
The U.S. Crackdown on Hackers Is Our New War on Drugs - adamnemecek
http://www.wired.com/opinion/2014/01/using-computer-drug-war-decade-dangerous-excessive-punishment-consequences/
======
tptacek
This article makes an important point about the brokenness of CFAA sentencing,
but it (or Wired's editors) do the point a disservice by making an absolutely
hyperbolic claim.

The "War On Drugs" has imprisoned literally millions of people, and done so in
a fashion that is both racist (minorities are far more likely to be imprisoned
for a drug offense) and classist (wealthy defendants are unlikely to be
imprisoned for casual offenses). Furthermore, persecution of drug users
targets actions people take that cause debatable harm to society.

If[f] Keys, who is accused of deliberately enabling Anonymous to vandalize the
front page of one of the largest newspapers in the world, is
shown to have done the things spelled out in the warrant, then prosecutors
will have shown that he:

* knowingly damaged the computer systems of Tribune Corporation

* actually caused 5 figures worth of damage

* did so by abusing a trusted position at Reuters

Keys, who as we can see has _exceptional_ attorneys working on his case, is
far more culpable for his actions than a large fraction of drug offenders.

It is indeed a very serious flaw in the CFAA that sentences can "scale with
the iterator in your for loop" as your actions cause seemingly spectacular
amounts of damage despite no change in your actual criminal intent.

But it's worth pointing out here that that flaw plays a minimal part in Keys'
potential sentencing. The base level for CFAA crimes (like most larceny and
fraud charges) is 6, which merits a 0-6 month sentence. The damage
"accelerator" in Keys' charges adds 4 points to that level, bringing him to
level 10, which is a 6-12 month sentence where conditional probation is
allowed. The damage accelerators aren't what's ramping up Keys' sentence ---
it's the combination of damage (at any level), cost to remediate, and abuse of
his position of authority.

Here's Popehat with a fantastic post on how the sentencing guidelines actually
work (I don't think they disagree with Keys' lawyer, except that Popehat goes
into more detail later in the article on how sentences are reduced in
practice) ---

[http://www.popehat.com/2013/02/05/crime-whale-sushi-sentence...](http://www.popehat.com/2013/02/05/crime-whale-sushi-sentence-eleventy-million-years/)

~~~
rayiner
The article goes off the rails with this sentence: "As a country and a
criminal justice system, we’ve been down this road of excessive punishment
before: with drugs."

There's no particularly strong connection between computer crimes and drug
crimes. As you point out, the comparison is hyperbole, and ignores the deep
racial, cultural, and class conflicts at the heart of the drug war. None of
those things are really applicable to computer crimes.

Rather, the time Keys is facing is simply a symptom of the broader malaise of
the justice system: felony enhancements are too quick to trigger, sentences
are too long and the sentencing guidelines offer false precision while
reducing necessary judicial discretion.

The article's comparison to California's vandalism law highlights the issue
described above: "Under California law, physical vandalism – like spray
painting graffiti on a building — can be punished as either a misdemeanor or a
felony..." That part is true of the CFAA as well, which is also a misdemeanor
unless committed in furtherance of another crime. And the trigger for felony
vandalism in California isn't high--above $400 in property damage makes a
felony charge available to the prosecutor, as well as a sentence of up to
three years in prison. In other words, I don't think it's fair to say that
Keys faces more time for his computer crime than if he had physically
vandalized a building to the tune of five figures of damage.

Drug crimes are just in a whole different league. Possession with intent to
distribute less than 100 grams of heroin can carry a sentence of up to 20
years, or up to 30 years on a second offense. Meanwhile, prison time for
computer crimes is still relatively light, unless they are effectively some
sort of fraud or theft:
[http://en.wikipedia.org/wiki/List_of_computer_criminals](http://en.wikipedia.org/wiki/List_of_computer_criminals).
Something like this is much more typical:
[http://www.washingtonpost.com/local/crime/aspiring-medical-s...](http://www.washingtonpost.com/local/crime/aspiring-medical-student-to-be-sentenced-in-mcat-hacking-case/2013/12/12/3e5e012a-6278-11e3-aa81-e1dab1360323_story.html) (three months
prison + 7 months of halfway house out of 10 months sought by the prosecution
for hacking into AAMC computers with intent to cheat on the MCAT exam).

~~~
tptacek
I've been idly working on an essay for... I don't know, 5 years now? about how
computers and the Internet catalyze harm, by shielding people who cause harm
from the impact of their action, and by making harmful actions practically
indistinguishable from benign ones --- "click this button and 'like' someone
on Facebook, click this other button and help DDoS someone whose politics you
disagree with".

