http://www.thesynthesis.com/tech/crimepunishment/index.html

The Crime of Punishment



As you read this, an unusual legal case history is being established around the prosecution of computer crime. Because computer crime is still a relatively new aspect in the arena of law and prosecution, each and every case sets more important precedent that will be called on in upcoming cases. The growing concern by many people seems to be the drastic nature of punishments being levied against computer intrusions. Not only are the punishments not seeming to fit the crime, there is little consistancy in the legal system's application of punishment to these people.

Previous articles have pointed out the disturbing trends in damage figures which directly affect sentencing in these cases. Unfortunately, the emerging problem seems to go well beyond suspicious damage figures. It is difficult to say exactly why the punishment for computer crime is so severe. Some people speculate it is the public perception of hacking and the FUD (Fear, Uncertainty and Doubt) surrounding it while some think it is nothing more than sacrifical lambs taking the brunt of public outcry. Others feel it can't be logically explained. I think the best answer is that computer crime is still shocking society who overeacts in their response.

The immediate disperity can be seen when comparing the sentencing between computer and non-computer crimes. While more traditional and material crimes like assault, burglary and murder are receiving what seems like light sentences, computer crime convicts are becoming the bearers of excepetionally stiff and smothering sentences. Not only is the prison sentences extraordinarily lenghty, the terms of probation are baffling and rough. Instead of a probation that encourages reform and nurtures a good life better than the previous life of crime, it thrusts the convicted into a life of poverty and despair.


Jailtime

Shortly after the new year, I was watching the news in a New York hotel and caught the followup of a story begun some two to three years prior. The news went on to say that a twenty-one year old man convicted of killing his baby was being released after two years of prison. He and his wife and killed their infant some three years age, and his prison term was two years. Surely this is one case that slipped through our justice system and let these killers off easy? A quick search yields that this is not necessarily uncommon. Patrick Jack served a two-year sentence for manslaughter after stabbing Francis Sunjay Weber with a pair of scissors. Another article that discusses short sentences mentions yet another case in which a 17-year-old Marysville girl was shot and killed. Her killer was in turn sentenced to 27 months in prison for his crime. These cases make me wonder about the effectiveness of our legal system.

On the flip side, two recent computer crime cases perfectly illustrate the baffling seriousness and resulting prison time that now accompanies computer crime. Eric Burns recently plead guilty to ONE felony count of computer intrusion, and took the blame for the defacement of the White House web page. For his confessed crimes, he was sentenced to a $36,240 fine and 15 months in prison. A second longer story unfolded recently, telling us of a small group of hackers known as the Phone Masters who wielded amazing control of computers and phone networks. One of the individuals, Corey Lindsley, was sentenced to 41 months in prison for his 2 felony counts. The last comparison is the infamous Kevin Mitnick saga in which Mitnick spent a total of 5 years in jail and prison for what ended up being five felony counts of computer related crimes.

What should be noted is the comparison of crimes. Burn's single felony is basically nothing more than high tech graffiti, a sort of digital spray paint on a federal building. What would that crime fetch for a sentence if done in the real world? Certainly not fifteen months of prison. Manslaughter can fetch as low as two years of prison time, while Lindsley and Mitnick sit in federal prison for four and five years respectively. This disparity is hard to believe considering the gruesome nature of manslaughter and killing a young baby as compared to altering the web page of an Internet web site.


Conditions of Probation

Even if you could dismiss the harsh penalty for relatively minor crimes, you would then face another practice that is becoming all too common with computer crime. After subjecting computer intruders to the long trial, large fines and lenghty jail terms, the real injustice occurs. It is not uncommon for people to be put on probation for one to five years for any felony conviction. I think it is fair to say that a probation term of two to three years is a sound average. Probation terms for most crimes are generally the same, preventing convicts from certain behavior and actions that are not appropriate. Some of these terms are not associating with known criminals, possessing weapons, use of drugs, and more. One thing about these terms are they tend to be generally the same with little variation based on crime.

For those convicted of computer crime, their probation guidelines are quite different. A quick review of the terms and conditions of Kevin Mitnick's probation bring on a whole new set of computer crime specific terms:
   A. Absent prior express written approval from the Probation Officer,
   the Petitioner shall not possess or use, for any purpose, the
   following:
       1. any computer hardware equipment;
       2. any computer software programs;
       3. modems;
       4. any computer related peripheral or support equipment;
       5. portable laptop computer, 'personal information assistants,'
          and derivatives;
       6. cellular telephones;
       7. televisions or other instruments of communication equipped with
          on-line, internet, world-wide web or other computer network access;
       8. any other electronic equipment, presently available or new
          technology that becomes available, that can be converted to or has as
          its function the ability to act as a computer system or to access a
          computer system, computer network or telecommunications network
          (except defendant may possess a 'land line' telephone);
   B. The defendant shall not be employed in or perform services for any
      entity engaged in the computer, computer software, or
      telecommunications business and shall not be employed in any capacity
      wherein he has access to computers or computer related equipment or
      software;
   C. The defendant shall not access computers, computer networks or
      other forms of wireless communications himself or through third
      parties;
   D. The defendant shall not act as a consultant or advisor to
      individuals or groups engaged in any computer related activity;
   E. The defendant shall not acquire or possess any computer codes
      (including computer passwords), cellular phone access codes or other
      access devices that enable the defendant to use, acquire, exchange or
      alter information in a computer or telecommunications database system;
   F. The defendant shall not use any data encryption device, program or
      technique for computers;
   G. The defendant shall not alter or possess any altered telephone,
      telephone equipment or any other communications related equipment.
Reading these, one can begin to see how this limits a convicted computer intruder in life after prison. Some argue that as convicted felons, who cares? They are getting what they deserve. Perhaps that is true, but why don't murderers and rapists receive special terms for their probation that might be deemed appropriate? Some of the few crimes that receive no special terms?

