Cybercrime laws must be updated and more clearly defined
March 17, 2003
Christopher Andrew Phillips reported to the U.S. Secret Service and confessed. The… Christopher Andrew Phillips reported to the U.S. Secret Service and confessed. The 20-year-old University of Texas, Austin, student’s crime: hacking more than 55,000 names and social security card numbers from the school database.
Phillips’ data theft was the largest ever involving a university. The Secret Service charged him with “unauthorized access to a protected computer and using false identification with intent to commit a federal crime,” according to a March 14 article in The Washington Post.
Clearly, legislatures have not updated their criminal code to match his crimes. Phillips stole information, and is not being prosecuted for using this information. His intentions, rather than his actions, comprise his crimes.
The question arises: Do our laws protect effectively against such security violations? In Phillips’ case, they do not. Identity theft – stealing another’s name and information – does not seem to be a crime. Therefore the justice system cannot prosecute it well.
Freedom of information conflicts with the right to privacy. Computers and the Internet blossomed into a seemingly endless source of data. Few authorities can dictate successfully who can access what information. Beyond certain security measures, it remains an open forum.
And since we value disclosure over privacy – as seen in our free press and freedom of information statutes – it should continue to be so, in spite of Phillips’ actions.
Hackers exploit the connections between computers and breech this trust. Phillips took the social security numbers of students, staff and faculty. These could be used potentially to determine credit card and bank account numbers. Phillips did not do this. It seems he acquired them not because he wanted to use them, but simply because he could.
Our justice system prosecutes for crimes of intent regularly. People go to jail for intending to steal, maim and kill. Phillips stole information and is being prosecuted for the intent to commit a federal crime. The Washington Post does not specify this crime.
What becomes clear is that his actions are treated as crimes, but are not specifically outlawed. The U.S. attorney for western Texas promised that “these cases will be taken seriously, these cases will be prosecuted, and this case will be prosecuted vigorously.” Resultantly, Phillips faces up to five years in prison and a $500,000 fine.
His crimes are vaguely defined. Accessing a protected computer could range from remote hacking to simply using someone else’s name and password to log on. As widespread as computers and computer-related crimes are, our justice system is ill equipped to prosecute them.
While hacking a computer containing personal information seems like a major violation of others’ privacy, five years in prison is not a fitting punishment. Perhaps it is not the crime itself – stealing data – but the magnitude of it and the ease with which he did it that they are prosecuting.
Phillips reported to the Secret Service voluntarily. They released him without bail, on the condition that he would have limited access to computers. Neither the Secret Service nor the U.S. attorney’s office appears to have the capacity to pursue a fitting recourse.
Five years in prison would deter Phillips from hacking, but would it deter others from committing the same actions? Taking names and social security numbers – the currency of identification – pales in comparison to what he could have done, and what others do.
Because he submitted to the Secret Service rather than being apprehended, others seeing this may not be dissuaded from committing the same actions. Moreover, the charges Phillips faces do not suit what he did.
Either Congress should revise laws concerning identity theft or the justice system should relinquish its ability to prosecute technological crimes of intent. The current system is overbroad, yet under inclusive. Phillips’ actions demonstrate this. Until legislative adjustments occur, cyber crimes cannot be identified or prosecuted effectively.
Columnist Sydney Bergman can be reached at [email protected].