We at the Center for Internet and Society are writing an amicus brief on Weev's behalf. Signatories must join by JULY 5th. Email me if you want to be a signatory on the brief. My email is jennifer at law dot stanford dot edu.
That brief will argue as follows:
The Computer Fraud and Abuse Act provides both criminal and civil remedies for "intentionally access[ing] a computer without authorization . . . and thereby obtain[ing] . . . information . . . ." 18 U.S.C. § 1030(a)(2)(C). In United States v. Auernheimer, the Department of Justice has interpreted this provision to cover calling an undocumented public API. The defendant in the case, Andrew "weev" Auernheimer, assisted in querying an AT&T iPad subscription website with SIM card serial numbers. A collaborator collected subscriber email addresses that were returned by the web API, and Auernheimer publicized their findings to substantial media attention. Auernheimer was convicted; the case is on appeal in the Third Circuit. We now have a unique opportunity to influence how courts interpret the CFAA as applied to computer scientists.
We intend to inform the Third Circuit that researchers routinely investigate the security and privacy properties of public websites and APIs. Our brief will explain how many technology organizations encourage these studies and even offer a "bug bounty" cash incentive for discoveries. We will also recount examples of previous high-profile and high-impact findings that resulted from probing public APIs. Last, we will explain that under the text of the CFAA, a researcher's motives and notification process are irrelevant. Auernheimer may not have followed best practices in the security research community. But as far as the statute is concerned, if his conduct is prohibited, then much of the applied security research field is unlawful.
The final brief will be available sometime this week for signers' review before anyone must commit completely.