About 18 months ago, 27-year-old Andrew Auernheimer was found guilty of one count of conspiracy to access AT&T Inc. servers without consent. He was sentenced to 41 months in prison, a fine and supervised release.

[Correction on September 9: Auernheimer tells me that his appeal is over, he won and he's out of the slammer. He's right.]

The case was successfully appealed and for good reason. The server held email addresses (and no other personal information) of registered iPad buyers, but AT&T had not taken any measures to control access to the server in question. Auernheimer saw, from the process of registering for AT&T service, that this particular server was being queried for the email address. Retrieving the contents of the server at that point only required a web browser.

Yet the federal government called this a felony, specifically unauthorized access under the Computer Fraud and Abuse Act. So I have to wonder whether the same logic applies to law enforcement, such as when they located the servers running the Silk Road marketplace on Tor, which the government claims they did by following addresses leaked because the server was misconfigured. (See the full government brief at the bottom of this story.)

As Professor Orin Kerr of the George Washington University Law School says on the Volokh Conspiracy blog, if Auernheimer is guilty of unauthorized access, then so is the FBI. Kerr, I should note, worked on Auernheimer's appeal to the Third Circuit US Court of Appeals.

The government brief, which is a declaration by an FBI cybercrime expert, says in part (footnotes omitted):

8. Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the “Subject IP Address”) was the only non-Tor source IP address reflected in the traffic we examined. The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal. When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was “leaking” from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.

With the IP address, the FBI was eventually able to locate the alleged operator of Silk Road, Ross Ulbricht. It would seem from this description that the CAPTCHA software was running on the same server as the login interface. This is a slight difference from the Auernheimer/AT&T case, where the email addresses were on a separate server, but it's a distinction without a difference. In both cases, in the normal course of using the site, the user was retrieving data from the server which was violated. Auernheimer and the FBI went on to access it differently and directly. If it's unauthorized access for Auernheimer, it is for the FBI as well.

Kerr presents many other arguments in defense of Auernheimer. The question of whether this kind of access violates the CFAA at all works, at least more immediately, in favor of the defense of Ulbricht.