
After Threatening Hacker with 440 Years, Prosecutors Settle for a Misdemeanor - InternetGiant
http://www.wired.com/2014/11/from-440-years-to-misdemeanor/
======
tptacek
Obligatory:

[http://www.popehat.com/2013/02/05/crime-whale-sushi-
sentence...](http://www.popehat.com/2013/02/05/crime-whale-sushi-sentence-
eleventy-million-years/)

Most importantly: when you are charged with many counts of the same crime, the
DOJ likes to write press releases suggesting your sentence is the product of
the maximum sentence of each count. _But that is not how sentencing works in
reality_. Reality works more like this: the judge uses sentencing guidelines
to figure out a sentence for the "worst" single count you're charged with, and
that's how much time you serve.

~~~
sillysaurus3
You've said this a few times, but you leave out how scary it must be to be
charged in such fashion. Some people are uninformed and plead guilty just to
avoid that scary fate.

I know you're not saying anything more than "This isn't actually what it would
have turned out to be," but what would it have turned out to be if these
charges had stuck? I'm curious how long a felony count of computer fraud or
cyberstalking will land you in prison for.

~~~
tptacek
I don't know, but that's not what happened in this case; the defendant had an
extremely competent lawyer who specializes in computer crime cases.

How long could your sentence be? With no criminal history and for offenses
deemed non-money-making, your sentence could be so low that you fall below the
threshold for probation. On the other hand, if your crime is deemed serious or
you have any history, 3-4 years might be more realistic. If you ran the
world's largest credit card ring --- really, if you did anything with credit
cards --- think more along the lines of 10-20 years.

Interestingly, that last point has been a truism in the "computer underground"
since I was a teenager. Break into phone switches. Own up Unix boxes. Release
viruses. Just don't fuck with credit cards. It remains truish today.

------
will_brown
The problem here is that the CFAA - especially the way it is being interpreted
as of late - is a relatively new and undefined body of law. Therefore, there
is not much case law on point.

As a result you have prosecutors doing what they do best, throwing everything
at the wall and seeing what sticks. The problem with throwing everything at
the wall is that defendants are more inclined to accept a reasonable plea
rather than face the unknown.

For example, is it reasonable to charge someone with a count under CFAA for
each instance they try to access a system without permission? You can try to
adapt existing case law in unrelated crimes - such as attempted murder, should
someone be charged for a new count of attempted murder for each bullet that
was shot at a given victim or just a single count notwithstanding the number
of shots fired, or how about if there are 2 potential victims the defendant
wanted dead but only shot 1 bullet near both of them? Is it reasonable to
charge a count under CFAA for running vulnerability software on a website? Is
it reasonable to charge someone for breaking and entering if the defendant
simply checks to see if doors or windows are unlocked, should we file an
additional count for each door/window that was checked or a new count for each
time a door knob was turned?

These are all issues that are ripe for the courts to decide, but it will take
a very long time before you have a defendant willing to take the risk. What is
really troublesome is that in the meantime there are cases such as this where
44 felony counts can be reduced to a single misdemeanor in exchange for a
change of plea. The fact that a prosecutor was willing to offer a deal like
this means the original charges were improper even in the eyes of the
prosecutor.

Expect things to only get worse in terms of prosecutorial discretion vis-a-vis
charges under CFAA in the foreseeable future.

~~~
tptacek
The number of counts charged in CFAA doesn't appear to have much to do with
sentencing.

There is a huge problem with CFAA sentencing: the sentence accelerator for
damages. The iterator count in someone's "for()" loop can make the difference
between probation and 3 years in prison.

Incidentally: you probably can be charged with breaking and entering for
checking your neighbors window locks.

