In the latest criminal prosecution to alarm Internet activists, a security researcher who accessed a non-password protected portion of AT&T's Web site was sentenced today to 41 months in prison and three years of supervised release.
Andrew Auernheimer, who goes by the nickname "Weev" and was convicted by a federal jury last year of hacking, was sentenced today by a federal judge in Newark, N.J. "No matter what the outcome, I will not be broken," Auernheimer said this morning after hosting an all-night party in Newark and making an unsuccessful appearance on Reddit. "I am antifragile."
Auernheimer is hardly the most sympathetic defendant: He's a self-described Internet troll who has delighted in making enemies along the way. "I hack, I ruin lives, I make piles of money," he told The New York Times, which published a profile of him in 2008, and two years later Fortune dubbed him "the ugliest computer hacker." He even trolled prosecutors in an open letter offering "friendly advice."
The Justice Department responded by using Auernheimer's trollishness to urge U.S. District Judge Susan Wigenton to hand down a lengthy sentence -- and 41 months is at the upper end of what the federal sentencing guidelines allow. In a letter to Wigenton last week, U.S. Attorney Paul Fishman cited "defendant's chosen 'career' of wreaking havoc on the Internet" and said "his entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he."
But, by itself, being a professional irritant isn't illegal. Supporters have set up a defense fund for Auernheimer, with one calling him "the Internet prophet of discord," and others organizing impromptu book deliveries in prison. The Electronic Frontier Foundation said this morning it will join his legal defense team during an appeal, and even Auernheimer's detractors said today that he didn't deserve to be imprisoned for accessing AT&T's servers.
If Keys had given the keys to the newspaper's printing press to vandals who altered a headline on a printed version of the newspaper, he might have been charged with misdemeanor crimes such as trespass or malicious mischief that would have yielded a few months in jail or, more likely, probation. But penalties in the CFAA -- which was enacted in a "WarGames"-fueled panic over hackers accessing government mainframes -- are far more Draconian than state law.
Auernheimer was arrested in 2011 after discovering a security hole on AT&T's Web site that exposed the e-mail addresses of more than 100,000 iPad users. His organization, Goatse Security, created a script to download the records and gave the results to Gawker.
In an interview with CNET at the time of the discovery, Auernheimer said: "I think it was necessary to inform the public in this particular manner. I know some people are criticizing us and calling it irresponsible, but we did our best effort to be good guys about it. We waited until the hole was patched. We didn't disclose the data except to a reporter who agreed to censor the relevant bits. We felt it was in the public's best interest."