The Hanover Collaboration

Tech news sites reverberated two weeks ago with the offbeat story of a 16-year-old caught spamming and summarily sentenced to a two-month grounding. CNet’s Crave section does a fine job spelling out why this is one of the stupidest decisions since Greedo firing first, but like so many other cyber criminal sentences in recent memory, it demonstrates the wild inconsistency and seeming bewilderment with which justice systems handle cybercrime.

Consider the case of Simon Vallor. If you’ve never heard of him, it’s because his viruses didn’t turn out to be especially virulent, infecting only 27,000 of the estimated .8 billion PCs worldwide. That’s .000032%, or roughly the percentage of the world’s population you’d reach in a day by graffitiing the Big Dig’s I-93 tunnel. But, despite the low impact, he was given a two year sentence, because (and I quote):

“Virus writers are not so-called computer buffs or nerds, they happen to be criminals… Their viruses cause destruction, disruption, consternation and even economic loss on a grand scale.”

Though the QC’s concept of a “grand scale” (.00032%) is a bit questionable, his attempt to dissuade other hackers by punishing Vallor stiffly is at least understandable. Chances are you remember ILUVYOU, the Anna Kournikova worm, the Sasser worm and the Netsky worm, probably because they rendered your PC worthless until you could find someone smarter than you to fix the problem (don’t feel bad; entire airports suffered the same fate). Want to guess how much jail time the hackers behind those bugs did? None. In fact, the cumulative punishment doled out amounted to 180 hours of community service, and the ILUVYOU author didn’t so much as apologize.

The incongruous rulings in those cases can be attributed to a variety of factors (for example, Vallor was tried in England, while the others were tried in the Netherlands, Germany, or not at all), so examine instead the following high-profile domestic sentences, starting with Melissa virus author David L. Smith. Smith should have faced a maximum 10 year sentence after entering a guilty plea, but that somehow jumped to 40 years at sentencing, an unprecedented sentence he would still be serving, had he not acquired a taste for cheese.

Contrast that ruling with the sentence given Brian Salcedo, who attempted to steal credit card numbers by hacking into the wireless network at Lowe’s. Granted, it wasn’t a scheme of Bond-like grandiosity, and he was caught before he could take anything, but as a genuine attempt at fraud, rather than a large scale prank, you might expect his punishment to be more severe than Smith’s; instead, he came away mere 9 years.

This punishment-inversely-proportional to crime trend is most prominent in the case of Kevin Mitnick, now a free man and running an electronic security consulting group. Mitnick served a mere 68 months, despite being repeatedly convicted of hacking into several major corporations and stealing millions. (Mitnick’s sentence also included the laughable-but-frequently-applied “Banned From Computers” clause; impossible to enforce outside certain situations, frequently challenged, and usually overturned, this punishment is a perfect microcosm of the hamhandedness with which the courts have thus far treated cybercrime.)

The issue at hand, returning to the spray paint analogy, is that tagging a business is often more heavily punished than attempting to rob it. Courts seem to be easily swayed by inflated damage estimates. Smith’s Melissa worm didn’t steal him a dime, but it’s alleged it inconvenienced the world to the tune of 1.5 billion dollars – unlike cases of identity theft, I doubt plaintiffs have to provide receipts for virus-related damages. Courts also seem not to grasp that breaking into personal and corporate accounts to steal money can be at least as destructive (indeed, far more so for individual victims) as disseminating malicious software for notoriety and personal satisfaction. A barrier to this realization may be that, while most Internet users have been hamstrung for days by a virus, few have suffered extensively from wire fraud.

Simply put, all these issues trace their root to technological ignorance in the current justice system. A judge or juror who cannot fully comprehend the basics of a cybercrime case cannot effectively rule on it. Moreover, in the case of Melissa worm author Smith, the court clearly failed to consider that those affected by the virus must also bear some of the responsibility for its destructiveness. Using operating systems with a proven record of vulnerability, web browsers that usher in malicious code, and email clients that breed viruses like a Petri dish, then complaining when the latest web epidemic cripples them is tantamount to leaving the front door open for a week and being shocked that the good silver is missing.

Several viable alternatives exist to the most vulnerable and widespread operating systems, and free anti-virus programs are extremely effective when used correctly. There are countless websites on safe email and browser usage, and a good portion of Internet users, following these steps, have operated virus-free for years. The best, and most likely only way to establish a fair, effective and consistent legal precedent for cybercrime is for people involved in the court system to become more aware of exactly what’s involved in keeping a computer running smoothly, starting with the $2000 shoeboxes under their own desks.

The capriciousness of judicial punishments directly impacts cybercrime rates in the real world. The disproportionately heavy sentences dealt to virus writers in the USA and UK is only forcing online criminals into less punitive jurisdictions or other types of electronic disruptions. While crime on the Internet, like criminal activity anywhere, will never be eliminated, as long as the technically maladroit continue to hold court, the problem will only expand.