
Lawyers Say Hackers Are Sentenced Too Harshly

michael posted more than 11 years ago | from the hacker-crackdown dept.

The Courts 439

Bendebecker writes "Cnet is reporting: 'The nation's largest group of defense lawyers on Wednesday published a position paper arguing that people convicted of computer-related crimes tend to get stiffer sentences than comparable non-computer-related offenses.' Finally, someone is listening..." The document makes the points that most computer crime cases involve disputes between an employer and employee, and that the seriousness of the offense is generally comparable to white-collar fraud cases.


The Bulk (1, Insightful)

pkcs11 (529230) | more than 11 years ago | (#5353186)

The bulk of hacking is internal anyway. Only makes sense.

Re:The Bulk (1)

Fedaykin_Commando (592346) | more than 11 years ago | (#5353287)

No offense, but how do you know the bulk of hacking is internal . . . have you seen any charts quoting that? My opinion is, if you keep the punishment higher, people are less likely to do it. In other countries, people are shot by a firing squad if they get caught DUI. Therefore, less people drive drunk and no accidents. Same principle applies here. Not saying we should shoot hackers :-), but that if the punishment is steep, maybe it would deter illegal hacking.

Re:The Bulk (2, Insightful)

yourmom16 (618766) | more than 11 years ago | (#5353322)

There are harsher punishments for drug possession than many other crimes including child molestation here in the US. We still have more drug users than child molesters so your argument doesn't necessarily hold.

Re:The Bulk (4, Insightful)

1u3hr (530656) | more than 11 years ago | (#5353387)

My opinion is, if you keep the punishment higher, people are less likely to do it. In other countries, people are shot by a firing squad if they get caught DUI. Therefore, less people drive drunk and no accidents. Same principle applies here. Not saying we should shoot hackers :-), but that if the punishment is steep, maybe it would deter illegal hacking.

If that logic is pursued, just make every crime, from littering and jaywalking on up, a capital offence. That would deter ALL crime. Sounds idyllic, doesn't it?

The point the lawyers are making is that the penalty should be in relation to the harm caused, not multiplied merely because it somehow involved a computer. Whether you defraud using a fountain pen or a PC, the penalty should be the same.

Re:The Bulk (1)

Fedaykin_Commando (592346) | more than 11 years ago | (#5353465)

If that logic is pursued, just make every crime, from littering and jaywalking on up, a capital offence. That would deter ALL crime. Sounds idyllic, doesn't it?

Metaphors can be extended beyond what was intended, which is what has happened here. Now I'm not going to disagree that those things would happen less with stiffer punishments, but I'm not advocating stiffer punishments for crimes that don't call for it. If someone is hacking into a corporate network, the punishment should send a message to others who would attempt such an endeavour that the risk is not worth the potential return.

2nd post (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5353199)

w00t!

Well (3, Interesting)

Bob Abooey (224634) | more than 11 years ago | (#5353201)

Since when are lawyers a beacon for what a fair punishment should be? I thought a lawyer's job was to understand the law and to represent his/her client, not decide what's fair or not fair regarding the law.

Quite frankly given the number of lawyers who do their best to circumvent the true spirit of the law I don't want them making any public statements on my behalf...

Re:Well (1)

onepoint (301486) | more than 11 years ago | (#5353236)

I can see it now. Some grad student gets pissed off at someone in the firm and causes the entire network to fail.

Then for some odd reason they cannot get it back up again for 5 days, the losses are so staggering that the business has to lay off 50% of the employees

the guy goes to jail for 30 days and people are out of work .... what justice is that.

onepoint

Re:Well (3, Insightful)

Anonymous Coward | more than 11 years ago | (#5353274)

>the guy goes to jail for 30 days and people are
>out of work .... what justice is that.

Absolutely zero:

How much time did the MIS manager and CTO do? They share the responsibility for not securing the system. If the risks are that great, then not adequately protecting against those risks is criminal neglect.

Re:Well (1)

jandrese (485) | more than 11 years ago | (#5353355)

What about the guy who spits on the sidewalk and makes a slippery spot. Later that day the president is walking down the sidewalk, slips, falls, and kills himself.

That guy would only get a fine at most! What justice is that?

Re:Well (5, Insightful)

Anonymous Coward | more than 11 years ago | (#5353252)

I thought a lawyer's job was to understand the law and to represent his/her client, not decide what's fair or not fair regarding the law.

Who says they are deciding? They are stating their opinion. It is up to legislators to create and modify the law and judges to uphold it. Lawyers just happen to be the most intimately involved with both types of cases and therefore are qualified to state an opinion.

I would also point out that they are as free to state their opinion as you are.

Re:Well (-1)

Anonymous Coward | more than 11 years ago | (#5353268)

And who are you to give opinions about this? Who do you think you are?

See, it works from both sides.

Re:Well (0, Informative)

Jack Wagner (444727) | more than 11 years ago | (#5353461)

And who are you to give opinions about this? Who do you think you are?

See, it works from both sides.

Actually Bob Abooey is a longtime industry pundit who used to work for Apple back in the 80's in their two button mouse division. He's also been a major kernel hacker for FreeBSD and has generally been regarded as one of the best minds in the Computer Science field for years now.

I suggest you perform a little research next time before making an arse of yourself.

Warmest regards,
--Jack

Re:Well (3, Insightful)

GimpyMcJackass (564895) | more than 11 years ago | (#5353283)

However, lawyers have a more intimate knowledge than any of us (as proven by the number of IANAL comments) since that's their job.

Also, this particular group of lawyers are defence lawyers, so it's their job to defend crackers and fight for their rights, which would include the whole fairness issue.

And also, these people might be judges someday, so then it will be their job to determine what fair judgement is.

Re:Well (5, Funny)

DonkeyJimmy (599788) | more than 11 years ago | (#5353286)

I don't want them making any public statements on my behalf...

Your behalf, eh? That's admission of guilt, get him boys.

Re:Well (3, Insightful)

argmanah (616458) | more than 11 years ago | (#5353299)

Since when are lawyers a beacon for what a fair punishment should be? I thought a lawyer's job was to understand the law and to represent his/her client, not decide what's fair or not fair regarding the law.
Major players in the criminal judicial process:

1) Judge (often a lawyer)
2) Prosecutor (lawyer)
3) Defense Attorney (lawyer)

Also, think about this. Whenever the two sides work out a plea bargain rather than going to court, you basically have 2 lawyers hashing out what is a fair penalty for the crime involved.

So, in response to your statement, I would have to say that lawyers have always been the beacon for what fair punishment should be since the modern criminal system came into being. I'm sure it's fun to take potshots at lawyers, but you need to realize that they do run the system to a large extent.

IANAL

Re:Well (1)

nomadic (141991) | more than 11 years ago | (#5353302)

Do you have any actual knowledge of this, or is this another tiresome slashdot lawyer slam?

Re:Well (1)

u-235-sentinel (594077) | more than 11 years ago | (#5353370)

Personally I don't have a very high opinion of lawyers. Those few I've spoken with don't impress me as people who care about doing the right thing.

Considering how low I believe them to be, you have to admit this is a radical statement coming from them.

If lawyers think the punishments are too harsh for hackers, then they really must be. Think about it.

just fraud (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5353203)

"The document makes the points that most computer crime cases involve disputes between an employer and employee, and that the seriousness of the offense is generally comparable to white-collar fraud cases. "

Oh, well, in that case, since it's ONLY fraud, might as well let them go free.

Re:just fraud (4, Insightful)

RyanAXP (60761) | more than 11 years ago | (#5353277)

Quoth the Rave,,, err, Anonymous Coward:
"Oh, well, in that case, since it's ONLY fraud, might as well let them go free."

You didn't understand the argument, or didn't bother to read it, at least. They're not saying computer criminals should "go free," but that the harshness of their punishments should be similar to the punishments meted out for similar crimes not involving computers. Is that really so difficult to support?

It all depends (5, Informative)

hawkbug (94280) | more than 11 years ago | (#5353215)

I think it all depends on the crime committed.... stealing 8 million credit cards is a lot more serious than defacing a website for an hour, don't you think?

It all depends... (2, Insightful)

mmol_6453 (231450) | more than 11 years ago | (#5353242)

On how much financial damage the cracker did when he defaced the website.

I'D THINK YOU'D WANT JAIL JUST FOR THE ASS RAPE (-1)

Subject Line Troll (581198) | more than 11 years ago | (#5353328)

Re:It all depends (3, Funny)

TheRaven64 (641858) | more than 11 years ago | (#5353319)

And defacing the RIAA website probably counts as 'pbulic service'...

Re:It all depends (0)

Anonymous Coward | more than 11 years ago | (#5353388)

HA! TheRaven64 just misspelled his way to my foes list!

Re:It all depends (0)

Anonymous Coward | more than 11 years ago | (#5353472)

Why do you bother posting anonymously really? http://slashdot.org/~TheRaven64/freaks

But does it still warrant... (5, Insightful)

aepervius (535155) | more than 11 years ago | (#5353382)

...more years in prison than the average rapist?

Re:It all depends (0)

yourmom16 (618766) | more than 11 years ago | (#5353403)

Defacing a website is analogous to graffiti whereas stealing the credit card numbers is credit card fraud and is much more severe. Breaking in the site could be considered like breaking and entering then the damage done would be treated like the most closely related non-computer crime.

Re:It all depends (2, Insightful)

JaxGator75 (650577) | more than 11 years ago | (#5353464)

It depends on who is counting the "financial damages". If they determine that they could have done that $2.3 million deal during the hour that you defaced their website, the elusive "they" would happily express their damages as $2.3M to watch the suspect (electronic terrorist) rot away in a P.M.I.T.A.-prison

I wish I had an easy answer instead of just more doubt / cynicism, but I think the harsher sentences should be reserved for potential/actual harm to humans and physical structures.

BTW - My /. Karma sucks, which is ironic as I am comfortable with my REAL karma. I'm afraid of Mods...

erm... (0)

Anonymous Coward | more than 11 years ago | (#5353216)

Isn't this story a dupe? I thought I just saw it.

_
Best Windows Cursors Ever [paware.com]

Re:erm... (1)

JWizard (542234) | more than 11 years ago | (#5353288)

You might have seen that on Ars Technica... I had the same feeling of deja vu when I saw that here :)

Hmmm . . . (5, Interesting)

Gabrill (556503) | more than 11 years ago | (#5353218)

Am I the only one who watches only to find out what kind of society I live in? And without any real hope of contributing to or affecting the overall state of affairs?

On the other hand I AM glad that computer crime is possibly going to be recognized as a white collar crime instead of a terrorist threat.

This one bombed a bus. That one stole a credit card. Kill 'em both!

Re:Hmmm . . . (3, Insightful)

nomadic (141991) | more than 11 years ago | (#5353349)

Am I the only one who watches only to find out what kind of society I live in? And without any real hope of contributing to or affecting the overall state of affairs?

No. I vote.

String 'em up (1, Insightful)

lseltzer (311306) | more than 11 years ago | (#5353221)

People need to know that some stuff is wrong and I like the idea of setting some examples. You don't screw with other people's property or their data.

Re:String 'em up (2, Insightful)

LippyTheLip (582561) | more than 11 years ago | (#5353279)

People need to know that some stuff is wrong and I like the idea of setting some examples. You don't screw with other people's property or their data

The point of the article is that there already are relevant examples and that hacker crime is analogous to white collar fraud. Ergo... it should be treated the same way in the law and in sentencing.

Re:String 'em up (0)

Anonymous Coward | more than 11 years ago | (#5353314)

If someone screws with your property or data should they do more time than if they had put a bullet in your head?

depends what you did (4, Insightful)

AssFace (118098) | more than 11 years ago | (#5353230)

defacing a web page != stealing credit cards.

they shouldn't have equal sentences, but that isn't to say one of them isn't deserving of what they get...

Depends on the impact too (2, Insightful)

www.sorehands.com (142825) | more than 11 years ago | (#5353383)

If I punch somebody in the face, that is a relatively minor crime, but if killed him with that punch, it is now murder. If I rob a bank with a gun, it is not the same as if I rob the bank with the gun and a person died of a heart attack in the robbery.


With the computer trespass and fraud act, you have a minimal amount to trigger the act ($5000) and a large penalty. If you steal a car (worth $5000) you get a much smaller penalty.

I have to state the obvious... (1, Troll)

fudgefactor7 (581449) | more than 11 years ago | (#5353232)

But if those doing the hacking didn't do it, then there'd be no jail service at all.

I think the sentences should be unified. A crime of type is equal to a crime of similar type. That demands equal treatment.

Re:I have to state the obvious... (3, Insightful)

Bendebecker (633126) | more than 11 years ago | (#5353392)

So if I am distracted while I am driving and I accidentally run over someone and they die, I should get the chair because "hey, the crime of killing a person is equal to the crime of killing a person"? Hacking into someone's webserver and adding the line to their webpage that I own their box should equal a punishment but that punishment should not be the same as hacking into a computer and deleting their hard drive or changing the balance in my bank account. It's like saying that every thief should get ten years in prison regardless of what they stole; it sounds nice on paper but do you really think anyone should go to jail for ten years for stealing a candy bar?

Have to exaggerate the problem... (5, Insightful)

$$$$$exyGal (638164) | more than 11 years ago | (#5353243)

Those convicted "are receiving sentences based on the fear of the worst-case scenario rather than what the case may really be about," Granick said.

In many cases, the victim would be ignored if s/he didn't over-state the actual damages. I've heard victim after victim (right here on slashdot) state that they've gone to the FBI/local officials, and were denied help because the actual damages didn't add up to a certain amount.

No wonder victims are overstating the problem, it's because they don't like being ignored.

--sex [slashdot.org]

Re:Have to exaggerate the problem... (1)

mike_mgo (589966) | more than 11 years ago | (#5353357)

No wonder victims are overstating the problem, it's because they don't like being ignored.

There probably is some truth to this, especially in a civil case when each side may state extreme positions to allow for bargaining room for pre-trial settlements.

But in the case of criminal trials this shouldn't be the case, especially by the punishment phase of the trial when all of the facts should be known.

