January 17, 2007
How Legal Codes Can Hinder Hacker Cases
Prosecutions of Virus Writers Find Complex Issues, Soft Penalties -- but Laws May Stiffen
By CASSELL BRYAN-LOW
As police around the world become more skilled at tracking down criminals who spread computer viruses, they are realizing there are some bugs in their own system: hurdles to trying their cases in court.
The problems lie in both building cases and securing stiff sentences, say legal and security experts. Prosecutors can have a hard time explaining the complex crimes to the courts. It often is difficult for law enforcers to quantify the damage caused by a virus that infects computer networks. And judges often hand down light sentences to the culprits, in part because they typically are young, first-time offenders.
"The main obstacle in any complex computer-crime case is convincing a judge or a jury about the seriousness of the case," says Arif Alikhan, a former federal prosecutor in Los Angeles. "It's a lot harder than a bank robbery or other crimes."
As a result, some countries -- including the U.S., United Kingdom and Germany -- are reviewing their laws. The British Parliament in November passed the Police and Justice Act which, among other things, updates the country's cybercrime laws by raising the maximum prison penalty for unauthorized access to a computer to two years from six months. It also seeks to plug a loophole by criminalizing so-called denial-of-service attacks, by which one party attempts to knock another party's computer system offline by bombarding it with data via the Internet. Perpetrators now face as many as 10 years in prison; previously, such cases typically were prosecuted for unauthorized modification of a computer, which carries a maximum five-year sentence.
In the U.S., legislation proposed last year advocated raising the maximum sentence for most computer crimes to 30 years in prison. Current penalties for computer crimes vary and generally reach up to 20 years in prison. The bill also tackles certain virus-related activities by outlawing the creation of networks of infected computers, known as botnets. Such networks are frequently used by criminals to launch Internet attacks, fire out the unsolicited email known as spam and swipe personal data stored in other computers. The Cyber-Security Enhancement and Consumer Data Protection bill had broad support in the House, but it wasn't voted on by either chamber during the last session of Congress. It is unclear whether it will be reintroduced.
The push for tougher laws comes as prosecutors have won some high-profile cases that nonetheless resulted in light punishments. An example is the case of the writer of the Agobot virus, a widespread and powerful piece of malicious code that was one of the first major viruses to allow the person spreading it to remotely control armies of infected machines. Since starting to spread in about 2003, the code and the hundreds of offshoot viruses it spawned have affected millions of computers that use Microsoft Corp.'s operating-system software. While the virus wouldn't necessarily shut computers down, it could create a back door through which identity thieves and other criminals could gain access.
But its author, Axel Gembe, a 24-year-old German, received just two years' probation following his conviction on charges of computer sabotage and modifying data at his trial in Germany in November. Prosecutors in the case weren't able to demonstrate the total damage caused by the virus around the world or show Mr. Gembe was directly responsible for infecting all of the machines.
Mr. Gembe admitted in court to writing the virus and supplying it to another hacker but said he didn't widely disseminate it. In Germany, as in the U.S. and many Western countries, writing a computer virus isn't in itself illegal. Distributing a virus with intent to cause harm is a crime in most of those countries, but that intent often is difficult for prosecutors to prove. Virus writers often claim to have written a piece of code merely to win bragging rights for the accomplishment among their peers.
The judge also took into account that Mr. Gembe had a difficult home life as a child, including being abandoned by his mother, and that he has recently taken steps to improve his situation. Mr. Gembe currently lives in the city of Freiburg with friends and has an apprenticeship at a security firm that produces alarm systems.
While some legal experts say Mr. Gembe's sentence may be appropriate considering his personal circumstances, they consider it light considering the disruption his virus caused. "Agobot was an industry-changing code" in terms of the rate at which it spread and the ability it gave a remote user to manipulate infected machines, says James Aquilina, a former assistant U.S. attorney in Los Angeles who prosecuted Internet crimes and now is a lawyer at Stroz Friedberg LLP. "Given the way the hacker community regale, revere and admire [Mr. Gembe], I'm sure they think, 'He gets a slap on the wrist, and I'm in the clear.' "
Some prosecutors say the problem in general isn't so much that available penalties aren't sufficient. "The bigger challenge in the penalty sense is making sure that we can actually quantify the harm that is caused" to persuade a judge to issue a punishment that fits the crime, says Christopher Painter, deputy chief of the U.S. Justice Department's Computer Crime Section. Damages can play a key part in sentencing, but collecting comprehensive data is practically impossible as a virus can affect millions of machines, which often are scattered across many countries.
There have been some lengthy sentences. In the U.S., a federal judge in Los Angeles last May sentenced 21-year-old Jeanson James Ancheta to 57 months in prison for computer-virus related crimes. Mr. Ancheta pleaded guilty to several charges, including conspiracy to commit computer fraud and unauthorized access to computers.
Prosecutors said he secretly hijacked tens of thousands of computers, including those at two military sites. Mr. Ancheta then rented the armies of infected computers -- the botnets -- to others for the purpose of launching Internet attacks and sending spam, complete with advice on how many machines would be needed for a specific task. In addition, he received about $60,000 of advertising revenue by directing hundreds of thousands of infected computers in his networks to other computer servers he controlled where so-called adware would surreptitiously download onto the zombie machines, the court filings show.
--Almut Schoenfeld contributed to this article.