On April 11, 2014, Andrew Auernheimer, better known by his Internet alias "Weev," was released from Allenwood Federal Correctional Center in Pennsylvania after serving just under 13 months of a 41-month sentence for data and identity theft. He seems intent on being sent back there as soon as possible.
Auernheimer, 28, is notorious in certain circles online—Gawker has called him a "master troll" and "the Internet's best terrible person"—whose exploits the media has documented since at least 2008, when the New York Times Magazine wrote that "Weev … is legendary among trolls." But the legal battle that led to his imprisonment and release began in 2010, when Auernheimer and other members of the IT community discovered that AT&T was storing iPad 3G customer records, including ostensibly protected data, on a public server. After designing a script to retrieve this data, including some belonging to celebrities, journalists, and the White House chief of staff, Auernheimer and his associates handed it to Gawker.
That caught the attention of the FBI. After several false starts and a few shifting charges, Auernheimer was indicted for conspiracy and identity theft under the 1986 Computer Fraud and Abuse Act. In 2011, he was extradited to New Jersey to stand trial. His defense then, as now, is that the data he “stole” was already public. “I never broke into anything,” he told me recently. “Data was aggregated from this public resource and given to a journalist. The supposed victim in this case didn’t even think it was victimized.”
But the government prevailed. In prison, Weev spent a good chunk of time in solitary—retribution, he claims, for continuing to speak out about the case. By 2014, conditions had worsened. “I was not only in solitary,” he said, “but I had just started a hunger strike. To further punish me in solitary they stopped delivering my mail to me, refused to let me mail my attorney about the conditions I was living under, would not let me have my newspaper or magazine subscriptions, or my books.”
The hunger strike ended earlier this month after only four days, when the Third Circuit Court of Appeals vacated Auernheimer’s conviction on a technicality: Since neither Auernheimer nor the AT&T servers he accessed were located in the state of New Jersey, the original trial had run afoul of the Constitution. “Cybercrimes,” Circuit Judge Michael Chagares declared, “do not happen in some metaphysical location that justifies disregarding constitutional limits on venue.”
But Auernheimer isn't pleased with the ruling, wishing it had addressed “the far more important issue of the Computer Fraud and Abuse Act.” “The CFAA is a law written under the Reagan administration at a time when there was no Internet," he explained. "It makes 'unauthorized access' to a 'protected computer' a criminal act. The problem is that a 'protected computer' is defined under the statute as anything with a network connection. This worked in the eighties when there was no internet and nobody accessed public web services. Now people interact with hundreds of such computers every day. You have never received a letter from Google authorizing you to do a Google search."
In the wake of his release, Auernheimer even expressed a willingness to return to court in order to force a ruling on the CFAA. “If I am indicted on this case in another district, I will not file a motion to dismiss for cause of double jeopardy,” he said.
He won’t get that chance. Last week, the government dismissed its indictment against Auernheimer, precluding a retrial in a more appropriate venue. But now that he’s a free man, Weev’s got plans for the future that might yet land him right back in court.
My interview earlier this month with Auernheimer was not the first time we had spoken. As a teenager in the mid-aughts, I fancied myself an up-and-coming internet troublemaker, and so Weev and I met where all nascent trolls hung out at the time: LiveJournal. We met in person a number of times: If you look closely enough, you can even spot a much younger me in the background of photos from a somewhat disastrous trip to the 2006 ToorCon security conference in San Diego.
By the time of his arrest, Auernheimer and I had long lost touch. I heard about his legal troubles from mutual friends, but was only able to follow his legal travails like every other outsider interested in the story—that is, mostly through Gawker. Since his release, Weev has done his fair share of celebrating, but he's also working on a new approach to his pet cause: creating incentives for data companies “to do the right thing.”