On a related note, in cases such as this who normally decides the specific punishment, judge or jury? Or does it vary state to state?

Re:Have to exaggerate the problem... (2, Insightful)

doubtless (267357) | more than 11 years ago | (#5353365)

Sometimes I feel that the overstatement of damages should be a crime in itself.

Re:Have to exaggerate the problem... (4, Interesting)

FosterSJC (466265) | more than 11 years ago | (#5353416)

The other side of the coin to this is that you get employers or "victims" or what-have-you artificially inflating the damages supposedly caused by a hacker.

Kevin Mitnick, in his Slashdot interview [slashdot.org], explained this in detail:

However, the punishment in my case was extremely harsh and did not fit the crime. I equate my illegal actions not to a person who molests children or burglarizes a house (I heard these specious analogies before), but to a person who illegally copies software.

The difference in my case is the software was proprietary. I was not an industrial spy, nor did I ever attempt to profit or damage any systems or information that I had illegally accessed. The government falsely claimed I had caused millions of dollars of loss, in an effort to demonize me in the press and the court. The truth of the matter is I regretfully did cause losses, but nowhere near a million dollars. The theory the government used to reach those numbers was to use the same formula for traditional theft or fraud cases. When a person steals money or property, the Federal Sentencing Guidelines use the value of the property lost, damaged, or destroyed as the loss amount. This formula works well with tangible property, but when the property at issue is information, or in my case source code, does the same formula reflect the true intended or actual loss? The government requested that my victims provide their research and development costs as the value of the information I either copied, or reviewed online (source code). Federal prosecutors simply added up all the R&D costs associated with the source code I had accessed, and used that number (approx $300 million) as the loss, even though it was never alleged that I intended to use or disclosed any source code. Interestingly enough, none of my victims had reported any losses attributable to my activities to their shareholders, as required by securities laws. Unfortunately, due to media hyperbole, the unknowing public believes I had caused these tremendous losses.

Suffice it to say, we need to find a compromise where we can accurately represent the loss of intellectual property without unduly exaggerating its (non-material) worth.

This one's easy to explain... (4, Funny)

Fnkmaster (89084) | more than 11 years ago | (#5353245)

There's strength in numbers - and the lawyers finally realized that geeks are the only people as universally unpopular as they are.

"White collar crime" - a misnomer... (5, Interesting)

MosesJones (55544) | more than 11 years ago | (#5353247)


Scenario A: man walks into a store with a gun, demands they empty the till, walks out with a hundred bucks.

Net effect: 100 bucks for the store + mental anguish for people in there.

Punishment: Ten years

Scenario B: Man defrauds investors, pension funds etc out of millions or billions

Net Effect: Pension funds slashed, thousands made unemployed

Punishment: 5 years

We all know that white collar crime gets punished a whole lot less, but is that right? Why shouldn't execs from the likes of Enron, WorldCom et al be looking at life behind bars for the havoc they have wreaked? Well because there really is a different set of laws for the rich. Sure they might even get 15 years in the cases of these massive frauds, but is this enough given the damage they have caused?

So maybe the problem is that white collar crime is punished too little, rather than hacking is punished too much. Maybe having sentences for theft, fraud etc (of any kind not involving actual violence which already has punishments) should be related to the amount of money stolen.

Maybe 1 year per $1000....

Re:"White collar crime" - a misnomer... (1)

91degrees (207121) | more than 11 years ago | (#5353325)

Maybe 1 year per $1000....

Impractical. If I were to steal $1 000 000 from a large multinational, the owner would hardly flinch. If I were to steal $10 000 from an individual, I could cause them serious problems, and potentially wreck their life.

Also, stealing 10 times as much is not ten times the crime. For large values, it's a more successful version of the same crime. Should I be charged with a greater crime if I steal the Mona Lisa than if I steal a less valuable Pollock painting?

Re:"White collar crime" - a misnomer... (2)

Hubert_Shrump (256081) | more than 11 years ago | (#5353449)

than if I steal a less valuable Pollock painting?

Hey, you don't have to steal. I've been trying to give the damn things away. Send a SASE.

Allright then... (1)

siskbc (598067) | more than 11 years ago | (#5353478)

...take ln(Value/100) and round down. 9 years for a mil, 2 for a K.

Re:"White collar crime" - a misnomer... (5, Interesting)

byrd77 (171150) | more than 11 years ago | (#5353340)

The error in your reasoning is the presumption that increased jail terms will deter this type of crime. Research shows [cfenet.com] that the vast majority of people who commit crimes like this don't think they'll get caught. It's highly unlikely they are even aware of what the potential sentence may be, so making it larger doesn't help.

Re:"White collar crime" - a misnomer... (1, Interesting)

lasmith05 (578697) | more than 11 years ago | (#5353343)

You are comparing apples to oranges... In scenario A, armed robbery is very serious because it could result in homicide. In Scenario B, which sounds more like an Enron CEO than a computer criminal, people could lose a lot of money, but in the end the company should be responsible for paying customers back. And ensuring that a security situation like this doesn't happen again.

Re:"White collar crime" - a misnomer... (2, Insightful)

LippyTheLip (582561) | more than 11 years ago | (#5353358)

From the article: The lion's share of cases prosecuted under the most-often-used computer crime statute--Title 18, Section 1030 of the United States Code--involved monetary damage to a private interest. In a review of 55 cases highlighted by the Department of Justice, only 15 involved harm to the public and only one involved a threat to safety, the paper stated.

Property crime is a crime, and it should be, but the danger posed to others by these crimes is usually minimal. The mental anguish caused by crimes committed through violence or the threat of violence is, and IMO, should be punished more harshly.

Re:"White collar crime" - a misnomer... (1)

sfled (231432) | more than 11 years ago | (#5353385)


Why the armed robber gets a longer sentence than the embezzler:
Bodily harm or death is much more permanent than losing money. Societies therefore harshly punish induhviduals who use or threaten to use a firearm in the commission of a crime.

On the other hand, a word of warning to any future Ken Lays: If I were in my late 50s and had a serious illness, and the CEO of my longtime employer had stolen my retirement and any chance I may have had at a few short years in comfort, I would blow his brains out. And no one could prevent it.

Re:"White collar crime" - a misnomer... (1)

lostPackets (598793) | more than 11 years ago | (#5353490)

Hmmm, could it be not that the Enron Exec should be punished more, but that the former criminal should be punished less? Think about it, the answer to unequal treatment isn't always to up the ante. BTW.. These two crimes are also not equivalent at all. Consider the risk posed by people from a robber brandishing a gun - nowhere in (most) white collar crimes is there that kind of immediate risk to people's lives.

Text copy of pdf (1, Informative)

Anonymous Coward | more than 11 years ago | (#5353250)

The National Association of Criminal Defense Lawyers, The Electronic Frontier Foundation and the Sentencing Project write in response to the Commission's request for public comment about how the Commission should respond to Section 225(b) of the Homeland Security Act of 2002 (the Cyber Security Enhancement Act of 2002), Pub. L. 107-296, which directs the Commission to review and amend, if appropriate, the sentencing guidelines and policy statements applicable to persons convicted of an offense under 18 U.S.C. 1030. We thank the United States Sentencing Commission for this opportunity. Interests of the Commentators The National Association of Criminal Defense Lawyers (NACDL) is the preeminent organization in the United States advancing the mission of the nation's criminal defense lawyers to ensure justice and due process for persons accused of crime or other misconduct. A professional bar association founded in 1958, NACDL's more than 10,400 direct members -- and 80 state and local affiliate organizatio ns with another 28,000 members -- include private criminal defense lawyers, public defenders, active U.S. military defense counsel, law professors and judges committed to preserving fairness within America's criminal justice system. The National Association of Criminal Defense Lawyers (NACDL) encourages, at all levels of federal, state and local government, a rational and humane criminal justice policy for America -- one that promotes fairness for all; due process for event the least among us who may be accused of wrongdoing; compassion for witnesses and victims of crime; and just punishment for the guilty. Equally important, a rational and humane crime policy must focus on the social and economic benefits of crime prevention -- through education, economic opportunity, and rehabilitation of former offenders. 
As a society, we need to eschew such simplistic, expensive, and ineffective "solutions" as inflexible mandatory sentencing, undue restriction of meritorious appeals,punishment of children as adults, and the erosion of the constitutional rights of all Americans because of the transgressions of a few. NACDL's values reflect the Association's abiding mission to ensure justice and due process for all. The Electronic Frontier Foundation ("EFF") is a non-profit, civil liberties organization founded in 1990 that works to protect rights in the digital world. EFF is based in San Francisco, California, but has members all over the United States. EFF has been deeply concerned about the criminalization of online behavior since its inception. The founders intended EFF to bring balance and reason to law enforcement in cyberspace. One incident that brought this need home was a 1990 federal prosecution of a student for publishing a stolen document. At trial, the document was valued at $79,000. An expert witness, whom EFF helped locate, was prepared to testify that the document was not proprietary, and was available to the public from another company for $13.50. When the government became aware of this information through defense's cross-examination of government witnesses, it moved to dismiss the charges on the fourth day of the trial. Accordingly, EFF is very concerned that the Sentencing Commission act very carefully with regard to computer crime sentencing. We believe that those convicted of computer crimes are already punished more harshly compared to other crimes for the reasons stated in these Comments. The Sentencing Project is a Washington, D. C.-based 501(c)(3) non-profit organization which promotes greater use of alternatives to incarceration and the adoption of sentencing policies and practices which are fair and effective in reducing crime. 
Founded in 1986 to encourage improved sentencing advocacy by the defense, The Sentencing Project has become well known as a source of widely reported research and analysis on sentencing and other criminal justice issues. The range of these issues includes: the number of non-violent, low- level drug offenders in state prisons; crack-powder cocaine sentencing discrepancy in federal law; unwarranted racial disparity in the criminal justice system; the impact of the federally mandated ban on receipt of welfare benefits for women convicted of drug offenses; "Three Strikes" mandatory minimum sentencing laws; denial to nearly four million Americans of the right to vote following felony convictions; and, the significance of prosecuting children as adults. The Sentencing Project's interests in the matter before the United States Sentencing Commission are to insure that federal penalties are not increased absent objective indications that an increase in penalties will reduce criminal computer fraud or "hacking," when other steps may provide a higher degree of public safety and corporate security, and when the rational for increasing penalties may be based on a misperception of the nature and character of most crimes prosecuted through application of 18 U.S.C. Section 1030. COMMENTS Congress has directed the Commission to review the guidelines applicable to person convicted of offenses under 18 U.S.C. section 1030 to ensure that the guidelines reflect the serious nature of such offenses, the growing incidence of such offenses and the need for an effective deterrent and appropriate punishment to prevent such offenses. We write in response to the Sentencing C request for comments because we believe that the guideline range should not be increased. Current guidelines not only adequately reflect, but also in many cases overstate the seriousness of 18 U.S.C. 1030 offenses. Section 1030 proscribes offenses that range in seriousness from misdemeanors to threats to national security. 
However, the heartland section 1030 violations are white collar fraud or insider misappropriation of information cases that should be treated comparably to other white collar fraud cases. Current section Three guidelines would substantially enhance sentences in rare cases of "cyberterrorism". Also, there has not been a significant increase in the commission of section 1030 offenses over the past five years that requires increased sentencing. Further, increased sentences will not deter terrorists, who may be willing to die for their cause, but may deter legitimate business innovation and practices as well as important computer security research and vulnerability testing. In fact, current guidelines are rife with problems, mostly surrounding the special definition of loss in computer crime cases. The definition includes unforeseeable losses that are wholly defined by the victim's behavior rather than the defendant's actions. Sentences that are widely disparate for identical offenses, easily manipula table, and that do not accurately reflect the defendant's culpability result. I. THE GUIDELINE RANGE SHOULD NOT BE INCREASED A. The Seriousness of the Offense is Comparable to Other Fraud or Theft Cases, not Offenses to the Person or Terrorism Cases The typical computer crime offense involves a disgruntled current or former employee misusing company computers. The Department of Justice maintains a non-exhaustive chart of computer crime cases on its website at www.cybercrime.gov/cccases.html. The chart has 59 entries, representing 55 unique cases. Of those, the chart describes sixteen of the defendants as employees of the victim company. Review of the linked DOJ press releases shows that an additional nine defendants were also employees or independent contractors of the victim. (Luckey, Blum, Leung, Farraj, Scheller; Brown; Carpenter; Dennis, and Alibris.) Thus, almost half of the cases in the table are readily identifiable as involving disgruntled insiders. 
In forty three of the fifty nine entries, the defendant caused harm to a solely private interest. Only fifteen of the cases involve harm to a public or public and private interests. Only one case, where the defendant was a juvenile, involved a threat to safety. This small set of data shows that the heartland computer crime case involves disgruntled employees causing harm to private companies.

Of course, this cursory analysis depends entirely on a small set of data selected for publication by the Department of Justice. Defendants in the listed cases may eventually be acquitted, or the nature of the case may not be fully or accurately reflected in the press releases, or by the inclusion of the case in the table. For example, United States v. Alibris involved allegations that a company that provided email services to subscribers violated 18 U.S.C. 2511 (interception of electronic communications), not 18 U.S.C. 1030. Additionally, the district court recently ruled in the Alibris case that the company's actions were not prohibited by section 2511. U.S. v. Councilman, U.S. District Court for the District of Massachusetts, 01-CR-10245-MAP (February 12, 2003), available at http://pacer.mad.uscourts.gov/dc/cgibin/recentops.pl?filename=ponsor/pdf/councilman2.pdf. Also, not all section 1030 cases are included in the table - for example, U.S. v. Middleton, 35 F.Supp.2d 1189 (ND Cal 2002), 231 F.3d 1207 (9th Cir. 2002) and U.S. v. Sablan, 92 F.3d 865 (9th Cir. 1996), in which both defendants were disgruntled (ex-) employees.

Based on the available information the typical section 1030 offense appears to be comparable to a white collar fraud. We urge the Commission to treat section 1030 offenses similarly, absent other considerations. Since the Commission recently amended the guideline applicable to economic crimes (2B1.1), there is no reason now to increase penalties further for computer crime cases.

