United States v. Auernheimer - 748 F.3d 525 (3d Cir. 2014)

Rule:

In a criminal case, only "essential conduct elements" can provide the basis for venue in a criminal case; "circumstance elements" cannot.

Facts:

Apple, Inc. introduced the first iPad, a tablet computer, in 2010. Customers who purchased the version that had the capability to send and receive data over cellular networks (commonly referred to as "3G") had to purchase a data contract from AT&T, Inc. ("AT&T"), which at the time was the exclusive provider of data services for this version of the iPad. Customers registered their accounts with AT&T over the Internet on a website that AT&T controlled. In the registration process, customers were assigned a user identifier ("user ID") and created a password — login credentials that they would need in order to access their accounts through AT&T's website in the future. The user ID assigned to each customer was that customer's email address. AT&T decided to make it easier for customers to log into their accounts by prepopulating the user ID field on the login screen with their email addresses. To do this, AT&T programmed its servers to search for an iPad user's Integrated Circuit Card Identifier ("ICC-ID") when a user directed her browser to AT&T's general login webpage (AT&T's "URL"). An ICC-ID is the unique nineteen- or twenty-digit number that identifies an iPad's Subscriber Identity Module, commonly known as a SIM Card. If AT&T's servers recognized the ICC-ID as associated with a customer who had registered her account with AT&T, then AT&T's servers would automatically redirect the customer's browser away from the general login URL to a different, specific URL. That new specific URL was unique for every customer and contained the customer's ICC-ID in the URL itself. This shortcut reduced the amount of time it took a customer to log into her account because, with her user ID already populated, she had to enter only her password.

Daniel Spitler, Auernheimer's co-conspirator, discovered this feature of AT&T's login process. Although he did not own an iPad, he purchased an iPad SIM Card, hoping to install it on another computing device and then take advantage of the unlimited cellular data plan that AT&T offered for $30 per month. At first, he did not know how to register his SIM Card, so he downloaded the iPad operating system onto his computer, decrypted it, and browsed through the operating system's code to try to find a way to register it. In the course of doing so, he came across AT&T's registration URL. He noticed that one of the variables in the registration URL was a field requiring an ICC-ID. Spitler then directed his computer's web browser to the registration URL and inserted his iPad's ICC-ID in the requisite place. AT&T's servers were programmed only to permit browsers that self-identified as iPad browsers to access the registration URL. This required him to change his browser's user agent. After changing his browser's user agent to appear as an iPad, Spitler was able to access the AT&T login page. He noticed that his email address was already populated in the login field and surmised that AT&T's servers had tied his email address to his ICC-ID. He tested this theory by changing the ICC-ID in the URL by one digit and discovered that doing so returned a different email address. He changed the ICC-ID in the URL manually a few more times, and each time the server returned other email addresses in the login field. Spitler concluded that this was potentially a noteworthy security flaw. He began to write a program that he called an "account slurper" that would automate this process. The account slurper would repeatedly access the AT&T website, each time changing the ICC-ID in the URL by one digit. If an email address appeared in the login box, the program would save that email address to a file under Spitler's control. Spitler shared this discovery with Auernheimer. Auernheimer helped him to refine his account slurper program, and the program ultimately collected 114,000 email addresses between June 5 and June 8, 2010. While Spitler's program was still collecting email addresses, Auernheimer emailed various members of the media in order to publicize the pair's exploits. One of the media members contacted by Auernheimer was Ryan Tate, a reporter at Gawker, a news website. Tate expressed interest in publishing Auernheimer's story. To lend credibility to it, Auernheimer shared the list of email addresses with him. Tate published a story on June 9, 2010 describing AT&T's security flaw, entitled "Apple's Worst Security Breach: 114,000 iPad Owners Exposed." The article mentioned some of the names of those whose email addresses were obtained, but published only redacted images of a few email addresses and ICC-IDs.

Thus, Apple filed the instant suit. Despite the absence of any apparent connection to New Jersey, a grand jury sitting in Newark returned a two-count superseding indictment charging Auernheimer with conspiracy to violate the CFAA, 18 U.S.C. § 1030(a)(2)(C) and (c)(2)(B)(ii), in violation of 18 U.S.C. § 371 (count one), and fraud in connection with personal information in violation of 18 U.S.C. § 1028(a)(7) (count two, commonly referred to as "identity fraud"). To enhance the potential punishment from a misdemeanor to a felony, the Government alleged that Auernheimer's CFAA violation occurred in furtherance of a violation of New Jersey's computer crime statute, N.J. Stat. Ann. § 2C:20-31(a). Auernheimer moved to dismiss the superseding indictment shortly after it was returned by the grand jury. In addition to asserting several challenges concerning the CFAA violation, he argued that venue was not proper in the District of New Jersey. The District Court acknowledged that neither he nor Spitler was ever in New Jersey while allegedly committing the crime, and that the servers accessed were not in New Jersey, but denied his motion nonetheless. It held that venue was proper for the CFAA conspiracy charge because Auernheimer's disclosure of the email addresses of about 4,500 New Jersey residents affected them in New Jersey and violated New Jersey law. 

Issue:

 Is New Jersey the proper venue for Auernheimer’s trial?

Answer:

No.

Conclusion:

Count one charged Auernheimer with conspiracy to violate CFAA § 1030(a)(2)(C) and (c)(2)(B)(ii). The statute's plain language reveals two essential conduct elements: accessing without authorization and obtaining information. New Jersey was not the site of either essential conduct element. The evidence at trial demonstrated that the accessed AT&T servers were located in Dallas, Texas, and Atlanta, Georgia. App. 443-44. In addition, during the time that the conspiracy began, continued, and ended, Spitler was obtaining information in San Francisco, California, and Auernheimer was assisting him from Fayetteville, Arkansas. No protected computer was accessed and no data was obtained in New Jersey. Here, none of the essential conduct elements of a violation of the New Jersey statute occurred in New Jersey. As discussed, neither Auernheimer nor Spitler accessed a computer in New Jersey. The disclosure did not occur there either. The sole disclosure of the data obtained was to the Gawker reporter. There was no allegation or evidence that the Gawker reporter was in New Jersey. Further, there was no evidence that any email addresses of any New Jersey residents were ever disclosed publicly in the Gawker article. The alleged violation of the New Jersey statute thus cannot confer venue for count one.

Just as none of the conduct constituting the CFAA violation or its enhancement occurred in New Jersey, none of the overt acts that the Government alleged in the superseding indictment occurred in New Jersey either. The indictment listed four overt acts: writing the account slurper program, deploying the account slurper program against AT&T's servers, emailing victims to inform them of the breach, and disclosing the emails addresses obtained to Gawker. The co-conspirators collaborated on the account slurper program from California and Arkansas and deployed it against servers located in Texas and Georgia. The Government offered no evidence whatsoever that any of the victims that Auernheimer emailed were located in New Jersey, or that the Gawker reporter to whom the list of email addresses was disclosed was in the Garden State.

Count two charged Auernheimer with violating 18 U.S.C. § 1028(a)(7), which punishes anyone who "knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any [federal crime, or state or local felony]." The two essential conduct elements under § 1028(a)(7) are transfer, possession, or use, and doing so in connection with a federal crime or state felony. Starting with the latter essential conduct element, the Government charged Auernheimer with committing identity fraud "in connection with" the ordinary violation of CFAA § 1030(a)(2)(C). As should be clear by now, no conduct related to the ordinary CFAA violation occurred in New Jersey. There was also no evidence that Auernheimer's transfer, possession, or use occurred in New Jersey.