Andrew Auernheimer, a hacker who was charged with accessing the personal data of over 100,000 AT&T iPad subscribers and recently had his conviction overturned, published a letter on Tuesday addressed to the New Jersey District Court, the FBI, and the Department of Justice requesting compensation for the time he’s spent in prison.
Auernheimer, an internet security expert who is also known as “weev” in several online communities, was convicted in 2012 of identity theft and unauthorized access to computers. In 2010, Auernheimer’s web security group Goatse Security had discovered a security vulnerability on AT&T’s website that allowed people to acquire the e-mail addresses and ICC-IDs of iPad users.
An ICC-ID is an identifier similar to a serial number that is used to authenticate the SIM card in a user’s iPad to the AT&T network. According to Wired, Auernheimer and his associate/co-defendant Daniel Spitler found that the security flaw was fairly simple to exploit:
The iPad was released by Apple in April 2010. AT&T provided internet access for some iPad owners through its 3G wireless network, but customers had to provide AT&T with personal data when opening their accounts, including their e-mail address. AT&T linked the user’s e-mail address to the ICC-ID, and each time the user accessed the AT&T website, the site recognized the ICC-ID and displayed the user’s e-mail address. Auernheimer and Spitler discovered that the site would leak e-mail addresses to anyone who provided it with an ICC-ID. So the two wrote a script – which they dubbed the “iPad 3G Account Slurper” – to mimic the behavior of numerous iPads contacting the web site in order to harvest the e-mail addresses of iPad users.
Auernheimer and Spitler ended up acquiring the ICC-IDs and e-mail addresses of as many as 120,000 AT&T subscribers, including Diane Sawyer of ABC News, studio executive Harvey Weinstein, and New York Mayor Michael Bloomberg. Auernheimer brought the discovery to the press ahead of AT&T, and he and Spitler were arrested and charged with violating the Computer Fraud and Abuse Act.
Spitler pleaded guilty, while Auernheimer went to trial. After his conviction, Auernheimer was sentenced to 41 months in jail followed by 3 years of probation and an order to pay $73,000 in restitution to AT&T. Auernheimer appealed his conviction, arguing that the information he’d accessed was “freely available” due to AT&T’s negligence in securing its site. In an interview with CNET, he said that he exposed the flaw because “we serve the public and the reason we went public with this is because people have a right to know.”
However, Auernheimer had his conviction vacated in April on a technicality. He was tried and convicted in New Jersey, but the US Court of Appeals ruled that he had been tried in the wrong state.
Now Auernheimer is seeking restitution for the time he’s spent in prison. In his letter, Auernheimer described his discontent with his arrest, trial and conviction. “I have, over the course of 3 years, been made the victim of a criminal conspiracy by those in the federal government. This was a conspiracy of sedition and treason, perpetrated with violence by a limited number of federal agents to deprive me of my constitutional rights to a fair trial and unlawfully put me in prison,” he wrote.
Auernheimer is invoicing the government at a rate of 1 Bitcoin per hour totaling 28,296 Bitcoins, worth about $13 million in US dollars. “I do not accept United States dollars, as it is the preferred currency of criminal organizations such as the FBI, DOJ, ATF, and Federal Reserve and I do not assist criminal racketeering enterprises,” Auernheimer wrote. The letter in its entirety is available below.