B. There are Already Guidelines that Can Apply to Terrorism Offenses and Offenses to the Person that Fall Under Section 1030

To date, there are no reported incidents of terrorists attempting to harm the health and safety of individuals through unauthorized computer access. However, in an abundance of caution, Congress amended section 18 U.S.C. 1030 to especially prohibit this type of offense and to proscribe a term of up to life in prison. 1030(a)(5)(A)(i). This should not inspire the Commission to increase punishment under the guidelines for the heartland of section 1030 cases, which, as shown above, primarily involve employment disputes. There are already guidelines that apply to attempts to commit bodily harm, as well as the rare terrorist computer crime offender. Guideline 3A1.4(a) provides "if the offense is a felony that involved, or was intended to promote, a federal crime of terrorism, increase by 12 levels; but if the resulting offense level is less than level 32, increase to level 32." This guideline is adequate to punish a violator of Section 1030 who acts with terroristic intent.

C. Incidents of Section 1030 Violations are Not Increasing

Current statistics do not show an upward trend in section 1030 violations. We would expect to see some increase in violations as more people use computers and become connected to the Internet. We would also expect to see increased convictions as law enforcement becomes better trained and puts more resources into computer crime investigation and the formation of high tech crime task forces. However, the actual incidence of computer crime prosecutions is little more than 100 per year. The Transactional Records Access Clearinghouse (TRAC) located at Syracuse University makes targeted FOIA requests to collect, among other things, statistics on DOJ enforcement.
For each incident referred to the DOJ, TRAC records a host of information, including referral date and agency, lead charge, disposition date and type, and prosecution filing date or declination reason. TRAC defines enforcement data as:

Fraud involving violations of 18 U.S.C. 1030 or 2701 et. seq., computer "bulletin boards" and other schemes in which a computer is the target of the offense, including when charged as violations of 18 U.S.C. 1343, 2314, or 2319 e.g., computer viruses or where the defendant's goal was to obtain information or property from a computer or to attack a telecommunications system or data network. (All such cases are national priorities.)

Program Category, at http://tracfed.syr.edu/help/codes/progcode.html (last visited June 19, 2002). Further information about TRAC's enforcement database resides at http://tracfed.syr.edu/index/cri/cri_help_index_pros.html/

Data obtained by the commentators on computer crime prosecutions shows a steady increase in referral for prosecution and also in prosecutions. However, the number of prosecutions remains low and shows only slow growth. Though there was a dramatic increase in referrals from 1999 to 2000, there was also a large increase in the number of prosecutions declined. The actual conviction rate increased, but from only 72 convictions to 107 between 1999 and 2001.

| Fiscal Year | 1992 | 1993 | 1994 | 1995 | 1996 | 1997 | 1998 | 1999 | 2000 | 2001 |
|---|---|---|---|---|---|---|---|---|---|---|
| # of referrals for prosecution | 115 | 126 | 155 | 201 | 197 | 292 | 417 | 497 | 807 | 853 |
| # of referrals disposed of | 69 | 100 | 133 | 137 | 172 | 178 | 253 | 360 | 491 | 631 |
| # of referrals with prosecution declined | 53 | 68 | 110 | 105 | 126 | 125 | 196 | 271 | 393 | 496 |
| # convicted after prosecution | 12 | 26 | 18 | 23 | 33 | 37 | 47 | 72 | 81 | 107 |
| # not guilty after prosecution | 4 | 6 | 5 | 9 | 13 | 16 | 10 | 17 | 17 | 28 |

In comparison, in 1999, 38,288 drug offense cases were referred for prosecution. That same year, 29,306 people were charged with a drug offense.
Between 1984 and 1999, the number of defendants charged with a drug offense in Federal courts increased from 11,854 to 29,306. United States Department of Justice, Bureau of Statistics, Special Report, Federal Drug Offenders, 1999, with Trends 1984-1999, available at http://www.ojp.usdoj.gov/bjs/abstract/fdo99.htm. In 1999, United States Attorneys chose to prosecute over 88% of suspects referred for drug crime. In fiscal year 1998, the DOJ disposed of 253 computer crime referrals. Some of these referrals reached the DOJ in earlier years, but the DOJ disposed of all of them between October 1, 1997 and September 30, 1998. Of the 253 dispositions, 196 (77%) were declined prosecutions while 57 (23%) ended in court. Forty-seven dispositions (19%) were due to a guilty verdict or an appellate court victory, and 10 (4%) were due to acquittals or dismissals. Of the 47 found guilty in court, 20 (43%, 8% of all disposals) received prison sentences. In 2001, the DOJ disposed of 631 computer crime referrals. Of these, 496 (78%) were declined prosecutions, while 135 (21%) ended in court. One hundred seven dispositions (17%) were convictions and twenty eight (4%) were due to acquittals or dismissals. The Department of Justice declined prosecution for the following reasons. 
| Declination Reason | Number | % of Declinations | % of Total Dispositions |
|---|---|---|---|
| Lack of evidence of criminal intent | 27 | 13.78% | 10.67% |
| Weak or insufficient admissible evidence | 34 | 17.35% | 13.44% |
| Suspect to be prosecuted by other authorities | 23 | 11.73% | 9.09% |
| No federal offense evident | 21 | 10.71% | 8.30% |
| Minimal federal interest or no deterrent value | 19 | 9.69% | 7.51% |
| No known suspect | 17 | 8.67% | 6.72% |
| Juvenile suspect | 10 | 5.10% | 3.95% |
| Agency request | 10 | 5.10% | 3.95% |
| Civil, administrative, or other disciplinary alternatives | 6 | 3.06% | 2.37% |
| Office policy (fails to meet prosecutive guidelines) | 6 | 3.06% | 2.37% |
| Jurisdiction or venue problems | 5 | 2.55% | 1.98% |
| Pre-trial diversion completed | 5 | 2.55% | 1.98% |
| Lack of investigative or prosecutive resources | 4 | 2.04% | 1.60% |
| Witness problems | 3 | 1.53% | 1.19% |
| Suspect being prosecuted on other charges | 3 | 1.53% | 1.19% |
| Other | 13 | 6.63% | 5.15% |

Thus, a review of the statistics suggests that the incidence of computer crime is very low, and, while slowly increasing, is not increasing at a rate that currently justifies instituting harsher penalties in light of the other considerations. Also, a significant number of these offenses involve disgruntled former employees, and criminal conduct of similar seriousness. The statistics on declinations suggest that the Assistant United States Attorneys do not believe that the damages and consequences of computer crimes reported to the Department are serious enough to merit a higher prosecution rate. Similarly, these crimes do not merit an increase in sentence length.

D. Deterrent and Chilling Effect

Nor should the Commission increase computer crime penalties as a deterrent unless statistical evidence shows that those convicted of section 1030 offenses re-offend at a statistically significant rate. In 1996, the Commission concluded that "existing data do not permit the Commission to draw any firm conclusions regarding the deterrent effect of existing guideline penalties for these computer-related crimes."
Report to the Congress: Adequacy of Federal Sentencing Guideline Penalties for Computer Fraud and Vandalism Offenses, p. 3. Similarly, the Commission should examine whether new data allows any new conclusions.

Greater penalties are dangerous. They may chill legitimate computer research, business development, and reporting on security vulnerabilities. Section 1030 generally prohibits "unauthorized access" to computer systems, while subsection 1030(a)(5) prohibits the "transmission" of harmful code. These are broad definitions. Case law shows that a wide range of common business practices have been challenged in civil suits under section 1030. Though these cases are civil, and though some of the business practices were held not to be actionable, the Commission should view these cases as a cautionary tale. First, there is no difference between the definition of civil and criminal offenses under section 1030, so the judicial interpretations of the statute apply in both situations. Second, in cases where the plaintiff's case failed, it was always for failure to show jurisdictional damages of greater than $5000, rather than failure to show that the contested business practice was in fact "unauthorized access" or an illegal "transmission."

Common business practices that may be "unauthorized access" or illegal transmission include sending unsolicited bulk email (America Online v. National Health Care Discount, 121 F.Supp.2d 1255, 1273 (N.D. Iowa 2000)), using automated search programs to collect even publicly available data (Register.com v. Verio, Inc., 126 F.Supp.2d 238, 251 (S.D.N.Y. 2000) [domain name information]; eBay v. Bidder's Edge, 100 F.Supp.2d 1058 (N.D.Cal. 2000) [internet auction information], EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir.
2001) [travel agent prices]) and placing "cookies" on the computers of website visitors for purpose of monitoring their web activity (In re Intuit Privacy Litig., 138 F Supp 2d 1272 (CD Cal 2001); Chance v. Ave. A, Inc., 165 F.Supp.2d 1153 (WD Wash 2001)).[1]

Additionally, companies like AOL and Toshiba are potentially liable under section 1030(a)(5) for "transmission" of harmful code for shipping faulty software. See, e.g. Shaw v. Toshiba Am. Info. Sys., 91 F.Supp.2d 926 (ED Tex. 1999) [mailing floppy diskettes containing faulty microcode]; In re AOL, Inc. Version 5.0 Software Litig., 168 F Supp 2d 1359 (SD Fla. 2001) [AOL's transmission of its Version 5 software which allegedly "changes" the host system's communications configuration and settings so as to interfere with any non-AOL communications and software services actionable under 1030(a)(5)(A)]; Christian v Sony Corp. of Am., 152 F Supp 2d 1184, 1187 (DC Minn. 2001) [shipping personal computers with faulty floppy diskette controllers.]

In Christian, though summary judgment was granted for Defendant Sony corporation on damages grounds, the Court believed that the inclusion of a defective FDC constituted a "transmission" within the meaning of section 1030. "[T]he Court was persuaded by the Plaintiffs that Sony's actions could, theoretically, be actionable under the CFAA. For example, Sony's argument that the inclusion of a defective FDC--one which causes corruption of data--in a computer, which was then distributed to individual consumers, does not constitute a 'transmission' within the meaning of the CFAA is not persuasive."

Also, the practice of programming software to shut down under certain circumstances, even to prevent unauthorized use or to enforce contractual obligations, is a potential section 1030 violation. See North Texas Preventative Imaging v. Eisenberg, 1996 U.S. Dist. LEXIS 19990 (C.D. Cal. August 19, 1996); Gomar Manf. Co. v. Novelli, C.A. No. 96-4000 (D.N.J. Jan. 28, 1998).
While these cases are primarily civil, each helps define the activity prohibited by section 1030, "unauthorized access" and "transmission" of harmful code. Increasing punishments for section 1030 offenses potentially increases criminal liability for any of these business practices that also causes $5000 worth of damage. Also, in many of the cases cited above, the lawsuit failed because the threshold damage level was not met. But, the new definition of damage allows harm to be aggregated across acts, victims and time. Under this new definition, practices which were previously the subject of unsuccessful lawsuits, like using cookies or collecting online travel data, could be illegal. Internet advertising company DoubleClick, search engine Google.com, Sony, Toshiba and AOL could all be criminally convicted of violating 18 U.S.C. 1030 for common business conduct. This is a problem that would best be addressed by Congressional amendment of section 1030. However, the Commission must decide whether increased penalties are appropriate. That decision must be informed by the fact that conduct that constitutes an offense under section 1030 is not necessarily serious, malum per se, or even an undesirable business practice.

[1] Many of these cases find no liability under section 1030 based on the plaintiff's failure to allege or prove damages of the proper type or in sufficient amount. The underlying activity, however, is unauthorized access or unlawful transmission within the scope of section 1030.

Additionally, legitimate computer security research and vulnerability reporting is chilled by disproportionate sentencing. For example, port scanning is a common practice among computer security researchers. "A port scan is a method of checking a computer to see what ports are open by trying to establish a connection to each and every port on the target computer.
If used by a network administrator on his own network, the scan is a method of determining any possible security weaknesses. If used by an outsider, the scan indicates whether a particular port is used and can be probed for weakness." Moulton v. VC3, 2000 U.S. Dist. LEXIS 19916 (ND Ga. November 7, 2000). Though port scanning is a common tool for security researchers, both in determining vulnerabilities in their own systems and surveying networks for information about deployed programs and security weaknesses, many researchers fear that the activity is arguably illegal under section 1030.

Unfortunately, tales of consultants who are prosecuted criminally or civilly for informing authorities of vulnerabilities are common. A recent case is that of Stefan Puffer, a computer security analyst who was indicted after demonstrating to the Harris County, Texas District Clerk's office that its wireless computer network was vulnerable to unauthorized users. See "County Cuts Off Computer Network", Houston Chronicle, by Steve Brewer, March 21, 2002, available at http://www.chron.com/cs/CDA/story.hts/topstory/1302663#top. See also, "Ethical Hacker Faces War Driving Charges", The Register, by John Leyden, July 26, 2002, available at http://www.chron.com/cs/CDA/story.hts/tech/news/1507766. Many computer security practitioners fearfully view this prosecution as a case of shooting the messenger.

In another recent incident of a computer security practitioner being charged criminally, David McOwen, a PC specialist at Georgia's DeKalb Technical Institute was convicted for participating in a project by the non-profit organization distributed.net that allowed computer users to donate their unused processing power to test the strength of a certain type of encryption. McOwen installed the distributed.net programs on several of the machines he maintained for his employer. Eighteen months later, McOwen was charged under Georgia law with computer trespass.
Facing up to 120 years in prison, McOwen decided not to challenge the application of the law to his conduct. Instead, he plead guilty for probation under Georgia's First Offender Act. "Plea Agreement In Distributed Computing Case", SecurityFocus, By Ann Harrison, Jan 18 2002 available at http://www.securityfocus.com/news/311. As a result, computer security professionals fear that distributed computing itself may be illegal. See "Is Distributed Computing A Crime?", SecurityFocus, by Ann Harrison, December 20, 2001 available at http://www.securityfocus.com/news/300. Cases such as McOwen's chill innovation and slow the adoption of valuable new technologies.

People who innocently stumble upon vulnerabilities may also be dissuaded from reporting them. A few years ago, Center for Internet and Society Director Jennifer Granick (also counsel for this submission) received a telephone call from someone who noticed that a coworker was connecting to the Internet with PC Anywhere file sharing enabled. The caller believed that anyone else could access the co-worker's computer and view files, and successfully tested this theory by doing just that. The caller wanted to notify the co-worker that he was vulnerable and should change his computer configuration, but was afraid to do so, for fear that he would get in trouble for having viewed one of the co-worker's files. The attorney called the coworker and notified him, keeping the identity of the reporter secret. However, the attorney also could not give the co-worker the kind of detailed information about why he was vulnerable and how he could fix the problem that the more knowledgeable reporter could. That valuable information was lost in the translation.

Thus, the Commission must act carefully to strike the right balance between deterring crime and chilling business innovation and security research.

II. CURRENT GUIDELINES MAY BE OUT OF LINE WITH THE OFFENDER'S ACTUAL CULPABILITY, AND THE COMMISSION MAY SEE FIT TO AMEND THEM DOWNWARD

The Commission was also directed to consider "the potential and actual loss resulting from the offense, the level of sophistication and planning involved in the offense, whether the offense was committed for purposes of commercial advantage or private financial benefit, whether the defendant acted with malicious intent to cause harm in committing the offense, the extent to which the offense violated the privacy rights of individuals harmed, whether the offense involved a computer used by the government in furtherance of national defense, national security, or the administration of justice, whether the violation was intended to or had the effect of significantly interfering with or disrupting a critical infrastructure, and whether the violation was intended to or had the effect of creating a threat to public health or safety, or injury to any person."

Many of these factors are already taken into consideration in the guidelines. A review of the current guidelines suggests that these factors are over-emphasized, and result in a sentence disproportionate to the defendant's culpability. The current scheme applies the guideline for economic crimes, specifically section 2B1.1, to most computer crimes. Theoretically, treating computer crimes like economic crimes is appropriate since the heartland of the offense is similar. However, Section 1030 crimes are treated more harshly than other crimes in several important ways. First, for all practical purposes, the starting offense level for computer crime cases is eight, because almost every computer criminal will receive a two level adjustment for the jurisdictional loss of $5000. Second, computer crimes almost always receive an enhancement for use of special skill in the commission of an offense. (3B1.3, 2B1.1(b)(8)).
Third, the calculation of loss in computer crime cases is rife with problems that adjust the sentence more harshly than in other economic crime cases.

A. The Typical Computer Crime Case Will Be Sentenced At Least As Harshly, If Not More So, Than Other Economic Fraud Cases

Most of the offenses set forth in section 1030 have as an element of the crime that the perpetrator causes $5000 or more in loss. For example, 1030(a)(5)(A) actions are offenses if the defendant caused or would have caused loss aggregated across victims during any one year period, aggregating at least $5000. 18 U.S.C. 1030(a)(5)(B). For violations of section 1030(a)(5)(A)(i), under subsection (c)(2)(B)(iii), if the value of information accessed is over $5000, then the offense is a felony rather than a misdemeanor. Since federal authorities will rarely prosecute misdemeanors, in almost every computer crime case, damages will be at least $5000. Under Guideline 2B1.1, the Base Offense Level is 6. However, the BOL will be adjusted by at least two levels for loss, giving a minimum offense level of 8 for any prosecuted computer crime. This adjustment is "double counting", since the existence of $5000 of loss makes the offense not only a felony, but also enhances the Base Offense Level. Additionally, it has the effect of sentencing computer crimes more harshly than other economic crime cases.

B. Special Skill

Computer crime offenders disproportionately receive a sentencing enhancement for special skill. Under the pre-2002 guidelines, perpetrators received an adjustment under 3B1.3 for abuse of trust. That section provided that the district court may enhance the defendant's offense level if he "abused a position of public or private trust, or used a special skill, in a manner that significantly facilitated the commission or concealment of the offense." 3B1.3.
The phrase "special skill" is defined as "a skill not possessed by members of the general public and usually requiring substantial education, training or licensing. Examples would include pilots, lawyers, doctors, accountants, chemists, and demolition experts." Id. comment. (applic. note 2). The "adjustment applies to persons who abuse their positions of trust or their special skills to facilitate significantly the commission or concealment of a crime. Such persons generally are viewed as more culpable." Id. comment. (backgr'd). The application of 3B1.3 overstates a defendant's culpability because almost every computer offense inherently requires abuse of trust or special skill. Though the public uses computers, it is generally uninformed about computer security matters. A computer intruder must either use a password that permits access, leading to an abuse of trust adjustment, or know how to circumvent the password requirement, leading to a special skill adjustment. In its 1996 Report to Congress on the adequacy of federal sentencing guideline penalties for computer fraud and vandalism offenses, the Commission reported that 32.5% of all computer crime cases received an upward adjustment for abuse of position/special skill, as compared to 8.8% of white collar cases and 3% of all cases. Table 2. Almost certainly, that percentage, and that discrepancy is higher today, if only because case law has supported a liberal application of 3B1.3 in computer crime cases. In United States v. Petersen, (9th Cir. 1996) 98 F.3d 502, the Ninth Circuit held that the special skill adjustment only requires that the offender have skills not possessed by members of the general public. Special education or certification is not a prerequisite. While the Petersen court did not hold that a special skill adjustment would apply in every computer crime case, it greatly liberalized any limits on when the adjustment would apply. 
Anecdotal evidence suggests that a special skill adjustment is applied in almost every computer crime case today. If the abuse of trust/special skill adjustment is applied, and the $5000 adjustment applies, then the minimum level at which the most innocuous computer crime offense would be punished is a level 10, not a level 6.

Additionally, there's a special adjustment in 2B1.1 for "sophisticated means" under 2B1.1(b)(8)(B). "'Sophisticated means' means especially complex or especially intricate offense conduct pertaining to the execution or concealment of an offense. For example, in a telemarketing scheme, locating the main office of the scheme in one jurisdiction but locating soliciting operations in another jurisdiction ordinarily indicates sophisticated means. Conduct such as hiding assets or transactions, or both, through the use of fictitious entities, corporate shells, or offshore financial accounts also ordinarily indicates sophisticated means." 2B1.1. If this adjustment is also liberally applied to computer crimes, then the most basic computer crime offenses will be sentenced at a minimum level 12. This results in a minimum sentence more than two times as high as the minimum sentence for the most basic economic crime.

C. The Special Calculation of Loss in Computer Crime Cases Results in Harsher Punishments than That for Comparable Economic Crimes

Under the current sentencing law, the estimation of loss is the primary factor driving both economic and computer crime sentencing. Along with other relevant factors under the guidelines, loss should reflect the seriousness of the offense and the defendant's relative culpability. In economic crimes, the calculation of loss is generally limited to "reasonably foreseeable pecuniary harm."
However, in computer crime sentencing, "actual loss includes the following pecuniary harm, regardless of whether such pecuniary harm was reasonably foreseeable: reasonable costs to the victim of conducting a damage assessment, and restoring the system and data to their condition prior to the offense, and any lost revenue due to interruption of service." USSG 2B1.1 Application Note 2(A)(v)(III). The inclusion of unforeseeable pecuniary harms in the definition of loss, including "any lost revenue due to interruption of service" results in computer crimes being treated more harshly than other crimes. Additionally, the categories of harm described as loss are not easily assigned objective monetary value. As a result, the loss estimation for identical offenses can differ widely, resulting in grossly disparate sentences for identical conduct. Additionally, the estimation of loss can be manipulated by victims, investigators and prosecutors.

The cost of conducting a damage assessment depends more on the victim's actions than it does on the perpetrator. Assume an intruder compromises two computer systems in identical ways. One victim simply restores the hard drive from backup. The other victim hires $300-an-hour consultants to assess exactly what the intruder did and how he did it. The victim may also ask the consultants to review every other computer system they control, just in case the intruder gained unauthorized access there as well. This is "reasonable". However, in the first instance, the access does not result in loss equal to $5000. The case will probably not be filed, and if it is, the perpetrator will probably not go to jail. In the second instance, the case will be prosecuted and a prison sentence will result. However, the perpetrator's actions and intent are identical.

A similar problem occurs with including any lost revenue due to interruption of service in the loss calculation.
Assume one intruder destroys a personal computer, while a second intruder places an unwanted program, like a packet interceptor on an e-commerce computer. The value of the personal computer and the information on it is probably low. The intruder's sentence will be low. In the second instance, the e-commerce server may have to be taken off-line. If the business is small, the loss will be low, but probably higher than the loss the individual has suffered. If the business is thriving, the loss could be very high. Again, the adjustment the perpetrator receives does not reflect the defendant's relative culpability, but depends on the nature of the victim. Individuals are probably less likely to be able to protect themselves against computer crime, or bounce back from an offense than well-to-do companies. Yet, less real damage on an e-commerce site will probably result in greater prison sentences than malicious destruction of a personal machine. Thus, the definition of loss appears to undermine victim-related adjustments in unwarranted and undesirable ways.

Moreover, loss of revenue is difficult to measure. In the 2000 denial of service attacks on Yahoo! Inc., the company went off-line for about three hours. Yahoo! initially refused to estimate how much the attack cost it in lost revenue. Yahoo! makes money from sale of goods and from showing advertisements. It's difficult to estimate whether Yahoo! actually lost any sales or advertising contracts as a result. Yet, some analysts estimated that Yahoo!'s loss would add up to millions of dollars. ZDNet News, February 7, 2000 http://zdnet.com.com/2100-11-518359.html?legacy=zdnn. Sources quoted by the Industry Standard estimated that losses for Yahoo! and eBay would amount to 1.2 Billion dollars. February 11, 2000, http://www.thestandard.com/article/display/0,1151,9703,00.html. The attack was perpetrated by a Canadian juvenile who never gained unauthorized access to Yahoo! machines or harmed data on the victim systems.
Yet sentencing according to these loss estimates would have resulted in the maximum punishment possible under the law.

Similarly, section 1030(c)(2)(B)(iii) makes theft of data valued at over $5000 a felony offense. Valuing data is extremely difficult. For example, in U.S. v. Mitnick, the defendant accessed computers and viewed source code owned by the victim companies. The victims reported their estimate of the entire cost of research and development as their actual loss in the case, amounting to approximately 80 million dollars. However, the companies were not deprived of the use of that information, nor was it redistributed to competitors, thus reducing its use value. Subsequently, one of the victims started giving the same source code away for free. Additionally, none of the companies reported any economic loss as a result of the intrusions in their SEC filings.

Of course, loss can be difficult to estimate in any economic crime cases. However, this is a serious problem in computer crime cases because loss includes unforeseeable pecuniary harm, losses defined by victim's conduct rather than offense conduct, and more commonly involve the valuation of data and intellectual property. As a result, the loose measure of loss undermines uniformity in sentencing. It also means that loss can be a distorted, or even wholly inaccurate, reflection of the defendant's culpability. Finally, it means that loss can be structured by victims, law enforcement and prosecutors, to manipulate the number of felonies charged and the sentences for them.

In the commentator's experience, victims will be asked for estimates of how much time they spent on the problem, without being informed what type of efforts count towards loss (e.g. damage assessment) and what efforts do not (e.g. improving the security of the system). Victims often do not supply documentation to support their estimates. Rather, they estimate or summarize.
The victims do not know that the law imposes limitations on factors that contribute to loss, so they naturally throw in everything. Law enforcement fails to ensure that loss estimates are reasonable by not providing victims with guidelines to define loss. But the flexible definition of such an important factor leaves sentencing open to manipulation. In one of counsel's cases, the investigating FBI agent sent victims an email instructing that they document as much time spent investigating the problem as possible. For every $5000 they found, the email advised, the government could add another charge.

Similarly, loss has become a huge bargaining chip in plea bargain negotiations. In the beginning of a case, the Department of Justice has early damage estimates based on initial contact with victims during the investigatory stage. Prosecutors will often offer the defendant a plea bargain based on that number. The prosecution tells the defendant that if he does not plead, they will contact victims that did not respond, or re-contact victims to gather additional evidence of damages, thus opening up the possibility of greatly increased loss estimates. Defendants, including those with potentially meritorious defenses, are frightened into entering a plea because the uncertainty of damages means they could do vastly more time in prison once the Department has beaten the bush for numbers from victims.

Loss as currently defined is at risk of completely failing to accurately assess either actual harm, defendant's culpability, or proportionality in sentencing. Also, such vague categories open the sentencing process up to manipulation.

D. The Statute And The Guidelines Do Not Distinguish Between The Culpability Of Offenders Acting With Less Criminal Intent

Relying so heavily on loss as a sentencing factor in computer crime cases misrepresents the defendant's true culpability.
This point is further illustrated by the fact that malicious intent to cause harm will be punished less severely than negligent or reckless intent to cause harm if the ultimate loss amount is less. Section 1030(a)(5)(A) sets a maximum of ten years for malicious harm, five years for reckless harm, and one year for unintentional or negligent harm, unless the intrusion was for commercial advantage, in furtherance of another criminal offense or involved the theft of information worth more than $5000. In the first case, the intruder maliciously uses a software program to delete data on the victim computer in violation of 1030(a)(5)(A)(i). The system administrator restores the data from back up in approximately two hours. The maximum sentence is ten years. However, even though the defendant acted maliciously, the crime would probably not be charged, because the loss is well below $5000. In the second case, a teenager uses a program he finds on the Internet to get into his school's computer network. While looking around, he unintentionally corrupts the computer database. The school has to purchase new software and hire consultants to try to restore the data. The consultants bill the school for 40 hours of work at $300 an hour. The curious student has amassed $12,000 in damages. The offense would have had a cap of a year in jail. However, the damages exceed $5000, so the maximum is five years. The student would be sentenced at a level 12, or 10 to 16 months. (BOL 6, loss 4, special skill to download and run the program 2). III. CONCLUSION We encourage the Sentencing Commission to act very carefully with regard to computer crime sentencing. We need to eschew simplistic, expensive, and ineffective tactics like inflexible, harsh sentencing. Those convicted of computer crimes are already punished more harshly compared to similar crimes. Additionally, there are fundamental problems with the way computer crimes sentences are currently determined.
These problems should be resolved before the Commission considers new enhancements or penalties. Failure to address these problems, particularly the problem with the special definition of loss including unforeseeable pecuniary harms, USSG § 2B1.1 Application Note 2(A)(v)(III), results in sentences which are disproportionate to the defendant's culpability and which chill legitimate computer security research, reporting and adoption of new, beneficial technologies. We believe that the Commission should not increase sentences for computer crime offenses. Also, the Commission should consider ways to revise the current scheme to resolve these issues. Dated: February 19, 2003 Respectfully submitted, By: Jennifer Stisa Granick, California Bar No. 168423 Center for Internet and Society 559 Nathan Abbott Way Stanford, CA 94305-8610 Tel. (650) 724-0014 Counsel for Commentators Carmen D. Hernandez, Co-Chair Sentencing Guidelines Committee National Association of Criminal Defense Lawyers One Columbus Circle, N.E. Suite G-430 Washington, D.C. 20544 Malcom C. Young, Executive Director Sentencing Project 514 - 10th Street, N.W., Suite 1000 Washington, D.C. 20004 Lee Tien, Senior Staff Attorney Electronic Frontier Foundation 454 Shotwell Street San Francisco, CA 94110

Re:Text copy of pdf (1)

catch23 (97972) | more than 11 years ago | (#5353364)

What text conversion did you use? It looks like one block of mashed-together unreadable text to me. Just use the basic "pdftotext" tool and this is what you get out:

The National Association of Criminal Defense Lawyers, The Electronic Frontier Foundation and the Sentencing Project write in response to the Commission's request for public comment about how the Commission should respond to Section 225(b) of the Homeland Security Act of 2002 (the Cyber Security Enhancement Act of 2002), Pub. L. 107-296, which directs the Commission to review and amend, if appropriate, the sentencing guidelines and policy statements applicable to persons convicted of an offense under 18 U.S.C. 1030. We thank the United States Sentencing Commission for this opportunity.

Interests of the Commentators

The National Association of Criminal Defense Lawyers (NACDL) is the preeminent organization in the United States advancing the mission of the nation's criminal defense lawyers to ensure justice and due process for persons accused of crime or other misconduct. A professional bar association founded in 1958, NACDL's more than 10,400 direct members -- and 80 state and local affiliate organizations with another 28,000 members -- include private criminal defense lawyers, public defenders, active U.S. military defense counsel, law professors and judges committed to preserving fairness within America's criminal justice system. The National Association of Criminal Defense Lawyers (NACDL) encourages, at all levels of federal, state and local government, a rational and humane criminal justice policy for America -- one that promotes fairness for all; due process for even the least among us who may be accused of wrongdoing; compassion for witnesses and victims of crime; and just punishment for the guilty. Equally important, a rational and humane crime policy must focus on the social and economic benefits of crime prevention -- through education, economic opportunity, and rehabilitation of former offenders.
As a society, we need to eschew such simplistic, expensive, and ineffective "solutions" as inflexible mandatory sentencing, undue restriction of meritorious appeals, punishment of children as adults, and the erosion of the constitutional rights of all Americans because of the transgressions of a few. NACDL's values reflect the Association's abiding mission to ensure justice and due process for all. The Electronic Frontier Foundation ("EFF") is a non-profit, civil liberties organization founded in 1990 that works to protect rights in the digital world. EFF is based in San Francisco, California, but has members all over the United States. EFF has been deeply concerned about the criminalization of online behavior since its inception. The founders intended EFF to bring balance and reason to law enforcement in cyberspace. One incident that brought this need home was a 1990 federal prosecution of a student for publishing a stolen document. At trial, the document was valued at $79,000. An expert witness, whom EFF helped locate, was prepared to testify that the document was not proprietary, and was available to the public from another company for $13.50. When the government became aware of this information through defense's cross-examination of government witnesses, it moved to dismiss the charges on the fourth day of the trial.

Accordingly, EFF is very concerned that the Sentencing Commission act very carefully with regard to computer crime sentencing. We believe that those convicted of computer crimes are already punished more harshly compared to other crimes for the reasons stated in these Comments.

The Sentencing Project is a Washington, D.C.-based 501(c)(3) non-profit organization which promotes greater use of alternatives to incarceration and the adoption of sentencing policies and practices which are fair and effective in reducing crime. Founded in 1986 to encourage improved sentencing advocacy by the defense, The Sentencing Project has become well known as a source of widely reported research and analysis on sentencing and other criminal justice issues. The range of these issues includes: the number of non-violent, low-level drug offenders in state prisons; crack-powder cocaine sentencing discrepancy in federal law; unwarranted racial disparity in the criminal justice system; the impact of the federally mandated ban on receipt of welfare benefits for women convicted of drug offenses; "Three Strikes" mandatory minimum sentencing laws; denial to nearly four million Americans of the right to vote following felony convictions; and, the significance of prosecuting children as adults. The Sentencing Project's interests in the matter before the United States Sentencing Commission are to insure that federal penalties are not increased absent objective indications that an increase in penalties will reduce criminal computer fraud or "hacking," when other steps may provide a higher degree of public safety and corporate security, and when the rationale for increasing penalties may be based on a misperception of the nature and character of most crimes prosecuted through application of 18 U.S.C. Section 1030.

COMMENTS

Congress has directed the Commission to review the guidelines applicable to persons convicted of offenses under 18 U.S.C. section 1030 to ensure that the guidelines reflect the serious nature of such offenses, the growing incidence of such offenses and the need for an effective deterrent and appropriate punishment to prevent such offenses. We write in response to the Sentencing Commission's request for comments because we believe that the guideline range should not be increased. Current guidelines not only adequately reflect, but also in many cases overstate the seriousness of 18 U.S.C. 1030 offenses. Section 1030 proscribes offenses that range in seriousness from misdemeanors to threats to national security. However, the heartland section 1030 violations are white collar fraud or insider misappropriation of information cases that should be treated comparably to other white collar fraud cases. Current section Three guidelines would substantially enhance sentences in rare cases of "cyberterrorism". Also, there has not been a significant increase in the commission of section 1030 offenses over the past five years that requires increased sentencing. Further, increased sentences will not deter terrorists, who may be willing to die for their cause, but may deter legitimate business innovation and practices as well as important computer security research and vulnerability testing.

In fact, current guidelines are rife with problems, mostly surrounding the special definition of loss in computer crime cases. The definition includes unforeseeable losses that are wholly defined by the victim's behavior rather than the defendant's actions. Sentences that are widely disparate for identical offenses, easily manipulatable, and that do not accurately reflect the defendant's culpability result.

I. THE GUIDELINE RANGE SHOULD NOT BE INCREASED

A. The Seriousness of the Offense is Comparable to Other Fraud or Theft Cases, not Offenses to the Person or Terrorism Cases

The typical computer crime offense involves a disgruntled current or former employee misusing company computers. The Department of Justice maintains a non-exhaustive chart of computer crime cases on its website at www.cybercrime.gov/cccases.html. The chart has 59 entries, representing 55 unique cases. Of those, the chart describes sixteen of the defendants as employees of the victim company. Review of the linked DOJ press releases shows that an additional nine defendants were also employees or independent contractors of the victim. (Luckey, Blum, Leung, Farraj, Scheller; Brown; Carpenter; Dennis, and Alibris.) Thus, almost half of the cases in the table are readily identifiable as involving disgruntled insiders. In forty three of the fifty nine entries, the defendant caused harm to a solely private interest. Only fifteen of the cases involve harm to a public or public and private interests. Only one case, where the defendant was a juvenile, involved a threat to safety. This small set of data shows that the heartland computer crime case involves disgruntled employees causing harm to private companies. Of course, this cursory analysis depends entirely on a small set of data selected for publication by the Department of Justice. Defendants in the listed cases may eventually be acquitted, or the nature of the case may not be fully or accurately reflected in the press releases, or by the inclusion of the case in the table. For example, United States v. Alibris involved allegations that a company that provided email services to subscribers violated 18 U.S.C. 2511 (interception of electronic communications), not 18 U.S.C. 1030. Additionally, the district court recently ruled in the Alibris case that the company's actions were not prohibited by section 2511. U.S. v. Councilman, U.S. District Court for the District of Massachusetts, 01-CR-10245-MAP (February 12, 2003), available at http://pacer.mad.uscourts.gov/dc/cgibin/recentops.pl?filename=ponsor/pdf/councilman2.pdf.
Also, not all section 1030 cases are included in the table; for example, U.S. v. Middleton, 35 F.Supp.2d 1189 (ND Cal 2002), 231 F.3d 1207 (9th Cir. 2002) and U.S. v. Sablan, 92 F.3d 865 (9th Cir. 1996), in which both defendants were disgruntled (ex-) employees. Based on the available information the typical section 1030 offense appears to be comparable to a white collar fraud. We urge the Commission to treat section 1030 offenses similarly, absent other considerations. Since the Commission recently amended the guideline applicable to economic crimes (2B1.1), there is no reason now to increase penalties further for computer crime cases.

B. There are Already Guidelines that Can Apply to Terrorism Offenses and Offenses to the Person that Fall Under Section 1030

To date, there are no reported incidents of terrorists attempting to harm the health and safety of individuals through unauthorized computer access. However, in an abundance of caution, Congress amended section 18 U.S.C. 1030 to especially prohibit this type of offense and to proscribe a term of up to life in prison. 1030(a)(5)(A)(i). This should not inspire the Commission to increase punishment under the guidelines for the heartland of section 1030 cases, which, as shown above, primarily involve employment disputes. There are already guidelines that apply to attempts to commit bodily harm, as well as the rare terrorist computer crime offender. Guideline 3A1.4(a) provides "if the offense is a felony that involved, or was intended to promote, a federal crime of terrorism, increase by 12 levels; but if the resulting offense level is less than level 32, increase to level 32." This guideline is adequate to punish a violator of Section 1030 who acts with terroristic intent.

C. Incidents of Section 1030 Violations are Not Increasing

Current statistics do not show an upward trend in section 1030 violations. We would expect to see some increase in violations as more people use computers and become connected to the Internet. We would also expect to see increased convictions as law enforcement becomes better trained and puts more resources into computer crime investigation and the formation of high tech crime task forces. However, the actual incidence of computer crime prosecutions is little more than 100 per year. The Transactional Records Access Clearinghouse (TRAC) located at Syracuse University makes targeted FOIA requests to collect, among other things, statistics on DOJ enforcement. For each incident referred to the DOJ, TRAC records a host of information, including referral date and agency, lead charge, disposition date and type, and prosecution filing date or declination reason. TRAC defines enforcement data as: Fraud involving violations of 18 U.S.C.
1030 or 2701 et. seq., computer "bulletin boards" and other schemes in which a computer is the target of the offense, including when charged as violations of 18 U.S.C. 1343, 2314, or 2319 e.g., computer viruses or where the defendant's goal was to obtain information or property from a computer or to attack a telecommunications system or data network. (All such cases are national priorities.) Program Category, at http://tracfed.syr.edu/help/codes/progcode.html (last visited June 19, 2002). Further information about TRAC's enforcement database resides at http://tracfed.syr.edu/index/cri/cri_help_index_pros.html/ Data obtained by the commentators on computer crime prosecutions shows a steady increase in referral for prosecution and also in prosecutions. However, the number of prosecutions remains low and shows only slow growth. Though there was a dramatic increase in referrals from 1999 to 2000, there was also a large increase in the number of prosecutions declined. The actual conviction rate increased, but from only 72 convictions to 107 between 1999 to 2001.

Fiscal Year | # of referrals for prosecution | # of referrals disposed of | # of referrals with prosecution declined | # convicted after prosecution | # not guilty after prosecution
1992 | 115 | 69 | 53 | 12 | 4
1993 | 126 | 100 | 68 | 26 | 6
1994 | 155 | 133 | 110 | 18 | 5
1995 | 201 | 137 | 105 | 23 | 9
1996 | 197 | 172 | 126 | 33 | 13
1997 | 292 | 178 | 125 | 37 | 16
1998 | 417 | 253 | 196 | 47 | 10
1999 | 497 | 360 | 271 | 72 | 17
2000 | 807 | 491 | 393 | 81 | 17
2001 | 853 | 631 | 496 | 107 | 28

In comparison, in 1999, 38,288 drug offense cases were referred for prosecution. That same year, 29,306 people were charged with a drug offense. Between 1984 and 1999, the number of defendants charged with a drug offense in Federal courts increased from 11,854 to 29,306. United States Department of Justice, Bureau of Statistics, Special Report, Federal Drug Offenders, 1999, with Trends 1984-1999, available at http://www.ojp.usdoj.gov/bjs/abstract/fdo99.htm. In 1999, United States Attorneys chose to prosecute over 88% of suspects referred for drug crime. In fiscal year 1998, the DOJ disposed of 253 computer crime referrals. Some of these referrals reached the DOJ in earlier years, but the DOJ disposed of all of them between October 1, 1997 and September 30, 1998. Of the 253 dispositions, 196 (77%) were declined prosecutions while 57 (23%) ended in court. Forty-seven dispositions (19%) were due to a guilty verdict or an appellate court victory, and 10 (4%) were due to acquittals or dismissals. Of the 47 found guilty in court, 20 (43%, 8% of all disposals) received prison sentences. In 2001, the DOJ disposed of 631 computer crime referrals. Of these, 496 (78%) were declined prosecutions, while 135 (21%) ended in court. One hundred seven dispositions (17%) were convictions and twenty eight (4%) were due to acquittals or dismissals.

The Department of Justice declined prosecution for the following reasons.

