By Eric Siebert
On April 11, the Third Circuit Court of Appeals vacated a conviction against Andrew Auernheimer (known among hackers by the nickname “Weev”) on venue considerations. The original case charged Auernheimer with conspiring to violate the Computer Fraud and Abuse Act (“CFAA”) under 18 U.S.C. § 1030, and identity fraud under 18 U.S.C. § 1028(a)(7). After being indicted on both counts by a federal grand jury, Auernheimer moved to dismiss the indictment based, in part, on improper venue. The United States District Court for the District of New Jersey denied his motion and found that New Jersey was a proper venue because 4,500 residents were affected by Auernheimer’s actions. Rejecting this reasoning, the Third Circuit reversed the district court’s decision and ruled that venue was improper, finding that New Jersey was not the site of any “essential conduct elements” of the crimes for which Auernheimer was charged.
The charges against Auernheimer centered on the unauthorized collection of about 114,000 iPad users’ email addresses through AT&T’s servers (AT&T was the exclusive data service provider for iPads at the time). Daniel Spitler, Auernheimer’s co-conspirator, first recognized that he could crack into AT&T’s registration and log-in systems, allowing him to extract the emails of any user that had previously registered their accounts through AT&T. After sharing his discovery with Auernheimer, the two proceeded to collect over 100,000 emails through a “brute force” attack on AT&T’s servers. While still collecting email addresses, Auernheimer contacted members of the media, including a reporter at Gawker, in order to publicize their activities. Gawker published a story about the hackers and the flaw exploited in AT&T’s system, mentioning some names of affected individuals, but only showing redacted images of a few email addresses. Importantly, at all times relevant to the case, Spitler was in San Francisco, California, Auernheimer was in Fayetteville, Arkansas, the servers accessed by the two were physically located in Dallas, Texas and Atlanta, Georgia, and it was undisputed that the Gawker reporter was not in New Jersey.
The first count charged Auernheimer with violating subsection (a)(2)(C) of the CFAA. To be liable under this section, an individual must have intentionally accessed a protected computer without authorization (or exceeding authorization) and thereby obtained information. In determining where venue may be proper to hear a case, the Third Circuit distinguished between “circumstance elements” and “essential conduct elements.” Importantly, the court said that only the location(s) where “essential conduct elements” occur may provide the basis for venue. Here, the only essential conduct elements under the CFAA are (1) accessing a protected computer without authorization, and (2) obtaining information.
In this case, the only link to New Jersey was the fact that about 4% of the emails obtained by the hackers were from residents of New Jersey. However, no computer was physically accessed and no data was obtained in New Jersey; neither hacker resided in New Jersey; and there were no allegations that the Gawker reporter was located in New Jersey, and no allegations that any of the email addresses disclosed in the Gawker article were those of New Jersey residents. Thus, the Third Circuit found that no essential conduct element occurred in New Jersey.
In adopting this “essential conduct element” test, the court rejected the government’s proposed “substantial contacts” test, which would look to multiple factors to determine where venue is proper, including the site of the defendant’s acts, the elements and nature of the crime, and the “locus of effect” of the criminal conduct. Notably, although the court deemed such an inquiry inappropriate for violations of section (a)(2)(C) of the CFAA, it stated that other sections of the CFAA (such as (a)(5)(B), which criminalizes similar conduct that causes damages) may warrant a “locus of effect” inquiry for determining venue, because liability under that section is defined in terms of its effects.
The court often noted that although technology is quickly advancing, individuals’ constitutional rights must not give way, and that the constitutional venue provisions are neither “outdated nor outmoded.” In summing up the enduring venue considerations in today’s technological age, the court said it best: “As we progress technologically, we must remain mindful that cybercrimes do not happen in some metaphysical location that justifies disregarding constitutional limits on venue. People and computers still exist in identifiable places in the physical world. When people commit crimes, we have the ability and obligation to ensure that they do not stand to account for those crimes in forums in which they performed no ‘essential conduct element’ of the crimes charged.”