I have some sympathy for defendants who are blindsided by the impact of
simple, trivial-seeming actions; things that just seem like pranks or political
statements. But I'm also very familiar with the real damage these actions
cause. I see the gap. I don't know how to resolve it. And I think it occurs
all over the place, not just in computer intrusions but in things like mass
file sharing, online trolling, defamation, revenge porn and sexting.

I don't have the right words yet for it, as you can see; I'll probably still
be mulling it 5 years from now.

Anyways: the fix I'd want to see for the CFAA is the one that applies
approximately the same consequence to pulling 10 accounts from an AT&T
endpoint as it does for 100,000, and so keeps Auernheimer from facing a long
custodial sentence for abusing an AT&T web service simply because he ran his
script too long. From the way these things are prosecuted, constraining
sentences also (a) makes it safer to push back on potentially unjust charges
--- since you're most likely looking at probation anyways, and (b) might keep
them out of court to begin with.

I don't know what you do about the guy who fed his admin credentials to
Anonymous to help them deface a newspaper. That seems overtly criminal no
matter what rules we come up with.

~~~
stretchwithme
Just wait until someone tells a robot to go out and gather carbon compounds.

~~~
TeMPOraL
Like this:
[http://wiki.lesswrong.com/wiki/Paperclip_maximizer](http://wiki.lesswrong.com/wiki/Paperclip_maximizer)?

~~~
stretchwithme
It's not in a human being's best interests to create something capable of
undergoing an intelligence explosion. Of course, that won't prevent somebody
from doing it.

It's better to control the technology you're using. Most robots will be either
remotely controlled or designed to handle a specific domain. To create a
potential competitor with an ever-evolving ability to compete is very
dangerous.

But even drones will be very dangerous even when tightly controlled by someone
malicious.

I'd say we have some interesting challenges ahead of us.

------
Crito
Unless they figure out how to use hackers to justify frisking random
minorities for the crime of walking on the sidewalk, then this is not _really_
the new _War on Drugs_.

The _War on Drugs_ is a "solution" to a "problem" that white suburbia America,
and their police departments, perceived. At the federal level it was driven by
people attempting to protect their political interests by criminalizing the
behavior they associated with groups that they felt threatened by.

_Hacker Panic_ is working at a different level. I think that it would be more
accurate to say that it is our new _War on Terror_.

~~~
hansjorg
The original claim is outlandish and devoid of any perspective, but comparing
this to the "War on Terror" is just mind boggling. You do realize that there's
a world outside the US where the "War on Terror" has had some pretty
devastating effects.

Or was that a joke?

~~~
Crito
Oh fucking christ, I am not having the conversation in two places at once:
[https://news.ycombinator.com/item?id=7110399](https://news.ycombinator.com/item?id=7110399)

My comparison between _Hacker Panic_ to the _War on Terror_ is not meant to
imply that a few teenagers getting sent to prison for decades is equivalent in
any respect to raining missiles down on wedding parties.

It is a statement about the motivation of the people driving it. It isn't
motivated by fear of civil rights movements, or a desire to continue
segregation under the radar. Rather it is about using irrational fear to
facilitate power grabs and justify pointless expenditures (In the case of
hackers: any government program that has the word "Cyber" in it. In the case
of terrorists: damn near everything else).

~~~
hansjorg
To see the War on Terror as chiefly about domestic power grabs and pointless
expenditures is the prerogative of US tax payers and US citizens, but it's
also a pretty narrow point of view.

If you're going to make coarse, meaningless comparisons and only after that
narrowing it down with qualifications, I guess the original article was right.
Hacker Panic is the new War on Drugs. Except for all the ways it is not, of
course.

~~~
Crito
It's not just about domestic power, and even if it was, it would not affect
the veracity of the comparison.

The _War on Terror_ uses racism as a tool. The _War on Drugs_ is waged
_because of_ racism. Racism was not simply a tool used by the _War on Drugs_,
it was the reason for it in the first place.

Is the Hacker Panic created and driven by fear of hackers, or is fear of
hackers merely a tool being used to achieve another goal? I am arguing it is
the latter.

> _"I guess the original article was right. Hacker Panic is the new War on
> Drugs. Except for all the ways it is not, of course."_

I am saying that the _War on Terror_ is a more apt and useful comparison if we
want to answer any "why" questions. The comparison to the _War on Drugs_ does
not give us any useful insight.

------
ihsw
The comparison is fairly skin deep:

* mandatory minimum sentences

* lopsided plea bargains (you can go to jail for anywhere between 18 months to 30 years, depending on whether you take the bargain)

* prosecutors pushing for convictions as a means of adding to their professional scorecard

* rampant fear and paranoia (marijuana is a gateway drug! command line interfaces are scary!)

* using that fear and paranoia to pass draconian (and oftentimes ineffective) legislation via door-in-the-face argument -- propose something _obviously_ ridiculous, and when it's rejected then you propose something that's _still_ overreaching but not enough to cause outrage

* using the above-said legislation to funnel public funds to our congress-critters' friends

Beyond that, the two are essentially incomparable.

