Back in 2010 when the original iPad released, hackers exploited a loophole in AT&T’s online systems to gain email addresses of of over 114,000 iPad 3G owners. The loophole was largely silliness on the part of AT&T, whose systems tied the iPad’s ICC-ID (a unique SIM card id) to customer’s email addresses, and auto populated the email field of a webpage based on the id. By guessing the ICC-ID and sending it to AT&T’s servers, the hackers were able to retrieve the email addresses without really having to “break in.”
The hackers, operating under “Goatse Security,” were later arrested, and today one of them has now been convicted by a New Jersey court for identity fraud and conspiracy to access a computer without authorisation. The convicted hacker, Andrew Auernheimer, faces two consecutive five-year charges.
The 1986 Computer Fraud and Abuse Act, which Auernheimer was found to have violated, predates the web and contains language that is frequently criticized for being unintelligibly vague in an era of ubiquitous networked computers. The Act makes it illegal to “access a computer without authorization or exceed authorized access” on any “protected computer”
Auernheimer said to the press, “the ‘protected computer’ is any network computer. You access a protected computer every day,” before asking rhetorically, “have you ever received permission from Google to go to Google?”
Andrew tweeted that he wasn’t surprised by the decision, and that he plans to file an appeal:
Hey epals don’t worry! We went in knowing there would be a guilty here. I’m appealing of course.
— Andrew Auernheimer (@rabite) November 20, 2012