United States v. Auernheimer

Citation: 748 F.3d 525
Decision Date: 11 April 2014
Docket Number: No. 13–1816.
Parties: UNITED STATES of America v. Andrew AUERNHEIMER, a/k/a Weev a/k/a Weelos a/k/a Escher. Andrew Auernheimer, Appellant.
Court: United States Court of Appeals (3rd Circuit)


Tor B. Ekeland, Esq., Mark H. Jaffe, Esq., Tor Ekeland, P.C., Brooklyn, N.Y., Orin S. Kerr, Esq. [Argued], George Washington University, Washington, DC, Marcia C. Hofmann, Esq., Street San Francisco, CA, Hanni M. Fakhoury, Esq., Electronic Frontier Foundation, San Francisco, CA, for Appellant.

Paul J. Fishman, Esq., Glenn J. Moramarco, Esq. [Argued], Office of United States Attorney, Camden Federal Building & Courthouse, Camden, NJ, Mark E. Coyne, Esq., Office of United States Attorney, Newark, NJ, for Appellee.

Christopher C. Walsh, Esq., Harvard Law School, Cambridge, MA, Alexander C. Muentz, Esq., Temple University, Department of Criminal Justice, Philadelphia, PA, Jennifer S. Granick, Esq., Stanford Law School, Center for Internet & Society, Stanford, CA, Steven P. Ragland, Esq., Keker & Van Nest, San Francisco, CA, for Amicus Appellants.

Before: CHAGARES, GREENAWAY, JR., and VANASKIE, Circuit Judges.

OPINION

CHAGARES, Circuit Judge.

This case calls upon us to determine whether venue for Andrew Auernheimer's prosecution for conspiracy to violate the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, and identity fraud under 18 U.S.C. § 1028(a)(7) was proper in the District of New Jersey. Venue in criminal cases is more than a technicality; it involves “matters that touch closely the fair administration of criminal justice and public confidence in it.” United States v. Johnson, 323 U.S. 273, 276, 65 S.Ct. 249, 89 L.Ed. 236 (1944). This is especially true of computer crimes in the era of mass interconnectivity. Because we conclude that venue did not lie in New Jersey, we will reverse the District Court's venue determination and vacate Auernheimer's conviction.

I.
A.

The relevant facts are fairly simple and not in dispute. Apple, Inc. introduced the first iPad, a tablet computer, in 2010. Customers who purchased the version that had the capability to send and receive data over cellular networks (commonly referred to as “3G”) had to purchase a data contract from AT & T, Inc. (“AT & T”), which at the time was the exclusive provider of data services for this version of the iPad. Customers registered their accounts with AT & T over the Internet on a website that AT & T controlled. In the registration process, customers were assigned a user identifier (“user ID”) and created a password—login credentials that they would need in order to access their accounts through AT & T's website in the future. The user ID assigned to each customer was that customer's email address.

AT & T decided to make it easier for customers to log into their accounts by prepopulating the user ID field on the login screen with their email addresses. To do this, AT & T programmed its servers to search for an iPad user's Integrated Circuit Card Identifier (“ICC–ID”) when a user directed her browser to AT & T's general login webpage (AT & T's “URL” 1). An ICC–ID is the unique nineteen- or twenty-digit number that identifies an iPad's Subscriber Identity Module, commonly known as a SIM Card. The SIM Card is the computer chip that allows iPads to connect to cellular data networks.

If AT & T's servers recognized the ICC–ID as associated with a customer who had registered her account with AT & T, then AT & T's servers would automatically redirect the customer's browser away from the general login URL to a different, specific URL. That new specific URL was unique for every customer and contained the customer's ICC–ID in the URL itself. Redirecting the customer's browser to the new specific URL told AT & T's servers which email address to populate in the user ID field on the login page. This shortcut reduced the amount of time it took a customer to log into her account because, with her user ID already populated, she had to enter only her password.2

Daniel Spitler, Auernheimer's co-conspirator, discovered this feature of AT & T's login process. Although he did not own an iPad, he purchased an iPad SIM Card, hoping to install it on another computing device and then take advantage of the unlimited cellular data plan that AT & T offered for $30 per month. At first, he did not know how to register his SIM Card, so he downloaded the iPad operating system onto his computer, decrypted it, and browsed through the operating system's code to try to find a way to register it. In the course of doing so, he came across AT & T's registration URL. He noticed that one of the variables in the registration URL was a field requiring an ICC–ID.

Spitler then directed his computer's web browser to the registration URL and inserted his iPad's ICC–ID in the requisite place. AT & T's servers were programmed only to permit browsers that self-identified as iPad browsers to access the registration URL. This required him to change his browser's user agent. A user agent tells a website what kind of browser and operating system a user is running, so servers that someone is attempting to access can format their responses appropriately. App. 256.

After changing his browser's user agent to appear as an iPad, Spitler was able to access the AT & T login page. He noticed that his email address was already populated in the login field and surmised that AT & T's servers had tied his email address to his ICC–ID. He tested this theory by changing the ICC–ID in the URL by one digit and discovered that doing so returned a different email address. He changed the ICC–ID in the URL manually a few more times, and each time the server returned other email addresses in the login field.
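The design weakness described above, set beside one possible correction, as an added example that is not part of the opinion and is not AT & T's code. The function names, the account table, the sample ICC–IDs and the token scheme are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: ICC-ID -> registered email (not real identifiers).
ACCOUNTS = {
    "8901410000000000001": "alice@example.com",
    "8901410000000000002": "bob@example.com",
}
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


def prefill_weak(icc_id: str, user_agent: str) -> str:
    """Behaviour the opinion describes: the only gate is the self-reported
    User-Agent, and the lookup key is the ICC-ID taken from the URL."""
    if "iPad" not in user_agent:
        return ""
    return ACCOUNTS.get(icc_id, "")


def issue_prefill_token(icc_id: str) -> str:
    """Hypothetical fix: at registration the server gives the device an
    unguessable token bound to its ICC-ID (HMAC under a server-side key)."""
    return hmac.new(SERVER_KEY, icc_id.encode(), hashlib.sha256).hexdigest()


def prefill_hardened(icc_id: str, token: str) -> str:
    """Return the email only when the caller holds the token issued for this
    ICC-ID; the User-Agent plays no part in the decision."""
    expected = issue_prefill_token(icc_id)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return ""  # same empty answer for unknown and unauthorised ICC-IDs
    return ACCOUNTS.get(icc_id, "")
```

In the weak form, knowing or guessing an identifier is the whole authorization check; in the hardened form, a token issued for one ICC–ID returns nothing for any other.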

Spitler concluded that this was potentially a noteworthy security flaw. He began to write a program that he called an “account slurper” that would automate this process. The account slurper would repeatedly access the AT & T website, each time changing the ICC–ID in the URL by one digit. If an email address appeared in the login box, the program would save that email address to a file under Spitler's control.

Spitler shared this discovery with Auernheimer, whom he knew through Internet-based chat rooms but had never met in person. Auernheimer helped him to refine his account slurper program, and the program ultimately collected 114,000 email addresses between June 5 and June 8, 2010. Its method—guessing at random—is called a “brute force” attack, a term of art in the computer industry referring to an inefficient method of simply checking all possible numbers.
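How a server operator could have noticed the pattern described above in its access logs, as an added example that is not part of the opinion. The log layout, the `/login` path, the `icc_id` parameter name, the addresses and the thresholds are assumptions, and every log line is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

BASE = 8901410000000000100  # constructed 19-digit value, not a real ICC-ID
# Constructed log lines: "<ISO time> <client address> <request target>".
SAMPLE_LOG = [
    f"2010-06-05T10:00:0{i} 198.51.100.7 /login?icc_id={BASE + i}"
    for i in range(6)
] + [
    f"2010-06-05T10:0{i}:00 203.0.113.20 /login?icc_id=8901410000000000042"
    for i in range(4)
]


def parse(line):
    """Split one log line into (timestamp, client, ICC-ID from the query)."""
    ts, client, target = line.split(" ", 2)
    icc = parse_qs(urlsplit(target).query).get("icc_id", [""])[0]
    return datetime.fromisoformat(ts), client, icc


def enumerating_clients(lines, max_distinct=3, window=timedelta(minutes=1)):
    """Map each client that presented more than max_distinct different
    ICC-IDs inside a sliding window to the largest count seen. A SIM card
    has a single ICC-ID, so a genuine device keeps presenting one value."""
    recent = defaultdict(deque)  # client -> (time, icc_id) pairs in window
    flagged = {}
    for line in lines:
        ts, client, icc = parse(line)
        if not icc.isdigit():
            continue  # ignore requests without a well-formed identifier
        seen = recent[client]
        seen.append((ts, icc))
        while ts - seen[0][0] > window:
            seen.popleft()  # drop requests that fell out of the window
        distinct = len({value for _, value in seen})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


if __name__ == "__main__":
    print(enumerating_clients(SAMPLE_LOG))
```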

While Spitler's program was still collecting email addresses, Auernheimer emailed various members of the media in order to publicize the pair's exploits. Some of those media members emailed AT & T, which immediately fixed the breach. One of the media members contacted by Auernheimer was Ryan Tate, a reporter at Gawker, a news website. Tate expressed interest in publishing Auernheimer's story. To lend credibility to it, Auernheimer shared the list of email addresses with him. Tate published a story on June 9, 2010 describing AT & T's security flaw, entitled “Apple's Worst Security Breach: 114,000 iPad Owners Exposed.” The article mentioned some of the names of those whose email addresses were obtained, but published only redacted images of a few email addresses and ICC–IDs.

Evidence at trial showed that at all times relevant to this case, Spitler was in San Francisco, California and Auernheimer was in Fayetteville, Arkansas. The servers that they accessed were physically located in Dallas, Texas and Atlanta, Georgia. Although no evidence was presented regarding the location of the Gawker reporter, it is undisputed that he was not in New Jersey.

B.

Despite the absence of any apparent connection to New Jersey, a grand jury sitting in Newark returned a two-count superseding indictment charging Auernheimer with conspiracy to violate the CFAA, 18 U.S.C. § 1030(a)(2)(C) and (c)(2)(B)(ii), in violation of 18 U.S.C. § 371 (count one), and fraud in connection with personal information in violation of 18 U.S.C. § 1028(a)(7) (count two, commonly referred to as “identity fraud”). To enhance the potential punishment from a misdemeanor to a felony, the Government alleged that Auernheimer's CFAA violation occurred in furtherance of a violation of New Jersey's computer crime statute, N.J. Stat. Ann. § 2C:20–31(a). See 18 U.S.C. § 1030(c)(2)(B)(ii).

Auernheimer moved to dismiss the superseding indictment shortly after it was returned by the grand jury. In addition to asserting several challenges concerning the CFAA violation, he argued that venue was not proper in the District of New Jersey. The District Court acknowledged that neither he nor Spitler was ever in New Jersey while allegedly committing the crime, and that the servers accessed were not in New Jersey, but denied his motion nonetheless. It held that venue was proper for the CFAA conspiracy charge because Auernheimer's disclosure of the email addresses of about 4,500 New Jersey residents affected them in New Jersey and violated New Jersey law. It further held that because venue was proper for the CFAA count, it was also proper for the identity fraud count because proving the CFAA violation was a necessary predicate to proving the identity fraud violation.

Auernheimer's trial lasted five days and resulted in a guilty verdict on both counts. Initially, both parties requested a jury instruction on venue. App. 575. Venue is a question for the jury and the court “must specifically instruct the jury on venue” if “(1) the defendant objects to venue prior to or at the close of the prosecution's case-in-chief, (2) there is a genuine issue of material fact with regard to proper venue, and (3) the defendant timely requests a jury instruction.” United States v. Perez, 280 F.3d 318, 334 (3d Cir.2002). Although Auernheimer objected to venue and requested an instruction, the District...
