Cyber crime detection and punishment has made great strides, but as the Aaron Swartz tragedy illustrates, some prosecutors must be reined in

Just a few years ago, malicious hackers could steal millions of dollars, send billions of spam messages, or infect millions of computers with viruses, yet still escape jail time. Now cyber criminal prosecutions are on the rise, and so is prison time.

A cellphone hacker was recently sentenced to 10 years in prison, ordinary kids caught with illegal downloads are being fined tens of thousands of dollars — and as you’ve heard by now, a cyber hacktivist by the name of Aaron Swartz was threatened with 30 years of prison for wanting a university database to be free. It’s clear that in certain cases, punishment — or the threat of punishment — has grown too extreme.

Two weeks ago, the tech world was awash in news stories covering Aaron Swartz’s suicide. Swartz’s case was again in the headlines a few days ago when sources revealed that the original prosecutors had been expected to let him off with no jail time, but federal prosecutors pushed the 30-year sentence.

I’m no friend of the malicious hacker. I think all significant, unauthorized, malicious computer activity should be punished. I’ve been around long enough to remember the slaps on the wrist administered to many early hackers. From the 1980s to about 2009, it was the rare computer criminal who saw any jail time, much less punishment commensurate with the misdeed.

Times have changed, and in many cases that’s a good thing. Some malicious hackers should serve significant sentences in prison — and those guilty of theft need to pay back every cent they stole.
But the Aaron Swartz saga in particular indicates the pendulum has swung too far the other way in some instances. Writing in Massachusetts Lawyer’s Weekly, criminal defense lawyer Harvey Silverglate details how the prosecution ran amok in the Swartz case under the auspices of the Computer Fraud and Abuse Act. That’s the same act under which Christopher Chaney, cellphone hacker of the stars, got 10 years.

In fact, Swartz probably wouldn’t have been sentenced to 30 years at all. No doubt the prosecutors were using the threat of that much jail time to make him sing and reveal his techniques. We won’t know now.

The circumstances remind me of a guy I once knew who brought a gun to a fistfight after high school. He shot and killed his unarmed opponent, then turned around and threatened to shoot all the teenage witnesses. He served a few months in prison — for ending a life.

I’ve seen firsthand the damage the worst malicious hackers can do to individuals. I’ve seen victims of Internet crime spend hundreds of hours trying to clean up the mess. I’ve seen credit histories ruined for a decade. I’ve seen tens of thousands of dollars stolen and never recovered. I’ve seen victims cry and wish death on the Internet hackers who harmed them.

But perhaps malicious hackers should serve fewer years in prison than convicted murderers. Likewise, the RIAA has successfully charged people caught with a few dozen songs thousands to millions of dollars, and our court system backs up the organization all the way. Somehow the RIAA has convinced the court system that a single stolen song on a college student’s hard drive is worth tens of thousands of dollars in lost revenue. Please! These huge RIAA settlements look especially ridiculous when compared to the fines levied against offline criminals who commit worse crimes.

I know that many of the excessive sentences are fringe cases. The majority of hackers who’ve been caught are receiving sentences that fit the crime, more or less.
The Sarah Palin email hacker served less than a year in jail. The average Anonymous hacker who caused significant damage is seeing prison sentences of between three and seven years. Most credit card thieves serve about the same amount of jail time.

I’m sure part of the problem, for prosecutors, judges, and juries alike, is determining the extent of the damage caused. For instance, the biggest spammers sent literally hundreds of millions of spams a day. But out of each million spams, maybe six people (a figure I’ve heard repeated many times over the years) incur actual damage — from fake medication, for example. Of course, I’m not counting the bandwidth we’re all paying for to transmit that spam, but I’m sure some quick calculations would yield a rough dollar value.

Likewise, if a virus infects tens of millions of computers and causes problems with hundreds of thousands, what is the real cost of the damage incurred? Denial-of-service attacks could be valued at the revenue or reputation the victim lost during the attack, along with the costs of recovery and future protection.

We need to update Title 18, Section 1030 of the U.S. Code, the Computer Fraud and Abuse Act, to include damage formulas for the various types of computer crime, the intent of the computer hacker (degrees of maliciousness), and the number of victims. As the Swartz case highlights, prosecutors are being given far too much leeway in charging and sentencing. Given the technical nature of calculating the effect of cyber crime, perhaps we need narrow sentencing guidelines to ensure fairness. I’m all for criminal hackers being punished, but I also want the punishment to fit the crime.

This story, “Cyber crime sentencing is out of whack,” by Roger Grimes was originally published at InfoWorld.com as part of his Security Adviser blog.