[Update 12:12pm PST: with news about EFF and others joining the defense team for Auernheimer's appeal.]
A hacker charged with federal crimes for obtaining the personal data of more than 100,000 iPad owners from AT&T's publicly accessible website was sentenced on Monday to 41 months in prison followed by three years of supervised release.
The judge handed down the sentence following a minor skirmish in the courtroom when the defendant, Andrew Auernheimer, aka Weev, was pinned and cuffed. Auernheimer was reportedly asked to hand the court a mobile phone he had with him during the hearing, and after handing it to his defense attorney instead, court agents cuffed him.
Andrew Auernheimer, 26, of Fayetteville, Arkansas, was found guilty last November in federal court in New Jersey of one count of identity fraud and one count of conspiracy to access a computer without authorization after he and a colleague created a program to collect information on iPad owners that had been exposed by a security hole in AT&T's website.
The two essentially wrote a program to send GET requests to the website.
The controversial case is one of a string of highly criticized prosecutions of security researchers who have been charged with serious computer crimes under the Computer Fraud and Abuse Act, prompting calls for reform of the legislation to make clear distinctions between criminal hacking and simple unauthorized access and to protect researchers whose activities are not criminal in intent.
Computer security researcher Charlie Miller tweeted Monday morning in reference to Auernheimer's case that any security researcher could be facing the same fate.
Auernheimer and Daniel Spitler, 26, of San Francisco, California, were charged last year after the two discovered a hole in AT&T's website in 2010 that allowed anyone to obtain the e-mail address and ICC-ID of iPad users. The ICC-ID is a unique identifier that's used to authenticate the SIM card in a customer's iPad to AT&T's network.
The iPad was released by Apple in April 2010. AT&T provided internet access for some iPad owners through its 3G wireless network, but customers had to provide AT&T with personal data when opening their accounts, including their e-mail address. AT&T linked the user's e-mail address to the ICC-ID, and each time the user accessed the AT&T website, the site recognized the ICC-ID and displayed the user's e-mail address.
Auernheimer and Spitler discovered that the site would leak e-mail addresses to anyone who provided it with an ICC-ID. So the two wrote a script, which they dubbed the "iPad 3G Account Slurper," to mimic the behavior of numerous iPads contacting the website in order to harvest the e-mail addresses of iPad users.