Declination Reason | Number | % of Declinations | % of Total Dispositions
Lack of evidence of criminal intent | 27 | 13.78% | 10.67%
Weak or insufficient admissible evidence | 34 | 17.35% | 13.44%
Suspect to be prosecuted by other authorities | 23 | 11.73% | 9.09%
No federal offense evident | 21 | 10.71% | 8.30%
Minimal federal interest or no deterrent value | 19 | 9.69% | 7.51%
No known suspect | 17 | 8.67% | 6.72%
Juvenile suspect | 10 | 5.10% | 3.95%
Agency request | 10 | 5.10% | 3.95%
Civil, administrative, or other disciplinary alternatives | 6 | 3.06% | 2.37%
Office policy (fails to meet prosecutive guidelines) | 6 | 3.06% | 2.37%
Jurisdiction or venue problems | 5 | 2.55% | 1.98%
Pre-trial diversion completed | 5 | 2.55% | 1.98%
Lack of investigative or prosecutive resources | 4 | 2.04% | 1.60%
Witness problems | 3 | 1.53% | 1.19%
Suspect being prosecuted on other charges | 3 | 1.53% | 1.19%
Other | 13 | 6.63% | 5.15%

Thus, a review of the statistics suggests that the incidence of computer crime is very low, and, while slowly increasing, is not increasing at a rate that currently justifies instituting harsher penalties in light of the other considerations. Also, a significant number of these offenses involve disgruntled former employees, and criminal conduct of similar seriousness. The statistics on declinations suggest that the Assistant United States Attorneys do not believe that the damages and consequences of computer crimes reported to the Department are serious enough to merit a higher prosecution rate. Similarly, these crimes do not merit an increase in sentence length.

D. Deterrent and Chilling Effect

Nor should the Commission increase computer crime penalties as a deterrent unless statistical evidence shows that those convicted of section 1030 offenses re-offend at a statistically significant rate. In 1996, the Commission concluded that "existing data do not permit the Commission to draw any firm conclusions regarding the deterrent effect of existing guideline penalties for these computer-related crimes." Report to the Congress: Adequacy of Federal Sentencing Guideline Penalties for Computer Fraud and Vandalism Offenses, p. 3. Similarly, the Commission should examine whether new data allows any new conclusions. Greater penalties are dangerous. They may chill legitimate computer research, business development, and reporting on security vulnerabilities. Section 1030 generally prohibits "unauthorized access" to computer systems, while subsection 1030(a)(5) prohibits the "transmission" of harmful code. These are broad definitions. Case law shows that a wide range of common business practices have been challenged in civil suits under section 1030. Though these cases are civil, and though some of the business practices were held not to be actionable, the Commission should view these cases as a cautionary tale.
First, there is no difference between the definition of civil and criminal offenses under section 1030, so the judicial interpretations of the statute apply in both situations. Second, in cases where the plaintiff's case failed, it was always for failure to show jurisdictional damages of greater than $5000, rather than failure to show that the contested business practice was in fact "unauthorized access" or an illegal "transmission." Common business practices that may be "unauthorized access" or illegal transmission include sending unsolicited bulk email (America Online v. National Health Care Discount, 121 F.Supp.2d 1255, 1273 (N.D. Iowa 2000)), using automated search programs to collect even publicly available data (Register.com v. Verio, Inc., 126 F.Supp.2d 238, 251 (S.D.N.Y. 2000) [domain name information]; eBay v. Bidder's Edge, 100 F.Supp.2d 1058 (N.D.Cal. 2000) [internet auction information], EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) [travel agent prices]) and placing "cookies" on the computers of website visitors for purpose
of monitoring their web activity (In re Intuit Privacy Litig., 138 F Supp 2d 1272 (CD Cal 2001); Chance v. Ave. A, Inc., 165 F.Supp.2d 1153 (WD Wash 2001)).1 Additionally, companies like AOL and Toshiba are potentially liable under section 1030(a)(5) for "transmission" of harmful code for shipping faulty software. See, e.g. Shaw v. Toshiba Am. Info. Sys., 91 F.Supp.2d 926 (ED Tex. 1999) [mailing floppy diskettes containing faulty microcode]; In re AOL, Inc. Version 5.0 Software Litig., 168 F Supp 2d 1359 (SD Fla. 2001) [AOL's transmission of its Version 5 software which allegedly "changes" the host system's communications configuration and settings so as to interfere with any non-AOL communications and software services actionable under 1030(a)(5)(A)]; Christian v Sony Corp. of Am., 152 F Supp 2d 1184, 1187 (DC Minn. 2001) [shipping personal computers with faulty floppy diskette controllers.] In Christian, though summary judgment was granted for Defendant Sony corporation on damages grounds, the Court believed that the inclusion of a defective FDC constituted a "transmission" within the meaning of section 1030. "[T]he Court was persuaded by the Plaintiffs that Sony's actions could, theoretically, be actionable under the CFAA. For example, Sony's argument that the inclusion of a defective FDC--one which causes corruption of data--in a computer, which was then distributed to individual consumers, does not constitute a `transmission' within the meaning of the CFAA is not persuasive." Also, the practice of programming software to shut down under certain circumstances, even to prevent unauthorized use or to enforce contractual obligations, is a potential section 1030 violation. See North Texas Preventative Imaging v. Eisenberg, 1996 U.S. Dist. LEXIS 19990 (C.D. Cal. August 19, 1996); Gomar Manf. Co. v. Novelli, C.A. No. 96-4000 (D.N.J. Jan. 28, 1998).
While these cases are primarily civil, each helps define the activity prohibited by section 1030, "unauthorized access" and "transmission" of harmful code. Increasing punishments for section 1030 offenses potentially increases criminal liability for any of these business practices that also causes $5000 worth of damage. Also, in many of the cases cited above, the lawsuit failed because the threshold damage level was not met. But, the new definition of damage allows harm to be aggregated across acts, victims and time. Under this new definition, practices which were previously the subject of unsuccessful lawsuits, like using cookies or collecting online travel data, could be illegal. Internet advertising company DoubleClick, search engine Google.com, Sony, Toshiba and AOL could all be criminally convicted of violating 18 U.S.C. 1030 for common business conduct. This is a problem that would best be addressed by Congressional amendment of section 1030. However, the Commission must decide whether increased penalties are appropriate. That decision must be informed by the fact that conduct that constitutes an offense under section 1030 is not necessarily serious, malum per se, or even an undesirable business practice.

1 Many of these cases find no liability under section 1030 based on the plaintiff's failure to allege or prove damages of the proper type or in sufficient amount. The underlying activity, however, is unauthorized access or unlawful transmission within the scope of section 1030.

Additionally, legitimate computer security research and vulnerability reporting is chilled by disproportionate sentencing. For example, port scanning is a common practice among computer security researchers. "A port scan is a method of checking a computer to see what ports are open by trying to establish a connection to each and every port on the target computer. If used by a network administrator on his own network, the scan is a method of determining any possible security weaknesses. If used by an outsider, the scan indicates whether a particular port is used and can be probed for weakness." Moulton v. VC3, 2000 U.S. Dist. LEXIS 19916 (ND Ga. November 7, 2000). Though port scanning is a common tool for security researchers, both in determining vulnerabilities in their own systems and surveying networks for information about deployed programs and security weaknesses, many researchers fear that the activity is arguably illegal under section 1030. Unfortunately, tales of consultants who are prosecuted criminally or civilly for informing authorities of vulnerabilities are common. A recent case is that of Stefan Puffer, a computer security analyst who was indicted after demonstrating to the Harris County, Texas District Clerk's office that its wireless computer network was vulnerable to unauthorized users. See "County Cuts Off Computer Network", Houston Chronicle, by Steve Brewer, March 21, 2002, available at http://www.chron.com/cs/CDA/story.hts/topstory/1302663#top. See also, "Ethical Hacker Faces War Driving Charges", The Register, by John Leyden, July 26, 2002, available at http://www.chron.com/cs/CDA/story.hts/tech/news/1507766. Many computer security practitioners fearfully view this prosecution as a case of shooting the messenger.
In another recent incident of a computer security practitioner being charged criminally, David McOwen, a PC specialist at Georgia's DeKalb Technical Institute was convicted for participating in a project by the non-profit organization distributed.net that allowed computer users to donate their unused processing power to test the strength of a certain type of encryption. McOwen installed the distributed.net programs on several of the machines he maintained for his employer. Eighteen months later, McOwen was charged under Georgia law with computer trespass. Facing up to 120 years in prison, McOwen decided not to challenge the application of the law to his conduct. Instead, he plead guilty for probation under Georgia's First Offender Act. "Plea Agreement In Distributed Computing Case", SecurityFocus, By Ann Harrison, Jan 18 2002 available at http://www.securityfocus.com/news/311. As a result, computer security professionals fear that distributed computing itself may be illegal. See "Is Distributed Computing A Crime?", SecurityFocus, by Ann Harrison, December 20, 2001 available at http://www.securityfocus.com/news/300. Cases such as McOwen's chill innovation and slow the adoption of valuable new technologies. People who innocently stumble upon vulnerabilities may also be dissuaded from reporting them. A few years ago, Center for Internet and Society Director Jennifer Granick (also counsel for this submission) received a telephone call from someone who noticed that a coworker was connecting to the Internet with PC Anywhere file sharing enabled. The caller believed that anyone else could access the co-worker's computer and view files, and successfully tested this theory by doing just that. The caller wanted to notify the co-worker that he was vulnerable and should change his computer configuration, but was afraid to do so, for fear that he would get in trouble for having viewed one of the co-worker's files. 
The attorney called the coworker and notified him, keeping the identity of the reporter secret. However, the attorney also
could not give the co-worker the kind of detailed information about why he was vulnerable and how he could fix the problem that the more knowledgeable reporter could. That valuable information was lost in the translation. Thus, the Commission must act carefully to strike the right balance between deterring crime and chilling business innovation and security research.

II. CURRENT GUIDELINES MAY BE OUT OF LINE WITH THE OFFENDER'S ACTUAL CULPABILITY, AND THE COMMISSION MAY SEE FIT TO AMEND THEM DOWNWARD

The Commission was also directed to consider "the potential and actual loss resulting from the offense, the level of sophistication and planning involved in the offense, whether the offense was committed for purposes of commercial advantage or private financial benefit, whether the defendant acted with malicious intent to cause harm in committing the offense, the extent to which the offense violated the privacy rights of individuals harmed, whether the offense involved a computer used by the government in furtherance of national defense, national security, or the administration of justice, whether the violation was intended to or had the effect of significantly interfering with or disrupting a critical infrastructure, and whether the violation was intended to or had the effect of creating a threat to public health or safety, or injury to any person." Many of these factors are already taken into consideration in the guidelines. A review of the current guidelines suggests that these factors are over-emphasized, and result in a sentence disproportionate to the defendant's culpability. The current scheme applies the guideline for economic crimes, specifically section 2B1.1, to most computer crimes. Theoretically, treating computer crimes like economic crimes is appropriate since the heartland of the offense is similar. However, Section 1030 crimes are treated more harshly than other crimes in several important ways. First, for all practical purposes, the starting offense level for computer crime cases is eight, because almost every computer criminal will receive a two level adjustment for the jurisdictional loss of $5000. Second, computer crimes almost always receive an enhancement for use of special skill in the commission of an offense. (3B1.3, 2B1.1(b)(8)). Third, the calculation of loss in computer crime cases is rife with problems that adjusts the sentence more harshly than in other economic crime cases.

A. The Typical Computer Crime Case Will Be Sentenced At Least As Harshly, If Not More So, Than Other Economic Fraud Cases

Most of the offenses set forth in section 1030 have as an element of the crime that the perpetrator causes $5000 or more in loss. For example, 1030(a)(5)(A) actions are offenses if the defendant caused or would have caused loss aggregated across victims during any one year period, aggregating at least $5000. 18 U.S.C. 1030(a)(5)(B). For violations of section 1030(a)(5)(A)(i), under subsection (c)(2)(B)(iii), if the value of information accessed is over $5000, then the offense is a felony rather than a misdemeanor. Since federal authorities will rarely prosecute misdemeanors, in almost every computer crime case, damages will be at
least $5000. Under Guideline 2B1.1, the Base Offense Level is 6. However, the BOL will be adjusted by at least two levels for loss, giving a minimum offense level of 8 for any prosecuted computer crime. This adjustment is "double counting", since the existence of $5000 of loss makes the offense not only a felony, but also enhances the Base Offense Level. Additionally, it has the effect of sentencing computer crimes more harshly than other economic crime cases. B. Special Skill Computer crime offenders disproportionately receive a sentencing enhancement for special skill. Under the pre-2002 guidelines, perpetrators received an adjustment under 3B1.3 for abuse of trust. That section provided that the district court may enhance the defendant's offense level if he "abused a position of public or private trust, or used a special skill, in a manner that significantly facilitated the commission or concealment of the offense." 3B1.3. The phrase "special skill" is defined as "a skill not possessed by members of the general public and usually requiring substantial education, training or licensing. Examples would include pilots, lawyers, doctors, accountants, chemists, and demolition experts." Id. comment. (applic. note 2). The "adjustment applies to persons who abuse their positions of trust or their special skills to facilitate significantly the commission or concealment of a crime. Such persons generally are viewed as more culpable." Id. comment. (backgr'd). The application of 3B1.3 overstates a defendant's culpability because almost every computer offense inherently requires abuse of trust or special skill. Though the public uses computers, it is generally uninformed about computer security matters. A computer intruder must either use a password that permits access, leading to an abuse of trust adjustment, or know how to circumvent the password requirement, leading to a special skill adjustment. 
In its 1996 Report to Congress on the adequacy of federal sentencing guideline penalties for computer fraud and vandalism offenses, the Commission reported that 32.5% of all computer crime cases received an upward adjustment for abuse of position/special skill, as compared to 8.8% of white collar cases and 3% of all cases. Table 2. Almost certainly, that percentage, and that discrepancy is higher today, if only because case law has supported a liberal application of 3B1.3 in computer crime cases. In United States v. Petersen, (9th Cir. 1996) 98 F.3d 502, the Ninth Circuit held that the special skill adjustment only requires that the offender have skills not possessed by members of the general public. Special education or certification is not a prerequisite. While the Petersen court did not hold that a special skill adjustment would apply in every computer crime case, it greatly liberalized any limits on when the adjustment would apply. Anecdotal evidence suggests that a special skill adjustment is applied in almost every computer crime case today. If the abuse of trust/special skill adjustment is applied, and the $5000 adjustment applies, then the minimum level at which the most innocuous computer crime offense would be punished is a level 10, not a level 6. Additionally, there's a special adjustment in 2B1.1 for "sophisticated means" under 2B1.1(b)(8)(B). "'Sophisticated means' means especially complex or especially intricate offense conduct pertaining to the execution or concealment of an offense. For example, in a telemarketing scheme, locating the main office of the scheme in one jurisdiction but locating soliciting operations in another jurisdiction ordinarily indicates sophisticated means. Conduct such as hiding assets or transactions, or both, through the use of fictitious entities, corporate shells, or offshore financial accounts also ordinarily indicates sophisticated means." 2B1.1. If this adjustment is also liberally applied to computer crimes, then the most basic computer crime offenses will be sentenced at a minimum level 12. This results in a minimum sentence more than two times as high as the minimum sentence for the most basic economic crime.

