Auernheimer, a hacker and member of Goatse Security, was sentenced to spend 41 months in prison for his role in the harvesting and publishing emails and AT&T authentication IDs of 114,000 early-adopters of Apple's iPad in 2010. Among the compromised accounts and email addresses were those of high-profile military officials, politicians, and CEOs.
At the time, Auernheimer and his co-defendant Daniel Spitler argued that they first tried to warn AT&T about the security hole that allowed them (or, indeed, anyone) to harvest the information in question, but after being ignored by them, they publicized the fact via Gawker in order to push AT&T to solve the problem.
They also pointed out that they didn't make the harvested information public.
After both were charged, Spitler pleaded guilty to one count of conspiracy to gain unauthorized access to computers and one count of identity theft in 2011, and received three years of probation.
Auernheimer went on to battle the charges in court, and was sentenced in March 2013 by a New Jersey federal court - despite the fact that he lived in Arkansas, and the servers he and Spitler accessed were located in Texas and Georgia.
And, as it turned out, it is precisely this discrepancy that made the US Court of Appeals for the Third Circuit vacate the conviction.
"Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue," the judges noted.
“Venue in criminal cases is more than a technicality; it involves ‘matters that touch closely the fair administration of criminal justice and public confidence in it,’” the judges explained in their opinion. “This is especially true of computer crimes in the era of mass interconnectivity. Because we conclude that venue did not lie in New Jersey, we will reverse the District Court’s venue determination and vacate Auernheimer’s conviction.”
However you put it, this is good news for Auernheimer, although it is still unknown whether he will be tried again in Texas or Georgia.
The "complex and novel issues that are of great public importance in our increasingly interconnected age" the judges noted in the decision are those raised by Auernheimer's attorneys and concern the alleged wrongful application of the Computer Fraud and Abuse Act (CFAA).
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.