Wednesday, May 21, 2008

Sentencing: "Harm" and Punishment

This post is about how we decide what kinds of penalty to impose on someone who commits a cybercrime. Part of the problem is reconciling the "harm" the person committed (which can be actually or potentially very severe) with their personal characteristics (e.g., non-violent, no prior criminal record, etc.).

In a recent post, I outlined the goals of sentencing: incapacitation, deterrence, rehabilitation and retribution. ("Why?", May 16, 2008.)

In sentencing offenders, judges are to consider (i) those goals, (ii) the “harm” inflicted by the crimes the defendant committed and (iii) the defendant’s personal characteristics insofar as they impact on how a particular sentence would comport with the “harm” inflicted and the goals of sentencing.

Sentencing is not an easy task, even when real-world crimes like murder and rape and arson and robbery are involved. But sentencing for real-world crimes is, I submit, much easier than sentencing for cybercrime, at least for the moment.

We have had at least two thousand years’ experience in learning how to sentence people for crimes that cause tangible “harms” in the real, physical world. As I noted in that recent post, the ancient principle of lex talionis demanded simple equivalence between the “harm” caused and the punishment inflicted on the offender. So, in the phrase we all know, the lex talionis called for an “eye for an eye,” and so on.

Writing in the eighteenth century, English lawyer William Blackstone explained why the lex talionis principle really isn’t workable in practice:
The difference of persons, place, time, provocation, or other circumstances, may enhance or mitigate the offence; and in such cases retaliation can never be the proper measure of justice. If a nobleman strikes a peasant, all mankind will see, that if a court . . awards a return of the blow, it is more than just compensation. On the other hand, retaliation may sometimes be too easy a sentence; as, if a man maliciously should put out the remaining eye of him who had lost one before, it is too slight a punishment for the maimer to lose only one of his. . . . Besides, there are many crimes, that will in no shape admit of these penalties, without manifest absurdity and wickedness. Theft cannot be punished by theft, defamation by defamation, forgery by forgery, adultery by adultery, and the like.
Blackstone’s Commentaries.

The difficulty of ascertaining what punishment is proper for cybercrimes – which tend to inflict intangible “harms” – is something we are still struggling with.

A few years ago, someone argued – facetiously, I hope – that we should apply the death penalty to “hackers” and those who spread worms and viruses. The premise was that death is an appropriate penalty because of the extreme financial losses these crimes can, and do, cause.

Even if the article was serious, the proposal cannot be implemented in the United States, anyway, because the U.S. Supreme Court has held that the death penalty can only be imposed for crimes involving serious physical “harm.” So far, in a move reminiscent of the lex talionis, the Court has limited the death penalty to serving as a punishment for homicide, but it is currently considering whether it can also be imposed for raping a child. However that case comes out, though, death is not going to be used as a punishment in economic crime cases. The Supreme Court has held that the Eighth Amendment prohibition on cruel and unusual punishment bars the imposition of “too much” punishment, and death for economic damage would be “too much.”

That leaves us to think about how courts should use the “other” available penalties – imprisonment, fines, probation and restitution – in sentencing cybercriminals. I can’t begin to cover all the issues this problem raises here, so I’m going to use a recent cybercrime case as an example to consider what should and should not be taken into account in sentencing a cybercriminal.

According to a Department of Justice Press Release, in March, 2006, Christopher Maxwell pled guilty to one count of violating 18 U.S. Code section 1030 by intentionally causing or intending to cause damage to a computer and one count of conspiring to do so in violation of 18 U.S. Code section 371. (Section 371 makes it a crime to conspire to commit a federal offense). Here’s how the Press Release describes the crimes:
[A] botnet is created when a hacker executes a program . . . that seeks out computers with a security weakness it can exploit. The program will then infect the computer with malicious code so that it becomes . . . a robot drone for the hacker . . . controlling the botnet. . . . Botnets can range in size . . . to tens of thousands of computers doing the bidding of the botherder.

MAXWELL and two unnamed co-conspirators created the botnet to fraudulently obtain commission income from installing adware on computers without the owners' permission. . . . [B]y controlling someone's . . . computer, the botherder can remotely install the adware and collect the commission all without the computer owner's permission or knowledge. In this case, the government alleges that MAXWELL and his co-conspirators earned $100,000 in fraudulent payments from companies that had their adware installed. . . .

[A]s the botnet searched for . . . computers . . . it infected the computer network at Northwest Hospital in . . . Seattle. The increase in computer traffic as the botnet scanned the system interrupted . . . hospital computer communications. These disruptions affected the hospital's systems in numerous ways: doors to the operating rooms did not open, pagers did not work and computers in the intensive care unit shut down. By going to back up systems the hospital was able to avoid any compromise in the level of patient care.

Following MAXWELL's indictment in February, 2006 the investigation revealed that the botnet had also damaged U.S. Department of Defense computer systems at the Headquarters 5th Signal Command in Manheim, Germany and the Directorate of Information Management in Fort Carson, Colorado. More than 400 computers were damaged at a cost of $138,000 to repair.
According to a news story, Maxwell’s botnet also caused more than $50,000 in damage to the computer system at a California school. According to investigators, Maxwell’s botnet attacked more than 441,000 computers during the two weeks it was in operation. (The other conspirators were juveniles, which is why they're not named in the Press Release.)

The conspiracy count was punishable by up to 5 years in prison and a $250,000 fine. The count of damaging a computer was punishable by up to 10 years in prison and a fine of $250,000.

The federal prosecutor wanted Maxwell sentenced to serve 6 years in prison. She said the sentence was warranted by deterrence: “There is a hacker community. They will know immediately what sentence you impose."

According to one news story, Maxwell, “holding back tears,” pled for probation instead of prison: "`I am a 21-year-old boy with a good heart and I made a mistake,’ he told the judge. `I never realized how dangerous a computer could be. I thank God no one was hurt.’"

The judge agreed with the prosecutor that the need for deterrence warranted a prison term, but didn’t go as far as the prosecutor wanted. She cited Maxwell’s age and lack of previous criminal history in sentencing him to serve 37 months and to pay $114,000 in restitution to the hospital and $138,000 in restitution to the Department of Defense. I suspect that will take a while.

What do you think? Should the judge have maxed out (no pun intended) and sentenced him to serve 15 years? Should she have gone with the prosecutor and sentenced him to 6 years? Or is 37 months enough?

If the sentence is meant to deter others from following his lead, there may be a problem. Studies have shown that deterrence is not simply a function of how harsh the penalty is. It’s a function of two things: the severity of the punishment I’ll get if I’m caught; and the likelihood I’ll get caught. If I’m not likely to get caught, or if I think I’m not likely to get caught, even a really severe penalty isn’t likely to deter me from committing crimes if I can make money by doing so.

If you could make, say, $1,000,000 in the next two months by committing crimes for which you could be sentenced to 25 years in jail IF you got caught, but your chances of getting caught are 1%, would you be deterred or would you go for it? What if you could make $100,000 with a 10% chance of getting caught and prosecuted?