~~~
rayiner
Your example makes me thing of something: what if we're all just less
conscientious people online? Lots of people looked at the recent leaked
celebrity pictures who wouldn't look into those peoples' windows. It's hard to
argue that this is the result of the former being less wrong--the impact on
the victim is identical. So it must be that people are just more willing to do
"wrong" things on the internet. Should the law take this into account,
especially when you're analogizing between the CFAA and breaking and entering,
or cyberstalking and real stalking.

~~~
tptacek
We're not just less conscientious online (though we certainly are that).
Technology also makes unethical, immoral, and criminal decisions much easier
to make, often so easily that we don't realize that we've done it unless we go
out of our way to reflect on it.

~~~
boracay
That isn't unique to the Internet though. That goes both for other
technologies like cars, guns or publishing and "protected" activities like
running a business, being a journalist or a lawyer. Maybe most importantly
there has to be a reasonable balance between protection (liability) and
enforcement (punishment).

------
mbreedlove
"Eighteen of the 44 counts in Salinas’ indictment, for instance, were for
cyberstalking an unnamed victim. But each of those charges was based on
Salinas merely filling out a public contact form on the victim’s website with
junk text. Every time he clicked “submit” had been counted as a separate case
of cyberstalking."

This is obscene... There seems to be an utter lack of understanding by the
prosecutors handling these cases.

~~~
ci5er
> There seems to be an utter lack of understanding by the prosecutors handling
> these cases.

Not at all. They know exactly what they are doing.

It isn't about them not understanding the intent of the law. It is about them
understanding how to use the blunt tool of that law's language to satisfy
their own objectives.

~~~
genwin
And if it goes to trial, the jury's likely to think in terms of compromising
on the multitude of charges (rather than outright rejection), in which case
the defendant still goes to prison for many years.

~~~
lawnchair_larry
This is the problem I have with _the contrarian 's_ position in all of these
threads. As usual, the answer is somewhere in the middle.

------
hessenwolf
Plea-bargaining goes against the fundament of innocent until proven guilty. It
puts the requirement on the accused to know for certain that they can prove
their innocence, to avoid the ludicrous sentence.

That is, there may be a motivation for pleading guilty even when you are not.

~~~
tptacek
How exactly does plea-bargaining do that? Prosecutors don't determine
sentences; judges do, and the sentences they choose are circumscribed by very
detailed guidelines.

~~~
maurits
Sobering read: "Plea Bargaining and Torture in light of the Aaron Swartz case"
[1]

[1]: [http://blogs.law.harvard.edu/philg/2013/01/15/plea-
bargainin...](http://blogs.law.harvard.edu/philg/2013/01/15/plea-bargaining-
and-torture-in-light-of-the-aaron-swartz-case/)

~~~
tptacek
This read _starts out_ and is _premised_ on a falsehood:

 _An interview with Aaron Swartz‘s defense attorney reveals that, though the
government was threatening Aaron with between 30 and 50 years in prison if he
went to trial and was convicted._

Not only was Swartz not threatened with 30 years, but the prosecutors
themselves threatened him with (an itself implausible) single-digit-year
sentence. Swartz's own attorney thought it likely that even were he convicted,
he wouldn't end up serving a custodial sentence.

It sucks when this case gets brought up, because the only way to get to the
truth of it requires people to sound like they're defending Steve Heymann, the
prosecutor in the case. There was a great deal wrong with the case. It's just
that a 30-year sentence wasn't part of it.

~~~
loopdoend
The government was definitely threatening him with over 30 years, perhaps not
privately, but it is not a falsehood.

"If convicted on these charges, SWARTZ faces up to 35 years in prison, to be
followed by three years of supervised release, restitution, forfeiture and a
fine of up to $1 million."
([http://www.justice.gov/usao/ma/news/2011/July/SwartzAaronPR....](http://www.justice.gov/usao/ma/news/2011/July/SwartzAaronPR.html))

Not pleading out would mean that the offer of a lower sentence is off the
table, and the prosecutor would push for the threatened maximum sentence.

~~~
tptacek
No. That DOJ pres release is also false.

------
talmand
Prosecutor using vaguely written laws to pile on charges to make the defense
feel overwhelmed to force them into a plea deal for a lesser, but actually
more accurate, charge? This is nothing new, it's been done for generations.

