I'm a cartoonist and activist, but perhaps lesser known is I have spent a significant portion of my life working in software and web startups. Companies I've worked for have been acquired by the likes of IBM, Citrix, and Corel. I understand product development, web development, and the consumer responsibilities software and hardware companies have when creating their products.
And this is the reason I've been watching in absolute horror this week as the trial of USA vs. Andrew Auernheimer progresses. The reality of what is happening to Andrew is one that anybody using the internet, or any corporate whistleblower, could face.
Andrew, known online as the computer hacker "weev," made headlines in 2010 when Goatse Security revealed that AT&T's iPad servers were handing private user data to anyone who asked for it: no login, no check that the requester was the account holder, and the data itself sent completely unencrypted, also known as "clear text."
The breach created quite a stir, and Michael Arrington of TechCrunch awarded Goatse Security a Crunchie award for public service for exposing the massive problem.
Security is nothing new. IT professionals are paid big bucks every day to ensure the security of customers' personal information. Even web developers would never collect sensitive information without a) a secure connection, b) encryption of the data in transit and in storage, and c) a check that whoever asks for a record is actually entitled to see it. We've understood these very simple concepts for decades.
What's worse, AT&T published the API (Application Programming Interface) on their public web servers, so anybody in the world could access this kind of data with a simple request to their server. This is akin to leaving your keys in your car, giving random people off the street permission to drive it, and then calling the police.
The technique involved was nothing exotic. Fetching the data meant sending an ordinary web request with a parameter in it, the same mechanism used on millions of websites, including every WordPress website and even DailyKos.
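To make the point above concrete, here is an added illustration (not AT&T's code, and not code from the original diary) of the kind of lookup endpoint being described: a handler that, given an account identifier in the request, returns the account holder's email address. The account identifiers, addresses and session tokens are made up, and the handler is a plain Python function standing in for a web route so the example runs offline. The vulnerable variant answers anyone; the hardened variant requires a session and only returns the caller's own record.

```python
"""Added example: an unauthenticated lookup endpoint beside a hardened one.

The endpoint is hypothetical and mirrors the shape of the flaw described in
the post: the server trusts an identifier supplied in the request and returns
the matching email address to whoever sent it. Sample data is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample data: account identifier -> email address.
# The identifiers are sequential, which is what makes enumeration trivial.
ACCOUNTS: Dict[str, str] = {
    "1000001": "alice@example.com",
    "1000002": "bob@example.com",
    "1000003": "carol@example.com",
}

# Constructed sessions: bearer token -> the account it was issued for.
SESSIONS: Dict[str, str] = {
    "tok-alice": "1000001",
}


@dataclass
class Response:
    status: int
    body: str


Handler = Callable[[Dict[str, str], Dict[str, str]], Response]


def lookup_vulnerable(query: Dict[str, str], headers: Dict[str, str]) -> Response:
    """Vulnerable variant: no authentication and no ownership check.

    Whoever supplies a valid identifier gets the email. The headers are
    ignored entirely, so there is nothing for a caller to forge or steal.
    """
    email = ACCOUNTS.get(query.get("id", ""))
    if email is None:
        return Response(404, "")
    return Response(200, email)


def lookup_fixed(query: Dict[str, str], headers: Dict[str, str]) -> Response:
    """Hardened variant: require a session and bind the lookup to its owner."""
    owner = SESSIONS.get(headers.get("Authorization", ""))
    if owner is None:
        return Response(401, "")
    # Same status whether the id is unknown or belongs to someone else, so the
    # response does not even confirm which identifiers exist.
    if query.get("id", "") != owner:
        return Response(403, "")
    return Response(200, ACCOUNTS[owner])


def enumerate_emails(handler: Handler, start: int, count: int) -> List[str]:
    """Drive a handler with consecutive identifiers, as a scraper would.

    No credentials are sent; this is exactly the anonymous traffic the
    vulnerable endpoint serves and the hardened one refuses.
    """
    found = []
    for n in range(start, start + count):
        resp = handler({"id": str(n)}, {})
        if resp.status == 200:
            found.append(resp.body)
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_emails(lookup_vulnerable, 1000000, 5))
    print("fixed:     ", enumerate_emails(lookup_fixed, 1000000, 5))
```

Nothing about the scraper is clever: it is a loop over a counter and an ordinary request per iteration. The difference between the two handlers is not encryption (neither variant changes how the bytes travel) but whether the server asks who is making the request before answering it.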
This was a huge embarrassment and PR problem for Apple and AT&T, and rightly so. But rather than take responsibility for publicly exposing their customers' data, and for inviting people to fetch it by publishing a public roadmap to it (the API), the two companies convinced the FBI to charge Goatse Security.
The FBI raided weev and another member of Goatse Security, and indictments followed for “Conspiracy to access a computer device without authorization” and “identity theft,” the latter for possessing a list of email addresses.
Regarding the data that was collected, Leon Kaiser, Goatse Sec spokesperson said:
There was never any "full disclosure of private data" from GoatSec. The email addresses aggregated from AT&T's server were compiled into a list which the following people had access to: weev, Ryan Tate, and whoever Ryan Tate worked on his article with inside the Gawker offices. The list was never sold to the highest bidder, nor was it fully disclosed to the Internet. The closest people outside AT&T have ever come to viewing that list is the redacted version on the original Valleywag posting.

This all may sound very technical, but it isn't. If you've commented on a DailyKos diary, then you've used the same kind of web request these "hackers" used to humiliate two of the largest tech companies in the world. If weev is found guilty of these charges, technically any of us could be next, if a company decides they don't like us visiting their website or speaking out against them. This would be a huge blow to free speech.
While plenty of jokes about selling the list to Chinese spammers or using it to screw with the stock market circulated in #gnaa, the truth of the matter is that disclosing this vulnerability let customers know how their data was being mishandled. As it was widely reported, the data was only released to Gawker to provide proof of the vulnerability. Considering the circumstances, it was the most ethical thing they could do.
The incredibly sad lesson here is what happens when you try to "do the right thing" and hold a corporation accountable. The verdict will likely favor the corporations and stockholders rather than the consumer, and will destroy a man's livelihood in the process.
For more information about weev and his case, visit http://freeweev.info.