The ubiquity of the Internet doesn’t confer the same ubiquity to venue, the U.S. Court of Appeals for the Third Circuit has ruled, reversing Andrew Auernheimer’s cybercrime conviction from the District of New Jersey.
Auernheimer was a resident of Arkansas at the time that he helped Daniel Spitler perfect a program to collect emails through a security flaw in AT&T’s website, according to the opinion, and the pair publicized their effort as evidence of a lack of data security at AT&T.
“A defendant who has been convicted ‘in a distant, remote, or unfriendly forum solely at the prosecutor’s whim’ has had his substantial rights compromised,” Judge Michael A. Chagares said on behalf of the three-judge panel, quoting from the First Circuit’s 2004 opinion in United States v. Salinas.
“Auernheimer was hauled over a thousand miles from Fayetteville, Ark., to New Jersey,” Chagares said.
Although there was no connection to New Jersey, other than that about 4 percent of the collected emails were for New Jersey residents, a grand jury in the Garden State indicted Auernheimer for violating the Computer Fraud and Abuse Act, or CFAA, and for identity fraud.
Auernheimer was convicted in 2012 in the U.S. District Court for the District of New Jersey on both charges and is now serving a three-and-a-half-year sentence. The Third Circuit reversed the conviction.
The collection of New Jersey residents’ emails had been enough to convince the district court judge that venue was proper, according to the Third Circuit opinion.
That court “held that venue was proper for the CFAA conspiracy charge because Auernheimer’s disclosure of the email addresses of about 4,500 New Jersey residents affected them in New Jersey and violated New Jersey law,” Chagares said.
The Third Circuit eschewed other novel issues presented by the case to focus on venue.
“Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue,” Chagares said.
He related the issue back to the seeds of discontent that gave rise to the American Revolution, saying, “The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.”
Prosecutors had cast Auernheimer’s collection of the emails, which he did with Spitler, a San Francisco resident, as a complex hacking scheme, while the defense had characterized it as a simple collection of data from a publicly accessible website.
Soon after the Apple iPad was introduced in 2010, when AT&T had an exclusive deal to provide wireless 3G Internet service for the devices, Spitler discovered that the portal established by AT&T to allow customers to access their account using an email and password combination could be accessed online from any computer and that the website would automatically fill in the email address associated with a particular iPad’s serial number.
“IPads registered with AT&T would visit the page associated with that address automatically. However, AT&T configured its website so that it would share an email address with anyone—not just the account holder—who entered the correct website address,” according to Auernheimer’s brief.
Spitler figured out the system and created a program that he called an “account slurper” that would repeatedly visit the AT&T website and fill in different numbers so that the website would respond with email addresses when the number matched a registered iPad serial number. Spitler told Auernheimer, who helped him improve the program, according to the opinion.
The program collected about 114,000 email addresses, 4,500 of which were for New Jersey residents, before AT&T found out and fixed the problem, according to the opinion.
The computers that were hosting the AT&T website were in Dallas and Atlanta, according to the opinion.
The language in the CFAA clearly includes two “essential conduct elements: accessing without authorization and obtaining information,” Chagares said, and “New Jersey was not the site of either essential conduct element.”
Citing the Third Circuit’s 1980 opinion in United States v. Passodelis, Chagares said, “‘Though our nation has changed in ways which it is difficult to imagine that the framers of the Constitution could have foreseen, the rights of criminal defendants which they sought to protect in the venue provisions of the Constitution are neither outdated nor outmoded.’”
“Just as this was true when we decided Passodelis in 1980—after the advent of railroad, express mail, the telegraph, the telephone, the automobile, air travel, and satellite communications—it remains true in today’s Internet age,” Chagares said.
(Copies of the 22-page opinion in United States v. Auernheimer, PICS No. 14-0529, are available from The Legal Intelligencer. Please call the Pennsylvania Instant Case Service at 800-276-PICS to order or for information.) •