Right now, those incentives don’t exist—or rather, he says, they're overwhelmed by a contrary system of motivations designed to protect corporate and government interests at the expense of the public. “The government wants you to sell [information security] problems you find exclusively to organizations like the NSA, so that they can use them to illegally spy on Americans. People in my community refuse to do this, so we are outsiders and the government does everything they can to inhibit our ability to make a living. If we still persist after they harass us into poverty, they throw us in prison.”
Wary of the consequences that come from crossing the Feds, “most people in the information security industry sell software problems to governments in secret, instead of disclosing them to the public as they should.” Auernheimer says he gave AT&T's iPad data to the press so that "customers could be informed of the negligence with which AT&T and Apple treated their data. This is the only way consumers can make informed decisions about which companies they want to do business with.”
So how does Auernheimer plan to help consumers make those “informed decisions,” and avoid impoverishing himself in the process? He says he plans to start a hedge fund, conspicuously named “TRO LLC.”
“The strategy is short equities—like all short sellers, I am looking to publicize flaws in publicly traded companies,” he said. “However, instead of financial problems, I will be looking for companies with poorly written software that breach the implicit promise of safety that they give when they take data from their customers. When someone affiliated with our fund identifies negligent privacy breaches at a public web service, we will take a short position in that company’s shares and then tell the media about it.”
That, of course, will have financial consequences for the company in question, and could also bring a cash windfall to anyone—like Auernheimer—holding the short position.
Auernheimer insists he just wants to incentivize companies to protect customer data, but given the potential profitability of TRO LLC, one wonders whether or not the ethical crusade is merely cover for a scheme designed to make Auernheimer rich. From our conversation, I suspect he doesn’t see a conflict between the two motives, even in principle. His repeated references to “free market ideals” and hostility toward the government reflect the kind of digital libertarianism in vogue today.
But when pressed, Auernheimer provides a second explanation—that he also wants to motivate other information-security specialists to disclose security holes, presumably through his company. “Right now, the only incentive is to do something very wrong—to sell software vulnerabilities in secret to government which use them to spy on people illegally,” he said. “We can already get rich doing that. I’m trying to make it so people can still pay their bills doing the right thing: coming forward and informing the public of software issues of social importance.”
If that sounds quite a lot like what landed Auernheimer in prison in the first place, it is. And perhaps that’s part of the point: Weev wants a ruling on the validity of the Computer Fraud and Abuse Act, and again disclosing information in a way that could fall afoul of it—this time even more brazenly—could force another trial, especially if the Department of Justice is still intent on punishing Auernheimer.
But operating under the auspices of a hedge fund might both weaken and complicate Auernheimer’s case, according to legal experts. Whereas in 2010 he disclosed AT&T security data supposedly for the public good, profiting from such disclosures would be a more serious breach of the CFAA. This might lead to his being charged again—and therefore having another opportunity to challenge the CFAA—but would also make the case less useful as a constitutional test of the law in general.
That, at least, would still allow Auernheimer his (second) day in court. But according to Dr. Zhiwu Chen, a professor at the Yale School of Management and an expert on hedge funds, there’s another hiccup. Rather than force another trial under the CFAA, Auernheimer’s new plan could lead to an indictment under an even older statute: The 1934 Securities Act.
If TRO LLC has knowledge of a security flaw in a publicly traded corporation and buys short positions in that company before leaking knowledge of the flaw to the public, Chen says, “the basic point is that the hedge fund has traded ahead of the general public investor community.” This, he says, would violate at least the “most strict interpretation” of the securities law. But, Chen adds, not all financial and legal scholars agree here. “Some scholars would counter-argue that we need those with first-hand information about publicly traded companies’ products or services. When [the hedge fund] has that information and then trades based on it, it would be helping the stock market to make the stock price reflect the private information they knew ahead of the general public.” That, Chen says, would be “making a positive contribution.”
The many legal risks don’t worry Auernheimer. Rather, he says, they're essential to his mission: “I am obviously attempting to assert my rights, regardless of seditious judicial radicals that want to try me for it.”