Wednesday, March 19, 2014

Weev’s lawyers appear in court

Some observations from today’s appeal hearing of Weev  (the notorious case of someone convicted of accessing public info).

What was it?

Andrew "Weev" Auernheimer was convicted of conspiring to violate the CFAA, and was sentenced a year ago to 41 months in jail. His lawyers appealed, the prosecutors submitted a reply brief, his lawyers submitted a reply to the reply brief. Today they got in front of the three judges of the Third Circuit Court to fight it out. Each side got to talk for 15 minutes, and the judges peppered them with questions.

The online-media

I saw representatives from Verge, Vice, and DailyDot – the typical sort of online journalism sites. I didn’t see the traditional media – judging by who I saw scribbling in their little reporter’s notebooks.


All electronics were banned -- including laptops and Kindles. I asked the guard about this. He confirmed it was “highly unusual” (his words). He showed me the signed order that for today, and only today, nobody was allowed to have electronics.

...except for Weev's attorneys. It was fun watching other attorney's complaining as they had to give up their cellphones, too.

By the way, the bomb sniffing dog I saw coming out of the courtroom was perfectly normal. According to the guards, he does it every day.

Update: I should mention, "highly unusual" for this building. There are actually two different authorities: one authority (I think they said "federal marshals") who gated access to the building, and then a Third Circuit Court guards gating access to the court room. It's the court room guards who banned everything.

Update: I asked if Hanni Fakhoury, one of Weev's lawyers who therefore could have a cellphone, could take a picture of the daily order for me. The guard got upset, stressing that all pictures inside the courthouse were completely forbidden. Hanni didn't appear too pleased getting caught up in my drama, either. :)

The courtoom

The courthouse from the outside -- because photos inside
are strictly verbotten.
The building itself was your typical dreary government office building, but the courtroom itself was very nice and modern. The far side was the “bench” for the three judges, in a nice Star Trek:NG configuration. In the back of the room were benches for the spectators, with room for about 40 of us.

The supporters

I’m not sure how many showed up. The room filled quickly and many were turned away. Unlike the sentencing hearing last year, where apparently some demonstrators were rambunctious, everyone was calm and respectful. Many wore suits, only a few had the stereotypical blue hair and piercings.

I did refrain from tearing off my clothes being dragged away shouting “HACK THE PLANET”  – barely.

The appeal

You can read the issues involved in the various briefs, such as this one:

There are two major points. The first is that the defense claims the reading of the CFAA is too broad. Weev was convicted of conspiring to access a website without authorization. But, the defense argues, AT&T had made information public, implicitly authorizing the public to access it.

The second major issue is “venue”. Weev was in Arkansas, his partner Spitner was in California, the servers in Georgia, and the company in Texas. There is absolutely nothing about New Jersey that makes it a more appropriate place to try the case.

Orin Kerr was the lead lawyer for the appeal, the guy standing up and arguing the position. He has experience appealing CFAA convictions (namely, the Lori Drew case). He has spent an enormous amount of time prepping for this. It’s the CFAA issue that he (and the cybersec community) wanted to argue.

However, the judges weren’t interested in the CFAA. What they were interested in was the “venue” issue. Orin started with the CFAA, the judges interrupted him, and spent almost all the half hour discussing the venue issue.

The Venue Issue

There are 94 federal districts in the United States. Right now there are some prosecutors in some of those districts with light case loads who want to make a name for themselves by prosecuting you for hacking. You might find yourself snapped up and shipped off to Alaska to face charges for something that has nothing to do with Alaska. (Not my argument -- reflecting the argument Orin made.)

This is the crux of the “venue” argument. Back in the 1770s, one of the “grievances” that led to the American Revolution was that colonists would be arrested and shipped back to England, where they’d be unable to defend themselves (for example, all the witnesses were back in the United States).

Therefore, not once, but twice the Constitution mentions venue (as one of the judges helpfully pointed out). According to our constitution, you can only be tried “where the crime was committed”, not shipped off to an arbitrary location to face charges.

The judges seemed partial to this issue, grilling the prosecutor to come up with a good justification why New Jersey was a constitutionally acceptable venue to try Weev – since as mentioned above, no bits of the crime were committed in New Jersey. The prosecutor had weak reasons: the FBI agent read the Gawker article in New Jersey, and some people from New Jersey were in the database grabbed by Weev’s partner – even though none of them were disclosed by Gawker.

