United States v. Andrew Auernheimer
2014 U.S. App. LEXIS 6671
| 3rd Cir. | 2014Background
- In 2010 Spitler (San Francisco) discovered an AT&T login feature that prepopulated email (user ID) when a browser request included an iPad ICC-ID; he wrote an automated “account slurper” that iterated ICC-IDs and harvested email addresses. 114,000 addresses were collected between June 5–8, 2010.
- Spitler shared the list with Auernheimer (Fayetteville, Arkansas); Auernheimer helped refine the tool and later provided the list to a Gawker reporter. AT&T fixed the vulnerability after media inquiries.
- The accessed AT&T servers were located in Dallas, Texas and Atlanta, Georgia. Neither defendant was ever in New Jersey while the events occurred; no evidence placed the Gawker reporter in New Jersey.
- A Newark grand jury indicted Auernheimer for (1) conspiracy to violate the CFAA (18 U.S.C. §1030) (enhanced under §1030(c)(2)(B)(ii) by alleging a New Jersey-law predicate) and (2) identity fraud (18 U.S.C. §1028(a)(7)).
- The District Court denied Auernheimer’s venue challenge, tried the case in New Jersey without a jury venue instruction, convicted him on both counts, and sentenced him to 41 months. The Third Circuit reviews venue de novo and reverses.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Was venue proper in the District of New Jersey for count one (CFAA conspiracy)? | Gov: venue proper because ~4,500 of the harvested emails belonged to NJ residents; conspiracy alleged to further a NJ-law violation. | Auernheimer: no essential conduct (accessing or obtaining data) or overt acts occurred in NJ; servers and defendants were elsewhere. | Venue improper — essential conduct (accessing protected computers and obtaining info) and alleged overt acts occurred outside NJ. |
| Could the §1030(c)(2)(B)(ii) enhancement (violation in furtherance of state law) provide venue in NJ? | Gov: enhancement ties crime to NJ because victims in NJ were affected and state law was the predicate. | Auernheimer: elements of the NJ statute (unauthorized access; disclosure) were not performed in NJ; disclosure to Gawker not shown to have occurred in NJ. | No — none of the essential conduct elements of the NJ statute occurred in NJ, so enhancement cannot confer venue. |
| Was venue proper for count two (identity fraud §1028(a)(7))? | Gov: Auernheimer used/transferred ICC-IDs and transferred the email list to Gawker, affecting NJ residents, satisfying venue. | Auernheimer: no transfer/possession/use occurred in NJ and the §1028 count was tied to the CFAA violation (which didn’t occur in NJ). | Venue improper — neither essential conduct element (use/transfer/possession in connection with a felony) nor the related CFAA conduct occurred in NJ. |
| If venue was improper, was the error harmless? | Gov: Even if improper, trying in NJ benefited defendant (access to counsel); any error was harmless. | Auernheimer: venue error deprived him of the constitutional protection of being tried where the crime was committed; not subject to harmless-error. | Error not harmless; venue defects implicate substantial rights and likely are structural — conviction vacated. |
Key Cases Cited
- United States v. Johnson, 323 U.S. 273 (venue protections are fundamental)
- United States v. Cabrales, 524 U.S. 1 (venue depends on locus delicti; distinguish essential conduct from circumstance elements)
- United States v. Rodriguez-Moreno, 526 U.S. 275 (identify conduct constituting offense then location of those acts)
- United States v. Perez, 280 F.3d 318 (conspiracy venue: any district where a co-conspirator committed an act in furtherance)
- Hyde v. United States, 225 U.S. 347 (conspiracy venue principles)
- Apprendi v. New Jersey, 530 U.S. 466 (facts that increase statutory penalty are elements for jury to decide)