Attorneys for hacker Andrew Auernheimer filed an appeal late Monday seeking to overturn his conviction for obtaining thousands of email addresses from AT&T's servers and disclosing them to a reporter.
In their appeal, Auernheimer’s attorneys argued AT&T's security was so lax that collecting customers' email addresses did not violate a federal law that prohibits "unauthorized access" to computers.
"AT&T chose not to employ passwords or any other protective measures to control access to the e-mail addresses of its customers," the attorneys said. "The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information."
Auernheimer, 27, known online by the nickname "Weev," found a security flaw in an AT&T server three years ago that allowed his security group to collect 114,000 email addresses belonging to iPad 3G users. Auernheimer turned over that information to the gossip site Gawker, which posted some partially redacted addresses, prompting an FBI investigation.
Last year, a jury found Auernheimer guilty of identity theft and conspiracy to gain unauthorized access to computers. He was sentenced in March to 41 months in prison.
His attorneys argued that the length of Auernheimer's sentence was based on an unproven estimate of $73,000 in damages, or the amount that AT&T said it spent to mail notices to customers about the breach.
"Auernheimer was aggressively prosecuted for an act that caused little harm and was intended to be -- and ultimately was -- in the public interest," said attorney Marcia Hofmann, who is representing Auernheimer in his appeal along with attorneys for the Electronic Frontier Foundation and George Washington University law professor Orin Kerr.
Auernheimer was convicted of violating the Computer Fraud and Abuse Act, a 1980s-era statute that makes it a federal crime to access a computer without authorization. Critics say the law is overly broad and gives prosecutors wide discretion to pursue defendants for computer-related offenses.
"The CFAA's vague language gives prosecutors great latitude to abuse their discretion and throw the book at people they simply don't like," Hofmann said. "That's as evident here as it was in the prosecution of Aaron Swartz."
Last month, Rep. Zoe Lofgren (D-Calif.) and Sen. Ron Wyden (D-Ore.) introduced legislation in Congress to amend the law to prevent Internet users from facing criminal charges for violating a company's terms of service and to prevent prosecutors from pursuing multiple charges against a defendant for the same act.
The bill was named after Swartz, an Internet activist who committed suicide in January while facing charges for allegedly stealing millions of scholarly journal articles from the digital archive JSTOR. He faced a potential sentence of more than 30 years in prison.
Auernheimer is serving his sentence at the Allenwood Federal Correctional Complex in White Deer, Penn., about 170 miles west of New York City. Prison officials have cut off his email access and forced him to spend time in a "special housing unit" as punishment for posting messages to Soundcloud, an audio distribution platform, according to his attorney, Tor Ekeland.
Auernheimer is only allowed out of his 10-foot-by-10-foot cell, which he shares with one cellmate, for 15 minutes a day, three times a week, to take showers, Ekeland wrote in a recent blog post.
In an email to a security researcher from prison last month, Auernheimer wrote: "I miss everyone, also food and sunlight."
"I was hoping people would send m [sic] tweets and news article about me but nobody has," he wrote, according to the researcher who posted the email to the file-sharing site Pastebin. "Has the Internet forgotten about me or am I still a hot topic?"