As you read this, an unusual legal case history is being established around the prosecution of computer crime. Because computer crime is still a relatively new aspect in the arena of law and prosecution, each and every case sets important precedent that will be called on in upcoming cases. The growing concern by many people seems to be the drastic nature of punishments being levied against computer intrusions. Not only are the punishments not seeming to fit the crime, there is little consistency in the legal system's application of punishment to these people.
Previous articles have pointed out the disturbing trends in damage figures which directly affect sentencing in these cases. Unfortunately, the emerging problem seems to go well beyond suspicious damage figures. It is difficult to say exactly why the punishment for computer crime is so severe. Some people speculate it is the public perception of hacking and the FUD (Fear, Uncertainty and Doubt) surrounding it while some think it is nothing more than sacrificial lambs taking the brunt of public outcry. Others feel it can't be logically explained. I think the best answer is that computer crime is still shocking society, which overreacts in response.
The immediate disparity can be seen when comparing the sentencing between computer and non-computer crimes. While more traditional and material crimes like assault, burglary and murder are receiving what seems like light sentences, computer crime convicts are becoming the bearers of exceptionally stiff and smothering sentences. Not only are the prison sentences extraordinarily lengthy, the terms of probation are baffling and rough. Instead of a probation that encourages reform and nurtures a good life better than the previous life of crime, it thrusts the convicted into a life of poverty and despair.
Shortly after the new year, I was watching the news in a New York hotel and caught the follow-up of a story begun some two to three years prior. The news went on to say that a 21-year-old man convicted of killing his baby was being released after two years of prison. He and his wife and killed their infant some three years age, and his prison term was two years. Surely this is one case that slipped through our justice system and let these killers off easy? A quick search yields that this is not necessarily uncommon. Patrick Jack served a two-year sentence for manslaughter after stabbing Francis Sunjay Weber with a pair of scissors. Another article that discusses short sentences mentions yet another case in which a 17-year-old Marysville girl was shot and killed. Her killer was in turn sentenced to 27 months in prison for his crime. These cases make me wonder about the effectiveness of our legal system.
On the flip side, two recent computer crime cases perfectly illustrate the baffling seriousness and resulting prison time that now accompanies computer crime. Eric Burns recently pled guilty to ONE felony count of computer intrusion, and took the blame for the defacement of the White House web page. For his confessed crimes, he was sentenced to a $36,240 fine and 15 months in prison. A second longer story unfolded recently, telling us of a small group of hackers known as the Phone Masters who wielded amazing control of computers and phone networks. One of the individuals, Corey Lindsley, was sentenced to 41 months in prison for his 2 felony counts. The last comparison is the infamous Kevin Mitnick saga in which Mitnick spent a total of 5 years in jail and prison for what ended up being five felony counts of computer related crimes.
What should be noted is the comparison of crimes. Burns' single felony is basically nothing more than high tech graffiti, a sort of digital spray paint on a federal building. What would that crime fetch for a sentence if done in the real world? Certainly not fifteen months of prison. Manslaughter can fetch as low as two years of prison time, while Lindsley and Mitnick sit in federal prison for four and five years respectively. This disparity is hard to believe considering the gruesome nature of manslaughter and killing a young baby as compared to altering the web page of an Internet web site.
Conditions of Probation
Even if you could dismiss the harsh penalty for relatively minor crimes, you would then face another practice that is becoming all too common with computer crime. After subjecting computer intruders to the long trial, large fines and lengthy jail terms, the real injustice occurs. It is not uncommon for people to be put on probation for one to five years for any felony conviction. I think it is fair to say that a probation term of two to three years is a sound average. Probation terms for most crimes are generally the same, preventing convicts from certain behavior and actions that are not appropriate. Some of these terms are not associating with known criminals, possessing weapons, use of drugs, and more. One thing about these terms are they tend to be generally the same with little variation based on crime.