~~~
tptacek
Which of those attributes doesn't apply to pretty much every other federal
crime?

~~~
ihsw
Yeah, you're right. It's a bit of a shitty news article, but it's good at
grabbing your attention.

------
dobbsbob
Hacker crackdown has been going on since the late 80s
[http://en.m.wikipedia.org/wiki/The_Hacker_Crackdown](http://en.m.wikipedia.org/wiki/The_Hacker_Crackdown)

I remember when I came home from school to find cops going through my room
demanding to know where I kept my copy of the cellular hackers bible because I
had told somebody on fidonet I had it and it was deemed forbidden knowledge

~~~
adamfeldman
That's the first ebook I ever read. It's free online!
[http://www.mit.edu/hacker/hacker.html](http://www.mit.edu/hacker/hacker.html)

------
angersock
Note that a lot of the work we do every day, in development or devops or
normal administration, can probably be presented to a layperson as "hacking".
Especially as we promote services which reduce the average person to a bunch
of database records and take away their middle-class job and parade about in
our buses and whatnot, we do not engender much love from the common person.

This is a great way of the .gov getting the tech sector back under control,
and reminding it of its place. Be careful folks. :(

------
alanh
Written by one of weev’s lawyers. Weev, the absolute cyber-douche who
threatened Kathy Sierra’s family and precipitated her years-long avoidance of
Internet and speaking appearances. Who _absolutely_ deserves punishment.

If the “crackdown on hackers” were remotely like the “war on drugs”, then
should we suppose weev to be analogous to a mere user of crack cocaine who was
racially targeted and unfairly handed an outsized jail sentence? No. weev is
no victim.

------
klez
Could someone please help me understand how can changing a headline on some
websites cause five-figures damages?

Honest question, really. Every time I see articles about computer vandalism or
hacking I see these big numbers and don't understand how they are calculated.

~~~
tptacek
Straightforward.

* Employees of the company spend X number of days responding to the incident, and you take their fully loaded cost and divide it out by the number of days they spent having to deal with the incident, and that's a big number. Plus:

* If the site is disabled or degraded, you can often easily calculate outage costs based on the average volume of revenue the site generates during the outage period. Plus:

* In a high-profile incident, outside professionals will often need to come in, first because insurance and contracts require a full investigation, and second because once a site is compromised you have to assume there are backdoors that will restore access for the attackers in the future. The cost of an external forensics investigation can hit mid-5-figures by itself very easily. Plus:

* A high-profile incident is inevitably going to involve legal fees for the victim.

That's before you get into things like reputation damage, loss of
clients/customers/advertisers, &c.

Like I said upthread, $10k-$20k damages for the defacement of one of the
largest newspaper websites in the world sounds like a very low figure to me. I
don't mean that in a normative sense. I mean, in the positive, descriptive
sense, that sounds like less than what these incidents usually actually cost
to their victims.

~~~
_delirium
That makes some sense, but is a little out of keeping with what people expect
in part because losses in many "physical" kinds of crimes aren't usually
reported in an all-inclusive manner, but just report the direct damage. For
example, if someone vandalizes (or steals) $20k of goods in a Wal-Mart
warehouse, both Wal-Mart and the media will typically report that as $20k
damage (or theft), rather than adding to the $20k the cost of the security
response, lost business or increased overtime caused by supply-chain
disruption, etc. Theft statutes that include thresholds for different classes
of theft also usually refer only to the value of the stolen goods, not other
losses caused by their theft (such as loss of business, cost of security
response, or supply-chain disruption). You could justify including them, but
it doesn't seem to be that common.

~~~
tptacek
We might be talking about two different issues. If you steal $20k worth of
PS4s from Best Buy and totally fuck up their January promo event, the $20k
theft amount might be all that factors into your criminal sentence, but Best
Buy can probably come after you civilly for the rest of it.

------
snake_plissken
When we start locking up tens of thousands of people because someone Trojaned
their computer and used it to run a LOIC node, maybe this could resonate. What
makes the War on Drugs unique is that so many people are and have been locked
up on felony charges for buying/possessing some type of substance that they
willingly want to put in their own bodies.

------
jlgaddis
> _It’s time for the government to learn from its failed 20th century
> experiment over-punishing drugs and start making sensible decisions about
> high-tech punishment in the 21st century._

I'm not gonna hold my breath.

------
silveira
War on Privacy is the new War on Drugs.

------
aaron695
> The U.S. Crackdown on Hackers Is Our New War on Drugs

No it's not.

Drug use is a personal choice where all actors are voluntary. (The 'war' bit
then causes the damage we currently see to everyone)

Hacking has victims that don't want to be involved.

It might be a heavy handed approach currently but relating it to the war on
drugs is insulting, millions die and are incarcerated because of that war.

------
at-fates-hands
This guy's an attorney and he compares a local/county crime (vandalism) to a
federal crime (CFAA) and expects the sentencing to be the same? I'm
speechless.

I'm not a hacker, but even I know pretty much anything having to do with any
unauthorized access to someone's computer is a FEDERAL offense. Regardless of
whether you were the person breaking into that computer or not. Even Keys
should have known what he was doing was a crime.

It's the same defense people use when they're with someone in the commission
of a crime. "I was only there, I didn't kill the guy, Jim did." which is not a
viable defense. You're at the least an accessory to the crime, and at worst,
helped in the commission of a crime like driving the getaway car, hiding
evidence, etc.

The whole premise of the article is completely flawed.

------
everyone
Do you not think this sort of thing may be ultimately caused by the prison
industry? They need more patrons!

------
mtgx
And just like the War on Drugs, laws have been (CFAA) and will continue to be
passed out of panic or cluelessness that will affect people for _decades_ to
come, unless we try to stop them today.

------
Fuxy
If this "War on Hackers" truly becomes an issue this could potentially be the
most damaging war in the American economy.

Hackers are nothing like drug dealers; the same people that vandalize a few
websites when they're teenagers and part of Anonymous could later become the
founders of the next great company like Google.

By giving hackers overly harsh punishments the US government is hurting their
potential to do good by unnecessarily exposing them to a world (prisons) where
the likelihood of them doing more black-hat hacking is higher.

------
gmuslera
If US government were the world's leading producer of drugs for sale
everywhere the analogy would be more fitting.

