The United States Court of Appeals for the Third Circuit has held that defendant Andrew Auernheimer’s conviction for violating the Computer Fraud and Abuse Act rested on an incorrect determination by the United States District Court for the District of New Jersey that venue was proper in that district. The Court of Appeals vacated Auernheimer’s conviction. The Cyberlaw Clinic submitted an amicus brief in support of Auernheimer, on behalf of the Digital Media Law Project.
That amicus brief argued that Auerhmeimer’s conviction was improper, because the charge against him was escalated based on his alleged disclosure of information to a news website. The lower court punished Auernheimer for engaging in protected speech, and — as set forth in the brief — “the First Amendment bars the escalation of penalties for the publication of true and newsworthy information under any circumstance that does not fall into any existing exception to First Amendment protection.”
The Third Circuit’s decision is important, insofar as it reinforces key constitutional limits on the government’s power to prosecute criminal defendants in jurisdictions far removed from where they reside or where their allegedly criminal acts took place. As the Court noted:
Auernheimer was hauled over a thousand miles from Fayetteville, Arkansas to New Jersey. Certainly if he had directed his criminal activity toward New Jersey to the extent that either he or his co-conspirator committed an act in furtherance of their conspiracy there, or performed one of the essential conduct elements of the charged offenses there, he would have no grounds to complain about his uprooting. But that was not what was alleged or what happened.
That having been said, by focusing on the venue determination, the Third Circuit avoided issues raised by Auernheimer, DMLP, and other amici regarding the propriety of charging him under the CFAA for accessing and sharing information that was publicly accessible over the web via an unprotected URL. The lower court’s decision raised troubling issues regarding, among other things, the meaning of the term “access without authorization” in the Computer Fraud and Abuse Act, and the Third Circuit’s decision leaves those issues largely unresolved.