For those convicted of computer crime, the probation guidelines are quite different. A quick review of the terms and conditions of Kevin Mitnick's probation bring on a whole new set of computer crime specific terms:
Reading these, one can begin to see how this limits a convicted computer intruder in life after prison. Some argue that as convicted felons, who cares? They are getting what they deserve. Perhaps that is true, but why don't murderers and rapists receive special terms for their probation that might be deemed appropriate? Some of the few crimes that receive no special terms?
The purpose of incarceration and the following probation is to punish and rehabilitate the convict. Probation specifically is geared to help push the criminal into a structured life without influences that may lead to their return to a life of crime. However, in the case of computer crime the probation guidelines do a lot more than discourage further computer crime. Some of the few acts they will be banned from:
Surprising as it seems, all of the above become illegal to most people on probation for computer crimes. Imagine living for three years with those restrictions hovering over you. Is this really a good guideline to get you back on the right track and lead a good life without bad influence? Or is this a well lit path encouraging you to break the terms of probation and risk more prison time?
If you are thrust into society after a lengthy prison sentence, stripped
of opportunity to work in the one field you previously excelled in, what
options does that leave? Unable to work in most modern and computerized
jobs, unable to work near computers, it leaves the convict with several
years of difficult living at below poverty level. Hardly the rehabilitation
that was intended or needed.
Recouping Your Tax Dollars
It is well established that those caught and convicted of any crime are subjected to restitution. The amount is typically arrived at by calculating the damage figures against the victim(s). If a bike worth one hundred dollars was stolen, the criminal could be ordered to pay restitution that included the cost of the bike, court fees the victim paid for, emotional distress, etc. One thing that has not historically been factored in is the cost of the investigation or the time and effort of the officers involved in solving the crime. Apparently the money associated with the law enforcement efforts was not a factor for one reason or another.
Once again, when computer crime enters the equation, circumstances seem to change. In May of 1997, Wendell Dingus was sentenced by a federal court to six months of home monitoring for computer crime activity. Among the systems he admitted to attacking were the U.S. Air Force, NASA and Vanderbilt University. What is different about this case is the court's order for Dingus to repay $40,000 in restitution to the Air Force Information Warfare Center (AFIWC) for their time and effort in helping to track him.
It is odd that the court systems are now levying punishments for computer crimes not based on the damage that was actually done, rather it is based on the amount of time, money and resources required to track down or fix the system's vulnerability. Worse, they are then lumping on time and resources required to (belatedly) create pro-active preventative measures from future intrusions, something that should have been done in the first place. So the system intruder is now responsible for future intrusions, yet the administrators were not in the first place?
When the police or FBI catch up to a robber, defrauder or murderer, they are charged and punished for their crimes. It is generally unheard of for these criminals to receive punishments and fines based on the efforts of the law enforcement tracking them down. Think of how much time and resources the FBI put into tracking down a serial killer that has been roaming our country for years. How many air plane trips, car rentals, hotels, overtime, examination and forensic equipment, food reimbursement and who knows what else do our tax dollars go to pay for? Why aren't these levied against the criminal like they are now starting to do with computer crime?
One difficult aspect that creeps back into computer crime cases is the blanket laws covering a wide variety of people and activities. As a computer crime investigator brought up in a conversation recently, a homicide typically affects a family, friends and perhaps a small community, while a concentrated computer attack could affect the lives of thousands of people or more. There are certainly exceptions to each type of crime but in general, that statement seems to be reasonable. The bottom line is that more consistency needs to be developed between traditional crimes and computer crimes.
In Texas, it is a Class B misdemeanor for graffiti if the damage is less than $500. In reality, most Web page defacements done today can be recovered from and dealt with for less than $500. Anyone saying otherwise is likely to be the consultant profiting heavily at your expense. So why is it that a young kid who spray paints a wall gets hit with a small fine, and a young kid who spray paints a Web site gets fifteen months in jail and tens of thousands of dollars in fines?
I think it is time for the media to quit hyping up computer crimes and introduce a dose of sanity to the Fear, Uncertainty and Doubt they love to bring to 'hacker' stories. The legal system needs to give a serious look at the disparity in how they handle various crimes. I think it is pretty obvious that something is wrong when a knife wielding murderer does less time than a keyboard wielding fourteen-year-old.
email Brian Martin