Are criminal penalties for hacking excessive?


This week Andrew Auernheimer was sentenced to 41 months (!) in prison for exposing an AT&T security flaw. I know that is a bit biased in how I stated it, but he found and exploited a weakness that AT&T should be hanging their head over, didn't use any of the information he was able to access to take anything, and turned it over to Gawker to publicize the issue. Auernheimer may come off as a bit of a jerk at times, but 41 months in federal prison for THAT?!? It was only a month or so ago that Aaron Swartz committed suicide while facing 35 years in federal prison + a $1,000,000 fine for accessing a server and downloading a ton of academic articles. I know it sounds cliché, but people really do often get lesser sentences for killing people.


On the other hand, I've had a personal account compromised in the past, and I would love for whoever did it to spend some time in prison (but even then not decades). What do people think: are the punishments for hacking under the Computer Fraud and Abuse Act unfair, or is it what we need to dissuade people from committing cybercrimes?

Topic: Security


3 total
Vote Up (9)

I think it is out of balance, and I entirely agree with Christopher's contrasting example of bankers and execs getting off with ZERO personal liability when their actions ruin people's lives. I personally lost well over $100,000 when the financial system nearly collapsed, and I don't know when I'll ever catch back up. Yet the people who caused it walk free and get million dollar bonuses.

The problem is that many prosecutors just don't care about the relative moral implications of actions they prosecute. They see a law, they can prosecute people for it, and they seek the maximum penalty nearly every time. If you don't want to face the possibility of decades in jail, which is a very real possibility even if you are actually innocent, you have to accept their plea offer. Take it or leave it.

Back to the original question, yes, I do think the penalties are out of control for some things. To me, it is somewhat like John Stuart Mill's Harm Principle, and if the individual is not causing direct harm to others, they should be punished very little or not at all. The Auernheimer case would fall into this category, and it is reasonably arguable that his actions actually benefited millions of iPad users. If the miscreants are causing direct harm to others, such as Christopher's examples of stolen credit cards and on-line harassment, then I am all for Old Testament style, merciless punishment. Prosecutors have demonstrated that they are unwilling to appreciate the difference, so the only answer is to change the laws.

Vote Up (8)

Perhaps AT&T should have hired him as a security consultant? He did seem to provide an important service to them. So rather than prosecuting him, maybe they should have hired him to take advantage of his skill sets?

Christopher Nerney
Vote Up (6)

It depends. In the cases you cite, the sentences definitely appear to be excessive.


However, in this case and this case, it can fairly be argued that the longer sentences may be more appropriate. For me, stealing money and credit cards or harassing, stalking and terrorizing people online are deserving of harsh punishment. Hacking into a network for fun or to prove a point, not so much. 


All that being said, there's something wrong when hackers get excessive sentences for committing lesser crimes than the bankers and other corporate executives who routinely abuse our laws and economic system and ruin lives for their own personal financial gain. 

