The nation's largest group of defense lawyers on Wednesday published a
position paper arguing that people convicted of computer-related crimes
tend to get stiffer sentences than comparable non-computer-related offenses.
The paper--signed by the National Association of Criminal Defense Lawyers
(NACDL), the Electronic Frontier Foundation and the Sentencing Project, a
nonprofit group that focuses on perceived injustices in
penalties--criticized today's sentences for computer crimes because they
frequently exceed the seriousness of the crime and rely on damage figures
that can be easily inflated.
"The serious nature of offenses is overplayed," said Jennifer Granick,
author of the paper and clinical director at Stanford University's Center
for Internet and Society. "The (majority) of the offenses are generally
disgruntled employees getting back at the employer or trying to make money."
The lion's share of cases prosecuted under the most-often-used computer
crime statute--Title 18, Section 1030 of the United States Code--involved
monetary damage to a private interest. In a review of 55 cases highlighted
by the Department of Justice, only 15 involved harm to the public and only
one involved a threat to safety, the paper stated.
While admitting that the small set of cases might not truly represent
reality, the paper said that the DOJ statistics and other evidence does
support the conclusion that such cases should be treated as white-collar
fraud, not as some sort of terrorism.
Those convicted "are receiving sentences based on the fear of the
worst-case scenario rather than what the case may really be about," Granick
said.
The position paper came in response to a public request for comment by the
United States Sentencing Commission as required by the passage of the
Homeland Security Act of 2002. That act would also create harsher
sentences--up to life in prison--for computer criminals who endanger human
life with their activities.
Yet, with no reported incident of cyberterrorism to date and other statutes
that would punish any act of terrorism already on the books, Granick and
the paper's signatories argue that harsher sentences for cyberterrorism are
unwarranted.
"The guidelines punish people more for using a skill that members of the
general public don't have," Granick said. "If we can't do your crime, then
we punish you more."
Moreover, the report found that prosecutions for computer crimes are
increasing, though slowly. In 1997, the DOJ prosecuted 57 cybercrime cases,
resulting in 47 convictions. In 2001, the DOJ prosecuted 135 cybercrime
cases, resulting in 107 convictions.
However, the paper argues that the increase in prosecutable "crimes" could
have a chilling effect on security researchers and industry. Security
researchers who uncover and disseminate information on vulnerabilities
could be charged for their activities. Companies that send unsolicited bulk
e-mail could be convicted of unauthorized access. And, makers of faulty
software could be liable for the transmission of harmful code.
Scott Frewing, an attorney at law firm Baker & McKenzie and formerly the
lead prosecutor in the Elcomsoft copyright infringement case, disagrees
with that aspect of the paper.
"I think the fears of security researchers and others are overstated," he
said.
While he concurs with some of the points brought up in the position paper,
he does believe that network intruders who intend to cause bodily harm or
actually do so by gross negligence should be punished more severely.
"I would be comfortable in a situation where the code addresses the
discrepancy between those who cause bodily injury and those that don't," he
said. "If that results in the law being unfair to a virus writer, maybe
that's enough to put them on notice."
The National Association of Criminal Defense Lawyers represents 10,400
direct members including private criminal defense attorneys, public
defenders and military defense counsels. State and local affiliates account
for another 28,000 members.
http://news.com.com/2100-1001-985407.html?tag=fd_top
