This article originally appeared on Motherboard.
A federal court decided on Friday to vacate the conviction of Andrew “weev” Aurenheimer, the “web's most notorious troll,“ who was charged for accessing a computer without authorization after he discovered a breach in AT&T’s website that allowed him to acquire the information of some 120,000 iPad subscribers.
This is a swift response to an appeals hearing held just two weeks ago, in which the defense argued that among the problems with Aurenheimer's conviction was the issue of venue — the defense, led by the law professor Orin Kerr, argued that it was improper and arbitrary that the case was prosecuted in New Jersey, where none of the alleged criminal activity occurred.
The judges agreed. As they put it in the decision handed down today, "Because we conclude that venue did not lie in New Jersey, we will reverse the District Court’s venue determination and vacate Auernheimer’s conviction."
It's an interesting ruling, and one that many observers of weev's appeals hearing thought a likely outcome.
"Almost the entire thing was about venue," Tor Ekeland, an attorney who also represents Auernheimer, told me after the hearing in March. he speculated that weev was tried in New Jersey simply because the state had a major computer crimes division; it had no relevance to the case. "Nothing happened in New Jersey. No victims, no possession."
The decision allows the state to vacate what many considered to be an overzealous prosecution — which led to 41 months in prison — without reconsidering the fundamentals of the outmoded law he was convicted under, the heavily criticized Computer Fraud and Abuse Act.
That law, a relic of the 80s, is extremely ambiguous, and many commentators say it leaves room for overly aggressive prosecution. Aurenheimer was convicted of accessing a computer without authorization, after all. The federal prosecutor at the appeals hearing clearly demonstrated he barely understood what it was that weev did, nor how or why he should be punished for it.
Meanwhile, weev has not been acquitted; the ruling has just been 'vacated.' That means that he can still be retried in another venue—either Oklahoma, where weev was when he sent the data, or New York, the location of the Gawker offices where it ended up.
Still, venue is an important issue, and the court has made a potentially game-changing decision on how internet crimes can be prosecuted. From the decision:
Venue in criminal cases is more than a technicality; it involves “matters that touch closely the fair administration of criminal justice and public confidence in it.” United States v. Johnson, 323 U.S. 273, 276 (1944). This is especially true of computer crimes in the era of mass interconnectivity.
Furthermore, the case was built on having New Jersey as a venue, as one observer points out at Hacker News: "One reason this matters is that the CFAA charges that were applied to Auernheimer depended in part on NJ state law. In fact, the specifics of NJ state computer crime law might have been the reasons prosecutors stretched venue so much to get the case located there. But with the Appeals Court determining that the NJ venue was invalid, the whole framework of the case falls apart."
This should result in more consideration being made to how and where internet crimes can be prosecuted. Without this clarification, it was feasible that a hacker in Hawaii could be arrested and prosecuted in Florida for sending data to a server in New York; the sky was, essentially the limit. What precedent this sets in future hacking cases remains to be seen. But for the moment, the ruling simply means that weev is free, at least for now.
Follow Brian Merchant on Twitter: @bcmerchant
Photo via Wikimedia Commons