C.

The Special Calculation of Loss in Computer Crime Cases Results in Harsher Punishments Than That for Comparable Economic Crimes

Under the current sentencing law, the estimation of loss is the primary factor driving both economic and computer crime sentencing. Along with other relevant factors under the guidelines, loss should reflect the seriousness of the offense and the defendant's relative culpability. In economic crimes, the calculation of loss is generally limited to "reasonably foreseeable pecuniary harm." However, in computer crime sentencing, "actual loss includes the following pecuniary harm, regardless of whether such pecuniary harm was reasonably foreseeable: reasonable costs to the victim of conducting a damage assessment, and restoring the system and data to their condition prior to the offense, and any lost revenue due to interruption of service." USSG 2B1.1 Application Note 2(A)(v)(III). The inclusion of unforeseeable pecuniary harms in the definition of loss, including "any lost revenue due to interruption of service" results in computer crimes being treated more harshly than other crimes. Additionally, the categories of harm described as loss are not easily assigned objective monetary value. As a result, the loss estimation for identical offenses can differ widely, resulting in grossly disparate sentences for identical conduct. Additionally, the estimation of loss can be manipulated by victims, investigators and prosecutors. The cost of conducting a damage assessment depends more on the victim's actions than it does on the perpetrator. Assume an intruder compromises two computer systems in identical ways. One victim simply restores the hard drive from backup. The other victim hires $300-an-hour consultants to assess exactly what the intruder did and how he did it. The victim may also ask the consultants to review every other computer system they control, just in case the intruder gained unauthorized access there as well. This is "reasonable". However, in the first instance, the access does not result in loss equal to $5000.
The case will probably not be filed, and if it is, the perpetrator will probably not go to jail. In the second instance, the case will be prosecuted and a prison sentence will result. However, the perpetrator's actions and intent are identical. A similar problem occurs with including any lost revenue due to interruption of service in the loss calculation. Assume one intruder destroys a personal computer, while a second intruder places an unwanted program, like a packet interceptor on an e-commerce computer. The value of the personal computer and the information on it is probably low. The intruder's sentence will be low. In the second instance, the e-commerce server may have to be taken off-line. If the business is small, the loss will be low, but probably higher than the loss the individual has suffered. If the business is thriving, the loss could be very high. Again, the adjustment the perpetrator receives does not reflect the defendant's relative culpability, but depends on the nature of the victim. Individuals are probably less likely to be able to protect themselves against computer crime, or bounce back from an offense than well-to-do companies. Yet, less real damage on an e-commerce site will probably result in greater prison sentences than malicious destruction of a personal machine. Thus, the definition of loss appears to undermine victim-related adjustments in unwarranted and undesirable ways. Moreover, loss of revenue is difficult to measure. In the 2000 denial of service attacks on Yahoo! Inc., the company went off-line for about three hours. Yahoo! initially refused to estimate how much the attack cost it in lost revenue. Yahoo! makes money from sale of goods and from showing advertisements. It's difficult to estimate whether Yahoo! actually lost any sales or advertising contracts as a result. Yet, some analysts estimated that Yahoo!'s loss would add up to millions of dollars. ZDNet News, February 7, 2000 http://zdnet.com.com/2100-11518359.html?legacy=zdn n. Sources quoted by the Industry Standard estimated that losses for Yahoo! and eBay would amount to 1.2 Billion dollars. February 11, 2000, http://www.thestandard.com/article/display/0,1151, 9703,00.html. The attack was perpetrated by a Canadian juvenile who never gained unauthorized access to Yahoo! machines or harmed data on the victim systems. Yet sentencing according to these loss estimates would have resulted in the maximum punishment possible under the law. Similarly, section 1030(c)(2)(B)(iii) makes theft of data valued at over $5000 a felony offense. Valuing data is extremely difficult. For example, in U.S. v. Mitnick, the defendant accessed computers and viewed source code owned by the victim companies.
The victims reported their estimate of the entire cost of research and development as their actual loss in the case, amounting to approximately 80 million dollars. However, the companies were not deprived of the use of that information, nor was it redistributed to competitors, thus reducing its use value. Subsequently, one of the victims started giving the same source code away for free. Additionally, none of the companies reported any economic loss as a result of the intrusions in their SEC filings. Of course, loss can be difficult to estimate in any economic crime cases. However, this is a serious problem in computer crime cases because loss includes unforeseeable pecuniary harm, losses defined by victim's conduct rather than offense conduct, and more commonly involve the valuation of data and intellectual property. As a result, the loose measure of loss undermines uniformity in sentencing. It also means that loss can be a distorted, or even wholly inaccurate, reflection of the defendant's culpability. Finally, it means that loss can be structured by victims, law enforcement and prosecutors, to manipulate the number of felonies charged and the sentences for them. In the commentator's experience, victims will be asked for estimates of how much time they spent on the problem, without being informed what type of efforts count towards loss (e.g. damage assessment) and what efforts do not (e.g. improving the security of the system). Victims often do not supply documentation to support their estimates. Rather, they estimate or summarize. The victims do not know that the law imposes limitations on factors that contribute to loss, so they naturally throw in everything.

Law enforcement fails to ensure that loss estimates are reasonable by not providing victims with guidelines to define loss. But the flexible definition of such an important factor leaves sentencing open to manipulation. In one of counsel's cases, the investigating FBI agent sent victims an email instructing that they document as much time spent investigating the problem as possible. For every $5000 they found, the email advised, the government could add another charge. Similarly, loss has become a huge bargaining chip in plea bargain negotiations. In the beginning of a case, the Department of Justice has early damage estimates based on initial contact with victims during the investigatory stage. Prosecutors will often offer the defendant a plea bargain based on that number. The prosecution tells the defendant that if he does not plead, they will contact victims that did not respond, or re-contact victims to gather additional evidence of damages, thus opening up the possibility of greatly increased loss estimates. Defendants, including those with potentially meritorious defenses, are frightened into entering a plea because the uncertainty of damages means they could do vastly more time in prison once the Department has beaten the bush for numbers from victims. Loss as currently defined is at risk of completely failing to accurately assess either actual harm, defendant's culpability, or proportionality in sentencing. Also, such vague categories open the sentencing process up to manipulation.

D.

The Statute And The Guidelines Do Not Distinguish Between The Culpability Of Offenders Acting With Less Criminal Intent

Relying so heavily on loss as a sentencing factor in computer crime cases misrepresents the defendant's true culpability. This point is further illustrated by the fact that malicious intent to cause harm will be punished less severely than negligent or reckless intent to cause harm if the ultimate loss amount is less. Section 1030(a)(5)(A) sets a maximum of ten years for malicious harm, five years for reckless harm, and one year for unintentional or negligent harm, unless the intrusion was for commercial advantage, in furtherance of another criminal offense or involved the theft of information worth more than $5000. In the first case, the intruder maliciously uses a software program to delete data on the victim computer in violation of 1030(a)(5)(A)(i). The system administrator restores the data from back up in approximately two hours. The maximum sentence is ten years. However, even though the defendant acted maliciously, the crime would probably not be charged, because the loss is well below $5000. In the second case, a teenager uses a program he finds on the Internet to get into his school's computer network. While looking around, he unintentionally corrupts the computer database. The school has to purchase new software and hire consultants to try to restore the data. The consultants bill the school for 40 hours of work at $300 an hour. The curious student has amassed $12,000 in damages. The offense would have had a cap of a year in jail. However, the damages exceed $5000, so the maximum is five years. The student would be sentenced at a level 12, or 10 to 16 months. (BOL 6, loss 4, special skill to download and run the program 2).

III. CONCLUSION

We encourage the Sentencing Commission to act very carefully with regard to computer crime sentencing. We need to eschew simplistic, expensive, and ineffective tactics like inflexible, harsh sentencing. Those convicted of computer crimes are already punished more harshly compared to similar crimes. Additionally, there are fundamental problems with the way computer crimes sentences are currently determined. These problems should be resolved before the Commission considers new enhancements or penalties. Failure to address these problems, particularly the problem with the special definition of loss including unforeseeable pecuniary harms, USSG § 2B1.1 Application Note 2(A)(v)(III), results in sentences which are disproportionate to the defendant's culpability and which chill legitimate computer security research, reporting and adoption of new, beneficial technologies. We believe that the Commission should not increase sentences for computer crime offenses. Also, the Commission should consider ways to revise the current scheme to resolve these issues.

Dated: February 19, 2003

Respectfully submitted,

By:

Jennifer Stisa Granick, California Bar No. 168423

Center for Internet and Society

559 Nathan Abbott Way

Stanford, CA 94305-8610

Tel. (650) 724-0014

Counsel for Commentators

Carmen D. Hernandez, Co-Chair, Sentencing Guidelines Committee, National Association of Criminal Defense Lawyers, One Columbus Circle, N.E. Suite G-430, Washington, D.C. 20544

Malcom C. Young, Executive Director, Sentencing Project, 514 - 10th Street, N.W., Suite 1000, Washington, D.C. 20004

Lee Tien, Senior Staff Attorney, Electronic Frontier Foundation, 454 Shotwell Street, San Francisco, CA 94110

Hurray for Criminals! (-1, Flamebait)

Nathan Ramella (629875) | more than 11 years ago | (#5353255)

Pffft.

Well, well, well . . . (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5353257)

Looks like Kevin Mitnick is putting that book-deal money to good use!

Punishment? What punishment? (2, Funny)

Anonymous Coward | more than 11 years ago | (#5353260)

I used to (note: past tense) belong to a small group of website defacers during my script-kiddie period. Three people and about 160 websites in a month. During about 4 months, one of us got 2 phone calls telling him to stop and two cases of soft drinks for pointing out a flaw in some company's online security. I got one warning on IRC. The third guy got away clean.

What punishments are you talking about??

Perhaps the hacking penalties are fine... (4, Interesting)

TopShelf (92521) | more than 11 years ago | (#5353267)

And the white collar fraudsters should be hit harder? I think I'd rather see that myself. Send Skilling, Lay, and their ilk up the river for an age and a day.

Re:Perhaps the hacking penalties are fine... (1)

gorilla (36491) | more than 11 years ago | (#5353329)

That's a very easy argument to make. White collar crimes are the least heavily punished. Someone who steals a $10,000 car will be less heavily punished than someone who defrauds $100,000

Re:Perhaps the hacking penalties are fine... (5, Funny)

nomadic (141991) | more than 11 years ago | (#5353334)

You can't send all the president's friends to jail, who will he invite to his barbecues?

Great White... (-1)

crow_t_robot (528562) | more than 11 years ago | (#5353273)

...is an al-quesadilla cover band! They are spreading terror and band music all over the country! Who the fuck would go see this fucking band? Drink up your budweiser and shoot off your pyros you motherfucking rednecks. Unfortunately, I hear that the band survived. FUCK REDNECK ROCK! AND THAT GOES FOR YOU BON JOVI FAGGOTS TOO. No more of your drunk shitbag antics.

It's all about lizards (-1, Troll)

TheLzardKng (651485) | more than 11 years ago | (#5353275)

In the lizard community we always punish our own the same. We pull off their tails... end of story... I mean you steal another lizard's fly whether you work for him or not we will pull off your tail. I AM THE LIZARD KING

Fairly amusing (3, Informative)

Com2Kid (142006) | more than 11 years ago | (#5353281)

I believe it would be better off to just go and steal stuff old school than to do it via hacking.

Hint Hint You are more likely to get your Credit Card number stolen by giving your card to the waiter/waitress in a restaurant to have the bill paid than by having it stolen over the net!

That is fraud though. . . . maybe identity theft? A better defining line needs to be made up, not all that happens over a computer is "hacking", intent should be judged as well as actions. If a person goes into a bank pointing a gun it is not automatically a bank robbery, it could very well be a hostage situation. Intent, ya know?

Read... (3, Interesting)

aengblom (123492) | more than 11 years ago | (#5353285)

sipthe seriousness of the offense is generally comparable to white-collar fraud cases.

Read: The fast-growing, little-punished type of crime that destroys the finances of thousands every year.

"Hacking" is no more the refuge of the geek. True criminals have embraced it as a way to siphon off lots of money with little risk.

Let's not charge people looking for CC#'s with terrorism, but let's not label it "annoying" and offer up slaps for people's wrists.

Too Harsh? (5, Insightful)

methuseleh (29812) | more than 11 years ago | (#5353292)

Are hackers sentenced too harshly, or are "comparable" criminals not sentenced harshly enough?

me != surprised (5, Insightful)

alaric187 (633477) | more than 11 years ago | (#5353294)

It's because lawmakers have no idea what hacking is. All they know is that the news and their handlers and their real constituents (donors) say it's very bad. It's just like way back in the day when people were put in institutions for being depressed. No one knew why they were depressed so they just put them away.

Now, I'm not saying that hacking others' equipment is good. I'm just saying that the punishment should fit the crime, not get 10 years in jail because you made the RIAA website say they love mp3s instead of money.

Re:me != surprised (1)

Tribbin (565963) | more than 11 years ago | (#5353485)

One person on tweakers.net said "people's view on hacking is the same as people's view on witchery thousand years ago."

People don't understand it and think hacking is witchery. They are afraid of it so they punish the hackers harder.

Note To Self: (5, Funny)

OwlofCreamCheese (645015) | more than 11 years ago | (#5353295)

Note To Self: change plans from hacking to fraud.

The problem isn't the harsh sentences for hackers (4, Interesting)

Mothra the III (631161) | more than 11 years ago | (#5353297)

It's the inability to impose proper sentences for violent criminals and drug offenders. I have no sympathy for people invading companies' computers for whatever reason and they should be punished harshly. I have better things to do on my weekends than combat those assholes. But there is a need for reform in the way punishment is administered for violent criminals and longer sentences need to be handed out.

