After more than a year in appeals, Andrew "Weev" Auernheimer's conviction has been vacated, overturning the earlier ruling that sentenced the trollish security researcher to 41 months in prison. The original case was tried in New Jersey, but the appeals court found the venue to be totally unrelated to the case, as neither Auernheimer nor AT&T's servers were in the state, and the government failed to establish any further connection to justify the venue.

For the moment, Auernheimer is still in custody at Allenwood Federal Penitentiary, but it's expected that he will be released in the coming days. The appeals decision did not address the thornier issues of the Computer Fraud and Abuse Act, as many reformers had hoped, but it stands as a firm rebuke of many of the tactics used in the original prosecution. Judges seemed sympathetic to the larger case, noting that Auernheimer "simply accessed the publicly facing portion of the login screen," but since the ruling focused on the venue issue, it's unlikely to stand as a larger precedent.

As for Auernheimer himself, the future is unclear. The government may attempt to try him again in a more appropriate venue (the court suggested Arkansas, where he lived at the time of the attack), but a second prosecution might fall prey to double jeopardy rules, which prevent a defendant from being tried twice for the same crime. EFF's Hanni Fakhoury, who helped mount the appeal, said such a prosecution would be unwise, but "we're happy to litigate if we have to."