Sunday, 10 February 2013

Sentencing cybercriminals: a call for guidelines

Recent news of the sentencing of four men (1, 2) connected with Anonymous DDoS attacks on Visa, PayPal and Mastercard raises questions over the suitability of existing sentencing options and penal practices as a reaction to online offending.

For flooding these payment gateways with bogus requests such that they were no longer able to service legitimate traffic, in connection with the WikiLeaks saga, three of the four men received custodial sentences, one of which is suspended, while a fourth was reluctantly spared custody as he had been 16 at the time of the offences.

Without having read the sentencing remarks, it is difficult to tell on what basis a custodial sentence is said to be justified. Indeed, it is not immediately clear on what basis these acts are deserving of the moral label "criminal" at all. According to the news, these men were co-conspirators in a group responsible for some £3.5mn of lost revenue. A large sum of money, certainly; but, unlike these high-tech bank robbers, the men in this case did not share in £3.5mn of ill-gotten gains. Their motivations, it seems, were political.

Compare this to the financial cost of Occupy London: apparently St. Paul's lost revenue exceeding £16,000 per day, and authorities paid out over £1mn in "legal and monitoring costs". Yet, this was dealt with through the mechanisms of civil trespass. Is this cost any less direct than a loss of revenue caused by DDoS attacks?

Perhaps a line ought to be drawn between acts that result in private criminal gain and those that are motivated by something else. This is not to say that the latter should always be 'allowed' to happen, just that there ought to be a clear distinction between civil nuisance and criminal wrong. As my previous post on this subject argues, there is a moral hazard in overprotecting our interests using the coercive power of the state, in using the sledgehammer of the criminal law to crack the nuisance nut.

Police criticism of current sentencing practice rests on the claim that cyber criminals are treated leniently relative to their offline counterparts. It seems correct to say that, all other things being equal, a fraud committed online should not attract a lesser sentence than an equivalent fraud committed offline. However, trespass and DDoS are fundamentally different acts, motivated by fundamentally different aims. Of course, many crimes may be committed in the name of ideology: my point is that the tension between trespass and DDoS calls into question the nature of the harm that the state seeks to condemn, and complicates the task of sentencing. If Parliament is unwilling to revisit the scope of liability, the CPS should draw up a code of practice (just as it is doing for social media prosecutions), and the Sentencing Council should issue guidance to structure judicial reaction to Internet offending.

Perhaps a special blameworthiness in DDoS rests in the typically illicit means by which perpetrators tend to amass the computing power necessary for the success of their attacks. If so, this should explicitly be stated; though this shotgun approach does seem rather at odds with orthodox standards of proof. What is it about DDoS attacks, in your view, that attracts this special blame?

Adding certainty to the criminal law in this area, if not rolling back its scope, ought to be the legacy of Aaron Swartz, the first casualty of overzealous prosecution, who was motivated by a desire to make academic journal articles freely available to all. We need coherent, evidence-based guidance on the proper scope and extent of criminal wrongdoing, on an international level.

The role of criminology and other social sciences in this debate is crucial. Without an empirical basis for the causation of Internet crime, the role of deterrence and other controls, and the extent of any normative framework around Internet crimes, policy risks amounting to little more than reactionary guesswork.