United States v. Auernheimer

by
Apple introduced the iPad in 2010. To send and receive data over cellular networks (3G), customers had to purchase a data contract from AT&T and register on an AT&T website. AT&T prepopulated the user ID field on the login screen with customers’ email addresses by programming servers to search for the user’s Integrated Circuit Card Identifier to reduce the time to log into an account. Spitler discovered this “shortcut” and wrote a program, the “account slurper,” to repeatedly access the AT&T website, each time changing the ICC-ID by one digit. If an email address appeared in the login box, the program would save that address. Spitler shared this discovery with Auernheimer, who helped him to refine the account slurper, which collected 114,000 email addresses. Auernheimer emailed the media to publicize their exploits. AT&T fixed the breach. Auernheimer shared the list of email addresses with Tate, who published a story that mentioned some names of those whose email addresses were obtained, but published only redacted email addresses and ICC-IDs. Spitler was in California. Auernheimer was in Arkansas. The servers t were physically located in Texas and Georgia. Despite the absence of any connection to New Jersey, a Newark grand jury indicted Auernheimer for conspiracy to violate the Computer Fraud and Abuse Act, 18 U.S.C. 1030(a)(2)(C) and (c)(2)(B)(ii), and identity fraud under 18 U.S.C. 1028(a)(7). The Third Circuit vacated his conviction. Venue in criminal cases is more than a technicality; it involves “matters that touch closely the fair administration of criminal justice and public confidence in it.”View "United States v. Auernheimer" on Justia Law