Feds seek public input on hacker sentencing

[InfoSec News <isn () c4i org>]

Forwarded from: Jei <jei () cc hut fi>

http://online.securityfocus.com/news/2028

By Kevin Poulsen
SecurityFocus 
January 13 2003

Sick and tired of a revolving door justice system that lets hackers 
skate with just a few measly years in prison? Or do you think that the 
courts are already too hard on online miscreants who sometimes go up 
the creek for longer than many killers? 

Either way, the U.S. government wants to hear from you. 

Last week the presidential-appointed commission responsible for 
setting federal sentencing rules formally asked the public's advice on 
the formula used to sentence hackers and virus writers to prison or 
probation, as part of a review ordered by lawmakers increasingly 
concerned that computer criminals are getting off easy. 

"All we're really looking for is for people to comment," says Michael 
O'Neill, a law professor at George Mason University Law School, and a 
member of the United States Sentencing Commission (USSC). "Do they 
think we're going down the wrong road? How do they feel about the 
penalty structure?" 

The USSC's Federal Sentencing Guidelines set the range of sentences a 
court can choose from in a given case, based on a point system that 
sets a starting value for a particular crime, and then adds or 
subtracts points for specific aggravating or mitigating circumstances. 

A convicted kidnapper, for example, starts off with 24 sentencing 
points -- which maps to 51 - 63 months imprisonment for a first-time 
offender. But if the culprit held his victim for 30 days or more, he 
gets two bonus points, translating to an additional 12 - 15 months. 
The criminal earns another six points if he demanded a ransom, and two 
points for injuring a victim -- but can shave off two points for 
pleading guilty and accepting responsibility for the crime. 

Though they're called "guidelines," the rules are generally binding on 
judges. 

Computer crimes currently share sentencing guidelines with larceny, 
embezzlement and theft, where the most significant sentencing factor 
is the amount of financial loss inflicted, and additional points are 
awarded for using false ID or ripping off more than 10 victims. But in 
a congressional session that heard much talk about "cyberterrorism," 
lawmakers became convinced that computer outlaws had more in common 
with al Qaida than common thieves. 

Deterrent Value? 

Consequently, one of the provisions in the massive Homeland Security 
Act passed last November requires the USSC to review the cyber crime 
sentencing guidelines to ensure they take into account "the serious 
nature of such offenses, the growing incidence of such offenses, and 
the need for an effective deterrent and appropriate punishment to 
prevent such offenses." (The law also created new penalties for 
hackers who literally kill people over the Internet.) 

"It's not clear what Congress wants the sentencing commission to do," 
says Orin Kerr, a cyber law professor at George Washington University 
Law School, and a former attorney with the Justice Department's 
computer crime section. "In fact, the section seems to say, go back 
and think a lot about sentences, and then file a report." 

Last week the commission -- normally seven members; currently five 
pending two replacement appointments -- turned to the public for 
advice, publishing a formal "Issue for Comment" on the general 
question of whether sentences are strong enough to deter and punish 
cyber evildoers, and on eight specific proposals to add more variables 
to the formula that produces a hacker's sentence. 

The possibilities include adding extra points for financially 
motivated hackers, or for intruders that invade an individual's 
privacy. 

The formal notice is available from the United States Sentencing 
Commission's Web site, along with a detailed list [pdf] of the 
questions the commission is pondering. 

"It's important for us to get input from people who are 
technologically familiar with these issues to be able to think about 
... potential changes that might be appropriate," says O'Neill. "We 
want to know whether or not the relevant community... believes that 
serious penalties will deter people from engaging in that sort of 
conduct." 

Kerr says he's already filed his comments. "Computer crime penalties 
are as stiff as normal penalties... In fact there are a few provisions 
that treat computer crimes more harshly than traditional crimes," he 
says. "I think the trick is to make sure the sentencing commission 
doesn't believe that it needs to jack up sentences, which it shouldn't 
do." 

The public comment period ends on February 18th. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.