Today the Cyberlaw Clinic filed an amicus brief in the case of U.S. v. Auernheimer on behalf of the Digital Media Law Project (DMLP), arguing that the First Amendment prohibits the government from punishing Auernheimer’s disclosure of true, newsworthy information, even if that information was unlawfully obtained. The case is on appeal to the U.S. Court of Appeals for the Third Circuit after the New Jersey District Court found Andrew Auernheimer (better known by his online handle, “Weev”) guilty of felony charges under the Computer Fraud and Abuse Act.
Auernheimer’s charges stem from his discovery of data mishandling by AT&T, which exposed iPad users’ email addresses on the public Internet. He and a colleague discovered that typing different numbers into the address bar of an iPad’s web browser, or a properly configured web browser on another computer, could reveal the email address corresponding to a given iPad device identification number. They tested the scope of the data exposure with an automatic tool and gathered 114,000 email addresses. Realizing that this was a major flaw that put iPad users’ e-mail addresses at risk of falling into the hands of fraudsters or spammers, Auernheimer shared his findings with the website Gawker.
The government argues that it was a criminal act for Auernheimer and his colleague to obtain the pertinent information from AT&T’s website, because they ought to have known that AT&T wouldn’t want them to do so. The government considers this “unauthorized access” to be a misdemeanor, punishable by one year in prison. Auernheimer’s attorneys have forcefully argued that such access does not constitute a criminal violation at all.
While DMLP agrees that the information gathering in this case was not illegal, today’s brief focuses on another issue raised in this litigation. The prosecution did not simply charge Auernheimer with a misdemeanor for accessing information on AT&T’s website. Instead, it argued that his disclosure of that information escalated his crime to a felony, punishable by up to five years of imprisonment, and the lower court judge agreed. Our brief argues that criminal punishment for communicating truthful, newsworthy information is prohibited by the First Amendment except in carefully delimited circumstances that do not apply to Auernheimer’s case. While unlawful access may be punishable, the First Amendment is plainly implicated when the government seeks to punish disclosure of information, even information that was unlawfully obtained.
This matter is of particular concern to DMLP’s constituency of online journalists, especially those covering technological vulnerabilities or data mishandling. Under the government’s dangerous theory, directly gathering evidence of such issues could constitute a misdemeanor, and sharing that evidence in order to substantiate one’s claims could be a felony. As argued in the brief, the First Amendment protects the public’s right to know about such issues by prohibiting the application of criminal disclosure laws in cases like Auernheimer’s.
The brief was filed by Kit Walsh of the Cyberlaw Clinic, with Jeff Hermes and Andy Sellars of the DMLP also attorneys on the brief. The DMLP thanks Cyberlaw Clinic interns David Collado and Kerry Sheehan and DMLP intern Kristin Bergman as well for their invaluable contributions to the preparation of the brief.