The sad thing is, this only truly affects the non-career criminals in our
society. Career criminals, that these tactics are supposed to be for, will
laugh in a prosecutor's face for suggesting such stupidity. It's how you give
non-career criminals a new career option so they can laugh later.

~~~
at-fates-hands
>>>> Career criminals, that these tactics are supposed to be for, will laugh
in a prosecutor's face for suggesting such stupidity

I'm pretty sure the three strikes law in California was enough to scare any
career criminal into co-operating with prosecutors. At least until recently
when changes have been proposed.

[http://ivn.us/2012/11/09/changes-in-three-strikes-law-
reform...](http://ivn.us/2012/11/09/changes-in-three-strikes-law-reform-
california-prison-system/)

 _" California’s controversial three-strikes law mandated that anyone with two
convictions on their record could be sentenced to life upon committing their
third felony of any type. This includes theft, robbery, or burglary and up
until 2011, could be applied legally to shoplifting. Passed in 1994 in
response to the kidnapping of Polly Klaas by a repeat offender, California’s
three-strikes law was the most unforgiving interpretation of the law in the
country. Up until Tuesday, California was the only state to demand life-
sentencing upon a third felony, regardless of whether or not that crime was
violent."_

~~~
talmand
That type of law is completely different than the practice of piling on
charges to cause a reaction from the defense.

Most cases of piling on charges for a non-career criminal would be for
posturing purposes.

Most cases of threatening third strike on career criminals would be for
investigation purposes. Or simply, to get a career criminal off the streets.

------
andrewtbham
I believe there should be a movement to pass a law to stop all plea
bargaining, and require all criminal proceedings to go to trial. It would
force the criminal justice system to only pursue solid cases, prioritize for
the worst crimes, and reduce our bloated prison system, and restore our right
to a fair trial.

~~~
tptacek
It would grind the criminal justice system to a complete halt. The impact
would fall almost entirely on the accused, who would sit in holding cells for
years waiting for trials, which would be even more perfunctory as a result of
the immense pressure that would be put on public defender offices as a result
of conducting pointless trials for open-and-shut cases.

~~~
gamblor956
Speaking as a former public defender, the opposite would be true. Defendants
are entitled to speedy trials. If a case cannot proceed to trial within the
specified time frame (usually 60 days from charging, unless the defendant
waives the right to a speedy trial, but it varies by state), then the charges
are dismissed.

I was lucky enough to participate in a plea bargaining strike organized by the
public defender and criminal defense attorneys bar in response to the DA
refusing to negotiate for low-level (non-dealing) drug offenses. As part of
the strike, our defendants also refused to waive their rights to speedy
trials. Almost 100 additional cases were scheduled for trial during a 1 week
period, with many more queued up in the weeks beyond. Despite utilizing every
DA and intern at its disposal, and opening up shuttered courtrooms, the DA was
wholly unable to staff the sheer volume of cases. On the 3rd day it became
clear that fewer than 25 cases would make it to trial by the deadline, and the
DA capitulated.

~~~
tptacek
Defenders are theoretically entitled to speedy trials, but in reality can be
held for years and years without trial based on procedural delays, and, in
particular, based on the court's scheduling problems:

[http://www.newyorker.com/magazine/2014/10/06/law-3](http://www.newyorker.com/magazine/2014/10/06/law-3)

And a huge flood of criminal trials would certainly _not_ make individual
criminal trials any more rigorous, or juries any more likely to carefully
weigh evidence.

Finally: people on HN _royally fucking hate_ hearing this, but it's true:
_most criminal defendants are guilty_. We hear about newsworthy cases where
there's enough of an interesting narrative to write an interesting lede graf.
But for every one of those, there are 100 where the details are completely
uninteresting: the defendant was found in his living room with bloody knuckles
standing next to his unconscious spouse.

A plurality of Cook County inmates are in for domestic violence; the majority
are incarcerated for violent crime. So the idea that we'd have a _fairer_
system by ensuring that fewer defendants actually faced charges is... suspect.

The injustices in our criminal law system need to be fixed at their source:
the law needs to be changed to ratchet down sentences. This is an
uncontroversial point. There is broad agreement that sentences were escalated
to untenable levels during the nationwide freak-out over crime from the late
1960s through the mid 1990s. _That_ problem needs to be fixed; no cosmetic
change will improve our system until it is.

