United States v. Andrew Auernheimer

Court of Appeals for the Third Circuit
748 F.3d 525 (2014)

ELI5:

Rule of Law:

For federal computer crimes prosecuted under the Computer Fraud and Abuse Act, venue is only proper in a district where an essential conduct element of the offense occurred, not in a district where the effects of the crime were merely felt by resident victims.

Facts:

In 2010, AT&T was the exclusive 3G data provider for Apple's first iPad.
AT&T's website had a feature that automatically populated a customer's email address on the login screen by using a unique URL containing the customer's Integrated Circuit Card Identifier (ICC-ID).
Daniel Spitler, located in San Francisco, California, discovered that by altering the ICC-ID number in the URL, he could cause AT&T's servers to reveal the email addresses of other customers.
Spitler collaborated with Andrew Auernheimer, who was located in Fayetteville, Arkansas, to create an automated script called an "account slurper" that used a "brute force" attack to guess thousands of ICC-IDs.
Between June 5 and June 8, 2010, the script accessed AT&T's servers, which were physically located in Dallas, Texas and Atlanta, Georgia, and collected approximately 114,000 email addresses of iPad users.
Auernheimer provided the list of collected email addresses to a reporter for the news website Gawker to publicize the security vulnerability; the reporter was not located in New Jersey.

Procedural Posture:

A federal grand jury sitting in Newark, New Jersey returned a superseding indictment charging Andrew Auernheimer with conspiracy to violate the CFAA and with identity fraud.
Auernheimer filed a pre-trial motion in the U.S. District Court for the District of New Jersey to dismiss the indictment, arguing that venue was improper.
The District Court denied Auernheimer's motion to dismiss.
After a five-day trial, a jury found Auernheimer guilty on both counts.
The District Court sentenced Auernheimer to forty-one months of imprisonment.
Auernheimer, as appellant, timely appealed his conviction to the U.S. Court of Appeals for the Third Circuit.

Premium Content

Subscribe to Lexplug to view the complete brief

You're viewing a preview with Rule of Law, Facts, and Procedural Posture

Issue:

Is venue for a criminal prosecution under the Computer Fraud and Abuse Act (CFAA) proper in a district where none of the defendant's or his co-conspirator's criminal conduct occurred, but where a portion of the victims of the resulting data breach reside?

Opinions:

Majority - Chagares

No, venue is not proper in a district where no essential criminal conduct occurred. The Constitution's venue clauses require that a criminal trial be held in the state and district where the crime was committed. To determine this location, or 'locus delicti,' a court must identify the 'essential conduct elements' of the charged offense and find where those acts occurred. For the charged CFAA violation, the essential conduct elements are (1) accessing a computer without authorization and (2) thereby obtaining information. In this case, Auernheimer was in Arkansas, his co-conspirator was in California, and the accessed servers were in Texas and Georgia. No essential conduct element of the crime occurred in New Jersey. The government's argument that venue is proper based on the 'locus of the effect' of the crime fails because the residence of the victims is a 'circumstance element,' not an 'essential conduct element.' While some statutes define crimes by their effects (e.g., affecting interstate commerce), the specific CFAA provision here punishes only the acts of access and obtaining information, regardless of their effect on victims. Therefore, because no part of the criminal conduct occurred in New Jersey, venue was constitutionally improper.

Analysis:

This decision significantly clarifies the application of constitutional venue requirements to federal cybercrime prosecutions. It holds that the physical location of the defendant, their co-conspirators, and the accessed computers are the key determinants for venue, not the location of the victims. By rejecting a 'locus of the effects' test for this type of offense, the court limits prosecutorial discretion to 'forum shop' for favorable jurisdictions in cases with geographically dispersed victims. This precedent reinforces that traditional, place-based constitutional protections apply robustly in the internet age, requiring a tangible link between the criminal act and the forum of prosecution.

🤖 Gunnerbot:

Query United States v. Andrew Auernheimer (2014) directly. You can ask questions about any aspect of the case. If it's in the case, Gunnerbot will know.

Subscribe to Lexplug to chat with the Gunnerbot about this case.

Unlock the full brief for United States v. Andrew Auernheimer

Get access to Issue, Opinions, Analysis, Gunnerbot & more for Lexplug's entire library of premium content

Premium Feature