• by Wendy Davis , Staff Writer @wendyndavis, April 11, 2014

In a closely watched case, a federal appellate court has reversed the hacking conviction of Andrew “weev” Auernheimer, who was sentenced to 41 months in prison after exposing AT&T's poor security practices.

Briefly, Auernheimer discovered that AT&T had posted iPad users' email addresses on a Web site that wasn't password-protected. He figured out that the URLs for those sites all began with the same block of characters but went on to include particular iPads' serial numbers. Auernheimer gathered 114,000 email addresses and sent them to Gawker, which publicly reported on the security glitch.

The federal government then prosecuted Auernheimer, arguing that he violated the Computer Fraud and Abuse Act by accessing AT&T's servers without the company's authorization. Auernheimer was also prosecuted for identity theft, for sharing the email addresses with Gawker. He was convicted and has been imprisoned since March of 2013.

He raised several arguments on appeal, including that the case shouldn't have been brought in New Jersey. He also argued that it's not a crime to access publicly available Web sites. 

A broad array of outside groups -- including digital rights organizations, security researchers, and other computer experts -- sided with Auernheimer in “friend-of-the-court” briefs. Many of those groups argued that Web site operators effectively authorize anyone on the Internet to access information that has been posted without passwords.

Mozilla pointed out in its brief that privacy researchers often access sites in ways operators don't want. For instance, several years ago researchers at the University of California, Berkeley reported that many Web companies used “flash” cookies to track people who deleted their "regular" cookies. Those findings spurred companies to change their practices, sparked public debate, and appeared to result in at least one Federal Trade Commission case. But the site operators that were examined didn't necessarily want their sites accessed by researchers who were trying to expose privacy glitches. Today's ruling by the 3rd Circuit Court of Appeals doesn't answer whether Auernheimer's acts were criminal. Instead, the court vacated Auernheimer's conviction on a relatively narrow ground -- that the Department of Justice had no legitimate reason to bring the case in the state of New Jersey.

Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence,” the judges wrote in the opinion, issued on Friday.

They went on to add that New Jersey was the wrong locale for a prosecution because none of the allegedly criminal acts took place in the state. “The evidence at trial demonstrated that the accessed AT&T servers were located in Dallas, Texas, and Atlanta, Georgia,” the opinion states. “No protected computer was accessed and no data was obtained in New Jersey.”

Auernheimer is expected to be released today. It's not yet clear whether the Department of Justice will seek to try him again.