Petition Closed
Petitioning US Dept of Justice, US Attorney General, US District Court - NJ Eric Holder, Judge Susan Wigenton

US Dept of Justice, US Attorney General, US Federal Court - Third Circuit: Withdraw conviction of Andrew Auernheimer

This conviction is not only misguided, it serves to chill the field of computer security research, and will inevitably lead to less disclosure and a more insecure critical infrastructure.

Letter to US Dept of Justice, US Attorney General, US District Court - NJ Eric Holder, Judge Susan Wigenton

We, the undersigned, are computer security researchers. In our day-to-day work, we protect American citizens and businesses from criminals who seek to profit by illegally accessing private computers and private data. From time to time, we also encounter mistakes in programs or websites we use which lead to the inappropriate disclosure of private business or consumer information. When this happens, professional ethics dictate that we must assist the innocent victims of such security errors.

Andrew Auernheimer is a security researcher, not a criminal. When Mr. Auernheimer discovered a URL on an AT&T website which disclosed the private email addresses of over 114,000 AT&T customers, he brought this matter to the attention of the victims of AT&T's poor security practices - its customers - via the media. Accessing this URL required no "hacking" of any sort; it was available on the open Internet where anyone could use it, no password required. Indeed, we will likely never know who else already did, prior to Mr. Auernheimer. His "crime", if it can even be called that, consists of bringing a message that AT&T did not want to hear, and the prosecution contends that he should be punished for it.

We steadfastly believe that the charges against Mr. Auernheimer are not only unwarranted and misguided, but serve to chill the entire field of research into security vulnerabilities. The simple act of incrementally traversing open directories not only does not constitute "hacking", it is a commonly used method to determine the scope of public accessibility to information that should be properly secured. If we are legally barred from using non-destructive, non-invasive techniques to triage vulnerabilities, it will hamstring the security community's efforts to keep the Web safe for the public.

We urgently request that these charges against Mr. Auernheimer be dropped in the interest of national security. A conviction in his case will not only have a chilling effect on researchers like us who work to secure critical infrastructure, it will inevitably lead to other systems being compromised due to the inability of security professionals, like ourselves, to even identify such vulnerabilities without running afoul of the law. Criminals operate in secret - they don't hand their findings over to the press. Mr. Auernheimer has acted in the interest of the public, not as a criminal.