The security researcher responsible for exposing a hole in AT&T’s website that revealed more than 100,000 iPad owners’ email addresses and unique device IDs was convicted today on federal charges. He faces a maximum sentence of 10 years behind bars and fines of up to $500,000. Why is this a big deal for the rest of us? He didn’t actually “hack” AT&T’s system any more than you are “hacking” this website right now.
The AT&T iPad hack
Andrew “weev” Auernheimer, 26, was convicted on one count of conspiracy to gain access to a computer without authorization, and one count of identity theft, in a federal court in New Jersey today. Wired reports that the jury only took hours to reach a verdict.
Auernheimer’s case goes back to 2010 when he and fellow self-described security researcher Daniel Spitler, 26, discovered that AT&T’s website would reveal the email address of iPad owners who used the wireless provider’s 3G network. And it would do this without requiring any passwords or code-breaking. Instead, all AT&T’s system needed was something called an ICC-ID, which is a unique ID number assigned to each iPad. Input the ICC-ID into AT&T’s website, and it would spit out a registered iPad user’s email address.
So Auernheimer and Spitler decided to investigate how deep the hole went by writing a program called “iPad 3G Account Slurper,” which would automatically input ICC-IDs, and collect the revealed email addresses. The result: More than 120,000 email addresses revealed, according to authorities, including those of high-profile figures like New York City Mayor Michael Bloomberg, former White House Chief of Staff Rahm Emanuel, and ABC News’s Diane Sawyer, among others.
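The flaw the two paragraphs above describe is what application-security people call an insecure direct object reference: a guessable identifier (here the ICC-ID) selects a record with no check that the requester owns it. The following added example, which is not code from the article, from AT&T or from the researchers, models that pattern in Python: a lookup that hands out an e-mail address for any ICC-ID, the hardened form that requires an authenticated session and an ownership check, and a log check that flags a client querying many distinct ICC-IDs. The ICC-IDs, e-mail addresses, session tokens, URL path and log lines are all constructed for the example and are not the real AT&T values.

```python
"""Modeling the iPad/AT&T lookup hole as an insecure direct object reference (IDOR)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample records: ICC-ID -> account. None of these are real subscribers.
ACCOUNTS = {
    "8901410300000000001": {"email": "alice@example.com", "owner": "alice"},
    "8901410300000000002": {"email": "bob@example.com", "owner": "bob"},
    "8901410300000000003": {"email": "carol@example.com", "owner": "carol"},
}

# Constructed session store: bearer token -> authenticated user.
SESSIONS = {"sess-alice": "alice"}


def lookup_email_vulnerable(icc_id):
    """The flawed pattern: the device identifier alone selects the record, so anyone
    who can iterate ICC-IDs (a sequential number space) can harvest every address."""
    record = ACCOUNTS.get(icc_id)
    return record["email"] if record else None


class AccessDenied(Exception):
    """Raised for unauthenticated requests and for ICC-IDs the caller does not own."""


def lookup_email_hardened(icc_id, session_token):
    """The fix: authenticate the caller, then check that the ICC-ID belongs to that
    user. Unknown and foreign ICC-IDs produce the same error so the endpoint does not
    act as an oracle for which IDs exist."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise AccessDenied("authentication required")
    record = ACCOUNTS.get(icc_id)
    if record is None or record["owner"] != user:
        raise AccessDenied("not permitted")
    return record["email"]


def hardened_allows(icc_id, session_token):
    """Convenience wrapper: True if the hardened lookup succeeds, False if denied."""
    try:
        lookup_email_hardened(icc_id, session_token)
        return True
    except AccessDenied:
        return False


# Constructed web-server access log (Apache combined-style). The /ipad/account path
# and ICCID query parameter are placeholders, not AT&T's real endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2010:10:00:01 +0000] "GET /ipad/account?ICCID=8901410300000000001 HTTP/1.1" 200 512
10.0.0.5 - - [09/Jun/2010:10:00:02 +0000] "GET /ipad/account?ICCID=8901410300000000002 HTTP/1.1" 200 514
10.0.0.5 - - [09/Jun/2010:10:00:02 +0000] "GET /ipad/account?ICCID=8901410300000000003 HTTP/1.1" 200 513
10.0.0.5 - - [09/Jun/2010:10:00:03 +0000] "GET /ipad/account?ICCID=8901410300000000004 HTTP/1.1" 404 0
192.168.1.9 - - [09/Jun/2010:10:00:05 +0000] "GET /ipad/account?ICCID=8901410300000000002 HTTP/1.1" 200 514
192.168.1.9 - - [09/Jun/2010:10:00:30 +0000] "GET /ipad/account?ICCID=8901410300000000002 HTTP/1.1" 200 514
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def distinct_iccids_per_client(log_text):
    """Count how many different ICC-IDs each client address has looked up.
    A legitimate owner checks one or two devices; an enumerator walks the ID space."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group("path")).query)
        for icc_id in query.get("ICCID", []):
            seen[m.group("ip")].add(icc_id)
    return {ip: len(ids) for ip, ids in seen.items()}


def flag_enumerators(log_text, threshold=3):
    """Return the set of client addresses that queried at least `threshold` distinct
    ICC-IDs; a production detector would add a time window and rate limiting."""
    stats = distinct_iccids_per_client(log_text)
    return {ip for ip, count in stats.items() if count >= threshold}


if __name__ == "__main__":
    print(lookup_email_vulnerable("8901410300000000002"))        # leaks bob's address
    print(lookup_email_hardened("8901410300000000001", "sess-alice"))
    print(hardened_allows("8901410300000000002", "sess-alice"))  # False: not her device
    print(flag_enumerators(SAMPLE_LOG))                         # {'10.0.0.5'}
```

The hardened lookup collapses "no such ICC-ID" and "not your ICC-ID" into one response on purpose: distinguishing them would let a caller confirm which identifiers are assigned, which is a smaller version of the same leak. The log check is deliberately simple, but the signal it keys on, many distinct object identifiers from one client against an endpoint that a real user would hit once, is the general indicator for this class of enumeration.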
The pair then leaked the data to Gawker, which published a story about the security hole in AT&T’s system. AT&T then confirmed the “breach,” and the FBI launched an investigation. Auernheimer and Spitler were charged by January 2011. Spitler pled guilty to the charges, and later settled. Auernheimer fought the charges, and lost today. In a tweet posted after the verdict came in, Auernheimer said he “went in knowing there would be a guilty [verdict] here,” and he’s “appealing of course.”
What Auernheimer and Spitler (really) did wrong
Official charges aside, the main problems for Auernheimer and Spitler arose from their apparent “trolling” of AT&T. In chat logs published by Wired, the pair admitted to discovering the breach, and joked about plans to use the security hole to make AT&T look irresponsible. Later chat logs with other individuals showed that some floated plans to short AT&T’s stock ahead of the Gawker article, on the assumption that it would cause the company’s shares to fall. (They did – though neither Auernheimer nor Spitler took part in any short-selling.)
Furthermore, AT&T said that the pair did not contact AT&T directly about the security hole, which is standard practice for security researchers. Lastly, Auernheimer marketed himself and Spitler to the media as “Goatse Security” (a play on the infamous goatse shock website), but they were in fact just two guys, not a legitimate cyber security organization.
In short: Auernheimer and Spitler were massive jerks to AT&T and the customers whose data they collected, and made a name for themselves by doing so.
Why this is bad for the rest of us
As tempting as it may be to argue that Auernheimer and Spitler got what they deserved, one must also recognize that Auernheimer’s prosecution highlights a massive flaw in the law under which he was convicted.
Known as the Computer Fraud & Abuse Act, or CFAA, the law states that it is illegal to have “knowingly accessed a computer without authorization.” It also prohibits garnering “information from any protected computer.” The problem is that the CFAA was written in 1986, before the Web existed, at a time when accessing most computers or networks required a password. That is no longer the case: Every time you visit a website, you are in effect accessing a computer without explicit authorization to do so.
“Everybody here accesses a protected computer by the definition of the law,” said Auernheimer while the jury was deliberating, according to TechNewsDaily. “The ‘protected computer’ is any network computer. You access a protected computer every day. Have you ever received permission from Google to go to Google? No. Nobody has …”
While Auernheimer’s example is simplistic, it perfectly explains his bind: All he and Spitler did was access AT&T’s website and gather information from it – no system breach took place since anyone could technically access the same information.
Cybersecurity expert Robert David Graham explained the situation in a blog post this way:
A well-known legal phrase is ‘ignorance of the law is no defense.’ But that doesn’t really apply here. You know the law exists. You may have read it in detail. You may have even consulted your lawyer. It’s just that nobody can tell precisely whether this act has crossed the line between ‘authorized’ and ‘unauthorized’ access. We won’t know until if and when somebody tries to prosecute you.
Let’s say that instead of trying to profit from your accidental discovery, you simply post it to your blog, saying ‘look at what these idiots have done.’ As a Fortune 500, the FBI takes notice, searches your home, confiscates all your computers, arrests you, and successfully convicts you under the CFAA.
As Graham later explains, the vagueness of CFAA, and today’s prosecution of Auernheimer, gives cybersecurity researchers a disincentive to find security flaws, which in turn makes the rest of us less safe on the Web.
“For cybersecurity researchers like me, this creates a chilling effect. In order to fix security we have to point out when it’s broken,” he wrote. “When we see [a security flaw], what do we do? Do we keep our head down, or do we speak up? Even if we’ll probably be found innocent, why take the risk? Better to keep quiet.”