The National Association of Criminal Defense Lawyers (NACDL), along with the Electronic Frontier Foundation (EFF) and the Sentencing Project, has released a position paper warning that current computer abuse laws are seriously flawed, and that greater penalties may quell legitimate research activities.
The paper comes in response to the Cyber Security Enhancement Act (CSEA), a group of legislation passed late last year as part of the Homeland Security Act. The CSEA increases the reach of 18 USC §1030, the section of U.S. law having to do with computer fraud and abuse.
Among its provisions, the CSEA instructs the U.S. Sentencing Commission to review (that is, increase) the penalties for people convicted under §1030. However, the authors of the new paper, which has been submitted to the Sentencing Commission, don't believe that computer crimes warrant harsher repercussions than their low-tech counterparts. On the contrary, the authors see numerous problems with the current law, and real dangers in making it more powerful.
Stanford University's Jennifer Granick, one of the authors of the paper, said that people convicted under §1030 receive sentences based on the worst-case scenario of what they could have done, rather than their true actions. One consequence, the paper warns, is that legitimate computer research activities may be deterred by the law.
Other laws already cover the crimes outlined in §1030, such as fraud and theft. The paper's authors argue that the vague language of §1030 expands its boundaries beyond these clearly-delineated crimes, to a whole host of now-illegal actions for which it was not intended. The cases of Stephen Puffer [report] and David McOwen, two computer consultants who were prosecuted under §1030 for ultimately harmless actions, are taken as examples.
The paper also cites the government's case against Kevin Mitnick, in which corporations claimed $80M in monetary damages under §1030, despite having suffered no operating losses [report]. In most cases, a largely imaginary figure for monetary damages becomes the basis for sentencing. "Relying so heavily on loss as a sentencing factor in computer crime cases misrepresents the defendant’s true culpability," the paper reads. "[M]alicious intent to cause harm will be punished less severely than negligent or reckless intent to cause harm, if the ultimate loss amount is less."
The authors of the position paper also say that the government has erred in adding specific provisions for so-called cyberterrorism. The CSEA spells out life sentences for computer crimes that threaten human life, creating a new standard for such crimes that is sure to be weaker than the current standards for terrorism or attempted murder.
In 2001, the Department of Justice prosecuted 135 crimes under §1030, 107 of which lead to convictions.
The NACDL and its affiliate organizations together represent more than 38,000 members, including public defenders, private criminal defense lawyers, U.S. military defense counsels, law professors, and judges.