Dangerous Fantasies and Everyday “Hacking”: The Second Circuit Decides on Criminal Liability for Employees’ Online Behaviors

By Julie Liu

It is generally understood that certain online behaviors can lead to trouble in the employer-employee context. Many of us are familiar with stories of people who were fired or denied jobs after posting incendiary selfies, offensive messages, or rants about work on social media. While risking one’s employment status is enough to worry about, being criminalized for online behaviors is an entirely different possibility. Up until last week, one case has led Second Circuit courts to wrestle with defining the criminal liability associated with two particular online behaviors: the violation of workplace policies on computer use, and “thoughtcrime,” specifically the online posting of fantastical statements.

New Jersey Case Against Andrew “Weev” Auernheimer Dismissed for Lack of Venue

By Eric Siebert

On April 11, the Third Circuit Court of Appeals vacated a conviction against Andrew Auernheimer (known among hackers by the nickname “Weev”) on venue considerations. The original case charged Auernheimer with conspiring to violate the Computer Fraud and Abuse Act (“CFAA”) under 18 U.S.C. § 1030, and identity fraud under 18 U.S.C. § 1028(a)(7). After being indicted on both counts by a federal grand jury, Auernheimer moved to dismiss the indictment based, in part, on improper venue. The United States District Court for the District of New Jersey denied his motion and found that New Jersey was a proper venue because 4,500 residents were affected by Auernheimer’s actions. Rejecting this reasoning, the Third Circuit reversed the district court’s decision and ruled that venue was improper, finding that New Jersey was not the site of any “essential conduct elements” of the crimes for which Auernheimer was charged.

The charges against Auernheimer centered on the unauthorized collection of about 114,000 iPad users’ email addresses through AT&T’s servers (AT&T was the exclusive data service provider for iPads at the time). Daniel Spitler, Auernheimer’s co-conspirator, first recognized that he could crack into AT&T’s registration and log-in systems, allowing him to extract the emails of any user that had previously registered their accounts through AT&T. After sharing his discovery with Auernheimer, the two proceeded to collect over 100,000 emails through a “brute force” attack on AT&T’s servers. While still collecting email addresses, Auernheimer contacted members of the media, including a reporter at Gawker, in order to publicize their activities. Gawker published a story about the hackers and the flaw exploited in AT&T’s system, mentioning some names of affected individuals, but only showing redacted images of a few email addresses. Importantly, at all times relevant to the case, Spitler was in San Francisco, California, Auernheimer was in Fayetteville, Arkansas, the servers accessed by the two were physically located in Dallas, Texas and Atlanta, Georgia, and it was undisputed that the Gawker reporter was not in New Jersey.