Sentencing Study Probes Hacker Motives

[InfoSec News <isn () c4i org>]

http://www.businessweek.com/technology/content/apr2002/tc2002045_4687.htm

By Alex Handy 
APRIL 8, 2002 

A computer-savvy law professor on the United States Sentencing
Commission launches a rare study that may decide how hackers are
sentenced in federal court

The courts may someday treat recreational hackers with a gentler
justice than malicious intruders and cyber thieves, depending on the
results of a study being spearheaded by a member of the government
commission responsible for setting federal sentences.

Since September 11 and the passing of the USA Patriot Act into law,
hackers have been lumped into an homogeneous and enigmatic category of
evildoers, along with terrorists, drug dealers, and arms smugglers.  
The act provides for a maximum of ten years in jail for first time
computer criminals, and the definitions of these crimes are vague at
best.

But the USA Patriot Act alone does not govern how judges sentence
hackers. That job is left up to the United States Sentencing
Commission (USSC), and the task of discerning the harmless intrusion
from the harmful has fallen squarely on the shoulders of Michael
Edmund O'Neill.

The USSC, as O'Neill puts it, "creates sentencing guidelines for all
federal courts. It crafts the guidelines that enable judges to choose
appropriate sentences within statutorily authorized ranges." That
means that the commission is responsible for building charts and
formulae that tell federal judges what range of possible sentences a
criminal should face -- from probation to life imprisonment. The term
"guidelines" is slightly misleading here: these guidelines are
binding, and all federal judges must sentence according to them.

Currently, the guidelines regarding computer crime are the same as for
larceny, embezzlement and theft, with factors like financial loss and
"use of special skills" dictating the offender's sentence. O'Neill
hopes to refine the guidelines for computer crime, possibly making the
intruder's motives a factor in their legal fate.

O'Neill is certainly the commissioner most qualified for the task. He
describes himself as the product of what was possibly the most
technologically advanced high school in Wisconsin. In the mid 1980's,
while other schools were struggling to keep their Apple IIs up to
date, O'Neill's high school was teaching its students how to program
C, Fortran, and Cobol. Later, while he attended Brigham Young
University in Utah, O'Neill got a summer job writing WordPerfect's
first thesaurus in C.

It's not the sort of background you'd expect to see behind Clinton's
last appointee to the seven-person United States Sentencing
Commission. When he's not writing sentencing guidelines, O'Neill is an
assistant law professor at George Mason University, and it is here
that he is undertaking his academic study on the causes and rationales
behind computer crime.

Sentences Rarely Drop The rationale most commonly found: Money. Those
that would steal credit card numbers, commit identity theft, or build
elaborate con games to harvest cash are at the focal point of
O'Neill's investigation. As O'Neill puts it "The Internet affords
con-men access to a massive number of people. Why should the laws be
any less stringent when the criminal has access to twenty times more
potential targets?"

But con artists aren't the only ones under O'Neill's microscope.  
O'Neill says his team has been interviewing convicted hackers in order
to find out where the line between experimentation and exploitation
can be drawn effectively. His study may result in new sentencing
guidelines that treat minor hacking offenses as vandalism, rather than
imprisonable crimes.

Hacker defense attorney Jennifer Granick is skeptical. "In my
experience as an observer [of the USSC] I have rarely, if ever, seen
sentences go down," says Granick, the litigation director at the
Stanford Center for Internet and Society. "In order for them to be
fair, they're going to have to go down."

Granick worries that O'Neill will simply increase penalties for more
severe intrusion, while using the current sentencing guidelines for
harmless attacks. If so, sentences for script kiddies would remain the
same, while hardened professionals could see sentences skyrocket past
20 years.

It remains to be seen how O'Neill's study will sway his fellow USSC
members. Perhaps his research will help keep harmless experimenters
out of jail. Or it may increase sentences for all computer criminals,
regardless of their crimes. Either way, in the coming months, the USSC
will hold in its hands the fate of hackers, script kiddies and cyber
thieves across the U.S.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.