November 1999

The Difficulty of Prosecuting High-Tech Crimes

"Tough cases make bad law," opines the old adage. While this calls to mind the situation where a tough case makes bad common law resulting from inaccurate findings of fact, or the application of inartfully construed law, in high-tech cases the adage is more applicable to the creation and attempted creation of statutory law motivated by fear of the unknown.

It took nearly four and one-half years for cracker Kevin Mitnick to go from his arrest on over 25 charges of computer-related fraud to his sentencing — all without ever having gone to trial. Mitnick, who on August 8, 1999, was sentenced to 46 months in prison pursuant to a plea agreement, and Kevin Poulsen, another cracker who served over five years, both experienced extraordinary delays in their cases. This was due primarily to the prosecutors' inability to assimilate enormous amounts of complicated evidence in their unrelated trials.

According to a recent study by David Banisar, a Fellow at the Electronic Privacy Information Center, the world of high-tech crime is frequently too complex for police and prosecutors to handle properly, too often leading to unnecessary searches, arrests and court delays. Using information provided by the Department of Justice in response to a Freedom of Information Act request, Banisar discovered that of the 419 cases of alleged computer fraud referred to federal prosecutors in 1998, a mere 83 cases were actually prosecuted. The remaining 336 were dismissed, frequently for lack of evidence. Banisar found that since 1992, 64 to 78 percent of federal computer fraud cases have not been prosecuted, or have been referred to the states for prosecution, leading to the conclusion that law-enforcement agencies are spending a significant majority of their time obtaining search warrants, investigating, and making arrests in cases that are not being prosecuted at the federal level. This seems to suggest two problems. First, high-tech criminals get away with their crimes. Second, innocent parties are being unduly burdened by investigations of high-tech crime.

Prosecutors apparently have a difficult time understanding and/or proving these kinds of cases. To compound the problem, evidentiary rules have not kept up with advances in technology. Consequently, the courts struggle to apply existing and historical interpretations of the rules to fact situations that neither they, nor the prosecutors, understand with sufficient clarity. This doesn't mean the current rules are inapplicable. Quite the contrary: many (arguably most) of the existing evidentiary rules can be properly applied to high-tech situations. But shoe-horning an "authentication by proving document produced by reliable process" admissibility rule into a fact situation that is more appropriately addressed as a "chain of custody" issue may result in altogether disallowing the admissibility of the document in a motion in limine or on appellate review. Nevertheless, despite their lack of understanding of the technologies, the DOJ, FBI, DOD and NSA are all asking for increased budgets to fight cyber-crime, even though they are prosecuting only about a quarter of the cases they investigate. While fighting the "Internet terrorists" and "waging battle in the InfoWar" make great soundbites in budget request hearings, common sense dictates that their efforts will be better served by looking for increases in their educational budgets. Silly me. I am talking about the government, after all….

The main problem with the law in relation to the Internet and cyberspace is that technology is moving so fast that it is leaving the law far behind. By the time the government creeps through the arduous process required to enact a new law, other technologies arise, and with them, a whole new array of technological considerations. On August 5, President Clinton signed an Executive Order[1] creating a cabinet-level working group to determine whether current laws are sufficient for dealing with Internet-related crime. The order also charges the group with investigating new technologies, methods and legal authorities to assist law-enforcement agencies in battling cyber-crime.

Critics say that the federal agencies are doing nothing short of empire-building by using perceived threats, blown out of proportion by the media, to build new programs and expand the scope of their agencies without appropriate safeguards and without sufficient computer expertise. In legislation recently drafted by the DOJ and being circulated around Capitol Hill, the proposed Cyberspace Electronic Security Act would allow investigators to obtain sealed orders from judges that would permit them to enter private property; rummage through computers (such as the one in your home); look for passwords to your private e-mail, bank records and other correspondence; and install devices that would override your encryption programs. "They have taken the cyberspace issue and are using it as justification for invading the home," says James Dempsey, senior staff counsel at the Center for Democracy and Technology, an advocacy group in Washington, D.C., that tracks privacy issues. If the Act passes, it is ironic that the use of encryption, which is designed to protect privacy, would give law enforcement a free pass to secretly break into homes by giving courts the right to approve covert police activities of a nature historically used only for foreign surveillance.

Congress isn't sold on the DOJ proposal, which follows previous unsuccessful attempts by the FBI and DOJ to secure laws requiring computers and software to include "back doors" allowing law enforcement to circumvent security and encryption schemes. "We want to help law enforcement deal with the new technologies. But we want to do it in ways that protect the privacy rights of law-abiding citizens," says Rep. Robert W. Goodlatte (R-Va.), who originally sponsored legislation known as the Security and Freedom Through Encryption Act. And Congress is listening. At the recent Congressional Technology Summit held in Seattle, and well attended by members of the House of Representatives and educators and leaders in technology-driven companies, the encryption question was a frequent topic at breaks and during lunch. While not addressed directly during the various panels, the question was foremost in many minds. Hopefully, the congressional contingent has carried the pro-encryption message back to Washington. As one noted educator analogized to gun control, "When you take all the guns away, the only ones left are those in the hands of the criminals."

As with the makers of statutory law, education of the judiciary and federal and state prosecutors is a primary solution to the problem. A long and tedious process at best, education provides the only lasting solution. When the triers of fact and courts don't understand the issues, and counsel is unable or unwilling to educate them properly, the results tend to be unrealistic. Relatively small crimes may get treated as large crimes because they're easy to prosecute. The government may exaggerate, or encourage the victims to exaggerate, the damages claimed. In any fraud case, a defendant's potential sentence is directly related to the potential damage caused. In Mitnick's case, Sun Microsystems claimed that the software Mitnick allegedly lifted was worth $80 million. Considering the total costs of research and development, the software probably did cost that much to create. Unlike the "cost" of an automobile or other tangible item, however, the cost of a copy of the software doesn't even come close.[2] Luckily for Mitnick, the Court "got it" and assessed Mitnick only $4,125 in restitution, not the $300 million claimed by the government. Had the government requested of the victimized software companies the actual losses sustained, and not the total amount invested in the development of the software, Mitnick's case would have had a very different flavor from the outset. In fairness, it is arguable that at that time, the prosecutors didn't know what questions to ask, or didn't have the necessary expertise to view with a critical eye the values supplied to them. I wonder.…


After spending 25 years in software engineering and development, Rob Apgood suffered a mid-life crisis that seriously affected his judgment. As a result, he relinquished his pocket-protector, acquired a law degree, and, when not out riding on his Harley, can be found most days at the law offices of Siderius Lonergan indulging in latent Luddite tendencies.


NOTES

1. See http://www.epic.org/security/clinton_order_8_99.html.

2. Sun now sells copies of the same software to students and software developers for $100.

Last Modified: Monday, June 23, 2003
