Cyber crime sentencing is out of whack

Cyber crime detection and punishment have made great strides, but as the Aaron Swartz tragedy illustrates, some prosecutors must be reined in

Just a few years ago, malicious hackers could steal millions of dollars, send billions of spam messages, or infect millions of computers with viruses, yet still escape jail time. Now, cyber criminal prosecutions are on the rise along with prison time.

A cellphone hacker was recently sentenced to 10 years in prison, ordinary kids caught with illegal downloads are being fined tens of thousands of dollars -- and as you've heard by now, a cyber hacktivist by the name of Aaron Swartz was threatened with 30 years of prison for wanting a university database to be free. It's clear that in certain cases, punishment -- or the threat of punishment -- has grown too extreme.

Two weeks ago, the tech world was awash in news stories covering Aaron Swartz's suicide. Swartz's case was again in the headlines a few days ago when sources revealed that the original prosecutors were expected to let him off with no jail time, but federal prosecutors pushed the 30-year sentence.

I'm no friend of the malicious hacker. I think all unauthorized significant and malicious computer activity should be punished. I've been around long enough to remember the slaps on the wrists administered to many early hackers. From the 1980s to about 2009, it was the rare computer criminal that saw any jail time, much less punishment commensurate with the misdeed.

Times have changed, and in many cases, that's a good thing. Some malicious hackers should serve significant sentences in prison -- and those guilty of theft need to pay back every cent they stole. But the Aaron Swartz saga in particular indicates the pendulum has swung too far the other way in some instances.

Writing in Massachusetts Lawyer's Weekly, criminal defense lawyer Harvey Silverglate details how the prosecution ran amok in the Swartz case under the auspices of the Computer Fraud and Abuse Act. That's the same act under which Christopher Chaney, cellphone hacker of the stars, got 10 years.

In fact, Swartz probably wouldn't have been sentenced to 30 years at all. No doubt the prosecutors were using the threat of that much jail time to make him sing and reveal his techniques. We won't know now.

The circumstances remind me of a guy I once knew who brought a gun to a fistfight after high school. He shot and killed his unarmed opponent, then turned around and threatened to shoot all the teenage witnesses. He served a few months in prison -- for ending a life.

I've seen firsthand the damage the worst malicious hackers can do to individuals. I've seen victims of Internet crime spend hundreds of hours trying to clean up the mess. I've seen credit histories ruined for a decade. I've seen tens of thousands of dollars stolen and never recovered. I've seen victims cry and wish death on the Internet hackers who harmed them.

But perhaps malicious hackers should serve fewer years in prison than convicted murderers.
