Lawyers Say Hackers Are Sentenced Too Harshly

Bendebecker writes "Cnet is reporting: 'The nation's largest group of defense lawyers on Wednesday published a position paper arguing that people convicted of computer-related crimes tend to get stiffer sentences than comparable non-computer-related offenses.' Finally, someone is listening..." The document makes the points that most computer crime cases involve disputes between an employer and employee, and that the seriousness of the offense is generally comparable to white-collar fraud cases.

Well

[Bob Abooey]

Since when are laywers a beacon for what a fair punishment should be? I thought a laywers job was to understand the law and to represent his/her client, not decide what's fair or not fair regarding the law.

Quite frankly given the number of laywers who do their best to circumvent the true spirit of the law I don't want them making any public statements on my behalf...

Hmmm . . .

[Gabrill]

Am I the only one who watches only to find out what kind of society I live in? And without any real hope of contributing to or affecting the overall state of affairs?

On the other hand I AM glad that computer crime is possibly going to be recognized as a white collar crime instead of a terrorist threat.

This one bombed a bus. That one stole a credit card. Kill 'em both!

"White collar crime" - a misnomer...

[MosesJones]

Scenario A: man walks into a store with a gun, demands they empty the till, walks out with a hundred bucks.

Net effect: 100 bucks for the store + mental anguish for people in there.

Punishment: Ten years

Scenario B: Man defrauds investors, pension funds etc out of millions or billions

Net Effect: Pension funds slashed, thousands made unemployed

Punishment: 5 years

We all know that white collar crime gets punished a whole lot less, but is that right ? Why shouldn't execs from the likes of Enron, WorldCom et al be looking at life behind bars for the havoc they have reaked ? Well because there really is a different set of laws for the rich. Sure they might even get 15 years in the cases of these massive frauds, but is this enough given the damage they have caused ?

So maybe the problem is that white collar crime is punished too little, rather than hacking is punished too much. Maybe having sentences for theft, fraud etc (of any kind not involving actual violent which already has punishments) should be related to the amount of money stolen.

Maybe 1 year per $1000....

Perhaps the hacking penalties are fine...

[TopShelf]

And the white collar fraudsters should be hit harder? I think I'd rather see that myself. Send Skilling, Lay, and their ilk up the river for an age and a day.

Read...

[aengblom]

sipthe seriousness of the offense is generally comparable to white-collar fraud cases.

Read: The fast-growing, little-punished type of crime that destroys the finances of thousands every year.

"Hacking" is no more the refuge of the geek. True criminals have embraced it as a way to siphon off lots of money with little risk.

Let's not charge people looking for CC#'s with terrorism, but let's not label it "annoying" and offer up slaps for people's wrists.

The problem isn't the harsh sentences for hackers

[Mothra the III]

Its the inability to impose proper sentences for violent criminals and drug offenders. I have no sympathy for people invading companies computers for whatever reason and they should be punished harshly. I have better things to do on my weekends then combat those assholes. But there is a need for reform in the way punishment is administered for violent criminals and longer sentences need to be handed out.

I agree

[Visaris]

If I break into someone's house, I'll be charged with breaking and entering, and with trespassing.

If I hack into someone's network and don't even do anything but look around, I'm charged with causing losses of millions. I'm charged with stealing any sensitive content I gained access to whether or not I even looked at it. Not to mention they'll slap all the cybercrime and terrorism laws they can find down on me too. It has nothing to do with the severity of the laws, just that you get pinned with so many of them.

White collar?

[PincheGab]

comparable to white-collar fraud cases.

If hacking isn't white-collar, then what is?

white-collar fraud

[doubtless]

I can see that sometimes the claims of damage in online crimes can be ridiculously high. However, if the claims of damage is reasonable, I don't see why the punishment should be any lesser than any other crime.

I think white-collar criminals are already getting far less punishments than they should. How could someone who screws up the millions of dollars from their employees be subjected to punishment comparable to shoplifters or burglars?

Re:"White collar crime" - a misnomer...

[byrd77]

The error in your reasoning is the presumption that increased jail terms will deter this type of crime. Research shows [cfenet.com] that the vast majority of people who commit crimes like this don't think they'll get caught. It's highly unlikely they are even aware of what the potential sentence may be, so making it larger doesn't help.

Re:"White collar crime" - a misnomer...

[lasmith05]

You are comparing apples to oranges... In scenario A, armed robbery is very serious because it could result in homicide. In Scenario B, which sounds more like an Enron CEO then a computer criminal, people could lose a lot of money, but in end the company should be responsible for paying customers back. And ensuring that a security situation like this doesn't happen again.

