Apple iPad Hacker’s Conviction Thrown Out by Federal Court

Source: Thinkstock

Source: Thinkstock

A U.S. federal appeals court has voided the conviction of a hacker who gained notoriety for collecting the email addresses of thousands of Apple’s (NASDAQ:AAPL) iPad users. Andrew Auernheimer — who also used the aliases of Weev, Weelos, and Escher – was convicted of one count of conspiracy to violate the Computer Fraud and Abuse Act and sentenced to forty-one months in prison in November 2012, reports Reuters. Some famous celebrities and politicians were among the compromised Apple email addresses uncovered by Auernheimer, including movie producer Harvey Weinstein, news anchor Diane Sawyer, former New York City Mayor Michael Bloomberg, and Chicago Mayor Rahm Emanuel.

However, the U.S. Court of Appeals for the Third Circuit recently threw out his conviction because the prosecutors pursued the case in New Jersey, rather than Arkansas where the alleged crime was committed. “Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue,” wrote Circuit Judge Michael Chagares in the court’s ruling provided by Techdirt.

“New Jersey was not the site of either essential conduct element. The evidence at trial demonstrated that the accessed AT&T (NYSE:T) servers were located in Dallas, Texas, and Atlanta, Georgia,” wrote Chagares. “In addition, during the time that the conspiracy began, continued, and ended, Spitler was obtaining information in San Francisco, California, and Auernheimer was assisting him from Fayetteville, Arkansas. No protected computer was accessed and no data was obtained in New Jersey.”

As noted by Reuters, Auernheimer was able to acquire the emails of Apple’s iPad users on AT&T’s network in 2010 by using a so-called “account slurper.” He then shared the information with a Gawker reporter that wrote an article exposing the security vulnerability. At his trial, Auernheimer had argued that AT&T’s lack of security protections on the email addresses meant that his actions could not be categorized as “unauthorized access.” According to the court documents, the security vulnerability was fixed by AT&T after it was exposed by Auernheimer.

Although the court voided Auernheimer’s conviction over issues of venue, various security researchers have pointed out that the government’s case has serious implications for the entire computer security community, since it could leave researchers who expose security vulnerabilities open to prosecution. “This prosecution presented real threats to security research,” Electronic Frontier Foundation lawyer Hanni Fakhoury told Reuters. “Hopefully this decision will reassure that community.”

Auernheimer has already spent approximately one year in prison, and it was unclear when he would be released. Meanwhile, the government may be preparing to retry the case in a new venue.

More From Wall St. Cheat Sheet:

Follow Nathanael on Twitter (@ArnoldEtan_WSCS)