The purpose of incarceration and the following probation is to punish and rehabilitate the convict. Probation specifically is geared to help push the criminal into a structured life without influences that may lead to their return to a life of crime. However, in the case of computer crime the probation guidelines do a lot more than discourage further computer crime. Some of the few acts they will be banned from:

Surprising as it seems, all of the above become illegal to most people on probation for computer crimes. Imagine living for three years with those restrictions hovering over you. Is this really a good guideline to get you back on the right track and lead a good life without bad influence? Or is this a well lit path encouraging you to break the terms of probation and risk more prison time?

If you are thrust into society after a lenghty prison sentence, stripped of opportunity to work in the one field you previously excellend in, what options does that leave? Unable to work in most modern and computerized jobs, unable to work near computers, it leaves the convict with several years of difficult living at below poverty level. Hardly the rehabilitation that was intended or needed.

The Tip of the Iceberg

The story of Chris Lamprecht still remains in the depths of news sites. In 1995 Lamprecht was senteced to a 70 month prison sentence for money laundring. He did not plead to or get convicted of any computer related crimes. Despite this, Federal Judge Sam Sparks imposed the same "no computer" probation on Lamprecht at the request of the District Attorney. This seems to be an equivalent of being banned from restaurants because you ate dinner before breaking and entering.


Recouping Your Tax Dollars

It is well established that those caught and convicted of any crime are subjected to restitution. The amount is typically arrived at by calculating the damage figures against the victim(s). If a bike worth one hundred dollars was stolen, the criminal could be ordered to pay restitution that included the cost of the bike, court fees the victim paid for, emotional distress, etc. One thing that has not historically been factored in is the cost of the investigation or the time and effort of the officers involved in solving the crime. Apparently the money associated with the law enforcement efforts was not a factor for one reason or another.

Once again, when computer crime enters the equation, circumstances seem to change. In May of 1997, Wendell Dingus was sentenced by a federal court to six months of home monitoring for computer crime activity. Among the systems he admitted to attacking were the U.S. Air Force, NASA and Vanderbilt University. What is different about this case is the court's order for Dingus to repay $40,000 in restitution to the Air Force Information Warfare Center (AFIWC) for their time and effort in helping to track him.

It is odd that the court systems are now levying punishments for computer crimes not based on the damage that was actually done, rather it is based on the amount of time, money and resources required to track down or fix the system's vulnerability. Worse, they are then lumping on time and resources required to (belatedly) create pro-active preventative measures from future intrusions, something that should have been done in the first place. So the system intruder is now responsible for future intrusions, yet the administrators were not in the first place?

When the police or FBI catch up to a robber, fraud or murderer, they are charged and punished for their crimes. It is generally unheard of for these criminals to receive punishments and fines based on the efforts of the law enforcement tracking them down. Think of how much time and resources the FBI put into tracking down a serial killer that has been roaming our country for years. How many air plane trips, car rentals, hotels, overtime, examination and forensic equipment, food reimbursement and who knows what else do our tax dollars go to pay for? Why aren't these levied against the criminal like they are now starting to do with computer crime?

One thing I am fond of doing with articles pointing out problems is making recommendations on how to fix the problem. I can generically say that more consistancy needs to be developed between traditional crimes and computer crimes. I will not begin to argue if traditional crimes need to be raised or computer crimes need to be reduced.

One difficult aspect that creeps back into computer crime cases is the blanket laws covering a wide variety of people and activities. As a computer crime investigator brought up in a conversation recently, a homicide typically affects a family, friends and perhaps a small community while a concentrated computer attack could affect the lives of thousands of people or more. There are certainly exceptions to each type of crime but in general, that statement seems to be reasonable.

In Texas, it is a Class B misdemeanor for graffiti if the damage is less than $500. In reality, most web page defacements done today can be recovered from and dealt with for less than $500. Anyone saying otherwise is likely to be the consultant profiting heavily at your expense. So why is it that a young kid who spray paints a wall gets hit with a small fine, and a young kid who spray paints a web site gets fifteen months in jail and tens of thousands of dollars in fines?

I think it is time for the media to quit hyping up computer crimes and introduce a dose of sanity to the Fear, Uncertainty and Doubt they love to bring to 'hacker' stories. The legal system needs to give a serious look at the disparity in how they handle various crimes. I think it is pretty obvious that something is wrong when a knife wielding murderer does less time than a keyboard wielding fourteen-year-old.


Brian Martin (bmartin@attrition.org)
Copyright 1999

Special thanks to: B.K. DeLong for his invaluable time in researching the stories linked to in this article.
Kevin Poulsen for his excellent article and reminder on Chris Lamprecht.
James Atkinson, Carole Fennelly, Jay Dyson and Travis Haymore for feedback and ideas.