~~~
RyanMcGreal
Voila: [http://www.amazon.ca/Cocaine-Politics-Central-America-Update...](http://www.amazon.ca/Cocaine-Politics-Central-America-Updated/dp/0520214498)

------
tsotha
There's a big difference between putting a substance into your own body and
breaking into someone else's computer and taking their data. Personally I
think the punishments for "hacking", the way the term is used in this article,
are too light.

------
NAFV_P
The prime failure of the criminalisation of drugs is that it defines someone
who is smoking a joint as a criminal.

This scenario is closer to what happened to Robert Morris. Apparently the worm
wasn't intended to be malicious, unlike the actions of Matthew Keys.

------
radley
War on IP/copyright is the new war on drugs. Attacking hackers is merely a
byproduct.

------
r0m4n0
This doesn't go into the statistics but I'm sure light has yet to be shed on
the ridiculousness of countless settled cases and state statute/pc violations
based on the CFAA (502c in CA and others).

------
njharman
For early history of this watch Freedom Downtime
[http://www.freedomdowntime.com/](http://www.freedomdowntime.com/)

------
coldcode
"Hackers" as a term is beginning to become too overridden to be useful.

------
fleitz
It's not a new war on drugs, it's the same old war on critical thinking.

------
ivanbrussik
not even nearly close from a fiscal standpoint.

------
asmallfish
The government gives harsher sentences to hackers than many rapists. This is
because it is actually afraid of hackers. Hackers hold power that petty
criminals do not. The sentences for hackers are completely ridiculous because
they are created by fear.

~~~
sliverstorm
Examples?

~~~
dobbsbob
This guy got 5yrs for 2 rapes [http://www.rawstory.com/rs/2013/11/21/ex-marine-serving-rape...](http://www.rawstory.com/rs/2013/11/21/ex-marine-serving-rape-sentence-says-hes-been-sexually-assaulted-by-female-prison-workers/)

Gary McKinnon was looking at 70yrs. The guy who made credit card fraud sites
and was busted in the carder.su op got 7yrs after pleading but was looking at
life. Rape and hacking are impossible to compare though because usually a rape
happens once, whereas charges are stacked a mile high for computer fraud
because nobody steals one login or card they steal a db full of them which
means multiple charges, so technically rape on the federal books is a larger
sentence compared to 1 charge of fraud or trespassing.

~~~
sliverstorm
What does what they were "looking at" matter one bit? I don't understand why
the 70 years he was "looking at" matters at all, if he wasn't sentenced to 70
years.

~~~
dobbsbob
Because nobody goes to trial for computer fraud, not if the prosecutor is
seeking 70 years so you are forced to bargain for 12-20yrs and yes there is a
real possibility you will get all that time if you don't plea

~~~
tptacek
Since there has never been a trial in US history where a prosecutor sought
anything like 70 years for computer fraud, nor has there (I believe) been a
CFAA case that plead out to 20 years, I don't think these are real
possibilities.

Google: Popehat Whale Sushi.

------
Fasebook
I don't know why anyone here is even discussing it. They'll make the laws they
want and they'll enforce the punishments they want. People's front pages are
too economically viable to let reason into the courtroom.

