Andrew Auernheimer, a.k.a. "Weev," has been sentenced to 41 months in prison and ordered to pay $73,162 in restitution for leveraging a security flaw in AT&T's Web site to access the e-mail addresses of 114,000 iPad owners. Auernheimer had been found guilty in November of 2012.
What's striking about Auernheimer's sentencing is that he didn't actually hack anything -- when he and Daniel Spitler (who also pleaded guilty and is currently awaiting sentencing) accessed the data in 2010, they made it clear that they had simply made use of a publicly available script on AT&T's Web site -- when provided with an iPad's ICC-ID, the script would provide the associated e-mail address.
Auernheimer and Spitler, according to Gawker, simply created a PHP script to speed up the harvesting of e-mail addresses.
But in a letter to iPad customers soon after the breach, AT&T chief privacy officer Dorothy Attwood characterized it differently. "The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses," Attwood wrote. "They then put togehter a list of these e-mails and distributed it for their own publicity."
In response to Attwood's letter, Auernheimer wrote in a June 2010 blog post, "The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost."
The Electronic Frontier Foundation (EFF) today announced that it will be joining Auernheimer's legal team for his appeal. "Weev is facing more than three years in prison because he pointed out that a company failed to protect its users' data, even though his actions didn't harm anyone," EFF senior staff attorney Marcia Hofmann said in a statement. "The punishments for computer crimes are seriously off-kilter, and Congress needs to fix them."