Wednesday, January 17, 2007

"How Legal Codes Can Hinder Hacker Cases"

The Wall Street Journal (Cassell Bryan-Low, p. A8) runs an article today about some of the difficulties in trying people accused of computer crimes, and sentencing them once they're convicted. The article points out that the evidence of a crime, such as the release of a worm or operation of a botnet, can be difficult to collect and that the crimes themselves are difficult to explain in court. In addition, the article notes that damages are difficult to measure:
Some prosecutors say the problem in general isn't so much that available penalties aren't sufficient. "The bigger challenge in the penalty sense is making sure that we can actually quantify the harm that is caused" to persuade a judge to issue a punishment that fits the crime, says Christopher Painter, deputy chief of the U.S. Justice Department's Computer Crime Section. Damages can play a key part in sentencing, but collecting comprehensive data is practically impossible as a virus can affect millions of machines, which often are scattered across many countries.
For example, one provision of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030(a)(4), sets a threshold of $5000 in damages in a one-year period to define a crime. In addition, the U.S. Sentencing Guidelines take the amount of damage into account when recommending sentences for people convicted under the CFAA. For a criticism of how these damages have been calculated in practice, see this paper by Jennifer Granick.