a Farmers online database and obtain confidential policyholder information about Farmers’ customers. Id. at 850-51. The court found Farmers failed to allege “loss” and dismissed the claims under Federal Rule of Civil Procedure 12(b)(6). Id. at 856. The costs associated with complying with breach notification laws were not “loss” because they were not “directly attributable” to the “unauthorized computer access itself, but are instead properly attributable to the resulting disclosure of certain confidential information.” Id. at 856.
The same is true here. AT&T’s mailing costs were not attributable to the computer access itself, but rather the disclosure of the email addresses. After all, there was no “damage” to AT&T’s computers and the integrity of any AT&T data was not impaired. AT&T spent no money fixing its computer architecture or attempting to retrieve lost data. These incidental mailing costs do not qualify as “loss” under the CFAA. And as a result, it was improper to apply the eight level adjustment under U.S.S.G. § 2B1.1(b)(1)(E). Rather, under U.S.S.G. § 2B1.1(b)(1)(A), he should have received no upward adjustment since the “loss” was less than $5,000, specifically $0.
If you want something to be private, don't put it on the Internet without some way to let people know that it's private and not to be accessed, like requiring a password, for example, which AT&T didn't bother to do. They were outraged that someone found their page, but I'm outraged that they would put such personal materials on the open Internet. And if it cost them something to fix the problem they created themselves, why should anyone have to pay them for doing it? They created the issue.
A lot of companies have never bothered to spend what it takes to hire qualified technical security experts to protect customers' private information. Not that it even would have cost AT&T anything but time. I mean, why didn't they, at a minimum, encrypt this information? If they had, then it wouldn't have mattered at all who accessed the page.
Update: Hanni Fakhoury has an article on Wired, "You May Not Like Weev, But Your Online Freedom Depends on His Appeal":
Weev’s case is just another example of a dangerous prosecution that covers all sorts of innocuous, common internet behavior. Perhaps more dangerously, it’s an example of a prosecution that tries to regulate a person, not just his or her crime.