Today the Mozilla Foundation joined an illustrious group of computer scientists and privacy researchers in an amicus brief the Center for Internet and Society filed in the United States Court of Appeals for the Third Circuit. Jonathan Mayer and I wrote the brief, arguing that weev's conviction in U.S. v. Andrew Auernheimer should be reversed. In the case, weev and his co-defendant noticed that AT&T’s website published iPad users’ email addresses when someone entered a URL that included an iPad’s unique identification number. The co-defendant created a script to keep entering random numbers to emulate the iPad IDs and got more than 114,000 email addresses as a result. Weev disclosed this security hole by telling journalists about the discovery and shared the list with Gawker. At trial, weev was convicted of violating the Computer Fraud and Abuse Act (CFAA) and sentenced to 41 months.
In the brief, we show that legitimate, highly valuable security and privacy research commonly employs techniques that are essentially identical to what Auernheimer did in this case. Most importantly, like Auernheimer, researchers cannot always conduct testing with the approval of a computer system’s owner. Such independent research is of great value to academics, government regulators and the public even when – often especially when – conducted without permission and contrary to the website owner’s subjective wishes. Businesses often have substantial economic, legal, and reputational interests in keeping their security flaws, privacy missteps, and other product or service shortcomings quiet. But these private, commercial desires are frequently at odds with the public interest and should not receive the force of criminal law. Such an application of the CFAA would greatly harm privacy and security and give private parties enormous power to enforce their parochial concerns against the public’s interest.
We hope that our brief will clarify the technical issues in the case and sensitize the Court to the ways that its ruling could help or harm security, privacy and user freedom online. It was a real honor to get to represent this set of amici in the case.