A lot of discussion centered CFAA language: the the crime was “accessing a computer”. That “access” happened from California to Georgia. In other words, the CFAA doesn't mention "and disclosed the accessed information", and thus, no matter how much was disclosed in New Jersey, that's not the crime Weev was convicted of.

The “Harmless Error” issue

Assuming the judges agree that New Jersey was an inappropriate place to try Weev, they still might not overturn the conviction based on the “harmless error” principle, that result would’ve been the same regardless of where the trial happened.

A lot of argument was about how it’s not the result of the trial that is necessarily the harm, but the fact that the prosecutors charged Weev in the first place. As I mentioned above, it means that any prosecutor wanting to make a name for themselves can look for vague areas of cyber law and go after people anywhere in the country.  This prejudiced the prosecution from the very beginning.

For example, if the court throws out the conviction on the “venue” issue, remanding the case for retrial, it might not be retried. Georgia and California, possibly the only two appropriate venues, might decided not to prosecute, reading the CFAA law more narrowly than the New Jersey district.

Orin Kerr

Orin Kerr is a law professor, and it was fun watching him in action. He stepped up to the podium with binders upon binders of stuff he might reference when questioned.

Yet, he didn’t have to consult the papers, because he had everything on the tip of the tongue. Any question the judges came up with, Orin had a thoroughly prepared answer. I'm ignorant of the law, so this may be normal, but it impressed the heck out of me.

...although Orin isn't perfect, he's wrong about the 4rth Amendment :)

The prosecutor

I know I’m biased, but much of the prosecutor's arguments were extremely week. Whereas Orin stuck religiously to legal precedent, the prosecutor would try mere rhetoric, and a bit of snark, like the particular one I describe below.

I don't mean to disparage the prosecutor. He was neither incompetent nor evil. Our side has probably put more resources into this case than the prosecutor. Also, the judges on the panel grilled him harder -- teasing out where his argument was the weakest.

What else floats in water

At one point, for no particular reason, the prosecutor pointed out that Spitler (Weev’s partner) downloaded IOS, did some decryption, and wrote a script. He said “I don’t even understand it – but I don’t know how you could call this anything other than hacking”. This isn’t an exact quote, I had to grab the notebook/pen from the Verge reporter sitting in front of me and write down as much of the quote that I could remember.  We’ll have to wait for the transcripts to be published to get what he said exactly.

What the prosecutor said was essentially the Monty Python bit from Holy Grail: if she weighs as much as a duck, she must be a witch. BURN HER.

That the prosecutor doesn’t understand Spitler’s actions doesn’t mean Spitler is a witch – it just means the prosecutor is an uneducated villager.

What Spitler did is perfectly normal. Legitimate people do this sort of thing all the time. Engineers do this. Nerdy teenagers do this. I can teach you how to do it in a couple hours.

For example, that’s how the Google search engine came about. Before you do a search, Google must “index” the Internet. It does this by creating a script that download a complete copy of every website. If Spitler what did was some sort of evil witchcraft, then what Google does is even worse.

The precedent set by the CFAA case is to make all us engineers witches, making what we do illegal, purely because federal prosecutors don’t understand it.

Maybe there is a good reason to broadly the interpret the CFAA to cover Weev’s actions, but this snarky comment from the prosecutor isn’t it. It’s just torches and pitchfork reasoning, not valid legal theory. Weev is a controversial figure; his good will alone wouldn't bring out so many people in support. Likewise, most don't understand legal issues like venue. Instead, the thing that filled the courtroom with activists was precisely this rhetoric by prosecutors.

Predictions on the outcome

It’s impossible to say.

The judges seemed real keen on the venue argument. I suspect they’ll overturn the conviction based on that, forcing a retrial in another venue. This may be good or bad for Weev, because it means different charges can be brought (e.g. to include drug offenses).

Regardless, it’d be an awesome ruling for the cybersec community, reducing the chance us colonists in cyberspace will get sent to Hawaii for trial.

As a final note, here's a theory: judges like the venue issue because it's law, not technology. If they can throw out the conviction based on venue, then they won't need to consider the CFAA issue, either "yes" or "no". That they understand legal code better than PERL code may nudge them toward that ruling. If they uphold venue, then they'll have to spend more time reading HTTP RFCs.

Update: After this appeal, there are only two more options. The first is that the Third District re-hears the appeal en banc with all the judges instead of the panel of three in this case. The second is that the Supreme Court might take up the case. Lawyers tell me the chance of either is remote.

No comments: