February 20, 2003 3:47 PM PST
Lawyers: Hackers sentenced too harshly
The paper--signed by the National Association of Criminal Defense Lawyers (NACDL), the Electronic Frontier Foundation and the Sentencing Project, a nonprofit group that focuses on perceived injustices in penalties--criticized today's sentences for computer crimes because they frequently exceed the seriousness of the crime and rely on damage figures that can be easily inflated.
"The serious nature of offenses is overplayed," said Jennifer Granick, author of the paper and clinical director at Stanford University's Center for Internet and Society. "The (majority) of the offenses are generally disgruntled employees getting back at the employer or trying to make money."
The lion's share of cases prosecuted under the most-often-used computer crime statute--Title 18, Section 1030 of the United States Code--involved monetary damage to a private interest. In a review of 55 cases highlighted by the Department of Justice, only 15 involved harm to the public and only one involved a threat to safety, the paper stated.
While admitting that the small set of cases might not truly represent reality, the paper said that the DOJ statistics and other evidence do support the conclusion that such cases should be treated as white-collar fraud, not as some sort of terrorism.
Those convicted "are receiving sentences based on the fear of the worst-case scenario rather than what the case may really be about," Granick said.
The position paper came in response to a public request for comment by the United States Sentencing Commission as required by the passage of the Homeland Security Act of 2002. That act would also create harsher sentences--up to life in prison--for computer criminals who endanger human life with their activities.
Yet, with no reported incident of cyberterrorism to date and other statutes that would punish any act of terrorism already on the books, Granick and the paper's signatories argue that harsher sentences for cyberterrorism are unwarranted.
"The guidelines punish people more for using a skill that members of the general public don't have," Granick said. "If we can't do your crime, then we punish you more."
Moreover, the report found that prosecutions for computer crimes are increasing, though slowly. In 1997, the DOJ prosecuted 57 cybercrime cases, resulting in 47 convictions. In 2001, the DOJ prosecuted 135 cybercrime cases, resulting in 107 convictions.
However, the paper argues that the increase in prosecutable "crimes" could have a chilling effect on security researchers and industry. Security researchers who uncover and disseminate information on vulnerabilities could be charged for their activities. Companies that send unsolicited bulk e-mail could be convicted of unauthorized access. And makers of faulty software could be liable for the transmission of harmful code.
Scott Frewing, an attorney at law firm Baker & McKenzie and formerly the lead prosecutor in the Elcomsoft copyright infringement case, disagrees with that aspect of the paper.
"I think the fears of security researchers and others are overstated," he said.
While he concurs with some of the points brought up in the position paper, he does believe that network intruders who intend to cause bodily harm or actually do so by gross negligence should be punished more severely.
"I would be comfortable in a situation where the code addresses the discrepancy between those who cause bodily injury and those that don't," he said. "If that results in the law being unfair to a virus writer, maybe that's enough to put them on notice."
The National Association of Criminal Defense Lawyers represents 10,400 direct members including private criminal defense attorneys, public defenders and military defense counsels. State and local affiliates account for another 28,000 members.