Another Hacker Hounded By The Feds, Ctd

A reader provides some excellent pushback:

The commenters you cited in the Andrew “Weev” Auernheimer case seem to be missing the point when it comes to what Auernheimer did wrong. Ryan Tate says “the jailing of Auernheimer criminalizes the act of fetching openly available data over the web.” That data was openly available in the same way your property is openly available if you forget to lock the door to your house when you go out. You should lock your doors, and companies should make sure their websites are secure, but in neither case does (or should) the failure to act grant intruders the permission to rummage around inside.

I’m a software developer, and I’ve seen and fixed exactly the type of vulnerability Auernheimer exploited. This wasn’t something he stumbled upon; he was searching for ways to access data that he knew was confidential. What’s more, according to Tate’s description of events, the vulnerability only allowed Auernheimer to access one email address at a time. I can understand the argument that groups like Auernheimer’s are providing a public service by searching for vulnerabilities in large corporate websites, and in publicly shaming corporations when they fail. If he had contacted AT&T and the media after first discovering the vulnerability, I’d probably be supporting him right now.

But that’s not what he did.

Instead, he exploited the vulnerability to extract as many email addresses as possible, and worse, shared the tools he used to do so with unknown third parties. Only then did he notify AT&T. That’s not whistle-blowing; that’s theft and the enablement of theft. What’s more, keep in mind this was personal information he stole; there’s no claim of political activism a la Aaron Swartz.

Was his sentence overly harsh? Perhaps, but I think the US sentencing guidelines are too harsh in general. Comparing his sentence to the Steubenville rapists’ is absurd; their crime was much more serious, but they’re also juveniles and he is an adult. Given his complete lack of remorse and failure to understand what he did wrong, I’m not at all surprised the judge decided to throw the book at him.

Look, I’m sympathetic to the argument that the American justice system fails to intelligently distinguish between harmful and harmless hacking activity, both by law and in prosecutorial practice. The lack of technical knowledge on the part of judges, lawyers and juries is a real problem, and likely does result in miscarriages of justice. Arguing that that is what happened here, however, strikes me as a real stretch.