iPad Hacker Who Slurped Harvey Weinstein's Email Address Overturns Conviction

An appeals court finds there was no basis to try Andrew Auernheimer in New Jersey for allegedly violating the Computer Fraud and Abuse Act.

A man who helped discover a security flaw in the way that Apple's original iPad was set up on the AT&T network has successfully overturned his criminal conviction.

The breach was used to "slurp" email addresses from notables including Harvey Weinstein, ABC News' Diane Sawyer and top executives at big media companies such as Viacom, Time Warner and News Corp. On Friday, the 3rd Circuit Court of Appeals ruled that prosecutors had charged the defendant in the wrong venue.

In 2010, Andrew Auernheimer was contacted by another individual, Daniel Spitler, about the discovery of the security flaw. Spitler didn't own an iPad, but he purchased an iPad SIM Card to install in another computing device and take advantage of AT&T's then-unlimited cellular data plan for $30 a month.

While downloading the iPad operating system onto his computer, decrypting it and browsing through the code to figure out a way to register it, Spitler came across the way that IDs were used to authenticate subscribers on AT&T's network. He soon realized that the IDs were tied to iPad user email addresses, and that by changing the digits, he could pull new ones that had been populated into the system. So he wrote an "account slurper" program that automated the process.

Auernheimer, who met Spitler in an Internet chat room, helped refine the program -- which ultimately collected 114,000 email addresses in just four days' time -- and then contacted members of the media, including a reporter at Gawker who wrote an article headlined "Apple's Worst Security Breach."

For doing all this, Auernheimer was charged and convicted of conspiracy to violate the Computer Fraud and Abuse Act as well as identity fraud in a New Jersey federal court. After a five-day trial, he was sentenced to 41 months in prison.

According to an opinion by 3rd Circuit Judge Michael Chagares, the case never should have taken place in New Jersey. Auernheimer was not in New Jersey during the alleged crime, nor were AT&T's servers, but the trial judge allowed jurisdiction there anyway because he was alleged to have exposed the email addresses of 4,500 New Jersey residents. Yet the basis of that wasn't clear. The only disclosure happened through a Gawker article that shared the identities of some of the more prominent victims, but there was no evidence that any of them were from New Jersey.

Judge Chagares goes on to shred any foundation for the claim that any of the "essential conduct" happened in New Jersey. Although it might seem like a procedural technicality, the circuit judge writes, "Venue in criminal cases is more than a technicality; it involves 'matters that touch closely the fair administration of criminal justice and public confidence in it.' This is especially true of computer crimes in the era of mass interconnectivity."

Auernheimer's appeal was handled by attorneys Tor Ekeland, Mark Jaffe and Orin Kerr.

Email: Eriq.Gardner@THR.com
Twitter: @eriqgardner