Two recent cases, one in the United States and the other in Germany, point out the problem of how we determine the appropriate punishment for computer hackers.  To a great extent, we both over-punish and under-punish these crimes; sometimes both in the same case.

Most crimes are fairly discrete events.  You rob a bank, you commit an assault, and you steal something.  Computer hacking — in all its forms and permutations — is fundamentally different.

Hackers may be engaged in activities for weeks, months or years before they officially launch their attack.  This preparatory activity — testing, researching and plotting — may also include criminal activity itself; unauthorized access to computers or networks, and could be separately charged as crimes.

So something that might be looked on by one prosecutor as a single computer crime would, to another prosecutor, be a dozen or more criminal offenses.

The same problem is exacerbated by the automated nature of computer attacks.  If I launch a Denial of Service attack using a Botnet on a single company or network, I could be charged with a single count of computer hacking, or thousands (one for each infected bot.)  If I download files from a hacked computer, each downloaded file could represent a separate theft offense.  Prosecutors have wide discretion in how and whether to charge these offenses.  Very wide discretion.

In the case of a Turkish national Ercan Findikoğlu the U.S. government arranged to have the hacker arrested while boarding a flight in Frankfurt two years ago, and he has been held in German custody ever since fighting extradition to the United States.

One ground for a country refusing to extradite a person is that the person faces punishment that, in the opinion of the extraditing country, is far too severe for the offense.  It is this ground that some countries refuse to extradite to the U.S. where the Americans seek the death penalty.

So Germany is complaining that the U.S. criminal justice system is too severe. Germany.  Yes, that Germany.

So last week, Germany’s Bundesverfassungericht (gotta love those German names) or Supreme Court overturned a decision of a lower court finding Ercan extraditable to the U.S.

It noted that the conspiracy charges in the U.S. would hold the Turk criminally liable for credit card fraud actions in which he did not participate and the potential sentence in the U.S. for the credit card fraud in which the Turk did participate were much more severe in the U.S. than that called for under German law.  This is for a guy who may have been responsible for credit card frauds of about $100 million. Under U.S. law, he was eligible for three life sentences –and maybe a bit more.

That’s because, under U.S. law, each separate sale of a credit card number is a separate crime, punishable by 5, 10 or 20 years depending on the statute selected and the cleverness of the prosecutor.  Use a stolen credit card 3 times, there a potential 60 years in jail.  One more time, it’s a practical life sentence.

Prosecutors frequently pile on the number of counts.  There are many reasons for this.  First, if the jury wants to compromise between total guilt and total innocence, it can convict on just a few counts.  If you indict for 100 counts of computer crime, and the jury convicts on only one or two, they are being “lenient” except that they don’t know that you can be sentenced on crimes for which you have been acquitted. Yep.  That’s right.  And you can be sentenced for crimes for which you have never even been charged.

Another reason prosecutors will charge hundreds of counts is to put pressure on defendants to plead to a crime — whether they committed it or not.  I got a deal for you; instead of facing 300 years in jail I can offer you a mere 18 months.  Sounds good, no?

Of course, the defendant’s actual sentence depends on factors considered by the United States Sentencing Commission (USSC). In theory, the sentence can be calculated before the crime occurs.  It’s like a slot machine.  Just go to a website like and plug in a few variables. Viola. The sentence appears.

But prosecutors like to overcharge.  So Aaron Swartz faces dozens of years in federal prison for downloading files from the MIT library.

28-year-old Fidel Salinas was charged with 44 felony computer hacking and cyber stalking crimes — each punishable by 10 years in jail. Maximum sentence means a release sometime in early 2455

Ultimately, Salinas, a reputed member of the Anonymous hacker group, plead guilty to a misdemeanor charge of repeatedly scanning the Hidalgo County, Texas website for vulnerabilities which slowed the performance of the County computers.

Far cry from 440 years in jail.

On the other hand, by focusing on economic loss and damage, the Sentencing Guidelines fail to take into account the impact of computer crimes on privacy, integrity and confidence.  These are serious crimes deserving serious punishment. Sometimes.  Sometimes not.  And we need a logical and rational way of determining the difference.

Leave a Reply