~~~
RickHull
Why, it's almost as if innocent until _proven_ guilty is not a bedrock
principle of our criminal justice system. That it would be better to lock up
one innocent to prevent 100 guilty going free.

~~~
tptacek
There's really no discussion about criminal justice that you can't shut down
by invoking "innocent until proven guilty" and taking the word "proven" in its
mathematical sense.

~~~
RickHull
I meant the "beyond a reasonable doubt, in a court of law" sense. Presumption
of guilt is a very treacherous path to advocate.

------
Amorymeltzer
The power that prosecutors have is unbelievable, especially when it comes to
using the plea bargain. Here's a fantastic look at the history of plea
bargains and how they get used to bully people into pleading guilty when they
aren't.

[http://www.nybooks.com/articles/archives/2014/nov/20/why-
inn...](http://www.nybooks.com/articles/archives/2014/nov/20/why-innocent-
people-plead-guilty/)

------
goatforce5
What's a greater form of harassment?

a) Submitting garbage text via a Contact Us form up to (and including) 18
times, or

b) Threatening someone with 180 years in jail for those messages and then
settling for a $10,000 fine?

Answers via my Contact Us form please!

------
anigbrowl
_After all, Ekeland argues, Salinas has already been pilloried in the local
and national press, which touted the early charges against him, but ignored
the fact that they were dropped._

This is what incentivizes the prosecutors to a large extent. It's a political
office (even in the case of US attorneys who are appointees, they're appointed
by the administration, and that job is often a stepping stone towards running
for a state AG job or some other political office) and the sad fact is that in
many parts of the country there are more people who want to throw the book at
people they perceive criminals than there are people concerned with
proportionality or preserving the rights of defendants. In fact, most people
are complete hypocrites about legal process and will cheerfully make
completely opposite arguments depending who is int he hot seat and why.

So there's a clear incentive for prosecutors to paint anyone they catch as
some Moriarty-like crime lord and of course that makes great news copy - big
number, cooperative prosecutor, astonished neighbors saying they never
realized they were living next to a crime lord, all heavily edited for maximum
emotional impact within the tight constraints of the 'Action News' format
([http://en.wikipedia.org/wiki/Action_News](http://en.wikipedia.org/wiki/Action_News)
\- the reason local TV news in the US is so awful is because it's manufactured
on a template rather than crafted in response to the facts of the story).

And of course, there's no requirement to report the much less interesting (to
most people) outcome of someone having their charges downgraded to a few
months in jail and a fine. Because of the first amendment it's difficult for
defendants to keep their name out of the media pending the outcome of a trial
(whenever courts put anything under seal news organizations tend to file suit
to gain access while mouthing platitudes about 'the public's right to know')
and there's no way to compel the media to give equally prominent coverage to
defendants whoa re acquitted, exonerated, have charges downgraded and so on.

