WEBINAR: Live Date: December 14, 2017 @ 1:00 p.m. ET / 10:00 a.m. PT
Modernizing Authentication — What It Takes to Transform Secure Access REGISTER >
Auernheimer was sentenced to 41 months in prison for leveraging a flaw in AT&T's Web site to view 114,000 iPad owners' e-mail addresses.
"I think the case against Auernheimer is deeply flawed, and that the principles the case raises are critically important for civil liberties online," Kerr wrote.
First, Kerr said, the case will set a major precedent regarding the definition of unauthorized access under the Computer Fraud and Abuse Act. Because Auernheimer simply wrote a script to pull publicly available data from AT&T's Web site, Kerr said it's hard to call that unauthorized access.
"The fact that AT&T would not have wanted Spitler to visit those particular URLs doesn’t make visiting the public website and collecting the information a criminal unauthorized access," Kerr wrote. "If you make information available to the public with the hope that only some people would bother to look, it’s not a crime for other people to see what you make available to them."
Kerr also noted that the alleged crime was only defined as a felony rather than a misdemeanor by virtue of the fact that similar laws are in place in all 50 states as well as on the federal level. "The government argues that the existence of state unauthorized access crimes transform unauthorized access misdemeanor crimes into felonies: The overlap means that every federal unauthorized access crime is a federal crime 'in furtherance of' the analogous state crime," Kerr wrote. "I think that kind of double-counting can’t be permitted."
Finally, Kerr wrote, Auernheimer's prison sentence seems highly disproportional to the actual damages suffered by AT&T, which experienced no interruption of service and apparently didn't have to conduct a damage assessment. The only actual loss was tied to AT&T's effort to notify its customers that their e-mail addresses had been exposed. Following e-mail notifications, AT&T followed up with mailed letters, which the company says cost $73,000 to send.
"Auernheimer’s 41-month sentence was based in substantial part on that $73,000 in loss, and he was also ordered to pay restitution in that amount," Kerr wrote. "But I don’t think that cost of paper and mailing counts as loss that can be attributed to [him]."