6th Grader Charged in Grade-Switch Caper

[Anonymous Coward]

Check this out:

Story [gopbi.com] (palmbeachpost.com)

An 11 year old snuck into his classroom during lunch and changed some of his grades on his teacher's computer. He was caught and is now facing FELONY computer fraud charges. Tell me that's not a bit ridiculous.

-Dan.

Exactly backwards

[fleener]

The issue isn't tough sentencing for hackers. The issue is that white collar criminals get off light.

Hacking is not a white collar crime. When I think of white collar crime I see millionaire executives spending stolen money for blow jobs by preteens in foreign countries. When I think of hacker crime I see a trail of empty Mountain Dew bottles and Cheetos bags. Hackers need to become filthy rich before they can play the courts like the big boys do.

Extreme cases aside, most hacking is like kids stealing cars to take 'em for joy rides. Sure, a few people get hurt by each crime, but it's not like you have a few hundred thousand stock holders who'll have to work 10 extra years before they retire because their portfolios are toast.

Re:Have to exaggerate the problem...

[FosterSJC]

The other side of the coin to this is that you get employers or "victims" or what-have-you artificially inflating the damages supposedly caused by a hacker.

Kevin Mitnick, in his Slashdot interview [slashdot.org], explained this in detail:

However, the punishment in my case was extremely harsh and did not fit the crime. I equate my illegal actions not to a person who molests children or burglarizes a house (I heard these specious analogies before), but to a person who illegally copies software.

The difference in my case is the software was proprietary. I was not an industrial spy, nor did I ever attempt to profit or damage any systems or information that I had illegally accessed. The government falsely claimed I had caused millions of dollars of loss, in an effort to demonize me in the press and the court. The truth of the matter is I regretfully did cause losses, but nowhere near a million dollars. The theory the government used to reach those numbers was to use the same formula for traditional theft or fraud cases. When a person steals money or property, the Federal Sentencing Guidelines use the value of the property lost, damaged, or destroyed as the loss amount. This formula works well with tangible property, but when the property at issue is information, or in my case source code, does the same formula reflect the true intended or actual loss? The government requested that my victims provide their research and development costs as the value of the information I either copied, or reviewed online (source code). Federal prosecutors simply added up all the R&D costs associated with the source code I had accessed, and used that number (approx $300 million) as the loss, even though it was never alleged that I intended to use or disclosed any source code. Interestingly enough, none of my victims had reported any losses attributable to my activities to their shareholders, as required by securities laws. Unfortunately, due to media hyperbole, the unknowing public believes I had caused these tremendous losses.

Suffice it to say, we need to find a compromise where we can accurately represent the loss of intellectual property without undually exaggerating its (non-material) worth.

But I'm angry now

[ellem]

Well this is really quite simple.

Computers are for "smart" people

People feel marginalized when they don't understand even the basic concepts of what has happened

Therefore when a CEO realizes they have been hacked/cracked (you fight that out) they feel even more violated since they don't even understand how someone could get past all the hardware they bought and all those 45-100K+ people they have running around purporting to be computer experts.

Their anguish is then felt by atrtorneys who can't understand the crime, the criminals or why everyone is so upset. The one thing they do know is that THAT FAT GUY WITH THE UNKEMPT BEARD AND THE WIERD SHIRT THAT HAS THE FORMULA FOR HELL ON EARTH:

#! /usr/bin/perl

ON HIS SHIRT IS DEFINITELY GUILTY!

And that's pretty much what happens.

I think..

[Maeryk]

That a lot of the problem here is due to double standards and lack of accountability.

Joe Schmoe embezzles from his S&L firm for ten years, gets caught, and it is realized that he made off with 500K. He is slapped on the wrist, fired, made to "pay it back" on time deferred payments, or maybe stuck in a white collar prison/country club for a few years.

Mike, the l337 hacker from down the street, defaces Stuff-Marts web page, pointing out that Stuff-Mart buys 80% of its stuff from china, where it is made in forced child labor camps at gunpoint, and it is repaired in an hour.

Now.. Stuff Mart's lawyers tell the jury that they *potentially* lost MILLIONS due to the damage, (when in fact, they did not "lose" anything.. and there is no way to prove how many people would have bought during that time anyway). The SM lawyers also point out that it cost "an estimated 100K dollars to repair the damage!".. which means they just budgeted in A) the new server and colocation company to handle the site, B) the three person team who maintains and handles the site already, and C) all of their IT staff who received an Email about the "hack" and therefore were "working" on it.