------
peter303
I wish Aaron Swartz had realized this. Prosecutors like to bluster and pile on
charges. In the end the bargain is more reasonable. Professor Lessig said such
in the Swartz bioptic earlier this year. Such a loss of talent.

~~~
tptacek
Aaron Swartz had excellent counsel and knew that press-release sentencing had
nothing to do with what he actually faced.

------
tomiko_nakamura
This is the way prosecution works in the US - charging with heaps of bullshit
felonies with the aim to scare the defendant, forcing him to plead guilty in
exchange for minimum sentence. The defendants have to consider the risk that
some of the felonies might stick (e.g. because of general ignorance of people
to technology), and the expenses for the defence. And many actually choose to
plead guilty despite being innocent ...

Just look at the percentage of "pleaded guilty" cases, that completely bypass
the judicial system. The prosecutors can claim how they convicted another
dangerous haxxxor, the general public applauds and the popularity helps them
eventually get into Congress, important post or whatever.

This is not really all that different from how patent trolls work - they
usually require payments that are slightly lower than the expected cost of
defence (which may or may not be successful, and you'll have to pay for it no
matter what the outcome is). So most companies do the math and simply pay to
make them go away.

Also, it's exactly the issue that killed Aaron Swartz ...

------
kazinator
In Canada, you can kill someone and only get six years. You can easily find
cases of this by searching CBC news stories for murder and "six years".

For instance, a few years ago, some dude in Alberta killed a foreign worker: a
welder from Thailand. That guy's life was worth six years in jail.

[http://www.cbc.ca/news/canada/edmonton/killer-of-thai-
welder...](http://www.cbc.ca/news/canada/edmonton/killer-of-thai-welder-
gets-6-years-1.1064550)

I'm also appalled by that someone who fills a form with garbage and clicks
Submit is even called a "hacker", let alone being charged with anything.

------
ZoFreX
> We've got enough on you right now to put you away for the rest of your life,
> plus 30 years

> Plus 30 years? That doesn't make any sense. Why not give me life plus a
> thousand years?

> Keep pushing.

\- Dilbert S02E12 "The Virtual Employee"

------
spacemanmatt
When a serious legal topic comes up here on HN, I start missing Groklaw again.

------
wtf_us_
when a prosecutor oversteps their authority like this, they should be punished
in some way.

------
pasbesoin
At some point, this abuse must cross some line which I will and perhaps the
law should define as extortion.

If the is no consistency nor comprehensibility and predictability to the law,
it is no longer law. It is merely capricious authoritarian behavior.

------
charonn0
The use of kitchen-sink charges and draconian sentences to coerce confessions
has all the same moral and practical difficulties as the use of torture for
the same ends.

------
steffenfrost
If you want to commit crimes with impunity, become a banker. Otherwise, you're
just needed fodder for the corporate prison system.

------
jldugger
> “If filling a website submission form a lot of times is cyberstalking, about
> half of Twitter is going to jail,” Ekeland says.

We can only hope!

------
bmmayer1
Salinas' defense attorney is named "Tor Ekeland."

------
Yadi
Ouch that is a lot of years! Kids don't do hacks.

------
notastartup
what is the point of such a long sentencing? 440 years?

------
eyeareque
The article states that he was scanning the website for vulnerabilities. He
wanted to do harm.. My assumption is that he was looking for exploits, perhaps
a XSS in the comments section (filling out comments with junk text) or he was
just trying to DoS the site.

Had he found a vulnerability in the site, what do you think he would have
done? He doesn't seem to be a white hat, but does the county have a
vulnerability reporting policy? (my guess is no.)

I equate what he did with a burglar snooping around a house and checking for
an open door or window to break in.

I think the laws they used were wrong--but it appears he was up to no good.

~~~
1337biz
_it appears he was up to no good_

The emphasis is on "appears". You can't convict anyone on (your personal)
"suspicions".

~~~
eyeareque
No, you can't. But I haven't seen the evidence. It isn't legal to scan a
website for vulns without permission. I assume the have evidence that he did
scan the site.

~~~
lawnchair_larry
_" It isn't legal to scan a website for vulns without permission."_

This isn't true.

I do it quite a bit, so do other people who have no malicious intentions. Some
professionals do it quite publicly, and even blog about it.

Check out this guy, not just scanning for, but actually exploiting shellshock
to execute commands on servers he doesn't own, internet-wide:

[http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-
in...](http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-
internet.html)

Are we better off with him in prison?

~~~
eyeareque
You're taking a risk when you do this. Not many people go after these types of
scans, but you're basically doing it without permission. It's a grey area, be
careful. If your scans cause an issue for the server, either through slowing
the system down, or causing a web server to crash, you've now broken a law.

