AT&T’s blame game: the Andrew Auernheimer case

I haven’t been following the Andrew Auernheimer case as closely as I perhaps should have.

But recently I read VentureBeat’s story from the night before the sentencing and Rolling Stone’s story of the sentencing itself. And I find this case more than a bit unsettling.

Andrew’s alleged “crime”, for which he will serve 41 months in Federal prison, stems from a just plain boneheaded lapse in security on the part of AT&T, which Andrew was trying to get closed.

From the VentureBeat story:

During the summer of 2010, Auernheimer and co-defendant Daniel Spitler discovered that by querying AT&T’s iPad servers with a string of numbers that matched subscribers’ SIM card identifiers, AT&T’s servers would send back the unencrypted, unprotected email address of the AT&T customer, the iPad owner. AT&T had a massive security design flaw, which, as it admitted in Auernheimer’s one-week trial, was intentional: for subscriber convenience. After running the script to capture 114,000 email addresses of AT&T iPad subscribers, Auernheimer sent a list of the email addresses to Gawker to highlight the security hole. Gawker then printed them in redacted form.

Later in the VentureBeat story:

“We sent [HTTP] Get requests to a public API,” Auernheimer says. “They charged me with unauthorized access to a computerized device … and identity theft, which is a possession charge … if you walk down a street and write down physical addresses, you’re stealing identifiers, and you’re an identity thief.”

If you’re reading this and thinking “this is just plain ludicrous”, you’re not alone. If anyone should be prosecuted in a criminal court, it’s an AT&T employee for letting this happen. “Subscriber convenience” is an extremely poor excuse for this kind of thing.

The VentureBeat article goes into much more detail, which I’m not going to quote, on the implications. It would be one thing if Andrew had an AT&T employee’s password or similar access control information and got the 114,000 email addresses that way. But what Andrew’s trial sets as precedent is that any one of us could, in theory, be arrested just on the whims of the owner of an Internet-connected computer for what is perceived as “unauthorized access”.

It’s extremely difficult, if not outright impossible, to have a blog like this one for over four years and, throughout that entire time, completely avoid talking about someone who would rather not be talked about in a given context or even at all. In fact I know I’ve done this at least twice on this blog (probably more than that, but twice that I can easily remember). Based on this, if I access the blog of someone who doesn’t want me talking about them, to quote what they are saying, it can be labeled “unauthorized access”. And I could, in theory, be subject to the same 10 years in prison Andrew was facing, for accessing a public blog entry, the same way AT&T accidentally made public its subscriber info which it should not have. And so could anyone else, in theory. All they would need is a prosecutor willing to go along.

The EFF is leading the charge to reform the CFAA (Computer Fraud and Abuse Act), the law under which Andrew was prosecuted. If you can help the EFF, please do so. I hope Andrew wins his appeal. Because if the court system is about justice, then the court system really failed us here, because this is quite emphatically not justice.