Its all about what the jury wants to hear, and all about language.. "potential" is used ahead of "we could have potentially lost BILLIONS in sales!" but the judge/jury does not hear the "potential". Nor do they realize that 99% of that IT staff was already working there, doing their routine jobs, and had nothing to do with the repair anyway.

(Same reason a procedure at the hospital that took all of 15 minutes costs your insurance company as much as your house did.. funky accounting and everyone wanting to be "in" on the action.)

I think a lot of "hacking" is a no harm no foul problem anyway.

Maeryk

Re:The Witches of Yesterday...

[Joe the Lesser]

...are the terrorists of tomorrow.

white-collar fraud

[oliverthered]

people get off far to lightly for white-collar fraud crimes.

1: Open a Swiss bank account.
2: put money from xyz white-collar fraud into account, get a few mill
3: goto jail (not for that long)
4: take money out account.
5: Enough profit to retire.

or
1: Open a Swiss bank account.
2: Rob a bank for a few thousand
3: goto jail (for a long time)
4: take money out account.
5: umm... well you've got a bit of cash, but was it worth the time?

I agree

[arvindn]

Personally, the thing that strikes me as most ridiculous is how clueless courts are when it comes to estimating how much loss the hacker caused.

From http://www.savage.net/public_html/net/phrack.html:

The following March a Federal grand jury was told that the document that Knight Lightning had printed in Phrack was worth 80 thousand dollars and was extremely dangerous to the public. The grand jury brought a Federal indictment against Knight Lighting. He faced 31 years in prison for the interstate transportation of stolen property, wire-fraud and violations of the computer fraud and abuse act.

"In July of 90 we went to court...the witnesses took the stand to try and prove that I had not just committed the crimes they were saying i committed, but to prove that the actions I took were crimes in the first place. The defense never had to put on a single witness, by the end of the week, the governments case had completely fallen apart. The now famous 80 thousand dollar E-911 document was proven to be [publicly] available for no more than 13 dollars from Bellcore."

This guy was accused of stealing 80 grand when in reality it was worth 13 dollars!!!

Also see Kevin mitnick answers [slashdot.org] if you missed it.

Re:Have to exaggerate the problem...

[Lumpy]

the solution would be a requirement of PROVING damages. an invoice from "overpriced security fixer-uppers" for $21,985.31 to install W2K sp3 to fix that hole that script-kiddie4 used to get in are proveable damages... the "we lost $295,997,667,342.87 because he MAY HAVE copied a file" needs to be called bullcrap by everyone involved.

if you cannot produce an invoice or legitimate quote for repair/losses then you are told to shut up would fix every bit of this.

back to computer crime.

[Erris]

Bodily harm or death is much more permanent than losing money.

That's true! In fact, most societies would forgive you if you shot and killed someone who was busy carving up their friend with a knife. Do you know of any that would do the same for someone who shot a hacker? So why is it that hackers can be held for five years without being charged as KM was?

Punishment should fit crime, and ordinary rules of presumed innocence need to be applied in cases of suspected computer crime. As things are, any with-it employer could be frighfully abusive if they wanted.

Re:I agree

[evilWurst]

In a bank vault breakin, they take inventory afterwards and only charge you with stealing what you stole. In a computer breakin, they automatically charge you with stealing everything.

Re:Personal example

[Maeryk]

Yeah. No harm no foul. I was harmed, and I was fouled.

Yes.. but you have demonstrated he caused harm, therefore there *is* a foul. I wasnt saying that Cracking is always harmless.. but in some cases (defacing a web page) the cost of repair is as simple as bringing up the cached copy, re-installing it, and fixing the exploit (if known.)
There is no way that cost a million dollars.

Cracking is tresspass at the least and theft at the most. It deserves jail time. The issue is how much jail time. The guy who hacked me should face at a minimum the legal penalty for breaking into my house and rifling through my file cabinet

No argument. Define trespass though. SOmeone walks across my yard, its "trespassing". Refusing to leave when I ask them too, is "Defiant trespass". Coming into my house after I tell them to leave is anything from Breaking and Entering to Forced Entry (depending on whether I am trying to stop them or not, I think) and theft is another layer on top of that. (Hence the laundry list of charges usually piled on a burglar).

Breaking into your house and rifling your file cabinet would probably NOT net me jail time for a first time offense. Especially if nothing was taken, and none of the information gained was used against you. Its more likely a fine, time served, probation kind of thing.

