(Reuters) - A federal appeals court on Friday unanimously threw out the conviction of an Arkansas man for stealing the personal data of about 120,000 Apple iPad users, including big-city mayors, a TV news anchor and a Hollywood movie mogul.
The reason: Prosecutors brought the case in the wrong state.
The 3rd U.S. Circuit Court of Appeals said the prosecution of Andrew Auernheimer did not belong in New Jersey, hundreds of miles from his alleged crimes, and as a result, his November 2012 conviction and 41-month prison sentence could not stand.
It was not immediately clear when he might be released.
Writing for a three-judge panel, Circuit Judge Michael Chagares also admonished prosecutors that the Internet’s “ever-increasing ubiquity” did not give the government carte blanche to prosecute cybercrime wherever it wishes.
“Venue in criminal cases is more than a technicality; it involves matters that touch closely the fair administration of criminal justice and public confidence in it,” Chagares wrote.
“Cybercrimes do not happen in some metaphysical location that justifies disregarding constitutional limits on venue.”
Auernheimer, who went by the names Weev, Weelos and Escher, had been convicted by a Newark jury of one count of conspiracy to violate the federal Computer Fraud and Abuse Act by accessing AT&T Inc servers, and one count of identity theft.
“The court merely determined that the Department of Justice brought this case in the wrong state, and we are reviewing our options,” said Matthew Reilly, a spokesman for U.S. Attorney Paul Fishman in New Jersey, who handled the prosecution.
Auernheimer, 28, has spent about one year in prison and had been serving his sentence at a low-security facility in Allenwood, Pennsylvania, federal records show.
Orin Kerr, a law professor at George Washington University who argued Auernheimer’s appeal, did not immediately respond to requests for comment.
“This prosecution presented real threats to security research,” said Hanni Fakhoury, a lawyer for the Electronic Frontier Foundation, who also worked on Auernheimer’s case. “Hopefully this decision will reassure that community.”
The alleged conspiracy took place in 2010, and involved a co-defendant, Daniel Spitler, and the group Goatse Security.
Prosecutors said Auernheimer used an “account slurper” to extract data about iPad users from AT&T servers, and then shared information with a reporter for the website Gawker who wrote an article naming some well-known people with compromised emails.
Among those affected were ABC News anchor Diane Sawyer, former New York City Mayor Michael Bloomberg, Chicago Mayor Rahm Emanuel and Hollywood movie producer Harvey Weinstein.
But the 3rd Circuit said that at all relevant times, Auernheimer was in Fayetteville, Arkansas; Spitler in San Francisco, and the servers in Atlanta and Dallas. It was also undisputed that the Gawker reporter was not in New Jersey.
Chagares said this meant that by being hauled more than 1,000 miles to the Newark courtroom of U.S. District Judge Susan Wigenton, Auernheimer was denied his “substantial right” to be tried where he allegedly committed his crimes.
“When people commit crimes, we have the ability and obligation to ensure that they do not stand to account for those crimes in forums in which they performed no ‘essential conduct element’ of the crimes charged,” Chagares wrote.
Fishman had argued that New Jersey was a proper forum in part because more than 4,500 residents were affected, and because the Gawker article could be read there.
The 3rd Circuit did not rule on Auernheimer’s claim that a lack of security protections left the email data accessible to the public, such that he did not obtain “unauthorized access.”
Spitler pleaded guilty in June 2011 and was sentenced in January to three years probation. Susan Cassell, his lawyer, did not immediately respond to requests for comment.
The appeal is Auernheimer v. U.S., 3rd U.S. Circuit Court of Appeals, No. 13-1816.
Reporting by Jonathan Stempel in New York; Editing by Jonathan Oatis, Bernadette Baum and Lisa Shumaker