White Hat Hacker Faces Jail Time For Exposing AT&T’s Incompetence
A jury could find Andrew Auernheimer guilty of identity theft and conspiracy to gain unauthorized access to computers. He faces up to 10 years in prison for exposing AT&T's own mistake.
Many online security experts, known colloquially as ‘white hatters’ or ‘white hat’ hackers, are watching the legal case against Andrew Auernheimer, who is accused of hacking into an AT&T website. They say that if he is convicted, the case could jeopardize the way we use the Internet and set a precedent for how someone is prosecuted for using it.
White hat hackers look for flaws in websites and servers and then report what they find to the company or its security firm so that the needed changes can be made. Their purpose is clear: to prevent malicious hackers, or ‘black hat’ hackers, from exploiting vulnerable websites.
According to Andrew Auernheimer’s defense, in June 2010 AT&T ‘published’ the names of numerous iPad 3G users’ e-mail on its public web server. According to Auernheimer, AT&T had no password set up for the data, no firewall, and no authorization of any kind in place to prevent members of the public from accessing it. Auernheimer took the data and gave it to a journalist to publish because he felt the company was putting many users’ data at risk. However, instead of receiving positive feedback, he found that AT&T pressed charges against him and accused him of stealing company data. Auernheimer is now looking at 10 years in prison for ‘hacking’.
The crimes he is accused of are defined in the Computer Fraud and Abuse Act (CFAA). He is being tried as a criminal for posting information that was publicly available, but prosecutors say he should have given the data to AT&T or the FBI instead of a journalist.
The charges against Mr. Auernheimer are brought under USC 1030, “Conspiracy to access a computer device without authorization”. He is also said to have violated a New Jersey state statute that uses the term ‘discloses’, which means that the act of giving the information to another individual, including a journalist, is a criminal act. Furthermore, he is being charged under USC 1028, which covers identity theft, simply because he possessed the names that AT&T had listed on the web server.
Many experts agree that Auernheimer’s case is unique and that it makes white hatters more reluctant to reveal any of the information they have found online. In a Huffington Post article about Auernheimer’s case, Jeremiah Grossman, founder of White Hat Security, was quoted as saying, “If other researchers find flaws but are scared about disclosing them, that's going to give them pause. And that makes it easier for the bad guys to put people at risk.”
Dave Aitel of the security firm Immunity stated that a conviction could trickle down to other parts of the industry or bring a flood of new cases involving matters such as this. “If they manage to make it stick,” said Aitel, “the collateral damage is all of us.”