Re:The problem isn't the harsh sentences for hacke (2, Insightful)

gorilla (36491) | more than 11 years ago | (#5353342)

Yeah, drug offenders are also punished far too hard.

I agree (5, Interesting)

Visaris (553352) | more than 11 years ago | (#5353307)

If I break into someone's house, I'll be charged with breaking and entering, and with trespassing.

If I hack into someone's network and don't even do anything but look around, I'm charged with causing losses of millions. I'm charged with stealing any sensitive content I gained access to whether or not I even looked at it. Not to mention they'll slap all the cybercrime and terrorism laws they can find down on me too. It has nothing to do with the severity of the laws, just that you get pinned with so many of them.

Re:I agree (1)

DoctorPepper (92269) | more than 11 years ago | (#5353417)

Well here's a clue, dumbass, don't break into someone else's network! It's just that simple.

Don't do the crime if you can't do the time.

Re:I agree (5, Insightful)

NineNine (235196) | more than 11 years ago | (#5353430)

What if you were to break into a bank vault? Not take anything, just break in and look around? You'd be up shit creek without a paddle. How about breaking into a military base "just to look around"? How about breaking into a casino's back rooms?

In case you haven't noticed, you can't just go where ever you want just to look around.

White collar? (2, Interesting)

PincheGab (640283) | more than 11 years ago | (#5353323)

comparable to white-collar fraud cases.

If hacking isn't white-collar, then what is?

I think they mean CRACKERS. (-1, Informative)

MisterFancypants (615129) | more than 11 years ago | (#5353330)

HACKERS are people who work on cool technology like GNU/Linux.

CRACKERS are TASTY TREATS!!!

TOUCH MY MONKEEEY!!!

Re:I think they mean CRACKERS. (1)

$$$$$exyGal (638164) | more than 11 years ago | (#5353386)

I prefer the term "malicious hacker". The word "cracker" is a "TASTY TREAT" as you so eloquently pointed out.

--sex [slashdot.org]

Improper premise. (0)

Anonymous Coward | more than 11 years ago | (#5353459)

We are speaking about people who break things.

A cracker is someone who exposes a crack in a brittle security. A food-cracker is brittle and is easily broken. A cracker, as applied in the proper premise of a noun, is someone who cracks.

In the premise of computer software security, a cracker breaks through the security, or shall I say the implied insecureness, of a specific software to gain access to the unprotected core the security-software aided in disguising.

A Long Time Ago ... (3, Funny)

Anonymous Coward | more than 11 years ago | (#5353331)

I remember when there weren't any specific computer crime laws on the books in the U.K. and prosecutors tried to charge the accused with theft of electricity.

white-collar fraud (3, Interesting)

doubtless (267357) | more than 11 years ago | (#5353337)

I can see that sometimes the claims of damage in online crimes can be ridiculously high. However, if the claims of damage are reasonable, I don't see why the punishment should be any lesser than any other crime.

I think white-collar criminals are already getting far less punishments than they should. How could someone who screws up the millions of dollars from their employees be subjected to punishment comparable to shoplifters or burglars?

Really? (2, Funny)

neocon (580579) | more than 11 years ago | (#5353341)

<sarcasm> Wait, a large group of defense lawyers said that penalties are too tough for the types of cases they sometimes work on? Really?! Now why would they do that? </sarcasm>

MY ASS THEY ARE TOO PUNNISHEd! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5353350)

They deserve what they get!

They did something that someone didn't like!

They were caught!

A photo of Dmitri Skylarov [nbswebfx.com], the famous Russian hacker, shaking hands/accepting forgiveness by the Adobe CEO.

LET ME TELL YOU, ONLY THE BEST CRACKERS NEVER GET CAUGHT...AND THAT IS WHY THE BEST CRACKERS MADE EVERYONE HATE HACKERS AND NOT THE REAL "CRACKORS" - Understand my paradigm?

Too harshly....in United States of America (5, Informative)

jsse (254124) | more than 11 years ago | (#5353353)

arguing that people convicted of computer-related crimes tend to get stiffer sentences than comparable non-computer-related offenses.

Only in US. Convicted hacker Raphael Gray, who stole 23,000 credit card no. and sent Bill Gates boxes of Viagra [bbc.co.uk] , was only sentenced to three years of community rehabilitation [iafrica.com] . As he told BBC:

"...Kevin Mitnick was stopped from going near computers, even from working a cash register, but they can't do that in this country.

I've had two job offers - one from the guy who tracked me down..."

Re:Too harshly....in United States of America (0)

Anonymous Coward | more than 11 years ago | (#5353376)

"...I've had two job offers - one from the guy who tracked me down..."

Was the other job offer the one in the prison, making uncomfortable wooden chairs with Bubba?

The Witches of Yesterday... (5, Insightful)

jetkust (596906) | more than 11 years ago | (#5353354)

...are the hackers of today.

White collar crime isn't punished seriously enough (1)

TXP (592446) | more than 11 years ago | (#5353372)

The system is fubar'd, CEOs who milk the system and break the law should be comparable to treason but get off completely, while pot users and dealers are in jail for minor crimes.

Something is wrong when murder gets you less time. (5, Insightful)

Anonymous Coward | more than 11 years ago | (#5353373)

"... McOwen was charged under Georgia law with computer trespass. Facing up to 120 years in prison..."

A man installed a program that for all intents and purposes is a screen saver and he could have been forced to serve 120 years in prison had he not plea bargained. Clara Harris killed her husband with her Mercedes, was found guilty of 1st degree murder, and was only sentenced to 20 years (she'll get out in 10).

I think something is wrong with a system that gives you more time for installing a program that doesn't do any damage than it does for murdering a person in cold blood.

This is a symptom (2, Insightful)

argoff (142580) | more than 11 years ago | (#5353390)


A symptom that copyrights are unenforceable, so the only way they can compensate is by fear mongering with draconian punishments. Our response should be to act in civil disobedience whenever possible. The sooner we force this thru, the sooner we can get on with the information age.

6th Grader Charged in Grade-Switch Caper (5, Interesting)

Anonymous Coward | more than 11 years ago | (#5353396)

Check this out:

Story [gopbi.com] (palmbeachpost.com)

An 11 year old snuck into his classroom during lunch and changed some of his grades on his teacher's computer. He was caught and is now facing FELONY computer fraud charges. Tell me that's not a bit ridiculous.

-Dan.

When I read that story (0)

Anonymous Coward | more than 11 years ago | (#5353435)

it struck me that the kid had motivation, ingenuity, and guts. He saw a problem, weighed the options, formed a plan, and took action. Move him into advanced placement, if you ask me.

Re:6th Grader Charged in Grade-Switch Caper (5, Insightful)

stratjakt (596332) | more than 11 years ago | (#5353488)

No, it isn't ridiculous at all that he face the charges. He knew what he was doing was against the law when he did it. He committed felony computer fraud, and is being charged with it.

What would be ridiculous would be his being tried and convicted as an adult, and spending 10 years in a max security prison. But that won't happen, he'll get the warning and the incident will go into his sealed juvenile record.

IMO there's too much 'juveniles shouldn't be punished after all they're just kids' sentiment. Youngsters know this, and commit more and more crime knowing they won't be severely punished.

It would be ridiculous if the teacher gave him permission to use the computer, and in doing so he accidentally formatted the C: drive, or something like that. But if he knowingly committed a crime (which it would seem he did), he should be prosecuted for it.

Exactly backwards (3, Interesting)

fleener (140714) | more than 11 years ago | (#5353400)

The issue isn't tough sentencing for hackers. The issue is that white collar criminals get off light.

Hacking is not a white collar crime. When I think of white collar crime I see millionaire executives spending stolen money for blow jobs by preteens in foreign countries. When I think of hacker crime I see a trail of empty Mountain Dew bottles and Cheetos bags. Hackers need to become filthy rich before they can play the courts like the big boys do.

Extreme cases aside, most hacking is like kids stealing cars to take 'em for joy rides. Sure, a few people get hurt by each crime, but it's not like you have a few hundred thousand stock holders who'll have to work 10 extra years before they retire because their portfolios are toast.

Computer offences are actually underplayed.... (3, Insightful)

Brian_Ellenberger (308720) | more than 11 years ago | (#5353407)

"The (majority) of the offenses are generally disgruntled employees getting back at the employer or trying to make money."

And how is this not serious? Destruction and blackmail are extremely serious and should not be tolerated in society.

Prison is not just rehabilitation. It is a deterrent. If there were little or no consequences to, say, wiping out a server just because you are mad you got fired then many many more people would do it. Consequentially companies would crack down hard on everyone and treat all employees like assumed criminals.

Most of the world we live in is based on trust. Most homes and businesses are relatively easy to break into. And if the consequences for such actions were light then more people would be trying it just for fun. And then home owners would have to put bars on their windows and constantly worry about keeping their house secure.

In fact, this is essentially what Slashdotters are recommending people do to their computers. Most people have better things to do with their lives than worrying about locking down their computer from hackers. How about the hackers stay on their own boxes and stay the heck away from everyone else's!! If someone breaks into my computer, it is not MY fault the computer was easy to crack. It is the hacker's fault for doing something they weren't supposed to do. And the hacker should go to jail for it, just as they would go to jail for breaking into my house and checking out all my stuff. I don't care if they steal anything or not, it is an invasion of my life and privacy!

I am sick of the hypocrisy of Slashdot getting all up in arms about the Patriot Act and then worshipping Kevin Mitnick. At least I can vote against the Congressmen who supported the Patriot Act. I can't vote to keep Mitnick wannabes off my computer, except to vote to put them in jail where they belong.

Brian Ellenberger

Modern "Witch Hunt" (5, Informative)

resistant (221968) | more than 11 years ago | (#5353408)

People have always tended to be hysterical about that which they fear and don't understand. They see this "hacking" (it should be called "cracking" in this context, but that's a lost cause) as a vaguely defined but fearsome threat, regardless of the actual reality of harm, and clamor for the modern equivalent of witch burnings [washington.edu].

We need strict sentences for hackers/crackers (4, Funny)

Billly Gates (198444) | more than 11 years ago | (#5353441)

For example, Mitnick had to be in solitary confinement because he could have launched a nuclear war from a pay phone! Just ask the FBI or the judge taking his case!

It's not like it takes an order from the president with full access codes to launch a strike or anything. Just a dialtone and a modem from the computer that launches the strikes.

Also he could have obstructed justice by using a walkman or radio because he could have turned it into a hacking device. The FBI needed to take these privileges away as well so he can stare at the walls and do nothing in his solitary confinement for 7 months while still technically innocent, I may add. I mean screw John Gotti. This man is clearly more dangerous to our whole American way of life.

Also look at economic sabotage and espionage caused by Jon Johnson from reading his own personal DVDs? The RIAA and the BSA claimed they lost over 9 billion a year because of piracy. It's a shame and we all know that these kids and college students can easily afford Adobe Photoshop, 3dStudioMax and all of Nsync's and Britney Spears' artistic masterpieces of great music which is worth every penny of the price so it must be piracy! We need to stop these so called terrorists before they kill every man woman and child on earth. Hopefully some hardware based solution will be the salvation towards the problem.

Do we want the whole economy to fall apart and lose millions of jobs because of lenient sentencing? Somebody please think about our children.

But I'm angry now (4, Interesting)

ellem (147712) | more than 11 years ago | (#5353447)

Well this is really quite simple.

Computers are for "smart" people

People feel marginalized when they don't understand even the basic concepts of what has happened

Therefore when a CEO realizes they have been hacked/cracked (you fight that out) they feel even more violated since they don't even understand how someone could get past all the hardware they bought and all those 45-100K+ people they have running around purporting to be computer experts.

Their anguish is then felt by attorneys who can't understand the crime, the criminals or why everyone is so upset. The one thing they do know is that THAT FAT GUY WITH THE UNKEMPT BEARD AND THE WEIRD SHIRT THAT HAS THE FORMULA FOR HELL ON EARTH:

#! /usr/bin/perl

ON HIS SHIRT IS DEFINITELY GUILTY!

And that's pretty much what happens.

Too Harshly? (5, Funny)

handy_vandal (606174) | more than 11 years ago | (#5353477)

Too harshly? Why, in my day, after Prometheus stole fire and gave it to mankind, we chained the guy to a rock and had a giant bird eat out his liver every day. Now that's punishment!

*BSD is dying (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5353482)

It's undeniable.

I think.. (5, Interesting)

Maeryk (87865) | more than 11 years ago | (#5353491)

That a lot of the problem here is due to double standards and lack of accountability.

Joe Schmoe embezzles from his S&L firm for ten years, gets caught, and it is realized that he made off with 500K. He is slapped on the wrist, fired, made to "pay it back" on time deferred payments, or maybe stuck in a white collar prison/country club for a few years.

Mike, the l337 hacker from down the street, defaces Stuff-Mart's web page, pointing out that Stuff-Mart buys 80% of its stuff from China, where it is made in forced child labor camps at gunpoint, and it is repaired in an hour.

Now.. Stuff Mart's lawyers tell the jury that they *potentially* lost MILLIONS due to the damage, (when in fact, they did not "lose" anything.. and there is no way to prove how many people would have bought during that time anyway). The SM lawyers also point out that it cost "an estimated 100K dollars to repair the damage!".. which means they just budgeted in A) the new server and colocation company to handle the site, B) the three person team who maintains and handles the site already, and C) all of their IT staff who received an Email about the "hack" and therefore were "working" on it.

It's all about what the jury wants to hear, and all about language.. "potential" is used ahead of "we could have potentially lost BILLIONS in sales!" but the judge/jury does not hear the "potential". Nor do they realize that 99% of that IT staff was already working there, doing their routine jobs, and had nothing to do with the repair anyway.

(Same reason a procedure at the hospital that took all of 15 minutes costs your insurance company as much as your house did.. funky accounting and everyone wanting to be "in" on the action.)

I think a lot of "hacking" is a no harm no foul problem anyway.

Maeryk