Maeryk

federal point system

[margaret]

I've had the unfortunate opportunity to learn a little about how federal penalties work. It's all based on a point system. A certain number points for the crime, points if you have a prior record of anything in the past 10 years (state or federal), subtracted points for taking a plea, etc. Then they add them all up and use a chart to determine the range of sentences they can give you.

And for copyright cases, they automatically tack on 4 points if a computer was involved.

Why do lawmakers need a detailed understanding?

[MyNameIsFred]

It's because lawmakers have no idea what hacking is

I do no understand this type of argument. It implies that if I don't program, I can't write appropriate laws. There is an old saying about all the jokes were written long ago, all we do is change the names and the places, It's the same way with crime. All the basic types of crime were listed in the Ten Commandants. All technology has done is provide new ways of committing those same crimes.

Depending on exactly what the hacker does, we're talking about vandalism, or thief, or trepassing using a new technique. When bank robbers moved from horses to cars was it important that lawmakers have a detailed understanding of cars before writing applicable laws? When copyright laws moved from covering just books to motion pictures, did lawmakers require a detailed understanding of how motion pictures are created? Does it really matter the exact technical approach used to commit the crime? I don't think so. Vandalism is vandalism. It doesn't matter whether I use can of spraypaint or I hack into the web server. It costs the company money to fix. The dollar value of the damage should drive the punishment.

Definitely true at my College.

[0100010001010011]

I'm going up in front of a judicial review board for a small prank I pulled. After the whole Fake CNN news generator, our school set out a public e-mail to everyone saying that the Olson Twins were not going to come to my college. Me and my roomates thought it would be funny if "they" sent out an e-mail saying that it wasn't a fake. So I went thought the trouble of photoshopping the Olson twins on campus. Then I made up a short reply, "We're sorry about our previous e-mail. We're proud to say that the Olson twins are going to be joining us for the class of 2007." I found the MAC address of an institute computer (Only .institute. computers cand send out mass e-mails to all students) and used a fake e-mail program to send it from the same person that sent us the first e-mail. Well it didn't go through. (COMPRESS YOUR JPG's) and I got called in for it, right now I'm pending the review board decision. At the same time in an unrelated matter my roomates and I went and talked to the head of housing about a guy that wanted to move into our suite that liked to drink. Directly from the head of housing: "Oh, we don't care if you have alcohol in the building, as long as we don't see it." First off only probably 10 people in my dorm are over 21, Second this school advertises themselves as a DRY campus to high schoolers. I pulled a prank that hurt no one and didn't actually get pulled and I'm up to get kicked out of school. But if you're drunk and underage on campus who cares? Moral of the story: we need to get everyone to crack/hack. If it's the majority of the public then it'll start getting over looked, you can't put everyone away for 100 years can you? If we can get more websites hacked than people murdered then the punishment will go down.

There is a difference

[kmankmankman2001]

So many people posting here appear to be jumping to take sides one way or another about whether or not hacking is good or not good. The point isn't about hacking, it's about the punishment directed against people convicted of computer crimes as compared to other crimes - and that the punishment is disproportional. I agree with that. I have little sympathy for people that are actually guilty of any of the crimes - computer or otherwise - but feel that punishment should be consistent (and here I'm also not arguing on the effectiveness of punishment as a deterrant - different discussion). There is a knee-jerk reaction to the word 'computer' appearing in any judgement that appears to result in a much harsher sentence than when that word is replaced with 'gun', even. The sentence for any crime should be reasonable and consistent for the damages of that crime; "piling on" because that crime is today's buzzword is not appropriate.

Dammages...

[bobKali]

One thing that just jumped out at me as being a prime source of inflated punishments for these case seemed to be in the estimation of damages. Perhaps a requirement that the complaintant be required to file his losses in his SEC filing (for publicly traded companies) and in any apropriate IRS paperwork. This would criminalise the over-inflating of damages and provide the stock market with much-needed insight into the security abilities and practices of publicly traded companies.

From the trenches

[DarthWiggle]

The entire legal system is grappling with this new world. Too many lawyers are luddites who can barely program their phones, much less comprehend what "hacking" (sic) is all about. And, worse, so are the judges who oversee their trials. And the juries that weigh the evidence. And the media that covers the trials.

I dunno, it's a little disheartening to be an aspiring lawyer when I've heard of a firm that prides itself on defending those accused of computer crimes has a password policy that mandates a particular format for your network passwords, and that your password always be provided to your assistant.